(29 December 2014) The Office of the Privacy Commissioner for Personal Data ("PCPD") published today a Guidance on Personal Data Protection in Cross-border Data Transfer (the "Guidance").
Section 33 of the Personal Data (Privacy) Ordinance (the "Ordinance") provides stringent and comprehensive regulation of transfer of data to outside Hong Kong. It expressly prohibits the transfer of personal data to places outside Hong Kong except in circumstances specified in the Ordinance. This ensures that the standard of protection afforded by the Ordinance to the data under transfer will not be reduced as a result of the transfer. However, section 33 of the Ordinance is not yet in operation.
The Privacy Commissioner for Personal Data, Mr Allan Chiang commented, "The situation of global data flows is markedly different today than in the 1990s when the Ordinance was enacted. Advances in technology, along with changes in organisations’ business models and practices, have turned personal data transfers into personal data flows. Data is moving across borders, continuously and in greater scales. Organisations, including small and medium enterprises, are enhancing their efficiency, improving user convenience and introducing new products by practices which have implications for global data flows. They vary from storing data in different jurisdictions via the ‘cloud’ to outsourcing activities to contractors around the world. Electronic international data transfers in areas such as human resources, financial services, education, e-commerce, public safety, and health research are now an integral part of the global economy."
"Against this background, the issue of regulating cross-border data flows is becoming more acute than ever before. Countries worldwide are adopting a range of mechanisms to protect the personal data privacy of individuals in the context of cross-border data flows. It is high time for the Administration to have a renewed focus on the implementation of section 33 to ensure that the international status of Hong Kong as a financial centre and a data hub will be preserved."
The Guidance assists organisations to prepare for the eventual implementation of section 33 and enhance privacy protection for cross-border data transfer. It helps organisations understand their compliance obligations under section 33. In particular, the PCPD has prepared a set of recommended model data transfer clauses to assist organisations in developing their cross-border data transfer agreement with the overseas data recipients. Organisations are encouraged to adopt the practices recommended in the Guidance as part of their corporate governance responsibility even before section 33 takes effect.
"I stress that this is a guide for voluntary compliance as the Administration has not set a firm date for implementation of section 33. I welcome feedback from the industry as regards the utility value of the Guidance and the problems, if any, that they face in following the Guidance," Mr Chiang added.
Read the Guidance and the Recommended Model Clauses at www.pcpd.org.hk/english/resources_centre/publications/guidance/files/GN_crossborder_e.pdf or obtain a copy at the PCPD office (12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong).
- End -