Learn more about our comprehensive legal services.
Advising our clients on different opportunities and challenges of the industry.
Developing a unique culture, which blends traditional client care with modern technology and working practices since 1851.
Stay up to date on the latest news and legal insights.
News & Insights
Authored by: Kelley Loo
Although Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) has been in force since December 1996, the specific cross-border transfer of data provisions contained in section 33, are still not yet in force. The provisions are intended to prohibit the transfer of personal data outside Hong Kong unless certain conditions are fulfilled. The framework is to ensure that data should only be transferred to jurisdictions that give a similar level of protection as provided under the PDPO.
There is still no timetable for implementation of the cross-border data transfer provisions. However, in May 2022, the Hong Kong Privacy Commissioner issued an updated Guidance Note on “Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data”. The Guidance Note includes two sets of recommended model contractual clauses (RMCs) to cater for different scenarios in cross-border data transfers. It is important to be note that many of the general protections of the PDPO also apply in the context of cross-border data transfers and the RMCs are consistent with existing data privacy requirements under the PDPO, including the six Data Protection Principles that govern, amongst others, the purpose and manner of collection of personal data, use and disclosure of personal data.
Although the Guidance Note is not legally binding, it should be considered as best practice, and compliance with the guidance by a business will be taken into account when investigating any suspected or alleged breach of the PDPO. It is recommended that businesses incorporate the RMCs (which have been prepared as free-standing clauses) into agreements with third parties on cross-border transfers of data. It should be emphasised that the sharing or transferring of personal data from a business to its parent, subsidiary, affiliated, related or other company within the same group of companies, whether located in or outside of Hong Kong, will still be regarded as “transferring out” of data and, as such, will still need to comply with the general requirements of the PDPO.
Businesses should also be aware that, while the RMCs appear similar to the Standard Contractual Clauses recently published pursuant to China’s Personal information Protection Law (PIPL), they are separate regimes and compliance with PIPL will need to be considered independently. The Guidance Note is a reminder for businesses to review their contracts on transfer of personal data to check for compliance with the guidance and the other requirements of the PDPO.
Please contact Deacons Intellectual Property Department for further information.
Subscribe to Publications
Sign up for our regular updates covering the latest legal developments, regulations and case law.