News
Standard Contractual Clauses for Cross Border Data Transfers in Hong Kong and Mainland China
Businesses around the world now face strict rules governing the cross-border transfer of personal data. Like as has happened in Europe, the privacy authorities in Hong Kong SAR and Mainland China has been active recently in clarifying issues around cross-border data transfers.
Hong Kong
In Hong Kong, section 33 of the Personal Data (Privacy) Ordinance (“PDPO”) provides that cross-border transfer of personal data is prohibited unless an exception applies. Although section 33 has yet to come into effect, data users should have appropriate cross-border data transfer arrangements in place, to avoid any breach of the PDPO. The Office of the Privacy Commissioner for Personal Data (“PCPD”) issued a guidance note in May 2022 to set out the best practices to be adopted and new recommended model contractual clauses (“RMCs”) to use for facilitating the cross-border transfer of personal data out of Hong Kong. Although the guidance note is non-binding, it sets out what the PCPD expects the compliance standard to be in cross-border data transfer arrangements. It is a useful starting point for businesses, as data users, when transfering data outside Hong Kong.
When, How, and Why
Businesses may consider using the model contract clauses when transfering personal data from a Hong Kong entity to another entity outside Hong Kong, or between two entities outside Hong Kong but where the transfer is controlled by a Hong Kong data user.
There are two sets of clauses, one for data transfers between two data users, and the other for data transfers from a data user to a data processor. Parties are free to choose and adapt the clauses as they wish to, and incorporate any other terms as appropriate.
Businesses who adopt the recommended model contractual clauses can show the PCPD that they have taken reasonable precautions and effort in ensuring that the data transfers is treated in compliance with the PDPO, in the event that there are complaints or reports of suspected or alleged breach of the PDPO by such businesses.
The RMCs
The general structure of the RMCs is as follows:
- Obligations of the transferor and transfree;
- Data subjects’ access and correction rights (if the transfer is between a data user and another data user);
- Provisions concerning direct marketing (if the transfer is between a data user and another data user);
- Categories of personal data transferred, purpose of the transfer, destination of transfer, retention period; and
- Security measures the transferee is required to apply to the transferred data.
Additional business considerations
The PCPD is of the view that businesses, as data users, have the responsibility to protect the personal data privacy of individuals, even if the data is transferred outside Hong Kong. Thus, to avoid and manage legal risks, businesses should set out clearly their respective rights and obligations in relation to the use and processing of personal data and consider suitable contractual assurances (such as warranties and indemnities).
Specific rights to consider adding include:
- Reporting, audit and inspection rights – data users may receive regular reports on the transferee’s security tests and reviews, inspect their facilities or carry out security audits on their systems and equipment;
- Notification of breach – transferee must notify the data user of any suspected data incident as soon as possible; and
- Compliance support and cooperation – transferee must cooperate with the data user in respect of regulatory compliance investigations and reviews.
Mainland China
Cross border transfer of personal data to any party outside of the People’s Republic of China (“PRC”) is prohibited unless a condition in Article 38 of the Personal Information Protection Law of the PRC (“PIPL”) is satisfied. One of such condition, is that the transferor has entered into a standard contract with the overseas recipient in accordance with that developed by the national cyberspace administration (“Standard Contract”). The Cyberspace Administration of China (“CAC”), being the national cyberspace administration, recently issued a draft Provisions on the Standard Contract for Outbound Cross-border Transfer of Personal Information (“Draft Provisions”) along with a draft Standard Contractual Clauses (“Draft SCCs”) for consultation on 30 June 2022.
The Draft Provisions
The Draft Provisions requires the data user to conduct a Personal Information Impact Accessment (“PIIA”) before transmitting the data out of China, this includes considering:
- The legitimacy, justifiability and necessity of the data processing by both the transferor and the foreign tranferee (e.g. purpose, scope and method);
- The quantity, scope, category and sensitivity of the data to be exported, and risks of the transfer;
- The responsibilities and obligations that the transfree undertakes to assume, and whether its management and technical measures and capacibilities are sufficient to ensure the security of the transfer;
- The risk of the data being disclosed, destroyed, tampered with or misused after the transfer, and whether there is a smooth channel for individuals to protect their rights and interests in the data;
- The impact of personal information protection policies and regulations in the transferee’s country on the performance of the SCCs; and
- Other matters that may affect the security of the data to be transferred.
The Draft Provisions also provides that the Standard Contracts entered into must be filed with the local authority along with the PIIA report.
It should also be noted that the Draft Provisions suggests that only organisations which satisfy certain preconditions may rely on the Draft SCCs as a legal basis to transfer data outside of China. This seems to deviate from Article 38 of the PIPL, which does not contain such limitation.
The Draft SCCs
The general structure of the Draft SCCs is as follows:
- The details of the parties;
- The purpose, scope, category, sensitivity, quantity, method, retention period, and storage location of the exported personal information;
- The responsibiities and obligations of the personal information handler as well as the foreign recipients, and the technical and management measures taken to prevent respective security risks;
- The impact of personal information protection laws and policies in the transferee’s country on the performance of the SCCs;
- The rights and interests of data subjects, and
- Legal remedies, termination, liability for breach, dispute resolution etc.
Unlike the Standard Contractual Clauses under the GDPR, the Draft SCCs do not touch on import of personal information into China, and is a one-size-fit-all standard contract for all data transfer scenarios. Ad hoc clauses also do not seem possible under Article 2 of the Draft Provisions, which also provides that other contracts entered into between the transferee and transferor in relation to the export of data shall not be in conflict with the Standard Contract.
It is also important to note that the Standard Contract must be goverened by the laws of the PRC, taking away the flexibility that parties may have in choosing the way of dispute resolution.
Conclusion
Business in Hong Kong and Mainland China wishing to transfer personal data to foreign data users or data processors should adopt the RMCs and be prepared to implement the Draft SCCs. If the destination is to Europe, the businesses should also keep in mind to align the RMCs or the SCCs with the existing GDPR SCCs
Article provided by INPLP member: Jennifer Wu (Pinsent Masons, Hong Kong)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010