On December 29, 2014, the Hong Kong Office of the Privacy Commissioner for Personal Data published guidance (“Guidance Note”) on the protection of personal data in cross-border data transfers. The Guidance Note was released in light of the Privacy Commissioner’s renewed focus on the legal restrictions governing cross-border data transfers in Hong Kong, which have not yet gone into effect.
Although the Hong Kong Personal Data (Privacy) Ordinance (the “Ordinance”) contains a provision (“Section 33”) imposing restrictions on cross-border data transfers, this provision did not go into effect when the rest of the Ordinance was enacted in 1995. Consequently, there currently is no effective legal restriction on cross-border data transfers in Hong Kong. As such, the new Guidance Note published by the Privacy Commissioner is voluntary and not binding. The Privacy Commissioner intends for the Guidance Note to be a practical guide that helps data users prepare for the cross-border data transfer restrictions of Section 33. The Privacy Commissioner noted, however, that no firm date has been set for Section 33 to go into operation.
Notably, the Guidance Note provides recommended model contractual clauses for cross-border data transfers of personal data outside of Hong Kong. The Privacy Commissioner’s Office does not require that the recommended model clauses be used verbatim. Instead, the Guidance Note advises the parties to make revisions or additions according to their own commercial needs.