Transfer Impact Assessments and Model Clauses For Data Transfers

Hong Kong businesses transferring personal data overseas may need to conduct a transfer impact assessment under the Personal Data Protection Ordinance (“PDPO”). This analysis serves to ascertain whether the level of protection in the destination country or territory is sufficient for the intended use, and whether any additional steps need to be taken. Such steps include technical measures such as encryption, anonymization or pseudonymization, and contractual provisions including audit/inspection provisions, breach notification agreements and support programs for compliance support/co-operation.

If a PDPO transfer impact analysis indicates that the level of protection in the destination country does not meet its requirements, the transferring entity must either suspend the transfer or implement additional measures in order to bring its laws or practices closer to those found within PDPO standards. Under some limited circumstances these additional steps might not even be necessary.

An importing entity must not only conduct a transfer impact assessment, but must also adhere to the six core data protection principles outlined by PDPO. For example, they must secure voluntary and express consent from data subjects when sharing or using their personal data beyond what was stated in PICS or for an unintended purpose.

As with the importing entity, an importer must also implement adequate technical and organisational safeguards to protect personal data received from transferring entities, in accordance with PDPO requirements. These measures must ensure adequate protection of personal information transferred.

As China deepens its economic integration with Hong Kong under the “one country, two systems” principle, there will likely be an increased volume of data traffic between jurisdictions – underscoring the importance of having an efficient and reliable legal basis to transfer personal data across borders.

As part of its efforts to promote good data governance, the PCPD has issued several recommended model clauses which can be included in contracts that involve data transfers. These models describe data transfers between data users and their own processors, or between entities controlled by Hong Kong data users which share one data processor outside Hong Kong. The recommended model clauses also address the transfer of personal data from Hong Kong entities to those on mainland China, thus contributing to good data governance and best practices. However, they do not provide a comprehensive solution to the challenges faced by businesses reliant on data transfers for global operations. Their full benefits will only become evident once they are implemented effectively and consistently, an arduous task which requires both government and business communities working in concert.
