Cross-border Transfer of Personal Data – Key Considerations for the HR Function

By Rowan McKenzie, Baker McKenzie Partner, Employment Law; Marcia Lee, Baker McKenzie Special Counsel, IP Tech; Emma Pugh, Baker McKenzie Knowledge Lawyer, APAC Employment Law

Key takeaways:

 

  • As the volume of cross-border personal data transfer and the complexities involved in handling it continue to grow, best practices are required to protect the privacy of data subjects.
  • Issued recently by the Hong Kong Office of the Privacy Commissioner for Personal Data, the guidance provides recommended model contractual clauses for cross-border transfer of personal data.

The employment landscape has changed considerably over the past decade, giving rise to developments in cloud computing, digitalisation, and remote working. These changes have had implications not only in an employment law context but also in relation to how personal data is managed by employers. Cross-border transfer of personal data is becoming much more commonplace, which in turn means that Hong Kong employers, as data users, need to understand their obligations in transferring personal data overseas. In this article we take a look at the key considerations for employers when it comes to transferring the personal data of their employees outside Hong Kong.

Background

The Personal Data (Privacy) Ordinance (PDPO) took effect in 1996 but notably section 33 of the PDPO concerning cross-border transfer of personal data has not come into force. Section 33 prohibits a data user from transferring personal data to a place outside Hong Kong unless an exception applies. Exceptions include, for instance, obtaining the written consent of the data subject or if the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the PDPO (Due Diligence Requirement). 

As section 33 of the PDPO is not yet in force, does this mean employers are free to transfer personal data overseas without restriction?

Notwithstanding the fact that section 33 has not yet come into force, the PDPO contains other provisions which nonetheless have implications for the cross-border transfer of personal data by employers.

Data Protection Principle (DPP) 3 of the PDPO provides that personal data shall not, without the prescribed consent of the data subject (i.e., the employee), be used for a new purpose. A “new purpose” is essentially a purpose other than the purpose for which the data was to be used at the time of its collection (or a directly related purpose). Under the PDPO, the “use” of personal data includes the transfer of personal data. DPP 1(3) of the PDPO contains certain notification obligations that apply during or before collecting personal data, such as notifying data subjects of the purposes of the use of their data and the classes of transferees. Such notification is typically achieved by providing employees with a personal information collection statement (PICS) during or before the collection of the personal data. As such, employers must ensure that any intended transfer of personal data falls within the scope of such notification. Otherwise, where transfer of personal data overseas involves using personal data for a “new purpose”, employees’ express consent will be required (unless one of the limited exemptions under Part 8 of the PDPO applies).

The PDPO also contains general provisions concerning the management of personal data which are also relevant in the context of cross-border transfer of personal data.  Examples include:

  • an obligation on data users to ensure they take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use (DPP 4 on security of personal data); and 
  • an obligation to take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfilment of the purpose for which the data is used (DPP 2 on accuracy and retention of personal data).

Where an employer seeks to transfer personal data to a data processor (who may be located outside Hong Kong), the PDPO also contains certain obligations on a data user where it engages a data processor to process personal data on its behalf. In such circumstances, the data user must adopt contractual or other means of protection to (i) prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data, and (ii) prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. 

New Guidance on recommended model contractual clauses for cross-border transfer of personal data

On 12 May 2022, the Office of the Privacy Commissioner for Personal Data (PCPD) issued the “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (Guidance). Apart from outlining the legal requirements that currently apply to the cross-border transfer of personal data, the Guidance also provides two sets of Recommended Model Contractual Clauses (RMCs) to cater for two different cross-border data transfer situations, namely:

(i) from one data user to another data user; and

(ii) from one data user to a data processor.

The RMCs lay down the general terms which would apply to the transfer of personal data from a Hong Kong entity to another entity outside the city; or between two entities both of which are outside Hong Kong when the transfer is controlled by a local data user. 

The RMCs are drafted as free-standing clauses, such that they may be incorporated into more general commercial agreements between data transferors and data transferees. The Guidance is intended to supplement the PCPD’s 2014 Guidance on Personal Data Protection in Cross-border Data Transfer (2014 Guidance). 

Although section 33 of the PDPO is not presently in force, the Guidance recommends that data users, particularly small and medium-sized enterprises, adopt the best practices set out in the Guidance as part of their data governance responsibility to protect and respect the personal data privacy of data subjects. To ensure compliance with the requirements imposed by the PDPO, notwithstanding the transfer of data outside Hong Kong, the Guidance recommends that data users utilise the RMCs in cross-border data transfer arrangements.

Both sets of RMCs (data user to data user; and data user to data processor) also incorporate a data transfer schedule to cover the operational and technical aspects of the transfer. 

A high-level overview of the main transferee obligations addressed in the RMCs

Use / processing of personal data
  • Only use/process personal data for the purposes of transfer agreed with the transferor/designated by the transferor (or directly related purposes) and for which the personal data was collected in the first place by the transferor

Personal data not excessive
  • Ensure that the personal data transferred is adequate but not excessive in relation to the purposes of transfer

Security measures
  • Apply agreed security measures to the use/processing of the personal data

Retention of personal data
  • Retain the personal data only for a period which is necessary for the fulfilment of the purposes of transfer or for the duration of any specific retention period as agreed

Erasure of personal data
  • Take all practicable steps to erase the personal data transferred, once the retention period or the need to retain the personal data has lapsed

Inaccurate personal data
  • Take all practicable steps to ensure that the personal data is accurate, with regard to the purposes of transfer
  • Take all practicable steps to ensure that any inaccurate personal data (i) should not be used/processed unless it is rectified or (ii) should be erased

Onward transfer of personal data
  • Not make any onward transfer of personal data to any third party except as agreed by the parties in the Data Transfer Schedule or with the transferor’s consent
  • Ensure that onward transfer of personal data meets the requirements of the RMCs
  • Not make any onward transfer of personal data to any other jurisdictions except as agreed/with the transferor’s consent

Additional RMCs in the data user to data user RMCs
  • Take all practicable steps to ensure that data subjects are able to access its policies and practices in relation to the personal data
  • Comply with its obligations as a data user in respect of the access and correction rights of data subjects
  • Comply with its obligations to cease direct marketing using the personal data upon receipt of a written notice from the transferor

 

The more technical information to be contained in the data transfer schedule includes the:

  • categories of personal data being transferred
  • purposes for which the personal data is transferred
  • destinations to which the personal data will be transferred
  • maximum retention period applicable to the transfer
  • agreement on the onward transfer of the personal data which the transferee may make 
  • security measures which the transferee is required to apply to its use/processing and storage of the personal data
  • parties’ arrangements for handling data subjects’ access and correction requests

The Guidance notes that the parties may incorporate additional tailored contractual measures covering the rights and obligations in relation to the use or processing of the personal data by the transferee in light of the specific data transfer. The 2014 Guidance contains additional recommended clauses in the context of cross-border transfer of personal data such as clauses on liability and data loss notification. 

Although following the Guidance is not a mandatory obligation, it provides employers with best practice recommendations. Furthermore, the Guidance also stipulates that the adoption of the RMCs will help to show that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the jurisdiction of the transferee, be collected, held, processed, or used in any manner which, if that took place in Hong Kong, would be a contravention of a requirement under the PDPO, i.e., the Due Diligence Requirement in section 33 of the PDPO.
