How to Comply With Data Protection Laws in Hong Kong

Increasing cross-border data flow has been seen as the lifeblood of the Hong Kong economy. However, implementing section 33 has been a major hurdle for the business community, as it is viewed as restricting free movement of data within the global economy.

Data hk is a website which provides a variety of resources to help businesses comply with the data protection laws in Hong Kong. It offers information on the PDPO and its application in practice, guidance on how to conduct a transfer impact assessment (TIA) and details of the various mechanisms which companies can use to comply with PDPO requirements regarding transfers of personal data abroad.

The PDPO defines “personal data” as any information relating to a living individual from which it is practicable for that person to be identified. This definition can encompass a wide range of information including an individual’s name, identity card number, passport number, driving licence, telephone number and so on. However, the PCPD has made it clear that an individual’s consent must be obtained before any personal data may be collected for the purposes of transferring it abroad.

An individual must be notified, on or before the collection of his personal data by the data user, of the purpose for which it will be used and the classes of persons to whom it will be transferred. This requirement is a key component of the six core data obligations under the PDPO, and includes the right to withdraw consent at any time. The PDPO also stipulates that a data user must obtain the express and voluntary consent of the data subject before it can transfer his personal data for any purpose other than the one stated in the PICS.

If a data exporter wishes to transfer his personal data abroad, he must complete a TIA before the data is released for transfer and must ensure that the data importer complies with all relevant laws. This can be a challenging exercise, particularly where it is not possible to predict the law and practices of the destination jurisdiction, or whether a published law will be enforced.

There is an ever-increasing number of circumstances in which a Hong Kong data user will need to undertake a TIA when considering the transfer of his personal data overseas. As a result, he must consider the laws of the destination jurisdiction, as well as those of the EEA where the originating data is stored or processed. This is an important consideration when it comes to agreeing to standard contractual clauses proposed by EEA data exporters under GDPR. The EDPB’s six-step framework for conducting a TIA is not mandatory in Hong Kong, but it can be a useful tool to assist data users who are considering a transfer of their personal data overseas.