Whilst travel between Hong Kong and mainland China may still be subject to constraints, data and information still continue to flow seamlessly across the two regions every second with the help of modern technology. With new rules and measures on data protection being rolled out globally, what is the position of Hong Kong and mainland China on cross-border data transfers?
In Hong Kong, the Privacy Commissioner for Personal Data ("PCPD") is responsible for overseeing the implementation of and compliance with the provisions of the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"). Whilst the PCPD strives to ensure that personal data are protected in Hong Kong, it also recognises the need to exercise its power within a defined boundary so as not to stifle the free flow of information, which is believed to be the life-blood of a data-driven economy.
In this regard, it is understandable why section 33 of the PDPO is still not in operation even though the legislation was enacted in 1995. Whilst it is not obligatory to comply with section 33, the PCPD highly recommends compliance and has since issued two guidance notes, one in 2014 and a recent one in 2022, to prepare for the implementation of section 33.
Section 33 restricts the transfer of personal data outside of Hong Kong unless one of the following conditions is met:
- the place is specified by the PCPD where there is in force any law which is substantially similar to, or serves the same purposes as, the PDPO;
- the data user has reasonable grounds for believing that the place has in force any law which is substantially similar to, or serves the same purposes as, the PDPO;
- the data subject has consented in writing to the transfer;
- the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the consent in writing of the data subject to that transfer; but if it was practicable, such consent would be given;
- the data is exempt from Data Protection Principle (“DPP”) 3 by virtue of an exemption under the PDPO; or
- the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed, or used in any manner which, if that place is Hong Kong, would be a contravention of a requirement under the PDPO (the “Due Diligence Requirement”).
Although fulfilling any one of the above conditions would be sufficient, the PCPD recommends that data users adopt multiple measures so as to enhance protection. In the two guidance notes issued by the PCPD, recommended model clauses ("RMCs") have been provided for data users to adopt in their data transfer agreements to fulfil the Due Diligence Requirement. In light of the detailed guidance offered by the PCPD, it is arguable that complying with the Due Diligence Requirement would be regarded as a minimal requirement insofar as the conditions under section 33 are concerned.
The RMCs are drafted with all the relevant DPPs in mind to ensure compliance. They can be adopted when a transfer of personal data outside of Hong Kong is intended, and they are also relevant when the data transfer occurs between two entities both of which are outside Hong Kong but the transfer is controlled by a Hong Kong data user. The RMCs provide a practical basis for facilitating transfers of personal data from Hong Kong, enabling organisations to agree on (1) the scope of personal data being transferred; (2) the purposes for which it will be transferred; and (3) the specific allocation of responsibilities between themselves in areas such as data security, managing data access and correction rights, as well as the transferee's authority to make onward transfers to other jurisdictions or to other recipients.
Other than adopting the RMCs, data users should be reminded of the existing regime pertaining to the transfer of data, irrespective of whether the transfer is cross-border in nature or not:
- DPP1 (3) – data users should explicitly inform data subjects of the classes of persons to whom the data may be transferred;
- DPP3 – data users should obtain the prescribed consent of data subjects when there is a change of use of the personal data collected;
- DPP4 (2) – data users should adopt contractual or other means to prevent any personal data transferred to the data processors, whether within or outside Hong Kong, from unauthorised or accidental access, processing, erasure, loss or use of the data being transferred for processing; and
- DPP2 (3) – data users should adopt contractual or other means to prevent any personal data transferred to the data processors, whether within or outside Hong Kong, from being kept longer than is necessary for data processing.
The law surrounding data protection has continued to evolve globally and cross-border data transfer could happen in any context. Organisations should be aware of their data governance responsibilities and endeavour to follow best practices when conducting their business, engaging in a larger transaction or relocating their operations.
The rules on cross-border transfer of personal information in mainland China are still in the development stage, and the regulatory framework includes the following fundamental laws and regulations:
- Personal Information Protection Law (“PIPL”);
- Cybersecurity Law;
- Data Security Law;
- Measures on Security Assessment of Outbound Data Transfer, which will come into effect on 1 September 2022 ("Security Assessment Measures"); and
- Cybersecurity Standard Practice Guidelines – Security Specifications for Personal Information Cross-Border Processing Certification (the “Guidelines”).
