A few weeks ago, the Chinese data protection authority and Hong Kong’s privacy watchdog signed a new cross-border deal that will allow for easier transfer of personal data between the two jurisdictions. The agreement aims to increase data flow from the mainland and reinforce Hong Kong’s role as a regional data hub.
The new deal should provide some relief to businesses that rely on the free flow of data, particularly in industries such as artificial intelligence, which require massive amounts of information to analyse. This increased data flow will also support Hong Kong’s efforts to connect the Greater Bay Area (GBA) and enhance its status as a regional financial services and technology hub.
However, with restrictions on international data transfers remaining in place, businesses need to remain vigilant of the obligations and risks arising from data transfer. Padraig Walsh from Tanner De Witt’s Data Privacy team explains some of the key issues to consider.
In Hong Kong, the obligation to fulfil a range of core data user obligations triggered by collecting personal data includes DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data). The PICS should disclose the classes of persons to whom the personal data may be transferred and must obtain the voluntary and express consent of the data subject before the information can be used for a purpose not contemplated in the original PICS. This requirement is a common ground for data transfers, but should be kept in mind as it is not explicitly included in the definition of “use” under the PDPO.
It is also a good practice to disclose the names of the recipients of the personal data to the data subjects as part of the PICS, and this should be a trigger for reviewing the lawfulness of the transfer. In addition, when a personal data exporter agrees to the standard contractual clauses or contributes to a transfer impact assessment as set out in GDPR, it is likely that the obligation to disclose will be a legal basis for the transfer.
As a further consideration, the PDPO requires a data user to notify the data subject of any changes to their use of the personal data they have collected. Therefore, when a data transfer is made from Hong Kong to another location, it should be considered whether the original PICS needs to be amended or the transfer constitutes a new purpose that requires the statutory consent of the data subject. This is not as onerous as it might seem, as a change to the use of personal data is not necessarily a transfer and does not automatically trigger a PICS. This point is reinforced by the fact that, under AMI:HK, the PCPD has advised participants not to deny access requests on this basis. This is a welcome move, as it would avoid data transfer costs and a potential delay in responding to an access request.