Organisations in the European Union with operations in the United States have, for over a decade now, taken comfort that the transfer of personal data to the United States would be lawful if the recipient had subscribed to the US Safe Harbour Scheme (the "Scheme"). According to the European Commission Decision 2000/520, the operation of the Scheme meant that personal data transferred to the United States would be afforded an adequate level of protection (that is, an EU-standard level of protection).
That is no longer the case. In the recent case of Schrems v DPC, the Court of Justice of the European Union (the "CJEU") ruled that the US Safe Harbour Scheme does not provide an equivalent standard of protection for personal data, because data recipients are required to disregard the Safe Harbour Principles where they conflict with national security, public interest or law enforcement requirements of the United States. A summary of the CJEU's decision and, in particular, its immediate consequences for organisations in the EU is available here.
This case is of interest in Hong Kong, because of recent indications that the Hong Kong Government may take steps to bring section 33 of the Personal Data (Privacy) Ordinance into effect. Section 33, once it becomes operative, will prohibit the transfer of personal data out of Hong Kong, unless an exception applies.
Like in the EU, a number of exceptions may be available to a data user wishing to transfer data outside Hong Kong. For example, section 33(2) of the PDPO will permit such transfer where: (i) there are laws in place in the country in which the recipient is located which are substantially similar to, or serve the same purposes as, the PDPO; or (ii) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be handled (e.g. collected, held, processed or used) in a manner that would contravene of the PDPO.
In Q3 of 2015, the Hong Kong Government appointed consulting firm, Deloitte, to undertake a Business Impact Assessment (the "Business Impact Assessment") to assess the impact on business of the proposed implementation of section 33, with a view to ensuring that viable means are available for data users to fulfil the requirements of that provision, without stifling legitimate business operations.
When approached by us, individual spokespersons involved in the study were unwilling to comment on whether the decision in Schrems v DPC would impact on the release date of the Business Impact Assessment. However, it seems reasonable to expect that the proposal to implement section 33 PDPO in Hong Kong will be delayed as a result of these developments, at least until the position in Europe on cross-border data transfers to the United States becomes clearer.