On 12 May 2022, the PCPD issued a Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (the “New Guidance”) which supplements the Guidance on Personal Data Protection in Cross-border Data Transfer issued in December 2014, introducing two sets of recommended model clauses (RMCs) to cater for the scenarios of cross-border data transfers between (i) “data user and data user” and (ii) “data user and data processor”, respectively.
The PDPO currently does not mandate model contractual clauses in the context of cross-border data transfers. While Section 33 of the PDPO aims to regulate cross-border transfers of personal data from within Hong Kong to outside of Hong Kong, this section is not yet effective, and there is as yet no official timetable for implementation of this section.
Nevertheless, the New Guidance recommends and advises data users in Hong Kong to adopt the RMCs as part of their data governance responsibility to protect and respect the personal data privacy of data subjects. Hence, the adoption of the RMCs in commercial agreements between data transferors in Hong Kong and data transferees outside of Hong Kong is currently considered best practice rather than a mandatory obligation.
The RMCs for the two cross-border data transfer scenarios can be summarised as follows:
| | Data user to another data user | Data user to data processor |
| Use/processing of data | The transferee will only use the personal data for the purposes of transfer agreed with the transferor (or directly related purposes). | Transferee will only process personal data for the purposes designated by the transferor. |
| Data is adequate but not excessive | The transferee will ensure that personal data transferred be adequate but not excessive for the purpose of transfer. | |
| Security | The transferee should apply agreed security measures to the use or processing of the personal data. | |
| Retention and erasure | The transferee will retain the personal data only for a period which is necessary for the fulfilment of the purposes of transfer and take all practicable steps to erase the personal data once the purposes of transfer have been achieved. | |
| Onward transfer | A transferee will not make any onward transfer of the personal data except as agreed by the parties; and should ensure that onward transfers of the personal data meet the requirements of the applicable RMCs. | |
| Access and correction rights of data subjects | Each party will comply with its obligation as a data user in respect of the access and correction rights of the data subject. | - |
The RMCs set out in the New Guidance have been prepared as free-standing clauses, which may be incorporated into wider commercial agreements between data transferors and data transferees. Unlike the Standard Contractual Clauses promulgated by the European Commission (EU SCCs), alternative wordings may be used to the extent the substance is consistent with the requirements of the PDPO. Specifically, the New Guidance advises data users to consider incorporating additional provisions, including:
The New Guidance specifically provides that the use of RMCs contributes to fulfilling the “Due Diligence Requirement” under Section 33(2)(f) of the PDPO for cross-border transfers, where data users can demonstrate they have taken reasonable precautions and exercised due diligence to ensure that the data will, in the jurisdiction of the transferee, be collected, held, processed or used in a way that complies with the PDPO and that the data users have taken into account the Data Protection Principles (DPPs) under the PDPO. However, it should be noted that the RMCs should not be taken as fulfilling requirements of the General Data Protection Regulation of the European Union (GDPR) or be considered as an alternative to the EU SCCs for any transfers outside of the EU that are controlled by a Hong Kong data user.
In the context of globalisation and digitalisation of the world economy, data protection laws around the world are adopting more sophisticated cross border transfer regimes to ensure adequate protection of personal data. It is interesting to note that the New Guidance in particular seeks to clarify the scope of application of Section 33 of the PDPO to not only cover cross-border transfers of personal data from a Hong Kong data user to an entity outside Hong Kong, but also data transfers between two entities outside Hong Kong, as long as such transfer is controlled by a data user in Hong Kong.
If you are engaged in the aforementioned cross-border transfers, you are recommended to adopt the RMCs, and when adopting the RMCs, the New Guidance suggests that you may develop your own form of data transfer agreements or incorporate RMCs into a wider service agreement.
According to the New Guidance, as a matter of good practice and observance of the DPPs under the PDPO, in the event of any transfers of personal data outside Hong Kong, you should also notify data subjects of the transfer and its underlying grounds to ensure transparency between data users and data subjects. You are encouraged to make such notifications through adequate privacy policies and privacy notices. Where necessary, you may also implement internal compliance policies and measures with respect to the handling of cross-border data transfers for your personnel to ensure compliance.
The New Guidance provides Hong Kong data users with some useful guidance when implementing cross-border transfers. Although compliance with the New Guidance is not mandatory, data users that adopt the RMCs are likely to be in a better position to demonstrate that they have considered the relevant risks relating to cross-border data transfer and have implemented appropriate measures or practices to mitigate the impact of such risks in the event of any alleged breaches, and to avoid any potential liability and reputational damage.
The New Guidance is potentially a sign that the implementation of Section 33 of the PDPO, or an updated and modified version of this section, may be imminent. Nevertheless, until Section 33 of the PDPO comes into force, the RMCs will likely only be adopted by those data users that are willing to adopt such provisions as a matter of international best practice.
*Information is accurate up to 27 November 2023