Data Transfers: Frameworks for organising cross-border data transfers
27 Oct 2022
There are serious legal consequences to a mishandled cross-border personal data transfer. In this article, Pádraig Walsh from our Data Privacy practice explores the steps a business should take when conducting an international data transfer process.
Policy and process
Good practice does not happen by itself. Rather, it arises from good policy, process and proper implementation that are reviewed and improved on a continuous basis. The same principles apply to data transfers. The data user should have a policy and procedure that outlines the key considerations, steps and precautions for data transfers to data processors.
The policy should contain a clear statement that a data transfer to a third party must have a lawful basis, and must be conducted in full awareness and compliance with the legal and regulatory obligations that apply. The policy should enshrine the principle that the data user must take all reasonable steps to protect personal data from unauthorised use and disclosure.
Key considerations will include:
- What personal data is actually necessary for the identified purpose?
- Is it necessary for the effective and efficient conduct of the business that the personal data is transferred?
- What is the nature of the personal data?
- What is the amount of the personal data being transferred?
- What damage or distress might be caused to individuals from issues arising from the data transfer?
- What damage or loss might be caused to the data user from issues arising from the data transfer?
In complex instances, the best method for constructively and systematically taking these considerations into account may be to conduct a transfer impact assessment in respect of the proposal to transfer the personal data for the purposes intended.
The procedures underpinning the policy should:
- contain concise, clear guidance to assess the impact, relevance and necessity for the data transfer;
- have a chain of control for the conduct of the transfer, with appropriate signing and approval processes at each stage;
- contain standards for authentication of the receiving party;
- mandate the use of data minimisation principles;
- apply high standards of security for all aspects of the data transfer process. In particular, the procedures should outline the recommended best means of securely transferring personal data and discourage and prohibit unsecure means (such as unencrypted email or removable storage devices);
- contain guidance on identifying when a formal risk assessment for the data transfer is needed;
- outline the accountability of key persons in the data transfer process;
- provide for contractual protections to be initiated and implemented before data transfer occurs;
- outline the responsibilities of the privacy officer (if any) in respect of data transfers;
- refer to procedures on incident reporting if an issue arises in the course of the data transfer;
- have a review process in which the policy and procedures are reviewed at least annually;
- have a commitment to training and awareness to support adoption of the policy;
- contain a list of useful resources, including applicable laws and regulations and other policies.
Framework for assessing cross-border data transfers
One of the most widely adopted frameworks for conducting a cross-border data transfer process is the six-step framework published by the European Data Protection Board (EDPB). This six-step framework does not directly apply in Hong Kong. However, some of its principles are constructive and relevant to all international data transfers.
Let’s apply and examine key principles in the context of a Hong Kong data user that is a data exporter transferring data from Hong Kong to a data importer in a foreign jurisdiction. Some relevant steps and principles are:
- A data exporter should know its transfers. This starts with a data inventory that is a reliable record of the personal data held by the data exporter. Then, the data exporter should map all data transfers of personal data to third countries so that it is aware of where the personal data goes. This is a basic foundational requirement to assess whether the transferred personal data will be afforded an equivalent level of protection wherever it is processed. This step also helps to verify that the personal data to be transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- The data exporter should verify the lawful basis for the proposed personal data transfer. The Hong Kong data exporter should review its Personal Information Collection Statement (PICS) to determine whether it has properly disclosed that personal data may be transferred as specifically contemplated, and whether the transfer may constitute a new purpose for which the prescribed consent of the data subject is needed. This step is markedly less onerous in Hong Kong than under GDPR.
- The data exporter should assess the laws and practices of the third country. The basic requirement for a Hong Kong data exporter is to take all reasonable precautions and exercise all due diligence to ensure that the personal data will not, in the jurisdiction of the data importer, be collected, held, processed, or used in any manner which, if that took place in Hong Kong, would be a contravention of a requirement under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). This does not require a measure-by-measure comparison by organisations of foreign laws with Hong Kong laws. However, the data exporter should take into consideration all material elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime, or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.
- The data exporter should identify and adopt supplementary measures that are necessary to bring the level of protection of the personal data transferred up to Hong Kong standards. This step is only necessary if the data exporter’s assessment reveals that the foreign jurisdiction’s legislation or practices do not meet the standards required under the PDPO. These measures could be:
  - Technical measures: These might include techniques such as encryption, anonymisation or pseudonymisation, or split or multi-party processing.
  - Contractual measures: These might include additional contractual provisions that impose obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation.
  - Organisational measures: These might impose obligations on the data importer in respect of its policies, methods and procedures. The policies of the data importer must be sufficiently robust and include training for staff and effective security measures. A critical policy will be the data retention policy to ensure that the data processor has committed to keeping the transferred personal data only for so long as necessary, and then will return and destroy the personal data.
The data exporter is ultimately responsible for assessing the effectiveness of the proposed supplementary measures.
- The data exporter should re-evaluate, at appropriate intervals, the level of protection afforded to the personal data it has transferred to third countries, and monitor whether there are any developments in the third country that may affect its initial assessment.
Other principles
The Privacy Commissioner for Personal Data (“PCPD”) has also stressed other principles that data exporters should take into account when conducting a cross-border data transfer. These include:
- A data exporter should always begin with due diligence on the intended data importer. The data exporter must satisfy itself that the data importer has the capability, competence, credentials, reputation and resources to meet the obligations imposed on it.
- A data exporter should adhere to principles of data transparency as part of its general commitment to good data ethics. As a matter of good practice, data exporters should consider notifying data subjects of the fact that their personal data may be transferred outside Hong Kong and the underlying grounds.
- The data exporter should consider taking legal advice in respect of its contractual arrangements with data importers to confirm that the provisions will be enforceable in the location of the data importer.
- The data exporter should keep proper records of all personal data that has been transferred, and also all efforts it has taken to fulfil requirements for cross-border data transfers.
Conclusion
There are a multitude of considerations in data transfers. In these circumstances, planning and process will support prevention and can help to avoid the pain and penalty that will follow if issues arise from cross-border data transfers. Hong Kong does not have an adequacy regime or statutory restrictions on cross-border data transfers. However, it is not true to say there are no protections under Hong Kong law in respect of cross-border data transfers. Data users must have a lawful basis under Hong Kong law for data transfers. Businesses need to be mindful of the obligations that exist, as well as best practice and ethical standards in their governance of personal data. We have helped a number of businesses with policy and process reviews and in conducting transfer impact assessments. We, at Tanner De Witt, can help you.
Pádraig Walsh
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.