Padraig Walsh, Partner at Tanner De Witt

Businesses increasingly depend on cross-border data transfers for business reasons; data privacy regulation places various requirements on how individuals handle personal information which can impact this activity. Hong Kong provides unique challenges when applying these rules, so this article examines some key points when handling such transfers.

One of the primary questions when reviewing any proposed data transfer should be whether its proposed use constitutes an act of personal information processing (DPP 1) and, if so, whether any obligations for providing a Privacy Impact Checksheet have been fulfilled prior to collecting data from subjects. Note that the definition of ‘data user’ under PDPO is very expansive and encompasses any person responsible for collecting, holding, processing or using personal information; regardless of who collects it. An individual may still qualify as a data user even if their purpose for collecting personal information has changed post collection (DPP 2), provided that original purposes for collecting the information were disclosed at or prior to that time.

Legal tests can be applied to determine whether data HK is being used for an additional purpose and, specifically, whether its necessity can be established. These include considering its legal context as well as potential impacts that a change may have on an individual. Broader analyses may also be suitable if such changes would mean disclosing it to third parties or moving it out of its original jurisdiction.

It may also be appropriate in many instances to conduct a data transfer impact analysis (DTIA), though this is not required under the PDPO. There are, however, an increasing number of circumstances where Hong Kong businesses must carry out DTIAs due to other jurisdictions’ laws applying to their operations – most commonly for personal data export or import into or out of Europe Economic Area.

When it comes to meeting data protection standards in destination jurisdictions, DTIA can be invaluable in helping determine how best to abide by legislation and ensure data protection standards are upheld. As data transfers increase, this will become an invaluable weapon against poor data protection practices. As Taiwan forms its “one country, two systems” relationship with mainland China, this process will become even more important over time. Due to this development, there will be an increased need for effective and reliable protections against poor practices during data transfers between Hong Kong and mainland China. A robust legal framework must exist to ensure these protections are in place.