On 29 December 2014, the Office of the Privacy Commissioner for Personal Data (PCPD) published a Guidance Note entitled "Guidance on Personal Data Protection in Cross-border Data Transfer" (the Guidance Note). The Guidance Note is of particular relevance to multi-national corporations (MNCs) because their corporate structure will inevitably involve a significant amount of personal data (including personal data of employees) being transferred between entities located in different jurisdictions.  

Background

In Hong Kong, personal data is protected mainly by the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO was enacted in 1995, but section 33 is not yet in operation. That section prohibits the transfer of personal data to places outside Hong Kong unless certain conditions are met. Whilst no firm date has been set for the implementation of section 33, the publication of the Guidance Note by the PCPD suggests that it may be implemented in the near future to ensure Hong Kong's continued status as an international financial centre and data hub. This e-bulletin considers the implications for employers of section 33 coming into operation.

What will be the effect of section 33?

Once it comes into effect, section 33 will prohibit the transfer of personal data (i) from Hong Kong to a place outside of Hong Kong; and (ii) between two other jurisdictions where the transfer is controlled by a Hong Kong data user, unless an exception applies.

By way of example, section 33 will apply to the following:

  1. sending or transmitting employees' personal data from Hong Kong to other members of a corporate group or to service providers located in another jurisdiction for storage and/or processing (e.g. by sending paper or electronic documents containing personal data by courier, post or email);
  2. sharing employees' personal data with other members of a corporate group located outside Hong Kong by making such information available to download or access from a centralised database, even if the database is stored in Hong Kong; and
  3. storing employees' personal data in a cloud, if the cloud server is located, or is accessible from, outside Hong Kong.

Exceptions to the section 33 prohibition

Section 33 will not prohibit the cross-border transfer of an employee's personal data if one or more of the following exceptions are fulfilled[1]:

  1. The data transferee is located in a jurisdiction “whitelisted” by the PCPD as a jurisdiction that has in force a data protection regime which is substantially similar to, or serves the same purposes as, the PDPO;
  2. The data user has “reasonable grounds” for believing that the destination has a data protection regime in force which is substantially similar to, or serves the same purposes as, the PDPO;
  3. The data subject has consented to the transfer in writing;
  4. The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be handled (e.g. collected, held, processed or used (including disclosure and transfer)) in a manner that would be a contravention of the PDPO. Putting in place an enforceable contract between the parties to the transfer is one of the methods to satisfy this exception. Alternatively, data users may also adopt non-contractual means to satisfy this exception, including, for example, in the case of intra-group transfers, the implementation of adequate internal safeguards, policies and procedures which apply to the group as a whole;
  5. The data user has reasonable grounds for believing that: (i) the transfer is to avoid or mitigate adverse action against the data subject; (ii) it is not practicable to obtain written consent from the data subject; and (iii) the data subject would have given consent if it had been practicable to obtain it; or
  6. An exemption under Part VIII of the PDPO applies[2].

Although no "whitelist" has yet been released, it seems unlikely that the PCPD would assess the United States of America, for example, as having in force any law which is substantially similar to, or serves the same purposes as, the PDPO. It is less clear, however, whether the PCPD will adopt a similar approach to that of regulators in the United Kingdom in respect of transfer of personal data to recipients in the USA. Guidance published by the Information Commissioner's Office in the UK suggests that data users in the UK may lawfully transmit personal data to a recipient in the USA if: (i) the transferee has signed up to the voluntary US Department of Commerce's Safe Harbor Scheme; and (ii) the transferor has sought and received assurance from the transferee that the recipient is compliant with their safe harbor obligations.

Implications for employers

The implementation of section 33 will require employers to review their existing arrangements for the handling of employees' personal data, including relevant intra-group policies and procedures, and to take steps to ensure those arrangements comply with the requirements of section 33.

Employers who transfer employees' personal data to related entities or third party service providers located in jurisdictions other than Hong Kong, or who use cloud storage solutions, should seek to ensure that the terms of such arrangements provide that (i) personal data transferred to and stored outside Hong Kong will be subject to a standard of protection which is at least comparable to that under the PDPO, (ii) the transferee will protect, retain, store and destroy personal data in their possession in full compliance with the PDPO, and only process and use (including disclosure and transfer) data pursuant to the written instructions of the data user, and (iii) the data user retains a right to control access to the data and conduct audits.

As an additional measure to cover situations where potential data transferees are located in jurisdictions with limited statutory protection for personal data, employers should consider revisiting and, where appropriate, updating their employment documentation for compliance with the provisions of the Guidance Note. Such documents would typically include contracts of employment, personal information collection statements (PICS) issued to employees and job applicants, personal data or privacy policies and procedures for the handling of personal data.

[1] The PCPD encourages data users to adopt multiple measures to the extent practicable.

[2] Examples of such exemptions include (A) where personal data is transferred for the purpose of prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct or dishonesty or malpractice; (B) emergency situations; and (C) subject to certain conditions, data is transferred for the purposes of a due diligence exercise to be conducted in connection with a proposed business transaction that involves (i) a transfer of the business or property of, or any shares in, the data user; (ii) a change in the shareholdings of the data user; or (iii) an amalgamation of the data user with another body.