Jan 202015

An Update on the Hong Kong Data Transfer Guidance

Sidley Data Matters Contributors
, , ,

Section 33 of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO) deals with the transfer of personal data, and prohibits the transfer of personal data outside Hong Kong except in specified circumstances, such as when:

  • the data protection laws of the foreign country are similar to the PDPO; or
  • the data subject has consented in writing to the transfer.

However, Section 33 has yet to be brought into force since its enactment in 1995, and there is at present, no timetable for its implementation. Nevertheless, on December 29, 2014, the Hong Kong Privacy Commissioner issued updated guidelines on Section 33, known as the “Guidance on Personal Data Protection in Cross-border Data Transfer” (the Revised Guidance), which includes a Model Contract for data transfer. The Revised Guidance gives more comprehensive insight into how the Privacy Commissioner will interpret Section 33. As Section 33 is still not in force, it does not significantly affect the way entities must handle the transfer of personal data currently. That said, the Privacy Commissioner has urged the Hong Kong Government to renew its focus on the implementation of Section 33; and to assist with its implementation, the Privacy Commissioner has provided the Government with a “White List” of jurisdictions with laws similar to Section 33 (the countries on the White List have not been made publicly available to-date). Given the growing global emphasis on data protection, and the recent attention paid to Section 33 by the Privacy Commissioner, the Revised Guidelines could very well be an indication that Section 33 will be implemented in the near future.

On a related note, the Privacy Commissioner also issued the “‘Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry” in October 2014, and one of its guidelines included the recommendation that if banks and financial institutions wish to transfer their customers’ personal data to a place outside Hong Kong, they should inform their customers of the kinds of data to be transferred, the purpose of the transfer, and if appropriate, the place to which the data is to be transferred.

The incumbent Privacy Commissioner has been particularly active in enforcing and broadening the scope of the PDPO. As such, companies with operations in Hong Kong or which hold data belonging to customers based in Hong Kong would be well-advised to implement the provisions in the Guidance, especially since the provisions are not particularly onerous and doing so would bring the data protection policies for the company in line with many other jurisdictions in Asia.

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work or

Yuet Ming Tham
Partner
yuetming.tham@sidley.com
+852.2509.7645/+65.6230.3969		     Joanne Mok
Associate
jmok@sidley.com
+852.2509.7653		     Lisa Thompson
Associate
lisa.thompson@sidley.com
+852.2509.7846

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.