Hong Kong Privacy Commissioner Issues Guidance on Cross-Border Data Transfers
On 29 December, 2014, Hong Kong's Privacy Commissioner for Personal Data (the "Commissioner") published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance (the "PDPO"), which would restrict the export of personal data from Hong Kong.
Section 33 in Context
As the Commissioner makes clear in his guidance, the data export controls set out in section 33 have not yet been brought into force. There has been no official announcement that the Hong Kong government intends to bring the provision into force. Minutes of the Legislative Council's Panel on Constitutional Affairs meeting of 17 March, 2014 show that the issue was discussed there at a high level as part of the Commissioner's annual report, but without any resolution to consider the issue of data transfers further or pursue implementation of section 33. At present then, we do not even know at this stage whether section 33, which was drafted as part of the PDPO's passage in 1995, would be brought into force in its present form, the wording upon which the guidance is based.
These uncertainties mean that the guidance has a very unusual status as a guide to compliance with the PDPO.
The Commissioner's view is that publication of his guidance will help businesses prepare for the eventual implementation of section 33 and that, in any event, businesses should comply with the guidance as a matter of their corporate governance responsibilities.
Please click here for full version