Transfer of personal data – will section 33 finally come into force?

What is section 33?

Generally, section 33 of the Personal Data (Privacy) Ordinance (Cap.486) (PDPO) prohibits the transfer of personal data to a jurisdiction outside Hong Kong unless the data subject has consented to the transfer, or the jurisdiction has similar data protection legislation to Hong Kong. Section 33 covers transfers from Hong Kong to a place outside Hong Kong and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user. Although section 33 has been law since 1995, it has never come into force. However, there have been recent indications that the Government is preparing to bring this long-dormant provision into effect.

According to section 33, the transfer of personal data to places outside Hong Kong is prohibited unless at least one of a number of conditions is met. The conditions are that:

• the destination has been approved by the Privacy Commissioner in writing;
• the data user has reasonable grounds for believing that the place has privacy laws which are substantially similar to, or serve the same purpose as, the PDPO;
• the individual has consented in writing to the transfer;
• the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the data subject's consent but, if practicable, such consent would be given;
• the data are exempt from Data Protection Principle 3 by virtue of Part VIII of the PDPO which exempts personal data held for certain purposes such as domestic purposes, employment or staff planning, the prevention or detection of crime, the security or defence of Hong Kong, legal professional privilege, news activities etc;
• the data user has taken “all reasonable precautions and exercised all due diligence to ensure” that the data will not be collected, held, processed or used in any manner that would constitute a contravention of the PDPO if it occurred in Hong Kong.

The current position

Currently, the transfer of personal data to entities outside of Hong Kong (including other group entities) is permissible provided that organisations have complied with the other general provisions of the PDPO. These are Data Protection Principle 1 concerning the Collection of Personal Data and Data Protection Principle 3 concerning the Use of Personal Data. Data subjects must be notified at the time of collection that such data may be transferred out of Hong Kong for the purposes specified. Typically organisations discharge their obligation to notify the data subject by including a statement to this effect in the Personal Information Collection Statement issued to individuals before collecting the personal data from them. However, once section 33 comes into force, mere notification will not be sufficient.

So long as a data user is able to control, in or from Hong Kong, the holding, processing or use of the personal data outside Hong Kong, the provisions of the PDPO will apply. If a data user outsources the processing of the personal data to an offshore agent, any act done by its offshore agent in breach of the PDPO, will be treated as done by the data user and the data user will be liable.

The fact that section 33 is not in force means that there is no current restriction on the transfer of personal data to jurisdictions that do not have a data protection regime. It also means that parties wishing to protect personal data transfer to such jurisdictions must rely on contractual terms to restrict the use of the transferred data.

So what now?

The issue has been the subject of recent discussions in LegCo. Some members feel that the section should be brought into operation as soon as practicable to prohibit the transfer of data territories that lack comparable privacy protection. However, there is concern that it will not actually be practical to regulate data processing outside Hong Kong, given the prevalence of cross-boundary data transfer activities.

Since section 33 provides that data users may transfer personal data to places with legislation substantially similar to, or serving the same purposes as, the PDPO, the Privacy Commissioner needs to specify a list of such jurisdictions, before the provision can come into operation. In December last year, the Commissioner sent out invitations to tender for the provision of consultancy services for preparatory work on the implementation of section 33. The initial intention is to come up with a “White List” of places with privacy laws comparable to Hong Kong. The Commissioner has already identified a list Hong Kong's principal trading partners and a list of other relevant jurisdictions to be reviewed.

Although there is no specific timetable for the implementation of section 33, it is thought that the Privacy Commissioner intends to implement section 33 as soon as possible after the Data User Return Scheme (DURS) has been implemented. Consultation on this issue is currently in progress and it is expected that DURS will be launched in mid 2013. However, since the implementation of section 33 will clearly have significant implications on the data transfer activities of all sectors of the community, potentially affected parties should start reviewing their data transfer policies as soon as possible.