Catch 33: Don’t send staff personal data to the wrong country
With the proliferation of cloud computing and the outsourcing of human resources and other personnel-related functions, employees need to be protected from having their personal information sent to countries that have no or insufficient data protection laws.
The Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995 to establish a legislative framework for the protection of personal data. However, section 33, which deals with cross-border transfer of such data, is not yet in operation. A recent guidance note from the office of the Privacy Commissioner for Personal Data (PCPD) suggests that position might change soon.
All companies that hold personal data of their employees should ensure they understand their compliance obligations once section 33 comes into effect and take steps to ensure their existing arrangements are compliant.
Once it comes into effect, section 33 will prohibit the transfer of personal data from Hong Kong and between two other jurisdictions where the transfer is controlled by a Hong Kong data user, unless a statutory exception applies. This restriction is of particular relevance to employers, especially those who outsource certain functions (such as payrolls) to service providers in low-cost jurisdictions or who have offices in various countries.
This will inevitably be of interest to multinationals whose normal business operations involve the transmission of personal data between different offices for purposes relating to the business and the management of employees.
The prohibition applies not only to the transmission of data outside Hong Kong, but also to such data being made available from outside the city (for example via a centralised database or cloud storage), even where the servers themselves are located in Hong Kong.
Where data is transferred only to, or accessed only by, individuals located in a jurisdiction that has in force a data protection regime substantially similar to the PDPO, or one that serves the same purposes as the ordinance, the transfer will not fall foul of the section 33 prohibition. The PCPD will issue a white list of jurisdictions to which personal data can be transferred without breaching section 33.
While the PCPD will need to make its own assessment of the adequacy of legislation in particular recipient jurisdictions, it could reasonably be expected that the white list published by the PCPD will overlap in many instances with, for example, the list of countries determined by the European Commission as having adequate protection in place. That list includes New Zealand and Canada. Notably, however, the European Commission does not recognise the US as having adequate legislative protection for personal data. Businesses with operations in that jurisdiction will likely need to consider taking additional steps to ensure that another exception applies.
A further important exception applies when employers have taken all reasonable precautions to ensure personal data will not be handled in a manner that would be a contravention of PDPO. This might involve imposing contractual obligations for compliance on a third-party provider to whom data is to be transferred.
Companies with links to the United States should find out whether the recipient has signed up to the US Department of Commerce's voluntary Safe Harbour Scheme. They should obtain an assurance from the recipient that it complies with its obligations under that scheme.
It is unclear whether the PCPD will adopt the same approach, but the European Commission has taken the view that personal data sent to the US under the voluntary Safe Harbour Scheme will be considered to be subject to adequate protections.
In the case of intra-group transfers, companies may choose to adopt non-contractual means of satisfying this exception. This includes the implementation of adequate internal safeguards, policies and procedures that apply to the group as a whole and serve as a baseline protection for the processing of employee data in all jurisdictions.
The Written Consent
Another exception will be in cases where the employee has consented to the transfer in writing. This is a more onerous burden than that which currently exists under the PDPO. For the most part, the PDPO requires that employees be informed of certain information regarding the handling of personal data, but falls short of requiring their consent.
Employers who transfer employees' personal data outside of Hong Kong, or who use cloud storage solutions, should ensure that the terms of their arrangements are subject to a standard of protection at least comparable to that under the PDPO; that the transferee will protect, retain, store and destroy personal data in its possession in full compliance with the PDPO, and will only process and use the data according to the written instructions of the data user; and that the employer retains a right to control access to the data and to conduct audits.
Employers should also consider revisiting and, where appropriate, updating their employment documentation for compliance. Such documents would typically include contracts of employment, personal information collection statements issued to employees and job applicants, personal data or privacy policies, and procedures for the handling of personal data.
Gareth Thomas is head of Herbert Smith Freehills’ HK commercial litigation team, and is responsible for the Greater China employment practice.
Gillian McKenzie is an associate in the Hong Kong employment practice and has a wide range of experience in employment matters.
Herbert Smith Freehills has 2,800 lawyers and 460 partners in over 20 offices globally. It advises on dispute resolution and employment, among other areas.