Ada Chung Lai-ling FCG HKFCG, Barrister, Privacy Commissioner for Personal Data (PCPD), discusses new guidance published by the PCPD in May this year and the compliance implications of transfers of personal data from Hong Kong to the Mainland or other places. 

In the light of the globalisation of business operations and unprecedented digitalisation in our daily lives, we have seen an exponential increase in cross-border transfers of personal data. The implementation of the Personal Information Protection Law in the Mainland in November 2021 has also brought about a whole new regulatory regime for transborder flows of personal information from the Mainland to other parts of the world.  

In the context of cross-border transfers of personal data involving data users in Hong Kong, local enterprises, especially the small and medium-sized ones, may experience practical difficulties in drafting appropriate contractual terms for effecting cross-border transfers of personal data while ensuring that the transfer is in compliance with the requirements of the Personal Data (Privacy) Ordinance (Cap 486) (Ordinance). 

In this context, governance professionals are very well placed within their respective companies or organisations to provide advice to the board and senior management on how personal data can be transferred across the border, from Hong Kong to the Mainland or other places. The Office of the Privacy Commissioner for Personal Data, Hong Kong, published the Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (Guidance) on 12 May 2022.  

The Guidance provides detailed elaborations as to the substantive effect of the Recommended Model Contractual Clauses (RMCs), and how adherence to the same ensures that adequate protection be given to the personal data as provided for under the Ordinance, as if the data concerned were not transferred outside Hong Kong. The Guidance also recommends to data users, especially the small and medium-sized enterprises, the best practices to be adopted as part of their data governance responsibility to protect and respect the personal data privacy of data subjects.  

In particular, the Guidance introduces two sets of RMCs, which may be incorporated into more general commercial agreements between data transferors and data transferees, in which other commercial considerations may also be addressed.

The legal requirements

Essentially, the protection should follow the data irrespective of the location of the data. Data Protection Principle (DPP) 3 of the Ordinance, which is directed against the misuse of personal data, specifies that personal data shall not, without the data subject’s express and voluntary consent, be used for a new purpose. Thus, transfer of personal data to a place outside Hong Kong would require the data subject’s prescribed consent under DPP3 if it is for a new purpose, unless such transfer falls within the exemptions under Part 8 of the Ordinance. 

Further, if a data user engages a data processor to process personal data outside Hong Kong on behalf of the data user, the data user must adopt contractual or other means to, among other things: 

1. prevent any personal data transferred to the data processor from being kept longer than is necessary for the processing of the data (under DPP2(3)), and 
2. prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing (under DPP4(2)). The data user remains liable for the acts of its agent done with its authority under section 65 of the Ordinance.

To ensure compliance with the requirements imposed by the Ordinance, notwithstanding the transfer of data outside Hong Kong, it is advisable for data users to incorporate the RMCs into agreements for cross-border data transfers. The adoption of the RMCs will also serve to illustrate that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the jurisdiction of the transferee, be collected, held, processed or used in any manner which, if that took place in Hong Kong, would be a contravention of a requirement under the Ordinance. All these factors will be taken into account when there is any suspected or alleged breach of the Ordinance, including the DPPs.

The RMCs

The two sets of RMCs set out the general obligations of the contracting parties in respect of the protection of personal data privacy and cater for two different scenarios in cross-border transfers of personal data, namely:

1. from one data user to another data user, and 
2. from data user to data processor. 

They are applicable to the transfer of personal data from a Hong Kong entity to another entity outside Hong Kong, or between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user, with a view to facilitating the parties to cross-border transfers of personal data to take into account the relevant requirements of the Ordinance, including the DPPs under Schedule 1 thereof.  

In the context of cross-border transfers of personal data outside Hong Kong, data users are advised to take all reasonable precautions and exercise all due diligence to ensure that the personal data transferred would not, in the destination jurisdictions, be handled in a manner which, if that took place in Hong Kong, would be a contravention of the requirements of the Ordinance. The RMCs provide, for instance, that a transferee should:

1. only use or process the personal data transferred for the specified purposes of transfer
2. adopt the agreed security measures in the use or processing of the personal data transferred
3. retain the personal data transferred only for a period which is necessary for the fulfilment of the defined purposes
4. take all practicable steps to erase the personal data transferred once the purposes of transfer have been achieved
5. not make any onward transfer of personal data to any third party except as agreed by the parties, and ensure that parties to any onward transfer should be subject to the same (or substantially similar) RMCs, and 
6. comply with the data subjects’ access and correction requests (only for a transferee acting as a data user).

Good data ethics 

Last but not least, the Guidance advocates that data users should adhere to the principles of good data ethics which, put simply, is about doing what is reasonably expected by data subjects and being transparent about data processing activities. A perceived lack of transparency around data processing activities can engender a sense of distrust between the data user and data subjects. Adopting RMCs and observing the principles of transparency and accountability will be conducive not only to maximising the value of data, but also to developing and sustaining the trust of data subjects.

Recommendations for governance professionals

Governance professionals are recommended to read the Guidance and understand the practical implications of the RMCs in the context of cross-border transfers of personal data carried out by the companies or organisations which they serve. Given the important role which Hong Kong will play in the implementation of the Outline Development Plan for the Guangdong–Hong Kong–Macao Greater Bay Area, I envisage that there would be more frequent transfers of data, including personal data, between Hong Kong and other cities in the Greater Bay Area. Governance professionals should equip themselves with up-to-date knowledge of the legal requirements for cross-border data transfers to better serve businesses in the Greater Bay Area. Data governance, including cross-border data transfers, will undoubtedly take centre stage in the years to come.  

Ada Chung Lai-ling FCG HKFCG, Barrister  
Privacy Commissioner for Personal Data  

The Guidance is available in hard copy and accessible at: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_model_contractual_clauses.pdf.