
PCPD e-Newsletter


ISSUE Sep 2021


Understanding the European Commission’s New Standard Contractual Clauses for the Transfer of Personal Data From the EU to Non-EU Regions

 

The European Commission has adopted a new set of Standard Contractual Clauses for the transfer of personal data from the European Union (EU) to Non-EU Regions (New SCCs), which came into effect on 27 June 2021. The New SCCs have taken account of the requirements of the General Data Protection Regulation (GDPR) and the judgment of the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18 (commonly known as the “Schrems II Judgment”).

 

The New SCCs will be relevant to a local entity in Hong Kong if the obligations under the GDPR apply to it as an exporting party on an extra-territorial basis. For instance, the requirements of the GDPR apply to a Hong Kong entity even though it does not have an establishment in the EU, so long as its data processing activities are related to the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EU. Hong Kong entities which are not subject to the GDPR but import EU personal data may also be required to adopt the New SCCs when entering into data transfer agreements, and to submit themselves to the jurisdiction of the data protection supervisory authorities identified therein (Clause 13(b)).

 

From 27 September 2021 onwards, data exporters and data importers can only conclude contracts incorporating the New SCCs for the transfer of personal data out of the European Union. Entities that engage in cross-border data transfers involving EU/EEA data subjects are also advised to pay heed to the New SCCs, in particular the parties’ obligations thereunder, and to plan ahead for the proper arrangement of data transfers in good time.

 

To assist Hong Kong entities to understand the New SCCs, the PCPD has published, for public reference, a set of frequently asked questions and answers on the implementation framework of the New SCCs and the obligations of parties entering into cross-border data transfer agreements using the New SCCs.

 

The PCPD also organised a webinar on “The New Standard Contractual Clauses of the EU for Transfer of Personal Data from EU to Non-EU Regions” on 6 September 2021. The webinar was hosted by Privacy Commissioner Ms Ada CHUNG Lai-ling, with guest speakers including Mr Ralf SAUER, Deputy Head, Unit for International Data Flows and Protection, European Commission; Mr Eduardo USTARAN, Partner & Global Co-head of Privacy and Cybersecurity Practice, Hogan Lovells, London and Mrs Ina WEYGANT, Group Data Protection Officer, Cathay Pacific Airways.

 

At this webinar, the expert speakers explained the requirements on international personal data transfers under the GDPR, the effect of the Schrems II Judgment and the features of the New SCCs. They also shared the practical experience of local entities in transferring personal data from the EU to Hong Kong.

 

This webinar was one of the events organised to celebrate PCPD’s 25th Anniversary.

 

 

Left top: Privacy Commissioner Ms Ada CHUNG Lai-ling
Left bottom: Mr Eduardo USTARAN, Partner & Global Co-head of Privacy and Cybersecurity Practice, Hogan Lovells, London
Right top: Mr Ralf SAUER, Deputy Head, Unit for International Data Flows and Protection, European Commission
Right bottom: Mrs Ina WEYGANT, Group Data Protection Officer, Cathay Pacific Airways

 


 

 

 


PRIVACY 101


What is a Personal Data Inventory?

Organisations should be clear about what kinds of personal data they hold and how the personal data is being processed, and document the information in the personal data inventory. A personal data inventory is thus a key component of a Personal Data Privacy Management Programme (PMP), as it assists an organisation to:

 

  • understand the type of consent that the organisation needs to obtain from data subjects;
  • determine how the data is protected (e.g. the more sensitive the data is, the higher the level of security required);
  • comply with data access and correction requests; and
  • assess the impact of a personal data leakage incident and take corresponding remedial measures: when an incident happens owing to the hacking of an organisation’s database, the organisation can easily find out from the personal data inventory the types of personal data contained in the database, whether the personal data is encrypted, etc.

 

Organisations should update their personal data inventory annually to ensure that all the personal data they hold is well recorded in it. In this connection, the procedures for updating the personal data inventory, the time for updating, the persons-in-charge, the processes of updating and reviewing, and the persons responsible for filing the inventory should be established.

 

An example of a personal data inventory is as follows:

[Image: example of a personal data inventory]

 

Organisations are also encouraged to implement a PMP to embrace personal data protection as part of their corporate policies and culture and implement it as a business imperative throughout the organisations, so as to gain the trust of their customers and other stakeholders and enhance their competitive edge.  For more details of PMP, please click here.

 

 

PRIVACY COMMISSIONER'S FINDINGS


Use of Electronic Health Records for Other Purposes Without the Data Subject’s Consent

A patient consulted a doctor of a medical centre. The patient was dissatisfied with the medicine prescribed to him by the doctor and hence lodged a complaint to the Medical Council of Hong Kong (“Medical Council”). The complaint was dismissed by the Medical Council on the ground that there was insufficient evidence as proof of any misconduct.

 

The patient subsequently received an SMS notification which stated that the doctor had accessed his electronic health record on the Electronic Health Record Sharing System (eHRSS). As a result, the patient lodged a second complaint with the Medical Council for an alleged violation of his privacy by the doctor. The case was referred to the PCPD for follow-up with the patient’s consent.

 

Upon preliminary enquiry, the PCPD found that when the doctor accessed the patient’s electronic health record, the doctor was not providing medical treatment to the patient; the access was made to refresh the doctor’s memory in order to deal with an enquiry from the Medical Council. In this connection, the purpose of the doctor’s access and use of the patient’s health records at the material time was inconsistent with the original purpose for which the data was collected, thereby contravening Data Protection Principle 3 of Schedule 1 to the PDPO. Hence, the PCPD issued a written warning to the doctor. In response, the doctor undertook that he would abide by the principle of “need-to-know” when he accesses any patient’s electronic health record on the eHRSS in future, and confirmed that he had not accessed the patient’s electronic health record through the eHRSS since then.

 

For further details of the case, please click here.

 

 

GET TO KNOW THE MAINLAND'S PERSONAL INFORMATION PROTECTION LAW


 

Webinar on “The Personal Information Protection Law of the Mainland” 

The Personal Information Protection Law (PIPL), the first piece of legislation in the Mainland dedicated to the protection of personal information, will come into effect on 1 November 2021. As Hong Kong’s economy and daily life are closely intertwined with the Mainland, the transfer of personal information between the two places takes place from time to time.  Local enterprises or organisations therefore have a need to know and understand the provisions of the PIPL.

 

Against this background, the PCPD, supported by the City University of Hong Kong School of Law, will organise a webinar on “The Personal Information Protection Law of the Mainland” on 13 October 2021 (Wednesday), 3:00pm to 4:30pm. A renowned Mainland expert on civil law and a seasoned legal practitioner are invited to explain the contents and features of the PIPL to participants, so as to assist enterprises or organisations to understand the new law and prepare themselves for compliance. Don’t miss the chance.  Enrol now!

 

PCPD Publishes Highlights of the Mainland's Personal Information Protection Law

The PCPD has also updated the PIPL’s thematic webpage to highlight the key provisions of the PIPL for the public’s reference. For more information, please visit here.

 


WHAT'S ON

The Legislative Council Passed the Personal Data (Privacy) (Amendment) Bill 2021

The resumption of the Second Reading debate and Third Reading of the Personal Data (Privacy) (Amendment) Bill 2021 (Amendment Bill) took place at the Legislative Council (LegCo) on 29 September 2021, and the Amendment Bill was passed by the LegCo. The Secretary for Constitutional and Mainland Affairs, Mr Erick TSANG Kwok-wai, IDSM, JP, delivered speeches at the meeting of the LegCo.
 
Please click here for the speech by the Secretary for Constitutional and Mainland Affairs at the resumption of the Second Reading debate on the Amendment Bill (in Chinese only).
 
Please click here for the speech by the Secretary for Constitutional and Mainland Affairs at the Committee Stage Amendments of the legislative process (in Chinese only).

Please click here for the speech by the Secretary for Constitutional and Mainland Affairs in adopting the report by the Legislative Council (in Chinese only).
 
Please click here for the speech by the Secretary for Constitutional and Mainland Affairs at the setting down of the Third Reading of the Amendment Bill (in Chinese only).

 

Event Organised in Celebration of PCPD’s 25th Anniversary – Webinar on “The Ethical Development and Use of Artificial Intelligence"

The PCPD organised a webinar on “Ethical Development and Use of Artificial Intelligence” on 13 September 2021 in celebration of its 25th Anniversary. Privacy Commissioner Ms Ada CHUNG Lai-ling explained and elaborated on the principles and good practices recommended in the “Guidance on the Ethical Development and Use of Artificial Intelligence” recently issued by the PCPD. 

 

Two experts from the government, Mr Tony WONG, JP, Deputy Government Chief Information Officer and Mr Anthony CHIU, Chief Systems Manager (Data Analytics), of the Office of the Government Chief Information Officer (OGCIO) also spoke at the webinar as guest speakers.  They elaborated on the development of artificial intelligence and highlighted the essential features of the “Ethical Artificial Intelligence Framework” recently issued by OGCIO for government departments. 

 

The webinar was held with great success and attracted more than 240 participants from government departments, professional associations and various industries including banking, insurance, education, retail and real estate.

 

 

Left top: Privacy Commissioner Ms Ada CHUNG Lai-ling
Right top: Mr Tony WONG, JP, Deputy Government Chief Information Officer, OGCIO
Bottom: Mr Anthony CHIU, Chief Systems Manager (Data Analytics), OGCIO

 

Privacy Commissioner Publishes an Article on “Guidance on the Ethical Development and Use of Artificial Intelligence” in Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling also published an article in Hong Kong Lawyer to introduce the “Guidance on the Ethical Development and Use of Artificial Intelligence”.  Please click here to read the article.

 

Privacy Commissioner Delivered a Keynote Speech at an International Roundtable on Ethics of Artificial Intelligence

Privacy Commissioner Ms Ada CHUNG Lai-ling gave a keynote speech at the Ethics in Artificial Intelligence Research Initiative for the Asia Pacific Regional Roundtable co-organised by Facebook and the Centre for Civil Society and Governance (CCSG) of The University of Hong Kong on 10 September 2021. In her speech, the Privacy Commissioner discussed the governance of artificial intelligence (AI) and elaborated on the “Guidance on the Ethical Development and Use of Artificial Intelligence” recently published by the PCPD.

 

To support the research on AI ethics in the Asia Pacific Region, Facebook partnered with CCSG to invite academic institutions, think tanks and research organisations for research proposals in 2019, and awarded outstanding proposals with research grants. The PCPD participated in the assessment of the research proposals. More than 50 proposals across the region were received and eight winning proposals were selected. The Roundtable aimed to provide a platform for the winners to present and discuss their preliminary research findings.

 

 

Reaching Out to Enterprises - The Hong Kong Federation of Insurers

Privacy Commissioner Ms Ada CHUNG Lai-ling met with representatives of The Hong Kong Federation of Insurers (HKFI) on 2 September 2021.  The Privacy Commissioner was briefed on the background and scope of the Insurance Fraud Prevention Claims Database (IFPCD) established by the HKFI, together with the measures taken for protecting personal data privacy in relation to the IFPCD.

 

The Privacy Commissioner was pleased to note that in the course of implementing the IFPCD, the HKFI had put in place a robust Personal Data Privacy Management Programme. Besides, while the IFPCD involves the use of artificial intelligence to assess the risks of insurance fraud, it has adopted “Privacy by Design”.

 

The Privacy Commissioner welcomes continuous exchanges with the HKFI with a view to strengthening the protection of customers’ privacy in relation to personal data in the insurance industry.

 

Reaching Out to Students - Privacy Commissioner Shared with Students the Concept of “Privacy by Design”

Privacy Commissioner Ms Ada CHUNG Lai-ling spoke at a webinar on “Privacy by Design” organised by Ampower Talent Institute and held on 4 September 2021. At the webinar, the Privacy Commissioner explained to over 100 students from Primary Five to Secondary Six how public and private organisations should adopt “Privacy by Design” when they launch new products or services, so as to effectively protect the personal data of citizens or customers. She also reminded the students of some personal data privacy risks in daily life.

 

 

MAINLAND CORNER

 

New Rules on Facial Recognition Technology Issued by the Supreme People’s Court 

(Supreme People's Court Issues Rules on the Use of Facial Recognition Technology)

The Supreme People's Court published a set of new rules for civil cases concerning the processing of facial images by facial recognition technology, which came into effect on 1 August 2021. This article gives you a gist of the rules.

 

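Supreme People's Court Issues Rules on the Use of Facial Recognition Technology

 

On 28 July 2021, the Supreme People's Court promulgated the “Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Civil Cases relating to the Processing of Personal Information Using Facial Recognition Technology” (the “Provisions”), which took effect on 1 August 2021.

 

The Provisions apply to civil cases relating to the processing of facial information [1] using facial recognition technology, and provide more specific rules on the processing of facial information.

 

The Provisions list the acts of processing facial information that infringe the personality rights and interests of natural persons, including [2]:

  • carrying out facial verification, identification or analysis in public places such as hotels, shopping malls and stations in violation of the rules;
  • failing to disclose the rules for processing facial information, or to expressly state the purpose, method and scope of the processing;
  • failing to obtain the separate or written consent of the individual concerned or his or her guardian;
  • failing to take the necessary security measures, resulting in the leakage, tampering or loss of facial information; or
  • providing facial information to others in breach of laws and regulations or of the agreement with the individual concerned.

 

The Provisions also state that where an information processor processes facial information on the basis of individual consent, the consent must be necessary for the provision of the relevant product or service, and must not be obtained by bundling it with other authorisations or by coercion [3]. In addition, the Provisions stipulate that property management companies and building managers must not use facial recognition as the sole means of verification for entering and leaving residential estates, and that owners and tenants have the right to request that other reasonable means of verification be used instead [4].

 

Under the Provisions, victims may, individually or jointly with other victims, pursue civil liability and liability for breach of contract against non-compliant information processors in accordance with the law [5]. Non-compliant information processors may also face civil public interest litigation brought by authorities such as the People's Procuratorate [6].

 

[1] Article 1 of the Provisions states that the processing of facial information includes collection, storage, use, processing, transmission, provision, disclosure, etc.

[2] Article 2 of the Provisions

[3] Article 4 of the Provisions

[4] Article 10 of the Provisions

[5] Articles 3, 12 and 13 of the Provisions

[6] Article 14 of the Provisions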


RECOMMENDED ONLINE TRAININGS

PCPD’s 25th Anniversary Event - Webinar on “The Personal Information Protection Law of the Mainland”

The Personal Information Protection Law (PIPL), the first piece of legislation in the Mainland dedicated to the protection of personal information, will come into effect on 1 November 2021.  The PCPD, supported by the City University of Hong Kong School of Law, is organising this webinar, at which a renowned Mainland expert on civil law and a seasoned legal practitioner will explain the contents and features of the PIPL to participants, so as to assist enterprises to understand the new law and prepare themselves for compliance. This webinar will cover the following topics:

 

Session 1: The Highlights and Features of the PIPL

Host and Moderator: Professor ZHU Guobin, Professor of Law, School of Law, City University of Hong Kong

Speaker: Professor WANG Liming, Renmin Law School, Renmin University of China

 

Session 2: How enterprises can prepare themselves to comply with the PIPL

Host and Moderator: Privacy Commissioner Ms Ada CHUNG Lai-ling

Speaker: Ms Barbara Li, Head of Corporate, Rui Bai Law Firm, Beijing

 

Date: 13 October 2021 (Wednesday)

 

Time: 3:00 pm – 4:30pm

 

Fee:  $450 / $360*

(*Members of PCPD's Data Protection Officers' Club may enjoy the discounted fee)

 

Language:    Putonghua for Session 1; English for Session 2

 

Who should attend: Legal professionals, Compliance Officers, Data Protection Officers, IT professionals and others who have business operations in the Mainland or have business relationships with the Mainland

Online Professional Workshop on Data Protection in Direct Marketing Activities

Organisations use various methods to promote their products, services and events to potential customers, such as emails, phone calls and mailouts. These activities may involve the use of personal data, and are thus governed by the PDPO. Any convictions of organisations for failing to comply with the requirements of the direct-marketing provisions of the PDPO will lead to reputational loss to the organisations concerned and weaken the trust of their customers and stakeholders. This workshop will help the participants to understand the requirements of the relevant provisions of the PDPO, so that they can meet their legal obligations and practise good personal data governance when conducting direct-marketing activities.

 

Date: 20 October 2021 (Wednesday)

 

Time: 2:15pm – 5:15pm

 

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

 

Key Take-aways:

  • Statutory requirements for collecting and using personal data in direct marketing activities
  • The handling of an “opt-out” request
  • Practical tips for compliance
  • Conviction cases

 

Who should attend: Data Protection Officers, Compliance Officers, Company Secretaries, Administration Managers, IT Managers, Solicitors (in house or private practice), Database Managers, Marketing professionals

 

 

Online Professional Workshop on Recent Court and Administrative Appeals Board Decisions

Legal practitioners and compliance officers need to keep abreast of the latest decisions of the court and the Administrative Appeals Board in relation to personal data privacy, and the legal arguments therein. Hosted by a PCPD lawyer, this workshop will take the participants on a deep-dive into the key issues of the cases and decisions, and the commonly applied provisions of the PDPO.

 

Date: 28 October 2021 (Thursday)

 

Time: 2:15pm – 5:15pm

 

Fee: $950/$760*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

 

Language: Cantonese

 

Key Take-aways:

  • Thorough understanding of major personal data privacy issues raised in recent decisions of the Hong Kong Court and the Administrative Appeals Board
  • In-depth discussion and interpretation of commonly deployed provisions of the PDPO
  • Familiarisation of recent cases that can serve as legal reference and practical examples for resolving issues encountered in compliance work

 

Who should attend: Solicitors, Barristers, In-house Lawyers, Data Protection Officers, Compliance Officers, Company Secretaries and Administration Managers

 

 

Other Professional Workshops on Data Protection from November to December 2021

 
 
 

Online Free Seminar - Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. The details are as follows:

 

 

Time: 3:00pm - 4:30pm

 

Seminar Outline:

  • A General Introduction to the PDPO
  • The Six Data Protection Principles (illustrated with industry-related examples)
  • Offences and compensation
  • Direct marketing
  • Q&A Session 
 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect the privacy of personal data is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and protecting the privacy of personal data, you can make a request for an in-house seminar via our online form. The outline of this seminar is provided below.

 

Seminar Outline:

  • A general introduction to the PDPO
  • The six data protection principles (industry-related cases will be illustrated)
  • Direct Marketing
  • Offences & Compensation
  • Q&A Session

 

Duration: 1.5 hours


SUPPORTING EVENT

PCPD Supports the Practising Governance 2021 Annual Conference

The Practising Governance 2021 Annual Conference is now open for registration.  The PCPD is pleased to be one of the sponsors of this event.

 

The Conference will feature the following topics:

  • "Post-covid": essential macro trends
  • HKEX regulatory update: directors’ duties
  • ESG: engaging investors + new HKEX rules
  • Best practice sharing: cyber security, post-covid HR practices

 

For more details, please visit here

 




RENEWAL OF DPOC's MEMBERSHIP

Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!

 

Special offer for organisational renewals:

Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).

 

Renew your membership now to keep up-to-date with the latest news and legal developments!


Contact Us

Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

 


 

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.