Key Points to Note When Carrying Out Cross-Border Data Transfers
The need to transfer personal data across jurisdictions in order to conduct business has never been more essential than it is now. As a result, a number of jurisdictions have implemented or are considering implementing some form of data transfer regulation. In this article, Padraig Walsh from the Data Privacy practice group at Tanner De Witt discusses key points to note when preparing and executing cross-border data transfers to ensure that they are carried out in accordance with applicable data privacy laws.
The key point to remember is that when a person carries out a transfer of personal data, this is a “data use” and triggers a range of statutory obligations under Hong Kong’s PDPO (Data Protection Policy Ordinance). This includes the need to comply with the six core Data Privacy Principles in respect of any such transfer.
While it may seem odd that a data use should trigger an obligation to comply with the PDPO, it is important to bear in mind that, in the context of section 33, a transfer is not just a physical movement of data but a process that involves the processing of information (or data) by one entity on behalf of another entity. The definition of “data” in the PDPO is broad and covers any type of information that can be processed and which can be associated with an individual.
In relation to the processing of data that is transferred by a data user to a foreign jurisdiction, section 33 requires the data exporter to identify and adopt any supplementary measures necessary to bring such data transfer procedures up to Hong Kong standards. These supplementary measures can be technical in nature (such as encryption, pseudonymisation or split processing) and they can also take the form of additional contractual provisions (including provisions on audit and inspection, breach notification, and compliance support and cooperation).
If these measures are not taken, section 33 will not be satisfied and the data transfer may not be lawful. There are also other issues to consider, including the need for a legal basis for the processing of such data and whether or not it is in the public interest.
For example, HK-dir collects personal data and other information from visitors to its premises (for example, name, organisational affiliation, telephone number, etc.). This is collected by security cameras which are activated when the doorbell is rung, and the information is stored on the data hk. This is done to ensure that only those authorised to enter the premises can do so, and for other operational purposes such as security, fire safety and recording of attendance at courses and seminars.
This is a typical example of the need for a legitimate interest to outweigh a person’s right to privacy. The same would be true of the collection of CCTV video footage that records people in public places, or the use of the “Great Firewall” to restrict access to websites in mainland China.