Given the increasing digitalisation in the handling of personal data and globalisation of business operations in recent years, the HK Privacy Commissioner for Personal Data (PCPD) has recently released a new Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (2022 Guidance). This is intended to assist organisations in crafting appropriate contractual terms for effecting such transfers within Hong Kong’s data privacy regime. While the cross-border transfer controls are not yet in effect - it is recommended that Hong Kong organisations implement the updated recommended model contractual clauses (RMCs) (or equivalent) appended to the 2022 Guidance in their commercial contracts as a matter of best practice.
Building on existing guidance
This latest guidance, which is intended to have broad use, supplements the previous PCPD Guidance on Personal Data Protection in Cross-border Data Transfers issued in 2014 (2014 Guidance), and updates the RMCs previously annexed to the 2014 Guidance.
In the 2014 Guidance, the PCPD maintained that though s.33 of the PDPO (imposing controls on cross border data transfers outside Hong Kong) was not yet in operation, data users were still encouraged to follow that regime as part of their corporate governance responsibility to protect personal data.
In other words, data users were recommended not to transfer personal data outside Hong Kong unless one of the conditions were met, one of which involved putting in place contractual clauses between the parties to fulfil the data user’s obligations to take all reasonable precautions and exercise due diligence to permit cross-border transfers.
Eight years later, even with the 2022 Guidance, we haven’t moved far, with no new amendments to the PDPO relating to this issue and no indication of timing as to when s.33 of the PDPO will be brought into operation.
Key aspects of the 2022 Guidance and RMCs
The new RMCs contained in the 2022 Guidance are similar in substance to the 2014 version but cover the (typical) PDPO requirements in a more ‘user friendly’ format.
It also conveniently covers two cross-border data transfer scenarios: (1) transfers from a data user (who controls the collection, holding and procession of personal data) to another data user, and (2) transfers from a data user to a data processor (who processes personal data on behalf of another person).
The RMCs are largely grouped to target the following PDPO requirements:
- Purpose limitation - a transferee should only use or process the personal data for the purposes of, and the relevant scope of collection. No inadequate or excessive use.
- Security - a transferee should apply agreed security measures to the use or processing of the personal data.
- Retention and erasure - a transferee should retain the personal data only for a period which is necessary for the fulfilment of the purposes of the transfer and take all practicable steps to erase the personal data once the purposes of transfer have been achieved.
- Accuracy and transparency - a transferee should take reasonable steps to ensure the data is kept accurate, and make transparent its processing policies and practices.
- Onward transfers - onward transfers should meet the requirements of the applicable RMCs (data user to data user; data user to data processor).
For both sets of RMCs, there is a data transfer schedule template (now in a table format) to assist in the tracking and describing the data flows happening within a data user’s business.
Noting that many multinational corporations’ outsourcing arrangements are complex and long term, the 2022 Guidance also encourages data users to include additional contractual assurances as appropriate, including:
- rights and obligations around reporting transferees’ data security tests and reviews;
- audit and inspection of transferees’ systems;
- notifications of data security breaches; and
- regulatory compliance support and co-operation with data access and correction requests.
What does this mean for you?
The PCPD recommends that where cross-border transfers of personal data is required outside Hong Kong, data users should incorporate the updated RMCs (whether in its self-contained form or adapted equivalents) into their commercial agreements (e.g. data transfer agreements, services agreements involving data transfers and outsourcing agreements).
Whilst the 2022 Guidance and RMCs are considered best practice guidance, much of the subject matter covered by the RMCs represents existing data privacy requirements applicable to organisations operating in Hong Kong subject to the Data Privacy Principles under the PDPO. This also ticks off typical contractual requirements required of other leading data privacy regimes in connection with cross-border data transfers (although see note on EU and China below).
Use of the RMCs (or equivalent) will give confidence to a data user transferring personal data outside Hong Kong that such transfers comply with the PDPO (including s.33 when it is brought into force) and that adequate data protection measures are in place.
Further, including these updated RMCs (or equivalents) help demonstrate that a local or multi-national organisation has exercised reasonable due diligence and put adequate protections in place when defending against any suspected or alleged breach of the PDPO.
Hong Kong organisations should therefore take steps to review and confirm if their current and future commercial agreements contain requirements equivalent to the RMCs with their suppliers and other business parties before undertaking cross-border data transfers outside of Hong Kong.
But wait – what about data transfers to and from the EU and China?
While the updated RMCs may appear similar to standard contractual clauses (SCCs) used in the EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL) (which such PIPL SCCs still to be published) for effecting cross-border transfers, note that the updated RMCs should not be taken as compliance with such data privacy regimes or considered as an alternative to those SCCs.
Data users will still need to ensure that an adequate level of protection is provided to comply with the applicable data privacy regime when transferring personal data from those jurisdictions (whether it be the EU or mainland China) to an outside jurisdiction.