Background
The Office of the Privacy Commissioner for Personal Data, Hong Kong* (PCPD) has recently issued a guidance on recommended model contractual clauses for cross-border transfer of personal data (Guidance) which is supplementary to the 2014 Guidance on Personal Data Protection in Cross-border Data Transfer.
The Guidance (link here) provides two sets of recommended model contractual clauses (RMCs) to cater for two types of cross-border data transfers: (i) from one data user to another data user; and (ii) from one data user to a data processor. The RMCs are prepared as free-standing clauses so that organisations can directly incorporate them into more general commercial agreements between data transferors and data transferees. The RMCs are intended to have a broad use and can be applied to (i) cross-border transfers of personal data from a Hong Kong entity to another entity outside Hong Kong; or (ii) between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user.
Comparison to GDPR and PIPL
Use of the RMCs will effectively enable parties transferring personal data between jurisdictions to have confidence that their business arrangements comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO). However this should not be taken as compliance with other data protection laws that have extra-territorial effect, most notably the EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL).
Fundamentally, section 33 of the PDPO (assuming it becomes operational), the PIPL and GDPR all provide for transfer mechanisms for organisations to export personal data to a third country outside of their respective jurisdictions. Many parallels can be drawn in various aspects but differences still exist in the details.
For instance, the PIPL provides fewer transfer mechanisms and additionally imposes different cross-border data transfer restrictions based on the status of the entity, that is whether the exporting entity is an operator of critical information infrastructure and whether a threshold processing amount was met. The Chinese regime is known for its hybrid self-assessment and governmental assessment regime whereas GDPR and PDPO do not impose a governmental security assessment.
The EU’s 2021 standard contractual clauses (SCCs) are notably tougher than the RMCs. First, by entering into a data transfer agreement consisting of the SCCs, a data importer may be required to submit itself to the jurisdiction of and cooperate with the competent EU supervisory authority in any procedures aimed at ensuring compliance with the SCCs. Second, the SCCs require the parties to conduct a privacy impact assessment and consider a wide list of factors before warranting that the parties have no reason to believe that the relevant laws and practices in the destination of transfer prevent the data importer from fulfilling its obligations under the SCCs.
At the time of writing this article, the Cyberspace Administration of China (CAC) has not yet released a first draft standard contract for the purpose of cross-border data transfer and so no direct comparisons could be made with the RMCs yet. However, by drawing trends and themes from the draft Security Assessment Measures for Cross-Border Data Transfer (issued by CAC in October 2021), the key provisions that may be adopted under the Chinese standard contract would possibly require the parties to specify:
- The purpose, means and scope of the data export and the use and means of the data processing by the overseas recipient;
- The period of data retention outside of China, and the measures to be adopted after the retention period or the contract term expires, or the processing purposes are fulfilled;
- The security measures to be taken by the overseas recipient in the event of a material change in its actual control or business scope, or a change of the legal environment of the jurisdiction in which the overseas recipient is located which renders it difficult to ensure data security;
- Apportionment of liability for breach of security obligations, and binding and enforceable dispute resolution clauses; and
- The remedial measures to be taken in the event of a data breach and the obligations to ensure effective channels for individuals to exercise their rights.
Going forward, organisations will need to keep abreast of global data protection laws and be agile to assess and update their data contracts as appropriate. The next major development is likely to be CAC’s release of its draft standard contract for the purpose of exporting personal data outside of China.
*Any reference to "Hong Kong" or "Hong Kong SAR" shall be construed as a reference to "Hong Kong Special Administrative Region of the People's Republic of China".