Following is a question by the Hon Kenneth Leung and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Raymond Tam, in the Legislative Council today (April 29):
While the Personal Data (Privacy) Ordinance (Cap. 486) was enacted in 1995, section 33 of it, which regulates the acts of transfer of personal data to places outside Hong Kong, is not yet in operation. In this connection, will the Government inform this Council :
(1) as Cap. 486 has been enacted for 20 years, why the Government has not yet implemented section 33 of it; when the Government plans to implement this provision;
(2) of the measures currently in place to regulate the acts of transfer of personal data to places outside Hong Kong and to protect the personal data concerned; and
(3) whether the authorities and the Privacy Commissioner for Personal Data have assessed and studied the current situation of the transfer of personal data to places outside Hong Kong (including the purposes, modes and scales of transfer, protective measures, as well as the types and sensitivity of the personal data involved); if so, of the details?
(1) Bringing section 33 of the Personal Data (Privacy) Ordinance (the Ordinance) into force will impose more stringent regulation on cross-border data transfers in different sectors, and requires preparation on multiple fronts. The Government is working closely with the Office of the Privacy Commissioner for Personal Data (PCPD) on the tasks involved, including commissioning a consultant to look into compliance measures required of data users to meet the requirements of the provision, studying the relevant practices of other jurisdictions in compliance and law enforcement, and examining the implementation details (e.g., the arrangement for reviewing the list of specified places), etc. Such preparation work is to ensure that the conditions necessary for implementing the provision are in place. The Government will also closely monitor the actual situation of and feedback from relevant sectors in their voluntary compliance with the Guidance on Personal Data Protection in Cross-border Data Transfer issued by the PCPD. When all the preparation work has been completed, the Government will consider setting a commencement date for the provision.
(2) Although section 33 of the Ordinance is not yet brought into force, the acts of data users in cross-border transfers of personal data, including the holding, processing or use of the personal data transferred outside Hong Kong by the data user or by a person authorised by the data user, are subject to regulation by other provisions of the Ordinance.
By virtue of Data Protection Principle 3 under the Ordinance, personal data can be transferred outside Hong Kong only if the purpose of the transfer of personal data is the same as or directly related to the original purpose of collecting the data, or with the consent of the data subject. According to section 65(2) of the Ordinance, if a data user transfers personal data to an overseas person authorised by the data user to engage in any activity (such as data processing), the acts of the authorised person shall be treated as acts done by the data user and regulated by the Ordinance.
If a data user engages a data processor to process personal data outside Hong Kong on the data user's behalf, Data Protection Principles 2(3) and 4(2) require that the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from (i) being kept longer than is necessary for processing the data or (ii) unauthorised or accidental access, processing, erasure, loss or use.
(3) In the PCPD's assessment, with the advancement of technology and changes in the modes of operation and practices of organisations, international electronic data transfer is taking place in an increasing scale. Transfer of digitised personal data has become common, with diversified modes of cross-border data flow. For instance, some organisations adopt dispersed data storage in multiple jurisdictions with the use of cloud computing technologies, while some organisations outsource data processing procedures to contractors around the world.
As mentioned in part (1) above, the Government will engage a consultant to conduct an assessment on the conditions needed for bringing section 33 of the Ordinance into force. The actual situation of current cross-border transfers of personal data by data users will be covered by that study.
Ends/Wednesday, April 29, 2015