If multinational corporations wish to keep or share employee records in different jurisdictions they need to review their employment contracts in light of forthcoming changes to Hong Kong’s data protection laws.
The Hong Kong Government is planning reforms to the Hong Kong Data Protection (Privacy) Ordinance (the Ordinance), which has been in force since December 1996, in order to bring it into line with international privacy laws and standards. A consultation report released late last year by the Constitutional and Mainland Affairs Bureau outlines, amongst other things, greater powers for Hong Kong’s Privacy Commissioner of Personal Data, as well as new offences and sanctions for repeated breaches of the data protection principles. Under the proposals the Commissioner will be able to impose fines of up to HK$50,000 and imprisonment for two years, with a daily fine of HK$1,000 for continuing breaches. This aspect of the reforms has, however, generated a great deal of public comment and so it remains to be seen to what extent it will be adopted by Hong Kong’s Legislative Council when amending the Ordinance.
One of the key potential changes for employers to note is the proposal to bring section 33 of the Ordinance into force. Section 33 restricts the transfer of personal data from Hong Kong to any jurisdiction that does not have adequate data protection provisions in place. Despite having been on the statute books since 1996, this provision has never actually been brought into force. This means that as things currently stand multinational corporations may not be subject to stringent regulations on the transfer of employees’ personal data to other jurisdictions, provided they have notified them at the time they collect the data that it may be transferred outside Hong Kong. If s.33 comes into force (there is currently no fixed date for this) it means that multinational corporations will be in breach of the Ordinance if they have not obtained employees’ consent before sharing or transferring their personal data with other group companies in different jurisdictions or have not taken measures or reasonable precautions to safeguard the personal data of the employees. To get ready for the implementation of s.33 employers should therefore be reviewing their employment contracts for employees in Hong Kong to ensure that there will be no unauthorised personal data transfers between group companies.