Guidance on Personal Data Protection in Cross-border Data ...

1 Guidance on Personal data Protection in Cross-border data Transfer (a) The place is specified by the Privacy PART 1: INTRODUCTION Commissioner for Personal data (the Commissioner ) by notice in the Gazette that there is in force any law which is Section 33 of the Personal data (Privacy) substantially similar to, or serves the same Ordinance (the Ordinance ) prohibits the purposes as, the Ordinance;. transfer of Personal data to places outside Hong Kong unless one of a number of conditions is (b) The data user has reasonable grounds met. The purpose of such Cross-border transfer for believing that there is in force in that restriction is to ensure that the transferred place any law which is substantially Personal data will be afforded a level of similar to, or serves the same purposes as, Protection comparable to that under the the Ordinance.

2 Ordinance. (c) The data subject has consented in writing Although section 33 is not yet effective, this to the transfer;. Guidance serves as a practical guide for data users to prepare for the implementation of (d) The data user has reasonable grounds section 33 of the Ordinance. It helps data users for believing that the transfer is for to understand their compliance obligations the avoidance or mitigation of adverse for Cross-border data transfer once section action against the data subject; it is not 33 is effective. All the conditions for waiving practicable to obtain the consent in the transfer restriction are dealt with in this writing of the data subject to that transfer.

3 Guidance . but if it was practicable, such consent would be given;. Regardless of when section 33 will take effect, data users are encouraged to adopt (e) The data is exempt from data Protection the practices recommended in this Guidance Principle ( DPP ) 3 by virtue of an as part of their corporate governance exemption under Part VIII of the responsibility to protect Personal data . Ordinance; or The legal requirements (f) The data user has taken all reasonable Section 33(2) specifies that a data user shall not precautions and exercised all due transfer Personal data to a place outside Hong diligence to ensure that the data will Kong unless one of the following conditions is not, in that place, be collected, held, met: processed, or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance.

4 Guidance on Personal data Protection in Cross-border data Transfer 1 December 2014. Section 33 and DPPs Contravention DPP3, which is directed against the misuse data users who, without reasonable excuse, of Personal data , specifies that Personal data contravene section 33 commit an offence under shall not, without the data subject's prescribed section 64A of the Ordinance, which carries a consent, be used for a new purpose. New fine of up to HK$10,000. The Commissioner purpose means in essence any purpose other may also issue enforcement notices to data than the one for which the Personal data users who have contravened section 33 or was originally collected or a directly related DPP1.

5 Contravention of an enforcement notice purpose. Prescribed consent means consent issued by the Commissioner is an offence that is expressly and voluntarily given and has which carries a fine and imprisonment, and not been withdrawn by the data subject in a daily penalty in the case of a continuing writing, while use includes both disclosure offence after conviction2. and transfer of data . Thus, transfer of Personal data to a place outside Hong Kong would Who is required to comply with section 33? require the data subject's prescribed consent Section 33 applies to a data user , which is under DPP3 if it is for a new purpose unless defined under section 2(1) of the Ordinance such transfer falls within the exemptions under to mean, in relation to Personal data , a person Part VIII of the Ordinance.

6 Who either alone or jointly or in common with other persons, controls the collection, holding, Further, the trend of outsourcing and entrusting processing or use of the data . Personal data processing work by data users to their agents is increasingly common. If a Pursuant to section 2(12) of the Ordinance, data user engages a data processor to process a person who is merely transmitting data on Personal data outside Hong Kong on the behalf of another and not for any of his own data user's behalf, the data user must adopt purposes is not a data user in relation to that contractual or other means to (i) prevent any data . It follows that such person, not being a Personal data transferred to the data processor data user, is not required to observe section from being kept longer than is necessary 33.

7 For example, when a telecommunication for processing of the data (under DPP2(3)), ser vice pr ovider tr ansm its per so na l da ta and (ii) prevent unauthorised or accidental for other data users, it is not required to access, processing, erasure, loss or use of observe section 33 in relation to the data it the data transferred to the data processor for transmitted. On the other hand, a person using processing (under DPP4(2)). If a data user telecommunication means to transfer the data passes customers' Personal data to a contractor under his control will be subject to section 33. situated outside Hong Kong to make direct marketing phone calls, it is still required to What types of transfers are subject to observe the requirements under Part VIA of section 33?

8 The Ordinance in using Personal data in direct marketing. The data user remains liable for the Section 33 covers two situations, namely (i). act done by its agent with its authority under transfers of Personal data from Hong Kong to a section 65 of the Ordinance. place outside Hong Kong, and (ii) transfers of Personal data between two other jurisdictions data users are therefore reminded that where the transfer is controlled by a Hong compliance with section 33 does not exonerate Kong data user. their obligation under other requirements of the Ordinance. 1. Section 50. 2. Section 50A. Guidance on Personal data Protection in Cross-border data Transfer 2 December 2014.

9 The Ordinance itself does not define transfer'. Sending an email to a Hong Kong The ordinary meaning of the word, which recipient during which process the data is is transmission from one place or person to transmitted via a server/equipment situated another, applies. Transfer is distinguished from outside Hong Kong because of Internet mere transit. routing Transferring data outside Hong Kong is Unauthorised access of Personal data by often associated with the act of sending or third parties outside Hong Kong, such as transmitting Personal data from Hong Kong hacking3. to another jurisdiction for storage and/or processing, for instance, by sending paper or In the above examples of engaging third party electronic documents containing Personal data service providers, the data users consciously.

10 By courier, post or electronic means. Transfer engage outside parties to handle Personal data of data becomes a complex issue with the use and the process involves data transfer outside of the Internet and emerging technology. data Hong Kong. data users who are in possession movements across the borders can take various of Personal data owe a duty to data subjects to forms, and it may not be straightforward ensure that the third party service provider will to determine whether certain movement of not engage in any act such as storage and/or Personal data constitutes a transfer' for the processing of Personal data outside Hong Kong purpose of section 33.