Standard Contractual Clauses for Cross Border Data Transfers in Hong Kong and Mainland China
In Hong Kong, section 33 of the Personal Data (Privacy) Ordinance (“PDPO”) provides that cross-border transfer of personal data is prohibited unless an exception applies. Although section 33 has yet to come into effect, data users should have appropriate cross-border data transfer arrangements in place, to avoid any breach of the PDPO. The Office of the Privacy Commissioner for Personal Data (“PCPD”) issued a guidance note in May 2022 to set out the best practices to be adopted and new recommended model contractual clauses (“RMCs”) to use for facilitating the cross-border transfer of personal data out of Hong Kong. Although the guidance note is non-binding, it sets out what the PCPD expects the compliance standard to be in cross-border data transfer arrangements. It is a useful starting point for businesses, as data users, when transfering data outside Hong Kong.
When, How, and Why
Businesses may consider using the model contract clauses when transfering personal data from a Hong Kong entity to another entity outside Hong Kong, or between two entities outside Hong Kong but where the transfer is controlled by a Hong Kong data user.
There are two sets of clauses, one for data transfers between two data users, and the other for data transfers from a data user to a data processor. Parties are free to choose and adapt the clauses as they wish to, and incorporate any other terms as appropriate.
Businesses who adopt the recommended model contractual clauses can show the PCPD that they have taken reasonable precautions and effort in ensuring that the data transfers is treated in compliance with the PDPO, in the event that there are complaints or reports of suspected or alleged breach of the PDPO by such businesses.
The general structure of the RMCs is as follows:
- Obligations of the transferor and transfree;
- Data subjects’ access and correction rights (if the transfer is between a data user and another data user);
- Provisions concerning direct marketing (if the transfer is between a data user and another data user);
- Categories of personal data transferred, purpose of the transfer, destination of transfer, retention period; and
- Security measures the transferee is required to apply to the transferred data.
Additional business considerations
The PCPD is of the view that businesses, as data users, have the responsibility to protect the personal data privacy of individuals, even if the data is transferred outside Hong Kong. Thus, to avoid and manage legal risks, businesses should set out clearly their respective rights and obligations in relation to the use and processing of personal data and consider suitable contractual assurances (such as warranties and indemnities).
Specific rights to consider adding include:
- Reporting, audit and inspection rights – data users may receive regular reports on the transferee’s security tests and reviews, inspect their facilities or carry out security audits on their systems and equipment;
- Notification of breach – transferee must notify the data user of any suspected data incident as soon as possible; and
- Compliance support and cooperation – transferee must cooperate with the data user in respect of regulatory compliance investigations and reviews.
Cross border transfer of personal data to any party outside of the People’s Republic of China (“PRC”) is prohibited unless a condition in Article 38 of the Personal Information Protection Law of the PRC (“PIPL”) is satisfied. One of such condition, is that the transferor has entered into a standard contract with the overseas recipient in accordance with that developed by the national cyberspace administration (“Standard Contract”). The Cyberspace Administration of China (“CAC”), being the national cyberspace administration, recently issued a draft Provisions on the Standard Contract for Outbound Cross-border Transfer of Personal Information (“Draft Provisions”) along with a draft Standard Contractual Clauses (“Draft SCCs”) for consultation on 30 June 2022.
The Draft Provisions
The Draft Provisions requires the data user to conduct a Personal Information Impact Accessment (“PIIA”) before transmitting the data out of China, this includes considering:
- The legitimacy, justifiability and necessity of the data processing by both the transferor and the foreign tranferee (e.g. purpose, scope and method);
- The quantity, scope, category and sensitivity of the data to be exported, and risks of the transfer;
- The responsibilities and obligations that the transfree undertakes to assume, and whether its management and technical measures and capacibilities are sufficient to ensure the security of the transfer;
- The risk of the data being disclosed, destroyed, tampered with or misused after the transfer, and whether there is a smooth channel for individuals to protect their rights and interests in the data;
- The impact of personal information protection policies and regulations in the transferee’s country on the performance of the SCCs; and
- Other matters that may affect the security of the data to be transferred.
The Draft Provisions also provides that the Standard Contracts entered into must be filed with the local authority along with the PIIA report.
It should also be noted that the Draft Provisions suggests that only organisations which satisfy certain preconditions may rely on the Draft SCCs as a legal basis to transfer data outside of China. This seems to deviate from Article 38 of the PIPL, which does not contain such limitation.
The Draft SCCs
The general structure of the Draft SCCs is as follows:
- The details of the parties;
- The purpose, scope, category, sensitivity, quantity, method, retention period, and storage location of the exported personal information;
- The responsibiities and obligations of the personal information handler as well as the foreign recipients, and the technical and management measures taken to prevent respective security risks;
- The impact of personal information protection laws and policies in the transferee’s country on the performance of the SCCs;
- The rights and interests of data subjects, and
- Legal remedies, termination, liability for breach, dispute resolution etc.
Unlike the Standard Contractual Clauses under the GDPR, the Draft SCCs do not touch on import of personal information into China, and is a one-size-fit-all standard contract for all data transfer scenarios. Ad hoc clauses also do not seem possible under Article 2 of the Draft Provisions, which also provides that other contracts entered into between the transferee and transferor in relation to the export of data shall not be in conflict with the Standard Contract.
It is also important to note that the Standard Contract must be goverened by the laws of the PRC, taking away the flexibility that parties may have in choosing the way of dispute resolution.
Business in Hong Kong and Mainland China wishing to transfer personal data to foreign data users or data processors should adopt the RMCs and be prepared to implement the Draft SCCs. If the destination is to Europe, the businesses should also keep in mind to align the RMCs or the SCCs with the existing GDPR SCCs
Article provided by INPLP member: Jennifer Wu (Pinsent Masons, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)