Section 33 of the Personal Data (Privacy) Ordinance (PDPO) prohibits the transfer of personal data to places outside Hong Kong except in circumstances specified in the PDPO.
Although section 33 is not yet in operation, this dormant provision may well come into force in the near future. Over the last 12 or so months, Hong Kong’s Privacy Commissioner (the Commissioner) and the Hong Kong Government are known to have been working towards the activation of section 33, so that restrictions on the cross-border transfer of personal data are implemented. In December 2014, the Commissioner published a Guidance Note on Personal Data Protection in Cross-Border Data Transfer (the Guidance Note) for data users to prepare for the implementation of section 33. Accordingly, data users should review their existing privacy policies to ensure compliance with the cross-border transfer restrictions once section 33 is implemented.
Personal data means any recorded information relating to an identifiable living individual. Examples of personal data are identity card numbers, telephone numbers, addresses, fingerprints, names, medical and employment records, and photos.
What is section 33?
Section 33 of the PDPO prohibits cross-border data transfers in two primary scenarios, namely (i) transfers of personal data from Hong Kong to a place outside Hong Kong; and (ii) transfers of personal data between two other jurisdictions where the transfer is controlled by a Hong Kong data user.
The provision therefore has potentially far-reaching implications, as it prohibits the transfer of personal data abroad by a person who controls the collection, holding, processing or use of the data in Hong Kong. However, a person who is merely transmitting data on behalf of another, and not for any of his own purposes, will not be subject to section 33 pursuant to section 2(12) of the PDPO. An example of this exception is a telecommunication service provider who solely transmits personal data for other data users.
Typical examples of data use and transfer (as identified by the Commissioner) which will trigger the application of section 33 include the following:
- Engaging a third party service provider situated outside Hong Kong to process personal data;
- Storing personal data in a cloud server that is accessible outside of Hong Kong;
- Sending an email containing personal data to a recipient located outside Hong Kong;
- Sharing personal data of customers and/or employees with related companies around the world in a centralised database; or
- Passing customers’ personal data to contractors situated outside Hong Kong for the purpose of direct marketing.
Contravention
Data users who, without reasonable excuse, contravene section 33 are liable to a fine of up to HK$10,000 per breach. The Commissioner may also issue enforcement notices to data users who have contravened section 33. Contravention of an enforcement notice issued by the Commissioner is an offence which carries a fine and imprisonment, and a daily penalty in the case of a continuing offence after conviction.
Exceptions to section 33
The exceptions to section 33 are as follows:
- White List jurisdictions
The transfer of personal data to a place that has been specified by notice in the Gazette by the Commissioner. The Commissioner currently describes this list of jurisdictions as the White List. The White List is a dynamic listing, which is, and will be, subject to ongoing review by the Commissioner from time to time. The places specified in the White List are regarded as having data protection laws substantially similar to the PDPO.
- Similar PDPO protections
This exception applies when the data user has reasonable grounds for believing that a jurisdiction, though not in the White List, has in force laws which are substantially similar to, or serve the same purposes as, the PDPO. To satisfy this requirement, a data user is expected to undertake professional assessment and seek legal advice. Subjective views, even if honestly held, will not in themselves be sufficient.
- Consent of the data subject
Data users can transfer personal data abroad if the data subject has consented in writing to the transfer. Such consent needs to be express, voluntary and in writing. The Guidance Note provides that, in order to obtain the data subject’s written consent, the data user should first inform the data subject of the places to which their personal data would be transferred. The data subject should also be informed of the purpose of the transfer and the consequences of providing such consent. Additional guidance is needed regarding, for example, employees’ data and online transactions.
- Avoidance or mitigation of adverse action
Another exception applies where the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the data subject’s consent; and, if it were practicable, such consent would be given. The Commissioner has indicated that this limb has a narrow application. The onus is on data users to prove that their belief was reasonable in the relevant factual circumstances.
- Statutory exemptions
Data users may transfer personal data outside Hong Kong if the data falls within one of the exemptions under Part VIII of the PDPO. The relevant exemptions include where personal data is held only for domestic purposes; to assist in crime prevention; news activities which are in the public interest; where non-disclosure is likely to cause serious harm to the physical or mental health of the individual; where the transfer is required by Hong Kong law or in Hong Kong legal proceedings; or in an emergency situation.
- Due diligence and all reasonable precautions are taken
Another way to satisfy the cross-border transfer restriction is that the data user has taken all reasonable precautions and exercised all appropriate due diligence to ensure that the data will not, in that place, be collected, held, processed, or used in any manner that would be a contravention of the PDPO if it occurred in Hong Kong.
One of the ways to satisfy this due diligence requirement is to put in place an enforceable contract between the parties to the transfer. The Guidance Note provides some sample clauses to assist data users to prepare these enforceable contracts for the purpose of satisfying this exception.
We expect that the Guidance Note is a precursor to the implementation of section 33 over 2015. Given the significant impact of section 33 on data transfer activities across various sectors in Hong Kong, particularly given the predominance of the financial services industry in Hong Kong, a review of current privacy statements and privacy protection protocols and systems is warranted; and in fact will be necessary to ensure compliance with section 33, when it becomes operative.