Hong Kong PCPD publishes Model Contractual Clauses for Cross-border data transfers

On 12 May 2022, Hong Kong’s Privacy Commissioner for Personal Data (the "PCPD") published its "Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data" (the "Guidance"). It is important to understand that the Guidance relates to cross-border transfer controls set out in the Personal Data (Privacy) Ordinance (Cap. 468) (the "PDPO") which are not yet in effect, meaning that, in the main, the Guidance serves as best practice recommendations. However, it is equally important to note that most of the specific compliance measures set out in the Recommended Model Contractual Clauses (the "RMCs") included in the Guidance draw from specific obligations under the PDPO that apply irrespective of the PDPO’s cross-border transfer controls, meaning that implementing a number of the components found in the RMCs (or equivalent measures meeting PDPO requirements) is mandatory from a PDPO compliance perspective.

Overview of the Guidance

The introductory sections of the Guidance explain that the PCPD is concerned that the globalization of business and increasing use of mobile and cloud technologies make it more important for organizations to take concrete steps to ensure that the PDPO is complied with in respect of personal data leaving Hong Kong.

Section 33 of the PDPO, if brought into force, would specifically address this issue, requiring organizations processing personal data ("data users" under the PDPO’s terminology) to satisfy one of six requirements. Of particular relevance to the Guidance is section 33(2)(f), which would permit cross-border transfers where the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in its destination jurisdiction, be processed in a way that would breach the PDPO (the "Due Diligence Requirement").

The Recommended Model Contractual Clauses

The Guidance explains that a key aspect of the Due Diligence Requirement is the use of contractual clauses to ensure that the offshore recipient of the personal data complies with the PDPO. 

The RMCs cover two cross-border data transfer scenarios: (a) transfers from a data user to another data user ("DU-DU RMCs"); and (b) transfers from a data user to a data processor ("DU-DP RMCs").

A "data user" is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. A "data processor" is a person who processes personal data on behalf of another person and does not process the data for any of its own purposes.

It is important to understand that although the RMCs are prepared with an eye to eventual compliance with section 33, as and when it is brought into force, the content of the RMCs reflects PDPO requirements that are in force today. 

To briefly summarize the key features of the RMCs and the relevant PDPO requirements:

| Key feature | Relevant DPP principles | DU-DU RMCs | DU-DP RMCs |
| --- | --- | --- | --- |
| Purpose of data transfer | DPP1 | The transferee will use the transferred personal data for its own business purposes, but only for those specific purposes specified in the agreement | The transferee will only process the personal data for purposes of providing services to the transferor |
| Data is adequate but not excessive | DPP1 | The transferee does not use data which is excessive for the purposes of transfer | The transferee does not use data which is excessive for the purposes of transfer |
| Data is securely processed and only retained for as long as it is needed | DPP2, DPP4 | The transferee is required to apply security measures specified in the agreement and take all practicable steps to erase the personal data once the purposes of transfer have been fulfilled (and subject to any specific retention period in the agreement) | The transferee is required to apply security measures specified in the agreement and take all practicable steps to erase the personal data once the purposes of transfer have been fulfilled (and subject to any specific retention period in the agreement) |
| Restrictions on onward transfer / sub-processing of personal data | DPP3 | The transferee will not: (1) make any onward transfer of personal data without the transferor’s prior consent, or as authorized under the agreement; or (2) process the personal data in a place other than as specified in the agreement | The transferee will not: (1) make any onward transfer of personal data without the transferor’s prior consent, or as authorized under the agreement; or (2) process the personal data in a place other than as specified in the agreement |
| Data subjects' access and correction rights | DPP6 | Each party will comply with its obligations in respect of data subject access and correction rights, including the procedures for administering these set out in the agreement | n/a |

Both RMCs incorporate a Data Transfer Schedule which sets out the agreements between the transferor and transferee on specific operational and technical aspects of the data transfer, including the categories of data transferred, purposes of transfer, permitted jurisdiction to which data is transferred, retention period, onward transfer and sub-processing, and security measures.

Additional commercial terms

The Guidance notes that the RMCs are intended to be free-standing clauses and do not incorporate commercial terms, which the data user may choose to agree separately with the transferee(s). Data users are therefore encouraged to include separate commercial terms; such additional assurances may include rights and obligations in relation to the use and processing of personal data by the transferee, audit reporting and data security reviews, notifications of security breaches, as well as regulatory compliance support and cooperation with regard to data access and correction requests.

Next Steps

It is important to understand that the Guidance does not just serve as best practice recommendations for an inoperative provision of the PDPO. As explained in the table above, most of the provisions set out in the RMCs are mandatory requirements already applicable to organizations by virtue of the various DPPs under the PDPO. The introduction of section 33’s cross-border controls would add an additional compliance requirement for Hong Kong businesses, but the intention of section 33 is that existing controls already applicable under the PDPO be explicitly applied to overseas data users and data processors. Organizations need to take steps now to confirm that the requirements of the RMCs are in place with their business partners.

The PCPD recommends that data users incorporate or adapt the RMCs into their commercial agreements (such as data transfer agreements and wider service agreements) to demonstrate compliance with data protection requirements under the PDPO and ensure adequate measures have been taken in respect of cross-border data transfers. As part of their data governance responsibilities to protect the personal data of data subjects, data users are encouraged to be transparent about their data processing activities, such as notifying data subjects that their personal data may be transferred outside Hong Kong. These factors will also become relevant when defending against any suspected or alleged breach of the PDPO, including the DPPs.

This Guidance supplements the "Guidance on Personal Data Protection in Cross-border Data Transfer", including the Recommended Model Clauses in the Schedule annexed thereto, issued by the PCPD in December 2014.

Further reading: Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (PCPD, May 2022); Guidance on Personal Data Protection in Cross-border Data Transfer (PCPD, December 2014).


Authored by Mark Parsons and Anthony Liu.
