Overseas Jurisdictions
This policy only relates to the Hong Kong law requirements on personal data privacy. However, there may be situations where the personal data privacy requirements of overseas jurisdictions will also be relevant. For example, when the University needs to enter into a collaboration contract with an academic institution abroad and personal data will be handled by both parties. When the laws of more than one jurisdiction are relevant, there may be conflicting legal requirements on personal data privacy.
The possible handling of a situation where there is a conflict of legal requirements depends on the actual facts. Relevant factors may include where the data is held and where it is processed. Specific advice will need to be sought in the event of an actual case of conflict arising.
It is therefore better to try to avoid situations of conflicting legal requirements and see how differences can be mitigated upfront. A good starting point in situations where there are cross- border personal data needs is to try to enter into a contract governed by Hong Kong law, where possible. Staff could then require the overseas institution to have the contract reviewed for compliance with their local laws. If the contract needs to be governed by foreign law, it should be reviewed to ensure that provisions relating to personal data would also suit Hong Kong law compliance. Staff should carefully consider what their personal data needs are during the contract negotiation stage so that appropriate arrangements that are compatible with the laws of both jurisdictions could be set out in the contract to minimize the risk of uncertainty later on. For example, whether there is a specific need for the school/department/unit/office to access certain personal data such that if access is not granted, the school/department/unit/office won’t be able to carry out a particular function (e.g. print academic certificates).
Staff should also be mindful of section 33 of the Personal Data (Privacy) Ordinance. Section 33 prohibits the transfer of personal data to a place outside Hong Kong unless one of the preconditions are satisfied. Normally, the easiest precondition to satisfy is to ensure the data subject has consented in writing to the transfer. It is important to note that section 33 is currently not yet in force and there is no timeline when it will come into operation. However, as good practice data users are encouraged to comply with it as if it is already in force so that when it does take effect they would already be in compliance with the requirements. Broadly speaking, if a data subject signs a Personal Information Collection Statement that informs the data subject that his/her personal data will be transferred outside Hong Kong, this should be sufficient for section 33 purposes. The Office of the Privacy Commissioner on Personal Data has issued a guidance note on section 33. Staff dealing with situations involving cross-border personal data needs should further consult this guidance note which can be accessed at: https://www.pcpd.org.hk/english/resources_centre/publications/files/GN_crossborder_e.pdf
Staff are also reminded that situations involving cross-border personal data needs can be complicated and there will likely be differences in legal requirements on the subject of personal data privacy. Each case turns on its own facts. Therefore, in situations where there are cross- border personal data needs, staff should seek specific legal advice on how to ensure personal data privacy requirements of the relevant jurisdictions are complied with while addressing actual personal data needs.