How to Protect Personal Data Across Borders
As one of the most important business centres in Asia, Hong Kong is at the heart of international trade. This is a key economic advantage, but it also raises questions about the protection of personal data across borders. There are ways to ensure that data transfers between Hong Kong entities and outside entities comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO), but these must be carefully considered. One way is to adopt the recommended model contractual clauses published by the Privacy Commissioner for Personal Data (PCPD). These cover two scenarios: a transfer from an entity in Hong Kong to an entity outside Hong Kong; and a transfer between two entities, both of which are outside Hong Kong, when the transfer is controlled by a Hong Kong data user.
As a general principle, a data user must expressly inform a data subject on or before collecting his personal data of the purposes for which it will be used and the classes of persons to whom the personal data may be transferred. This is because data use and transfer are both forms of data processing, and a data user must meet the six core data protection principles (DPPs) in respect of each.
In 2020, increased cross-border data flow was seen as a fundamental business objective and essential attribute of Hong Kong’s economy. The free flow of information was viewed as an irreplaceable part of the world’s information infrastructure. At that time, there was strong support for the implementation of section 33 in order to protect privacy in cross-border data flows.
However, as the business community weighed the pros and cons of section 33 implementation, there was a shift away from its application as a policy objective to a view that it should not be implemented at all. This was largely due to the perceived adverse impact on business, difficulties in achieving compliance, and the cost of compliance.
The current position of the PCPD and the Hong Kong government is that there are still a number of business benefits to a free flow of data between Hong Kong entities and those overseas, and that it would be difficult or even impossible to implement an adequacy regime in Hong Kong given the scale and variety of the international business landscape. This approach does seem to be out of step with trends in Europe and elsewhere.
However, it remains to be seen whether this position will hold in the long run. There is a growing need for efficient and reliable means of transferring data between Hong Kong and mainland China, and internationally. This could drive change. If it does, it will be good for businesses in Hong Kong, and for the global business community as a whole. A good example of this is HealthyHK, which is engineered by the Department of Health to integrate various databases and provide public access to data for policy formulation, needs assessment, and monitoring and evaluation of public health services. This data was collected from a wide range of stakeholders including the public, healthcare professionals and non-governmental organisations.