"Adoption of Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data" -- Privacy Commissioner's article contribution at Hong Kong Lawyer (June 2022)

Practical Guidance

With the acceleration of digitalisation in various facets of our daily lives and the proliferation of globally connected business models, we have seen an exponential increase in cross-border transfers of personal data. The implementation of the Personal Information Protection Law in the Mainland in November 2021 has also brought about a whole new regulatory regime for transborder flows of personal information from the Mainland to other parts of the world. In the context of cross-border transfers of personal data involving data users in Hong Kong, I consider that it is of fundamental importance for stakeholders to shoulder their responsibilities in protecting the personal data privacy of data subjects, notwithstanding the transfer of data outside Hong Kong.

It is against this backdrop that my office, the Office of the Privacy Commissioner for Personal Data, Hong Kong, published the Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (“Guidance”) on 12 May 2022. The Guidance provides detailed elaborations as to the substantive effect of the Recommended Model Contractual Clauses (“RMCs”), and how adherence to the same ensures that adequate protection be given to the personal data as provided for under the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”), as if the data concerned were not transferred outside Hong Kong. The Guidance also recommends to data users, especially the small and medium-sized enterprises, the best practices to be adopted as part of their data governance responsibility to protect and respect the personal data privacy of data subjects.

In particular, the Guidance introduces two sets of RMCs, which may be incorporated into more general commercial agreements between data transferors and data transferees, in which other commercial considerations may also be addressed.

The Legal Requirements

Essentially, the protection should follow the data irrespective of the location of the data. Data Protection Principle (“DPP”) 3 of the Ordinance, which is directed against the misuse of personal data, specifies that personal data shall not, without the data subject’s express and voluntary consent, be used for a new purpose. Thus, transfer of personal data to a place outside Hong Kong would require the data subject’s prescribed consent under DPP3 if it is for a new purpose, unless such transfer falls within the exemptions under Part 8 of the Ordinance.

Further, if a data user engages a data processor to process personal data outside Hong Kong on behalf of the data user, the data user must adopt contractual or other means to, among other things, (i) prevent any personal data transferred to the data processor from being kept longer than is necessary for the processing of the data (under DPP2(3)), and (ii) prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing (under DPP4(2)). The data user remains liable for the act done by its agent with its authority under section 65 of the Ordinance.

To ensure compliance with the requirements imposed by the Ordinance notwithstanding the transfer of data outside Hong Kong, therefore, it is advisable for data users to incorporate the RMCs into agreements for cross-border data transfers. The adoption of the RMCs will also serve to illustrate that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the jurisdiction of the transferee, be collected, held, processed, or used in any manner which, if that took place in Hong Kong, would be a contravention of a requirement under the Ordinance. All these factors will be taken into account when there is any suspected or alleged breach of the Ordinance, including the DPPs.

The RMCs

The two sets of RMCs set out the general obligations of the contracting parties in respect of the protection of personal data privacy and cater for two different scenarios in cross-border transfers of personal data, namely, (i) from one data user to another data user; and (ii) from data user to data processor. They are applicable to the transfer of personal data from a Hong Kong entity to another entity outside Hong Kong; or between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user, with a view to facilitating the parties to cross-border transfers of personal data to take into account the relevant requirements of the Ordinance, including the DPPs under Schedule 1 thereof.

In the context of cross-border transfers of personal data outside Hong Kong, data users are advised to take all reasonable precautions and exercise all due diligence to ensure that the personal data transferred would not, in the destination jurisdictions, be handled in a manner which, if that took place in Hong Kong, would be a contravention of the requirements of the Ordinance. The RMCs provide, for instance, that a transferee should:

  1. only use or process the personal data transferred for the specified purposes of transfer;
  2. adopt the agreed security measures in the use or processing of the personal data transferred;
  3. retain the personal data transferred only for a period which is necessary for the fulfilment of the defined purposes;
  4. take all practicable steps to erase the personal data transferred once the purposes of transfer have been achieved;
  5. not make any onward transfer of personal data to any third party except as agreed by the parties; and ensure that parties to any onward transfer should be subject to the same (or substantially similar) RMCs; and
  6. comply with the data subjects’ access and correction requests (only for a transferee acting as a data user).

Good Data Ethics

Last but not least, the Guidance advocates that data users should adhere to the principles of good data ethics which, put simply, is about doing what is reasonably expected by data subjects and being transparent about data processing activities. A perceived lack of transparency around data processing activities can engender a sense of distrust between the data user and data subjects. Adopting RMCs and observing the principles of transparency and accountability will be conducive not only to maximising the value of data but also to developing and sustaining the trust of data subjects.

The Guidance is available in hard copy and accessible at https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_model_contractual_clauses.pdf