The flow of personal data across borders is an essential feature of modern business. However, there are a number of issues that must be considered when transferring personal data, both domestically and internationally.

This article, written by Padraig Walsh from the Tanner De Witt Data Privacy practice group, takes a look at some key points to consider regarding personal data transfers, whether they are being transferred within Hong Kong or from other locations.

A good starting point is to remember that the territorial scope of PDPO only extends to a person who controls operations controlling collection, holding, processing or use of personal data in, or from, Hong Kong. This differs from some other jurisdictions which have included some form of extra-territorial application in their laws.

In addition, it is worth recalling that the PDPO imposes a range of statutory obligations on a data user in relation to personal data collected. These include the obligation to obtain the voluntary and express consent of a data subject on or before the collection of their personal data (DPP 1) and the requirement to inform a data subject of the purposes for which and the classes of persons to whom the personal data will be transferred on or before collecting it (DPP 2). It is also required that a data user obtains the prescribed consent of a data subject if he wishes to use the personal data for a new purpose (DPP 3).

For businesses in Hong Kong, there are a growing number of circumstances in which a data importer may need to carry out a transfer impact assessment prior to importing data from another jurisdiction, especially if the transfer is governed by the law of the European Economic Area. Such an assessment can be a useful tool in helping the data importer to verify that their lawful basis for importing the data is sound, and that they are complying with their data protection obligations.

Finally, the PDPO makes it clear that any personal data transferred to Hong Kong will be subject to the PDPO and its DPPs. This is in contrast to some jurisdictions which, for example, permit the transfer of personal data between entities both within their territory and to non-residents, where that data will be subject to local data protection regulations.

As increased cross-border data flows continue to grow in frequency and volume, businesses need a legal mechanism for transferring personal data that can be trusted. The PDPO’s section 33 will remain a powerful tool in that regard, as the data transfer provisions will ensure that any personal data transferred outside of Hong Kong is treated with the same respect and protection as personal data within the territory.