Hong Kong: PCPD guidance on recommended model clauses - Implications and comparison against EU SCCs

Given the increasing digitalisation in the handling of personal data and globalisation of business operations in recent years, the Privacy Commissioner for Personal Data ('PCPD') has recently released its Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data ('the 2022 Guidance').1 This is intended to assist organisations in crafting appropriate contractual terms for effecting such transfers within Hong Kong's data privacy regime. Albert Yuen, Yang Fan, and Eunice Lee, from Linklaters, look at key aspects of the 2022 Guidance and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').

Background

While the cross-border transfer controls under Hong Kong's data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 ('PDPO'), are not yet in effect, it is recommended that Hong Kong organisations implement the updated recommended model contractual clauses ('RMCs'), appended to the 2022 Guidance, in their commercial contracts as a matter of best practice. While the RMCs would cover data privacy compliance for transfers of data from Hong Kong to an outside jurisdiction, often there are two-way data flows with a counterpart (whether inter-group, or with a third party processor) located outside of Hong Kong. As such, international organisations would also need to consider compliance with the data transfer requirements of the applicable data privacy regime from the jurisdiction in which the counterpart is transferring its data into Hong Kong, e.g. the EU for a counterpart based in the EU.

For those organisations which already have an internal international group data transfer agreement ('IGDTA') based on the EU SCCs, such an IGDTA covers almost everything in the updated RMCs. Therefore, it is unlikely that such organisations will need to incorporate the RMCs wholesale into their IGDTA. Instead, it will be sufficient to have a Hong Kong specific annex which applies the EU SCCs for any cross-border transfers subject to the PDPO, but with some small modifications to track the obligations which are specific to the RMCs.

Building on existing guidance

This latest guidance supplements the previous PCPD 'Guidance on Personal Data Protection in Cross-border Data Transfers' issued in 2014 ('the 2014 Guidance')2, and updates the RMCs previously annexed to the 2014 Guidance.

In the 2014 Guidance, the PCPD maintained that, though Section 33 of the PDPO (imposing controls on cross-border data transfers outside Hong Kong) was not yet in operation, data users were still encouraged to follow that regime.

In other words, data users were recommended not to transfer personal data outside Hong Kong unless one of the conditions was met, one of which involved putting in place contractual clauses between the parties to fulfil the data user's obligations to take all reasonable precautions and exercise due diligence to permit cross-border transfers.

Eight years later, even with the 2022 Guidance, we have not moved far, with no new amendments to the PDPO and no indication of timing as to when Section 33 of the PDPO will be brought into operation.

Key aspects of the 2022 Guidance and RMCs

The new RMCs contained in the 2022 Guidance are similar in substance to those laid out in the 2014 Guidance, but cover the (typical) PDPO requirements in a more 'user friendly' format.

They also conveniently cover two cross-border data transfer scenarios:

  • transfers from a data user to another data user; and
  • transfers from a data user to a data processor.

The RMCs are largely grouped to target the following PDPO requirements:

  • Purpose limitation: a transferee should only use or process the personal data for the purposes and the relevant scope of collection.
  • Security: a transferee should apply agreed security measures to the use or processing of the personal data.
  • Retention and erasure: a transferee should retain the personal data only for a period which is necessary for the fulfilment of the purposes of the transfer and take all practicable steps to erase the personal data once the purposes of transfer have been achieved.
  • Accuracy and transparency: a transferee should take reasonable steps to ensure the data is kept accurate, and make its processing policies and practices transparent.
  • Onward transfers: onward transfers should meet the requirements of the applicable RMCs.

Noting that many multinational corporations' outsourcing arrangements are complex and long term, the 2022 Guidance also encourages data users to include additional contractual assurances as appropriate, including:

  • rights and obligations around reporting transferees' data security tests and reviews;
  • audit and inspection of transferees' systems;
  • notifications of data security breaches; and
  • regulatory compliance support and co-operation with data access and correction requests.

Comparison against the EU SCCs

Many multinational corporations which are subject to the EU's data privacy regime under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') will already have put in place the EU SCCs which were released in 2021. Often these EU SCCs will be incorporated into an IGDTA, which will be used by the multinational corporation in order to transfer personal data across its group companies around the world.

A key question for such organisations will be whether the use of the EU SCCs in their IGDTA will be sufficient to cover data transfers by a Hong Kong-based entity in compliance with Section 33 of the PDPO (as if it were in legal effect) and the 2022 Guidance. Put differently, the question arises whether the EU SCCs cover everything in the updated RMCs.

The short answer is yes, with a few minor exceptions. The vast majority of the obligations in the RMCs will be covered with the use of the EU SCCs. For example, the obligations mentioned above regarding purpose limitation, retention and erasure, accuracy and transparency, and notifications of data breaches are already covered if your organisation uses the EU SCCs. The minor exceptions are in relation to onward transfers where the obligations in the RMCs and the EU SCCs contain some small, but material differences. For example, the transfer of personal data from the importer data user to a third party requires consent under the RMCs, whereas no such explicit consent is required in the EU SCCs. In addition, the RMCs contain obligations on direct marketing whereas no such obligations are present in the EU SCCs.

This means that for organisations which have an IGDTA based on the 2021 EU SCCs for the transfer of personal data across their group companies around the world, it is unlikely that such organisations will need to incorporate the RMCs wholesale into their IGDTA. Instead, it will be sufficient to have a Hong Kong-specific annex which applies the EU SCCs for any cross-border transfers subject to the PDPO, but with some small modifications to track the onward data transfer and direct marketing obligations which are specific to the RMCs.

What does this mean for you?

The PCPD recommends that where cross-border transfers of personal data outside Hong Kong are required, data users should incorporate the updated RMCs (whether in their self-contained form, or adapted equivalents) into their commercial agreements.

Whilst the 2022 Guidance and RMCs are considered best practice guidance, much of the subject matter covered by the RMCs represents existing data privacy requirements applicable to organisations operating in Hong Kong under the PDPO.

Use of the RMCs will give confidence to a data user transferring personal data outside Hong Kong that such transfers comply with the PDPO (including Section 33 when it is brought into force).

Further, including these updated RMCs helps demonstrate that an organisation has exercised reasonable due diligence and put adequate protections in place when defending against any alleged breach of the PDPO.

For many multinational corporations which are subject to the EU's data privacy regime under the GDPR who already have put in place the EU SCCs and also need to undertake data transfers to and from Hong Kong entities or suppliers, a key consideration will be how to adopt the RMCs and comply with the 2022 Guidance when they have already incorporated the EU SCCs into an IGDTA. The good news is that, generally speaking, the EU SCCs already cover nearly everything in the updated RMCs and it is unlikely that such organisations will need to incorporate the RMCs wholesale into their IGDTA. Instead, it will be sufficient to have a Hong Kong-specific annex which applies the EU SCCs for any cross-border transfers subject to the PDPO.

Hong Kong organisations should therefore take steps to review and confirm if their current and future commercial agreements contain requirements equivalent to the RMCs, and for those who have already adopted the EU SCCs under their IGDTA, to consider whether they wish to adopt a specific annex to apply PDPO-specific nuances for their cross-border transfers subject to the PDPO.

Albert Yuen, Counsel & Head of TMT
Yang Fan, Managing Associate
Eunice Lee, Associate
Linklaters, Hong Kong


1. Available at: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_model_contractual_clauses.pdf
2. Available at: https://www.pcpd.org.hk/english/resources_centre/publications/files/GN_crossborder_e.pdf