HK-Mainland cross border data transfer: What do we need to know?

August 01, 2022 10:52

Whilst travel between Hong Kong and mainland China may still be subject to constraints, data and information still continue to flow seamlessly with the help of modern technology. With new rules and measures on data protection rolled out globally, what is the position of Hong Kong and mainland China on cross-border data transfers?

Hong Kong

In Hong Kong, the Privacy Commissioner for Personal Data (“PCPD”) is responsible for overseeing the implementation of and compliance with provisions of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). Whilst the PCPD strives to ensure that personal data are protected in Hong Kong, it also recognises the need to exercise its power within a defined boundary so as not to stifle the free flow of information, which is believed to be the life-blood of a data-driven economy.

In this regard, it is understandable why section 33 of the PDPO is still not in operation even though the legislation was enacted in 1995. Whilst it is not obligatory to comply with section 33, the PCPD highly recommends compliance with it and has since issued two guidance notes, one in 2014 and a recent one in 2022, to prepare for the implementation of section 33.

The PCPD recommends that data users adopt multiple measures to enhance protection. In the two guidance notes issued by the PCPD, recommended model clauses (“RMCs”) have been provided for data users to adopt in their data transfer agreements to fulfil the Due Diligence Requirement. In light of the detailed guidance offered by the PCPD, it is arguable that complying with the Due Diligence Requirement would be regarded as a minimal requirement insofar as the conditions under section 33 are concerned.

The RMCs are drafted with all the relevant DPPs in mind to ensure compliance. They can be adopted when transfer of personal data outside of Hong Kong is intended, and they would be relevant when the data transfer occurs between two entities both of which are outside Hong Kong, but the transfer is controlled by a Hong Kong data user. The RMCs provide a practical basis for facilitating transfers of personal data from Hong Kong, enabling organisations to agree on (1) the scope of personal data being transferred; (2) the purposes for which it will be transferred; and (3) the specific allocation of responsibilities between themselves in areas such as data security, managing data access and correction rights, as well as the transferee’s authority to make onward transfers to other jurisdictions or to other recipients.

The law surrounding data protection has continued to evolve globally and cross-border data transfer could happen in any context. Organisations should be aware of their data governance responsibilities and endeavour to follow best practices when conducting their business, engaging in a larger transaction or relocating their operations.

Mainland China

The rules on cross-border transfer of personal information in mainland China are still in the development stage, and the regulatory framework includes the following fundamental laws and regulations:

• Personal Information Protection Law (“PIPL”);
• Cybersecurity Law;
• Data Security Law;
• Measures on Security Assessment of Outbound Data Transfer, which will come into effect on 1 September 2022 (“Security Assessment Measures”); and
• Cybersecurity Standard Practice Guidelines – Security Specifications for Personal Information Cross-Border Processing Certification (the “Guidelines”).

Under the PIPL, personal data processors wishing to transfer personal data outside of mainland China must obtain separate consent from the relevant individuals. Depending on the nature of their data processing operation and the volume of data being processed, data processors must also take one of the following routes for legitimate data export:

• “Mandatory Security Assessment Route”;
• “Certification Route”;
• “Standard Contract Route”; or
• meeting other conditions set by CAC or relevant laws and regulations.

Whichever route is taken, Chinese data processors need to conduct a self-assessment in advance. Such self-assessment shall focus on evaluating the lawfulness, legitimacy and necessity of the intended transfer, the relevant risks, the overseas recipient’s capacity to safeguard data security, whether the data subjects have convenient channels to exercise their rights as provided under the PIPL, and whether the “legal document” to be signed between the data exporter and the overseas recipient has fully specified the data protection responsibilities and obligations of each party.

As data protection is growing globally, we anticipate more stringent rules and regulations for cross-border data sharing. In fact, the incumbent Secretary for Innovation, Technology and Industry, Professor Sun Dong, has recently suggested boosting Hong Kong’s competitiveness by making it a port for data flowing out of mainland China. This would require the enactment of cybersecurity laws in Hong Kong, and a public consultation is expected to be rolled out by the end of 2022. To prepare for the new era of data security and personal information protection, companies need to set up and implement a self-assessment system, so as to better manage potential risks in cross-border data transfers.

Joyce He (senior legal and tax manager, Withersworldwide) and Winnie Weng (senior associate, Withersworldwide) are co-authors of this article.
