
PCPD Issues Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data


Background

The Office of the Privacy Commissioner for Personal Data, Hong Kong* (PCPD) has recently issued guidance on recommended model contractual clauses for cross-border transfers of personal data (Guidance), which supplements the 2014 Guidance on Personal Data Protection in Cross-border Data Transfer.

The Guidance provides two sets of recommended model contractual clauses (RMCs) to cater for two types of cross-border data transfers: (i) from one data user to another data user; and (ii) from one data user to a data processor. The RMCs are prepared as free-standing clauses so that organisations can directly incorporate them into more general commercial agreements between data transferors and data transferees. The RMCs are intended for broad use and can be applied to (i) cross-border transfers of personal data from a Hong Kong entity to another entity outside Hong Kong; or (ii) transfers between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user.

Comparison to GDPR and PIPL

Use of the RMCs will effectively enable parties transferring personal data between jurisdictions to have confidence that their business arrangements comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO). However, this should not be taken as compliance with other data protection laws that have extra-territorial effect, most notably the EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL).

Fundamentally, section 33 of the PDPO (assuming it becomes operational), the PIPL and GDPR all provide for transfer mechanisms for organisations to export personal data to a third country outside of their respective jurisdictions. Many parallels can be drawn in various aspects but differences still exist in the details.

For instance, the PIPL provides fewer transfer mechanisms and additionally imposes different cross-border data transfer restrictions based on the status of the entity, that is, whether the exporting entity is an operator of critical information infrastructure and whether a threshold processing amount has been met. The Chinese regime is known for its hybrid of self-assessment and governmental assessment, whereas the GDPR and PDPO do not impose a governmental security assessment.

The EU’s 2021 standard contractual clauses (SCCs) are notably tougher than the RMCs. First, by entering into a data transfer agreement consisting of the SCCs, a data importer may be required to submit itself to the jurisdiction of and cooperate with the competent EU supervisory authority in any procedures aimed at ensuring compliance with the SCCs. Second, the SCCs require the parties to conduct a privacy impact assessment and consider a wide list of factors before warranting that the parties have no reason to believe that the relevant laws and practices in the destination of transfer prevent the data importer from fulfilling its obligations under the SCCs.

At the time of writing this article, the Cyberspace Administration of China (CAC) has not yet released a first draft standard contract for the purpose of cross-border data transfer and so no direct comparisons could be made with the RMCs yet. However, by drawing trends and themes from the draft Security Assessment Measures for Cross-Border Data Transfer (issued by CAC in October 2021), the key provisions that may be adopted under the Chinese standard contract would possibly require the parties to specify:

  • The purpose, means and scope of the data export and the use and means of the data processing by the overseas recipient;
  • The period of data retention outside of China, and the measures to be adopted after the retention period or the contract term expires, or the processing purposes are fulfilled;
  • The security measures to be taken by the overseas recipient in the event of a material change in its actual control or business scope, or a change of the legal environment of the jurisdiction in which the overseas recipient is located which renders it difficult to ensure data security;
  • Apportionment of liability for breach of security obligations, and binding and enforceable dispute resolution clauses; and
  • The remedial measures to be taken in the event of a data breach and the obligations to ensure effective channels for individuals to exercise their rights.

Going forward, organisations will need to keep abreast of global data protection laws and be agile to assess and update their data contracts as appropriate. The next major development is likely to be CAC’s release of its draft standard contract for the purpose of exporting personal data outside of China.

 

*Any reference to "Hong Kong" or "Hong Kong SAR" shall be construed as a reference to "Hong Kong Special Administrative Region of the People's Republic of China".
