Several data privacy regimes now include a statutory restriction on the transfer of personal data outside their jurisdiction. Nevertheless, the transfer of personal data is essential to business operations and it remains a key business activity worldwide. Consequently, a number of regulatory bodies have been adopting measures to streamline compliance arrangements in relation to personal data transfers. The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) has recently published two sets of recommended model contractual clauses that cater for a situation in which a data user is transferring his personal data to another entity, or between entities both of which are outside of Hong Kong when the transfer is controlled by the data user (the “Data Transfer Model Clauses”).
The PCPD has clarified that a person who is a data user in respect of personal data is one who controls all or part of the collection, holding, processing and use of such data (section 65, PDPO). However, he does not control the personal data if it is gathered by or shared with his agent or subcontractor, unless the person who controls the data user is liable for the acts of the agent or subcontractor, or the agency or contract is governed by laws of Hong Kong.
For a transfer to be lawful under the PDPO, it must be made in accordance with the Data Protection Principles of the PDPO and the other applicable provisions of the PDPO. In addition, the transfer must be in a form that is practicable to access and process. It must also be true that a data user will not use the personal data transferred for a purpose that is inconsistent with the purposes specified in the PICS of the data subject. As the PCPD points out, this means that a data transfer cannot be for a new purpose or to a class of persons not notified to the data subject on or before the original collection of their personal data.
This is a significant departure from the position under GDPR, which allows for the transfer of personal data to third parties where the new purpose or the new group of persons to whom the data is transferred is compatible with the original purposes notified to the data subject. Under GDPR, such a change may require the data exporter to obtain the express consent of the data subject.
In summary, the Data Transfer Model Clauses allow for a higher degree of flexibility than that provided under GDPR, but they will still need to be reviewed carefully to ensure that they comply with all other requirements of the PDPO. This will be particularly important when a data exporter is making a personal data transfer to a country where the application of GDPR is in doubt. In the future, as the relationship between Hong Kong and Mainland China develops further and the Greater Bay Area (“GBA”) continues to grow, this may well become a key factor in facilitating a smoother and more efficient arrangement of cross-boundary data flows.