Introduction
On 12 May 2022, the Hong Kong Privacy Commissioner for Personal Data (PCPD) issued a Guidance Note on the Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data (2022 Guidance).
The 2022 Guidance is split into three “parts”:
- Part 1 is an introduction of the 2022 Guidance and the rationale underpinning it;
- Part 2 is an explanation on the use of the Recommended Model Contractual Clauses; and
- Part 3 is the Schedule which sets out the recommended model clauses.
The PCPD last issued a guidance note on Personal Data Protection in Cross-border Data Transfer in December 2014 (2014 Guidance). The 2014 Guidance also included a set of model data transfer clauses, though the clauses made heavy reference to the Personal Data (Privacy) Ordinance (PDPO) and consequently had to be governed by the laws of Hong Kong in order to achieve certainty on the application and enforcement of the PDPO. The 2014 model clauses also did not distinguish between data users[1] and data processors. In contrast, the recommended model clauses appear to be more self-contained, providing for defined terms and making fewer references to the substantive provisions of the PDPO, thus achieving more user-friendly guidance for personal data recipients outside of Hong Kong. Furthermore, in recognition of the growth in outsourced processing, and much like the Standard Contractual Clauses of the EU GDPR, the 2022 Guidance now contains two sets of recommended model clauses to cater for (i) data user to data user transfers, and (ii) data user to data processor transfers.
Background
Section 33 of the PDPO prohibits the cross-border transfer of personal data unless an exception applies. However, Section 33 has yet to come into effect and no timetable has been announced for its implementation despite the PDPO being in force since 1996.
Notwithstanding that Section 33 has yet to come into force, it is important for data users to have the appropriate protection for any cross-border transfers of personal data since data processors are not directly subject to the PDPO requirements and data users are ultimately responsible in the event of any breach of the PDPO by its data processors. The issuance of the 2022 Guidance by the PCPD is reflective of this, and addresses the relevant legal requirements, such as the Data Protection Principles (DPP) articulated in the PDPO.
The increasing digitalization of personal data and the proliferation of cross-border outsourced data processing operations are the main reasons for the 2022 Guidance. The recommended model clauses are presented as “free-standing clauses” that are meant to be incorporated into commercial agreements in order to help small and medium-sized enterprises adopt best practices as part of their data governance responsibilities.
The 2022 Guidance's Part 1 provides a good reminder of the relevant legal requirements that are engaged when data users carry out cross-border personal data transfers.
(a) Purpose Limitation
Under the PDPO, data subjects must be explicitly informed of the purpose for which the personal data is to be used and the classes of persons to whom the personal data may be transferred[2]. The PDPO further prohibits the use of personal data for new purposes without the data subject’s prescribed consent[3].
The 2022 Guidance highlights the fact that cross-border personal data transfers constitute “use” within the meaning of the DPPs, and would therefore require the prescribed consent of the data subject if the transfer is for a new purpose, save for where an exception under Part 8 of the PDPO applies.
(b) Data Processors
Given the prevalence of cross-border outsourced data processing, the 2022 Guidance highlights the relevant provisions of the PDPO when data users engage data processors, and which need to be addressed in the recommended model clauses, including:
- requiring data users to adopt contractual or other means to prevent personal data transferred to data processors from:
  - being kept longer than is necessary;
  - unauthorised or accidental access, processing, erasure, loss or use of the personal data[4];
- adhering to the direct marketing requirements of the PDPO[5]; and
- remaining liable for any act done by agents with their authority[6].
(c) Compliance
Lastly, the 2022 Guidance promotes the use of the recommended model clauses to demonstrate compliance with the PDPO when engaging in cross-border transfers.
Part 2
Unlike the GDPR standard contractual clauses, the recommended model clauses do not have to be included in their entirety. While the recommended model clauses are intended to form the base terms and conditions applicable to cross-border transfers, they are ultimately prepared as free-standing clauses which may be adapted by organisations and incorporated into a service agreement. The 2022 Guidance also states that alternative wording may be used so long as such wording mirrors the substantive requirements of the PDPO.
Notably, the recommended model clauses are also intended to be applied in contracts between entities that are both outside Hong Kong where the transfer is controlled by a Hong Kong data user (e.g., where the original independent contractor in turn sub-contracts the processing activities) since the recommended model clauses include provisions to ensure that the onward transfers of personal data are subject to the same or substantially similar data protection obligations.
