Fact Sheet No. 1, April 1997
TRANSFER OF PERSONAL DATA OUTSIDE HONG KONG: SOME COMMON QUESTIONS
6. Should all agreements regulating transfers outside
Hong Kong be contractual?
In most circumstances, an agreement is unlikely to provide
sufficient protection to discharge the due diligence requirement
unless it is legally binding. However, the terms of the model
contract also provide a useful basis for non-contractual agreements
providing for the protection of personal data following transfer.
There are at least two situations where non-contractual agreements
are likely to be adhered to notwithstanding their non-binding
nature:
- Agreements between a company and an overseas affiliate
where identical internal procedures are applicable.
- Agreements between data users who are both subject to
an acceptable international code of practice applying to
the processing of personal data in the relevant sector.
7. What are the limitations of contractual and other agreements?
The model contract will be adequate as regards simple point-to-point
transfers between parties in different jurisdictions but is
less suitable for more sophisticated transfers passing through
various intermediate data processing entities who make sub-transfers
of the data. In these circumstances, a vertical chain of agreements
would be required.
8. Does section 33 cover telecommunication service providers
transmitting personal data for other data users?
The provision only applies to a "data user". Section 2(12)
of the Ordinance provides that a person who is merely transmitting
data on behalf of another and not for any of his own purposes
is not a data user in relation to that data. Accordingly, the
person using the means of telecommunication to transfer the
data, but not the service provider, will be subject to section
33.
9. Is section 33 in force yet?
When the other provisions of the Ordinance were brought into
force on 20 December 1996, the operation of section 33 (together
with s.30 regulating data matching) was delayed. A reason
for this was to enable the Privacy Commissioner to prepare
and issue this guidance on appropriate contractual terms.
10. When will section 33 be brought into force?
There is no specific date yet, but the issue of the model
contract will facilitate the provision being brought promptly
into force.
11. What other requirements of the Ordinance govern transfers
outside Hong Kong?
Section 33 supplements the application of data protection
principle 3, which requires that all transfers of personal
data (whether effected in or from Hong Kong) accord with the
purpose for which the data were collected. Furthermore, if,
following their transfer, control is retained over the data
by the Hong Kong data user, all the other provisions of the
Ordinance continue to apply.
12. What is the role of the Hong Kong Privacy Commissioner
regarding transfers?
The Privacy Commissioner's prior consent is not required
for transfers outside Hong Kong. It is up to the data user
to fulfill one of the requirements mentioned in the answer
to question 3. The Privacy Commissioner has the power to investigate
suspected breaches either in response to a complaint or on
his own initiative. If he concludes that a contravention is
likely to be repeated, he can issue an enforcement notice.
Contravention of an enforcement notice is an offence under
section 64(7). A contravention of section 33 is also an offence
under section 64(10) and hence may be the subject of a prosecution.
