Transferring Personal Data Across Borders
As businesses operate in an increasingly globalised economy, businesses require efficient and secure methods for the transfer of personal data across borders. Padraig Walsh from Tanner De Witt’s Data Privacy practice outlines key points when planning the transfer of data either between Hong Kong and another jurisdiction or from elsewhere into Hong Kong.
Hong Kong stands in stark contrast to mainland China in that it allows free flow of information with minimal restrictions placed upon data centre operations. Thanks to its legal framework, reliability, and superior industry-specific infrastructure – Hong Kong serves as a key regional hub for GBA. Furthermore, its mobile ICT professionals and immigration policies help international professionals to work successfully here.
Hong Kong offers international companies an ideal setting to establish regional data centres. The free flow of information enables smooth business operations within Greater Bay Area (GBA), and they can take advantage of Hong Kong’s low energy costs and high security standards.
As data centres become more and more popular, demand for data storage space continues to skyrocket and new facilities are projected to double by 2028. Hong Kong boasts an attractive legal framework, reliable electricity supply, and extensive industry infrastructure that are well equipped to attract international data centres as clients and provide services accordingly.
However, many international data transfer projects encounter difficulty complying with Section 33 of the Personal Data (Privacy) Ordinance due to its non-requirement for users to conduct a transfer impact assessment before moving personal data abroad.
Section 33 only prohibits the transfer of personal data outside Hong Kong unless certain conditions are fulfilled, and businesses seeking to export personal data abroad should carefully examine these conditions and consider preparing a transfer impact assessment prior to doing so.
Hong Kong data exporters only need to conduct a transfer impact assessment if they control the processing of personal data of persons within the European Economic Area (EEA), provide goods or services directly to these data subjects or monitor their behaviour; which is far less burdensome than GDPR’s six step model of transfer impact analysis.
PCPD recently made clear that data users, regardless of whether a transfer impact assessment is required, should consider making disclosures to data subjects prior to sending their personal data overseas (new Section 66K(1)). This ensures they will have full awareness of what will happen with their information after its transfer.
Hong Kong may appear out of step with international trends regarding data transfers, yet there may be valid reasons for its non-adoption of an adequate or equivalent regime. Perhaps rapid transformation of data laws within mainland China, which operates under “one country, two systems,” will prompt reform in this area.