The Hong Kong PDPO came into force in 1996 to protect users' personal information from unlawful collection and unlawful use. It allowed people to opt out of the collection of their data.
Section 33, which deals with the transfer of personal data outside Hong Kong, has never been brought into force.
The Office of the Privacy Commissioner for Personal Data (PCPD) said in early 2015 that organisations using personal data should prepare for the implementation of section 33.
The most important part of section 33 for employers is section 33(2), which says that a data user must not transfer personal data outside Hong Kong, except under certain circumstances:
- the receiving country is on a 'white list', which has yet to be published, naming countries that have an equivalent data protection law;
- the employer has reasonable grounds to believe there is an equivalent law in the receiving country;
- the data subject has given written consent;
- the user has reasonable grounds to believe that:
  - the transfer will help to avoid or lessen damage to the data subject;
  - it is not practical to get consent in writing; and
  - if it were practical to get consent, that the data subject would give it.
- the data is covered by exemptions listed in the PDPO;
- the user has taken all reasonable precautions to make sure the data will not be used in a way that would contravene Hong Kong's PDPO.
The law is similar to provisions in other jurisdictions, notably in the European Union, which strictly controls the transfer of personal data outside the European Economic Area and demands that it should only be sent to jurisdictions with an adequate level of protection.
In 2014 the PCPD told the Hong Kong government that it should consider bringing section 33 into force. It issued a guide for data users called Guidance on Personal Data Protection in Cross Border Transfer to help users prepare.
The PCPD said that the 'white list' will soon be published and will contain around 50 countries.
Organisations operating in Hong Kong that use personal data must now consider carefully where their data can be stored and what transfers are allowed.
What activity is covered
All employers store data on employees, whether in filing cabinets in the office or electronically. This data is often communicated within the company and transferred between departments and offices within the organisation.
In addition, data sometimes has to be sent to external organisations, and in a small environment like Hong Kong there is a significant chance that this will mean sending it outside of the jurisdiction – making it subject to section 33(2).
All of the following are likely to fall under the ordinance, if the other party is outside Hong Kong:
- emailing personal data such as a CV or resume to an office or subsidiary;
- outsourcing HR functions or data storage;
- the use of cloud storage; and
- a centralised data storage system.
All of these are common practices and it would be unusual for an employer not to engage in at least one of them.
How to comply
If section 33(2) comes into force, an employer will be in breach of the PDPO if it transfers personal data outside of Hong Kong without checking that it satisfies the conditions.
Organisations must be able to show either that they have reasonable grounds for believing that the country to which they are sending the information has a law that is substantially similar to the PDPO, or serves the same purposes, or that they have taken all reasonable precautions to check that the data will not be used in a way that contravenes the PDPO.
No white list has been published yet, and it will be subject to change even after publication. This makes the test of whether an employer has complied with the rules rather subjective, and it will be difficult for any employer to be certain they are complying with the rules.
With that in mind, the safest and most effective way to be sure is to ask employees to give consent in writing.
While employers often have a personal information collection statement on file for each employee, this is often not signed.
A clause could therefore be added to employment contracts, giving consent to the transfer of personal data to another jurisdiction for business purposes.
For existing staff, a simple written consent form can be signed. A sample form is included in the PCPD's guidance note, although employers should check that this meets their specific needs.
Section 33 has not yet come into force and some employers will prefer to wait until a date is announced before making changes. However, the measures set out here make good business practice, and will ensure compliance with the PDPO with or without the new section.