The Privacy Commissioner for Personal Data of Hong Kong (“PCPD”) issued a “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (the “New Guidance”) on 12 May 2022. The New Guidance supplements the “Guidance on Personal Data Protection in Cross-Border Data Transfer” issued by the Office of the PCPD in December 2014 (the “Previous Guidance”), in particular, by introducing two sets of Recommended Model Contractual Clauses (“RMCs”), catering for two cross-border data transfer scenarios:
Those familiar with the data protection regime in Hong Kong would note that Section 33 of the Personal Data (Privacy) Ordinance (Cap.486) (“PDPO”), which regulates the cross-border transfer of personal data from within Hong Kong to outside of Hong Kong, is not yet effective. The provision has been in the legislation since the enactment of the PDPO in 1996, and there is as yet no official timetable for implementation of this section.
Nevertheless, the New Guidance recommends and advises data users in Hong Kong to adopt the RMCs as part of their data governance responsibility to protect and respect the personal data privacy of data subjects. As such, adoption of the RMCs in commercial agreements between data transferors in Hong Kong and data transferees outside of Hong Kong is considered best practice rather than a mandatory obligation.
Pursuant to the New Guidance, the RMCs are intended to be general terms and conditions that are applicable to (i) cross-border transfers of personal data from a Hong Kong entity to another entity outside Hong Kong; or (ii) transfers between two entities both of which are outside Hong Kong, where the transfer is controlled by a Hong Kong data user. It is interesting to note that the New Guidance in particular seeks to clarify that the scope of application of Section 33 of the PDPO covers data transfers between two entities outside Hong Kong, as long as such transfer is controlled by a data user in Hong Kong.
The New Guidance also specifically provides that the use of RMCs contributes to fulfilling the Due Diligence Requirement under section 33(2)(f) of the PDPO for cross-border transfers, where data users can demonstrate that they have taken reasonable precautions and exercised due diligence to ensure that the data will, in the jurisdiction of the transferee, be collected, held, processed or used in a way that complies with the PDPO, and that the data users have taken into account the Data Protection Principles (“DPPs”) under the PDPO.
The RMCs for the two cross-border data transfer scenarios can be summarised as follows:
| | Data user to another data user | Data user to data processor |
| --- | --- | --- |
| Use/processing of data | The transferee will only use the personal data for the purposes of transfer agreed with the transferor (or directly related purposes). | The transferee will only process the personal data for the purposes designated by the transferor. |
| Data is adequate but not excessive | The transferee will ensure that the personal data transferred is adequate but not excessive for the purposes of transfer. | |
| Security | The transferee should apply the agreed security measures to the use or processing of the personal data. | |
| Retention and erasure | The transferee will retain the personal data only for the period necessary for the fulfilment of the purposes of transfer and take all practicable steps to erase the personal data once the purposes of transfer have been achieved. | |
| Onward transfer | The transferee will not make any onward transfer of the personal data except as agreed by the parties, and should ensure that any onward transfer of the personal data meets the requirements of the applicable RMCs. | |
| Access and correction rights of data subjects | Each party will comply with its obligations as a data user in respect of the access and correction rights of data subjects. | - |
When adopting the RMCs, the New Guidance suggests that organisations may develop their own form of data transfer agreement or incorporate the RMCs into a wider service agreement. Unlike the Standard Contractual Clauses promulgated by the European Commission (“EU SCCs”), alternative wording may be used to the extent that the substance is consistent with the requirements of the PDPO. Note, however, that the RMCs should not be taken as fulfilling the requirements of the General Data Protection Regulation of the European Union (“GDPR”), nor be considered an alternative to the EU SCCs, in respect of any transfers out of the EU that are controlled by a Hong Kong data user.
The RMCs set out in the New Guidance have been prepared as free-standing clauses, which may be incorporated into wider commercial agreements between data transferors and data transferees. Specifically, the New Guidance advises data users to consider incorporating additional provisions, including:
The New Guidance also reminds data users that, as a matter of good practice and observance of the DPPs, in the event of any transfer of personal data outside Hong Kong, data users should notify data subjects of the transfer and the underlying grounds for it, to ensure transparency between data users and data subjects. Data users are encouraged to make such notifications through adequate privacy policies and privacy notices. Where necessary, data users may also implement internal compliance policies and measures for their personnel with respect to the handling of cross-border data transfers, to ensure compliance.
In the context of the globalisation and digitalisation of the world economy, data protection laws around the world are adopting more sophisticated cross-border transfer regimes to ensure adequate protection of personal data. The New Guidance provides Hong Kong data users with useful guidance when implementing cross-border transfers. Data users that adopt the RMCs are likely to be in a better position to demonstrate, in the event of any alleged breach, that they have considered the relevant risks relating to cross-border data transfers and have implemented appropriate measures or practices to mitigate the impact of such risks, and thereby to avoid potential liability and reputational damage.
The New Guidance is potentially a sign that the commencement of Section 33 of the PDPO, or of an updated and modified version of that section, may be imminent. Nevertheless, until Section 33 of the PDPO comes into force, the RMCs will likely be adopted only by those data users that are willing to adopt such provisions as a matter of international best practice.