User to User Recommended Model Clauses
The key purpose of the user to user recommended model clauses is to ensure that the transferor takes all reasonable precautions so that the personal data transferred to the transferee data user is not processed in a manner that would otherwise be a violation of the PDPO. The provisions of the user to user recommended model clauses therefore apply requirements that a data user in Hong Kong would need to adhere to, in the form of contractual warranties from the transferee, including:
- only using personal data for the agreed transfer purposes and consistent with the original purpose of collection;
- ensuring that the personal data transferred is adequate but not excessive with regard to the purposes of the transfer;
- adopting security measures as agreed upon with the transferor;
- retaining the personal data only for as long as necessary or for the agreed retention period;
- taking all practicable steps to:
  - erase personal data once it ought no longer to be retained;
  - ensure that personal data is accurate with regard to the transfer purposes;
  - ensure that inaccurate personal data is not used unless it is rectified or erased;
  - ensure that data subjects are able to access its policies and practices in relation to the personal data;
- not to make any onward personal data transfers unless agreed;
- ensuring that any onward transfers are subject to the same or substantially similar data protection obligations provided by the recommended model clauses;
- not to make any onward personal data transfers to any other jurisdictions except as agreed;
- give effect to the data subject’s access and correction rights; and
- comply with obligations to cease direct marketing activities using the personal data upon receipt of written notice.
User to Processor Recommended Model Clauses
Similarly, the user to processor recommended model clauses reflect the requirements for the data user transferor to be accountable for the data processor transferee’s compliance with the PDPO, including:
- only processing personal data for the agreed transfer purposes and consistent with the original purpose of collection;
- ensuring that the personal data transferred is adequate but not excessive with regard to the purposes of the transfer;
- adopting security measures as agreed upon with the transferor;
- retaining the personal data only for as long as necessary or for the agreed retention period;
- taking all practicable steps to:
  - erase personal data once it ought no longer to be retained;
  - ensure that personal data is accurate with regard to the transfer purposes;
  - ensure that inaccurate personal data is not used unless it is rectified or erased;
- not making any onward personal data transfers unless agreed; and
- ensuring that any onward transfers are subject to the same or substantially similar data protection obligations provided by the user to processor recommended model clauses.
Recommended Model Clauses
(a) Data Transfer Schedule
Both types of recommended model clauses also incorporate a Data Transfer Schedule which sets out the agreements between the transferor and transferee vis-à-vis operational and technical aspects of the data transfer.
(b) Additional Contractual Measures
Helpfully, the 2022 Guidance recognises that the above provisions, by themselves, may be insufficient to ensure compliance with the PDPO, and provides suggestions as to additional assurances that may need to be given.
These include:
- Reporting, Audit and Inspection Rights
These rights are important in helping transferor data users ensure and ascertain that transferees are complying with their obligations under the respective recommended model clauses. This could include regular security reports or even an audit right exercisable by the transferor data user. Drawing from our experience, regulators in other jurisdictions have found that data users who did not exercise their audit rights, notwithstanding the inclusion of relevant contractual provisions with their data processors, failed to take all practicable steps to protect the personal data in their possession.
- Data Breach Notification Obligations
There are no mandatory requirements under the PDPO for data users (much less data processors) to notify the PCPD or data subjects about data breaches in Hong Kong, let alone for data users or data processors outside of Hong Kong in respect of transferred data. Transferor data users may wish to impose contractual requirements for transferees to notify them, as soon as reasonably possible, of any data breach that has occurred or is likely to have occurred. This is important to prevent situations where the PCPD becomes aware of the data breach before the transferor data user does, leaving the transferor caught off guard by an investigation initiated by the regulator in Hong Kong.
- Compliance Support and Co-operation Obligations
In the course of investigations and regulatory compliance reviews, transferor data users may require the co-operation of their transferees. To ensure that they obtain the necessary co-operation, transferor data users may wish to include a contractual provision to such effect.
Comments
The recommended model clauses impose certain obligations on the transferees that will likely be resisted especially by data processors as they may involve actions outside their control. These include:
- requiring the transferee to ensure that personal data transferred is adequate but not excessive[7];
- taking all practicable steps to ensure that any inaccurate personal data is not used unless it is rectified or erased, even though the transferee may not have direct contact with the data subject and may be unaware of any inaccuracies if not otherwise informed by the transferor data user[8]; and
- taking all practicable steps to ensure that data subjects are able to access their policies and practices in relation to personal data[9].
Given these requirements, the recommended model clauses are likely to be heavily negotiated by both data users and their processors.
Data users will also now likely push for the inclusion of additional contractual measures in their data processing agreements.
Conclusions
This is the second iteration of guidelines that attempt to formulate procedures for cross-border transfers, and it is perhaps time for Section 33 to be brought into force at last. For now, data users should comply with the 2022 Guidance lest a negative view be taken of them in the event of an investigation for non-compliance.
[1] A “data user” is the PDPO equivalent of a “data controller” and is defined under the PDPO as a “person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.”
[2] DPP 1(3), PDPO.
[3] DPP 3, PDPO.
[4] DPP 4(2), PDPO.
[5] Direct marketing requirements are found in Part 6A of the PDPO.
[6] Section 65, PDPO.
[7] See Clause 4.2 of the user to user RMCCs, Clause 3.2 of the user to processor RMCCs.
[8] See Clause 4.7 of the user to user RMCCs, Clause 3.7 of the user to processor RMCCs.
[9] See Clause 4.8 of the user to user RMCCs.