Cross-border data transfer: How does Hong Kong's PDPO compare to Europe's GDPR?
Po Kan Lo – The Chinese University of Hong Kong.
The law on personal data protection in Hong Kong is contained primarily in the Personal Data (Privacy) Ordinance 1995 (PDPO), as amended in 2012 (Cap 486). In the EU, meanwhile, the law in this area was amended in 2016 with the passing of the General Data Privacy Regulation (GDPR). There has been much discussion in recent years over the relative strengths and weaknesses of the European Union's and Hong Kong's legislation on the protection of personal private data. In fact, as Greenleaf and McLeish note, the two pieces of legislation are related: the original PDPO was introduced in 1995 by the colonial British administration in an attempt to ensure the continued flow of data from the EU to Hong Kong in the wake of the EU's passing of the GDPR's predecessor legislation, the Data Protection Directive. In both the EU and Hong Kong, the rapid technological development in the years since these laws were introduced in the mid-1990s has created a need for both to be updated, so that they can deal with the vast increase in the scale of data uploaded by individuals and the increased diversity of the types of data so uploaded.
Nevertheless, Section 33 of the PDPO, which deals with cross-border data transfers, has never been in force. Given the monumental increase in personal data now uploaded and processed online, the vast amounts of personal data transferred out of the jurisdiction, and the huge technological advances in data analysis and processing techniques, this legislation might be outdated. This led to amendments being made in 2012 in order to update the law. The adequacy of these new provisions will be assessed by comparing them with the law introduced within the European Union under the GDPR, which serves as the basis of comparison for Hong Kong's data protection regime.
One of the major concerns faced by legislators in protecting personal data in the wake of the digital revolution is how to balance the need to ensure that these data can be used for economically efficient and utilitarian purposes against the need to ensure that individuals have their personal privacy protected, and their data protected from potentially harmful misuse. This tension is illustrated nowhere better than in the difficulty regulators have in determining the conditions under which data may be transferred out of the regulating state's jurisdiction, or into a jurisdiction other than the one governed by its law. There may be many valid reasons why transfers of data should generally be allowed, including to let individuals access resources on the internet which are physically located outside the state's jurisdiction, or to allow vital development or capitalisation of technology, for example.
The legal protections afforded to EU citizens under the GDPR (and indeed under its predecessor legislation, the Directive) do have the potential to significantly improve the protection of individual data from abuse, even when it is transferred abroad. An example supporting this assertion can be seen in the famous case of Schrems v Data Commissioner, in which the Court of Justice of the European Union declared the Commission's adequacy decision in favour of the United States under the "Safe Harbour" agreement to be null and void, on the basis that it contravened the Commission's own safeguard proposals. These safeguards remain in place under the GDPR, so the same level of protection is seemingly assured, and it is now arguably strengthened further by the additional protections the GDPR offers.
By contrast, the PDPO, as has been seen, fails to provide the same degree of protection to personal data in transfer situations. The most significant concern with the law in Hong Kong under the PDPO, when compared to the GDPR, is that the user's consent is not necessary for transfers to take place in certain situations. This creates situations in which user data may be transferred out of the jurisdiction without the user's consent, in cases where the user would not have given it had they had the opportunity to consider such a transfer. The fact that the controller requires only reasonable grounds for such a transfer to be lawful is a problem in this respect, as it then prevents the user from effectively taking any legal action against the Hong Kong-based controller.