On 12 May 2022, the Office of the Privacy Commissioner for Personal Data ("PCPD") issued the new Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data ("New Guidance"), which includes two new sets of Recommended Model Contractual Clauses ("New RMCs").
Although section 33 of the Personal Data (Privacy) Ordinance (Cap.486) ("PDPO") imposes restrictions on cross-border transfer of data outside of Hong Kong, this section is still not yet in operation. As such, adoption of the Recommended Model Contractual Clauses ("RMCs") is considered best practice rather than a mandatory obligation. The PCPD recommends data users to adopt the RMCs as part of their data governance responsibility to protect and respect the personal data privacy of data subjects.
It is not the first time that the PCPD has issued RMCs in Hong Kong. The New Guidance supplements the Guidance on Personal Data Protection in Cross-border Data Transfer (which includes RMCs in the Schedule annexed thereto ("2014 RMCs")) issued by the PCPD in December 2014.
We set out below a few key points that data users should take note of when they adopt RMCs in their data transfer agreements:
- Two sets of New RMCs: While there is only one set of 2014 RMCs (i.e. Transferor to Transferee), there are two sets of New RMCs, i.e. (i) Data User to Data User RMCs; and (ii) Data User to Data Processor RMCs. The New RMCs are also published in both English and Chinese.
- The New RMCs are applicable to cross-border data transfers between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user: In addition to cross-border data transfers from a Hong Kong entity to an overseas entity, the New RMCs should also be adopted in relation to cross-border data transfers between two entities outside Hong Kong when such transfer is controlled by a Hong Kong data user[1].
- The New RMCs may be adapted and modified: Unlike the EU Standard Contractual Clauses, organisations are free to use alternative wording which in substance is consistent with the requirements of the PDPO when the New RMCs are (i) adapted in developing their own form of data transfer agreements; or (ii) incorporated into a wider service agreement. The New RMCs are prepared as free-standing clauses which may be incorporated into more general commercial agreements between data transferors and data transferees provided that the substantive effect of the New RMCs continues to be met.
- Additional contractual measures: In addition to the incorporation of the New RMCs, a data transferor should consider whether it is necessary or advisable to incorporate additional contractual assurances, rights and obligations in relation to the use or processing of the personal data by the transferee in the context of the specific cross-border data transfer, especially where the subject matter of the contract consists of more complex contractual obligations that last for a comparatively long period of time. For example, multi-national companies usually adopt a more complex set of additional contractual clauses in their data transfer agreements.
- The 2014 RMCs contain recommended clauses on additional contractual assurances. Examples of such additional assurances are (i) reporting, audit and inspection rights; (ii) notification of breach; and (iii) compliance support and co-operation.
- In the context of data user to data user transfers, it is recommended that the agreed roles and responsibilities between the parties should be set out to ensure that adequate protection be given to the transferred personal data in areas where mutual co-operation is likely to be beneficial. For example, the parties may agree on an obligation to work jointly to ensure that personal data be kept up to date or an obligation to ensure each data user should provide a designated point of contact to communicate with each other with respect to PDPO compliance.
- Data ethics, transparency and accountability: Data users should adopt good data ethics, which means doing what is reasonably expected by data subjects and being transparent about data processing activities. Data users are recommended to notify data subjects of any proposed cross-border data transfer and the underlying grounds though a privacy notice or privacy policy.
Data users in Hong Kong are recommended to incorporate the New RMCs in their agreements if (i) personal data is transferred outside of Hong Kong; or (ii) personal data is transferred between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user. If a data user is unable to demonstrate that it has implemented good data practice, e.g. the incorporation of the New RMCs, it may be susceptible to potential liability and reputational damage.
[1] A "data user" is defined under the PDPO as a person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data.
Disclaimer
Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.