We take a closer look at businesses' obligations under Hong Kong law to protect personal data in a cross-border transfer and the new recommended model contractual clauses.

Introduction: Protection of personal data transferred out of Hong Kong

The Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) is the main legislation in Hong Kong which seeks to protect and regulate the collection, holding, processing, or use of personal data based on a set of data protection principles (DPPs).

In accordance with DPP3, personal data must not be used for a new purpose without the express and voluntary consent of the data subject. This includes the transfer of personal data outside Hong Kong without the data subject's consent, unless the transfer falls within the exemptions under Part 8 of the PDPO. These exemptions include the handling of personal data collected in the context crime prevention, litigation and the performance of judicial functions, etc.

If a data user engages a data processor to process personal data outside Hong Kong, the data user must also adopt contractual or other means to: (a) prevent any personal data from being kept longer than is necessary by the data processor (DPP2(3)); and (b) prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor (DPP4(2)).

The data user remains liable for the processing and handling of personal data carried out by the data processor, who acts as the data user's agent (s.65 of the PDPO). For example, if a data user passes the personal data of its customers to a contractor situated outside Hong Kong to make direct marketing phone calls, both the data user and the data processor must abide by the requirements for using personal data in direct marketing under Part 6A of the PDPO.

Currently there is no legislation in implementation which governs the transfer of personal data to a jurisdiction outside Hong Kong. S.33 of the PDPO, which intends to govern cross-border transfers of personal data to other jurisdictions, has not yet come into force. However, recent developments may suggest that this will soon change as the Office of the Privacy Commissioner for Personal Data (PCPD) has published new guidance on recommended model contractual clauses for cross-border transfers of personal data.

Recent development: Guidance on model clauses

The recent PCPD guidance provides two sets of recommended model contractual clauses, which addresses cross-border transfers of personal data in two different scenarios, (a) from one data user to another data user; and (b) from a data user to a data processor. The model clauses are free-standing clauses which can be incorporated into any applicable agreement, for example a data processing agreement or a general service agreement.

The guidance advises data users to take all reasonable precautions and exercise all due diligence to ensure that the personal data transferred would not, in the destination jurisdictions, be handled in a manner which, if that took place in Hong Kong, would be a contravention of the requirements of the PDPO.

The model clauses provide that a transferee of personal data should:

  • only use or process the personal data for the specified purpose(s) of the transfer;
  • adopt agreed security measures for the use or processing of the personal data;
  • retain the personal data transferred only for a period of time which is necessary for the fulfilment of the prescribed purpose(s);
  • take all practicable steps to erase the personal data once the purpose(s) of transfer have been achieved;
  • not make any onward transfer of personal data to any third party except as agreed by the parties (and ensure that parties to any onward transfer should be subject to the same (or substantially similar) model clauses); and
  • comply with the data subjects’ access and correction requests (only for a transferee acting as a data user).

The model clauses also include a Data Transfer Schedule which is intended to set out the transferor's and transferee's agreements in respect of specific operational and technical aspects of the data transfer, including:

  • the categories of personal data;
  • the purposes for which they are being transferred;
  • any specific agreement on the destinations to which the personal data will be transferred;
  • any specific maximum retention period applicable;
  • any specific agreement in respect of onward transfers of personal data which the transferee may make;
  • the security measures which the transferee is required to apply to its use/processing and storage of
  • the personal data, for e.g. encryption and erasure processes; and
  • the parties' arrangements for handling data subjects’ access and correction requests.

In addition to the model clauses, the transferor may also wish to adopt additional contractual rights and obligations which are relevant to the practices of their business. For instance, multi-national corporations may seek to adopt a more comprehensive set of clauses which cover a variety of obligations and scenarios to ensure that their operations comply with all applicable laws. These additional clauses may govern reporting, audit and inspection rights, notification duties in respect of a data breach, and compliance support and cooperation duties.

Finally, the guidance recommends that all data users should adopt good "data ethics". In essence, this means that data users (and data processors) should be doing what is right by data subjects and building on a culture of transparency and trust with data users. The guidance poignantly states that, if a data user is unable to demonstrate that it has implemented good data protection measures, including for e.g., the incorporation of model clauses, the data user may be liable to potential liability and reputational damage.

Currently there is no legal requirement to implement the model clauses but they are recommended best practice, so businesses should give serious consideration as to adoption of the model clauses (or similar) within contracts in order to better protect personal data. Moreover, although s.33 of the PDPO has not yet come into force, this is a good opportunity to get practices and legal agreements in order before its eventual enforcement. The model clauses also comply with several other provisions of the PDPO, including the DPPs.

The renewed focus on data protection, in particular concerning cross-border flows of personal data, coincides with the implementation of the Personal Information Protection Law (PIPL) in Mainland China which has extra-territorial effect. Since PIPL requires standard contractual clauses, Hong Kong's data protection regime is undoubtedly ensuring that it plays its part in the protection of data which flows across the border with Mainland China. It is therefore important that businesses use this opportunity to act upon the guidance of the PCPD if they are sending and receiving a vast amount of personal data between Mainland China and Hong Kong.