Multinational businesses must familiarise themselves with the growing suite of statutory or regulatory data protection requirements being put in place globally to govern the cross-border transfer of personal data.

Recent guidance issued in the Hong Kong Special Administrative Region (SAR) should serve as a trigger for businesses to carry out data transfer risk assessments in relation to the jurisdictions they are active in.

New model clauses to use in Hong Kong

In many jurisdictions around the world, businesses face strict rules governing the cross-border transfer of personal data. As has happened in Europe, the privacy authority in Hong Kong SAR has recently been active in clarifying issues around cross-border data transfers.

In Hong Kong, section 33 of the Personal Data (Privacy) Ordinance (PDPO) regulates the cross-border transfer of personal data. This section 33 has existed on the statute book since 1996, when the bulk of the PDPO began to apply, but has never been brought into force. Despite this, the Office of the Privacy Commissioner for Personal Data (PCPD) issued a guidance note in May 2022 (12-page / 405KB PDF) with the intention of setting out the best practices to be adopted and new recommended model contractual clauses that can be used to facilitate the cross-border transfer of personal data out of Hong Kong.

Even though the guide does not have the force of law, it outlines the PCPD’s vision and expectation of the compliance standard the parties to a cross-border data transfer arrangement should meet. It is a useful starting point for businesses, as data users, when reviewing their existing data transfer arrangements and devising future ones. The guide sets out the PCPD’s approach to cross-border data transfers, explains the rationale for the new recommended model contractual clauses, and includes the clauses themselves.

When do the clauses apply?

The clauses are applicable to cross-border transfers of personal data from a Hong Kong entity to another entity outside Hong Kong, or between two entities where both are outside Hong Kong but the transfer is controlled by a Hong Kong data user.

How to use the clauses

The PCPD has prepared two sets of clauses. Each set caters for a different cross-border data transfer scenario, and adoption of either set is voluntary.

The first set of clauses can be used for data transfers from one data user to another data user. The second set is for data transfers from a data user to a data processor. The clauses are designed to be free-standing – businesses that use them are not required to adopt them in their entirety. Data users can use the clauses as base terms and conditions and incorporate other appropriate terms into their own data transfer agreements or commercial service agreements.

Why should you use the clauses?

Businesses that adopt the recommended model contractual clauses will demonstrate that they have taken reasonable precautions and exercised due diligence to ensure that personal data transferred outside Hong Kong is handled in compliance with the PDPO. Businesses can expect the PCPD to take into account the efforts they have made in incorporating the clauses into the relevant agreements, especially if and when there are complaints or reports of a suspected or alleged breach of the PDPO.

Additional contractual assurances

The PCPD believes that it is the responsibility of businesses, as data users, to protect personal data privacy of individuals, even if their data is transferred outside Hong Kong. The new clauses provide a practical framework to facilitate transfers of personal data from Hong Kong, enabling businesses to come to a clear agreement for transferring personal data in line with the PDPO requirements and good data ethics.

However, businesses should also consider whether an agreement beyond their own is in place that affects how that data is protected. Given the views of the PCPD, in such circumstances businesses should consider what suitable contractual assurances they can obtain, such as warranties and indemnities, to manage the legal risks.

Further contractual protections to consider

Whether or not the recommended model contractual clauses are adopted, when negotiating data processing or transfer arrangements with third parties, for example an external data processing service provider or a cloud service provider offering data sharing or storage services, businesses should consider and clearly set out the parties' respective rights and obligations in relation to the use or processing of personal data. Companies with existing contracts should review them to ensure they contain adequate contractual protections.

Specific issues to consider include:

  • Reporting, audit and inspection rights – data users may want to retain rights to inspect the data processor's data processing facilities or carry out security audits in relation to the data processor's systems and equipment. In addition, the data user may also wish to receive regular reports on the results of a data processor's data security tests and reviews.
  • Notification of breach – the data user may want to contractually require the data processor to notify it as soon as possible after becoming aware of any suspected data incident. This allows the data user to examine the circumstances, report to the authorities and take appropriate remedial action to contain the damage and prevent further harm to the affected individuals. This is especially important for multinational companies and companies with a global presence.
  • Compliance support and cooperation – this is particularly important for those in regulated industries. Companies in these regulated industries should require the transferees to cooperate with them in respect of regulatory compliance investigations and reviews, and in respect of matters such as data subjects' data access and correction requests, to keep the data accurate.

Developments in China

The Cyberspace Administration of China also issued a circular earlier this year in relation to data transfers. It asked for public comment on a set of draft provisions on a new standard contract for the outbound cross-border transfer of personal information.

The China circular and the Hong Kong SAR guidance have a similar outline. However, while there are many parallels, there are slight operational and technical differences in the details. For example, under the Cyberspace Administration of China proposals, in addition to conducting a personal information protection impact assessment before the transfer as set out in the Personal Information Protection Law, data processors are also required to file the relevant standard contract with the authority within a designated timeframe.

As regulations for cross-border data transfer continue to evolve, businesses will need to keep up to date with the latest regulatory developments in the relevant jurisdictions to ensure compliance.

Co-written by Sara Chan of Pinsent Masons.