Under the PIPL, personal data processors wishing to transfer personal data outside of mainland China must obtain separate consent from the relevant individuals. Depending on the nature of their data processing operation and the volume of data being processed, data processors must also take one of the following routes for legitimate data export:
- passing the security assessment conducted by the Cyberspace Administration of China ("CAC") ("Mandatory Security Assessment Route");
- obtaining relevant personal information protection certification from a CAC-accredited institution (“Certification Route”);
- signing a contract with the overseas data recipient(s) setting out the rights and obligations of each party in accordance with the standard form formulated by CAC (“Standard Contract Route”); or
- meeting other conditions set by CAC or relevant laws and regulations.
The Security Assessment Measures specify the scenarios where the Mandatory Security Assessment Route is required, including:
- a data processor is to transfer "important data" out of mainland China. "Important data" is broadly defined as any data which, once tampered with, damaged, leaked, or illegally acquired or used, may endanger national security, economic operation, social stability, or public health and safety;
- an operator of critical information infrastructure is to transfer personal information out of mainland China;
- a data processor that processes personal information of more than 1 million data subjects is to transfer the personal information out of mainland China;
- a data processor which has transferred personal information of more than 100,000 data subjects or sensitive personal information of more than 10,000 data subjects out of mainland China since 1 January of the previous year is to transfer personal information out of mainland China.
If none of the aforementioned scenarios applies, data processors may choose either the Certification Route or the Standard Contract Route.
According to the Guidelines, the Certification Route is applicable to the following cross-border transfers:
- cross-border personal information processing activities among subsidiaries or affiliated companies within a multinational company or within the same economic/business entity; and
- overseas personal information processing activities related to personal information of individuals in mainland China, for purposes such as providing products or services in mainland China or analysing and evaluating the activities of individuals in mainland China, which are subject to the extra-territorial jurisdiction of the PIPL.
Such certification is voluntary but is recommended for both local personal information processors and overseas recipients. However, the Guidelines do not cover the specific certification procedures or the accredited certification institutions, which will likely be covered in subsequent implementation rules.
As for the Standard Contract Route, a draft template for cross-border data transfer agreements, which is similar to the RMCs in nature, was released by CAC on 30 June 2022 under the draft Provisions on the Standard Contract for Export of Personal Information for public consultation (the “Draft Standard Contract”). The Draft Standard Contract mainly covers the following subject matters:
- identities of all parties related to the personal information processing activities;
- purpose, scope, type, sensitivity, amount, method, duration and place of data storage of data leaving the country;
- respective responsibilities and obligations of data processors and overseas recipients, and technical and management measures to be taken to ensure data security;
- impact that the personal information protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfilment of the standard contract;
- data subjects’ rights, and channels and methods to safeguard data subjects’ rights; and
- remedies, contract termination, liability for data breach and dispute resolution.
Within 10 days of the standard contract taking effect, the personal information processor must file the standard contract and the protection assessment report with the local provincial-level cybersecurity office.
No matter which route will be taken, Chinese data processors need to conduct self-assessment in advance. Such self-assessment shall focus on evaluating the lawfulness, legitimacy and necessity of the intended transfer, the relevant risks, the overseas recipient’s capacity to safeguard data security, whether the data subjects have convenient channels to exercise their rights as provided under the PIPL, and whether the “legal document” to be signed between the data exporter and the overseas recipient has fully specified the data protection responsibilities and obligations of each party.
As the level of data protection is rising globally, we anticipate that there will be more stringent rules and regulations for cross-border data sharing. In fact, the incumbent Secretary for Innovation, Technology and Industry, Professor Sun Dong, has recently suggested boosting Hong Kong's competitiveness by making it a port for data flowing out of mainland China. This would require the enactment of cybersecurity laws in Hong Kong, and a public consultation is expected to be rolled out by the end of 2022. To prepare themselves for the new era of data security and personal information protection, companies need to set up and implement a self-assessment system, so as to better manage potential risks in cross-border data transfers.