Privacy Law and Policy Reporter
The Hong Kong Privacy Commissioner has issued a Model Contract to assist data users in complying with s 33 of Hong Kong’s Personal Data (Privacy) Ordinance. Section 33 covers two types of transfers of personal data:
(i) transfers from Hong Kong to a place outside Hong Kong; and
(ii) transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user.
Section 33 is not yet in force, although the other provisions of the Ordinance came into force on 20 December 1996 (see 3 PLPR 179). The Commissioner notes that one reason for this ‘was to enable the Privacy Commissioner to prepare and issue this guidance on appropriate contractual terms’, and that its issue will ‘facilitate the provision being brought promptly into force’. Hong Kong personal data export restrictions may therefore become a reality for Australian businesses well before the European Union’s restrictions take effect in October 1998.
The Model Contract is contained in Fact Sheet No. 1 Transfer of Personal Data Outside Hong Kong: Some Common Questions (accessible on the Commissioner’s web site at http://www.pco.org.hk/info/fact.html), issued in April 1997.
The Commissioner explains the purpose of the Model Contract:
Section 33 of the Personal Data (Privacy) Ordinance prohibits the transfer of personal data to places outside Hong Kong unless one of a number of conditions is met. One of these conditions is that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data concerned are given equivalent protection to that provided for by the Ordinance. One method for achieving this is for the parties to the transfer to enter into a contract, or other acceptable agreement applying the data protection principles to the data upon its transfer to the place outside Hong Kong. The main purpose of this Fact Sheet is to assist data users in complying with section 33 in this manner.
Section 33 requires at least one of the following requirements to be satisfied before a data user may transfer personal data outside Hong Kong:
In relation to this last requirement, the Commissioner considers that:
The law of contract and similar agreements represent the principal mechanism whereby transfers may fulfil this requirement of due diligence. The contract, or other agreement, would be between the data user transferring the personal data and the recipient.
To assist data users adopting this contractual solution, the Privacy Commissioner has prepared a model contract. The clauses of the model contract are based on an agreement jointly prepared by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce. They have been adapted to meet the requirements of the Ordinance.
The Commissioner notes that there are limits on when such a contract will suffice:
In most circumstances, an agreement is unlikely to provide sufficient protection to discharge the due diligence requirement unless it is legally binding. However, the terms of the model contract also provide a useful basis for non-contractual agreements providing for the protection of personal data following transfer. There are at least two situations where non-contractual agreements are likely to be adhered to notwithstanding their non-binding nature:
- agreements between a company and an overseas affiliate where identical internal procedures are applicable;
- agreements between data users who are both subject to an acceptable international code of practice applying to the processing of personal data in the relevant sector.
The model contract will be adequate as regards simple point-to-point transfers between parties in different jurisdictions but is less suitable for more sophisticated transfers passing through various intermediate data processing entities who make sub-transfers of the data. In these circumstances, a vertical chain of agreements would be required. ...
Furthermore, if following their transfer, control is retained over the data by the Hong Kong data user, all the other provisions of the Ordinance continue to apply.
The Hong Kong Ordinance’s ‘due diligence’ exception to data export restrictions, on which the effectiveness of this supplier-recipient contract is based, does not have an exact equivalent in the European Union’s privacy Directive (see (1995) 2 PLPR 105 for discussion). It is still an open question whether and when supplier-recipient contracts, which do not in themselves afford any contractual rights to the person whose privacy is affected, will constitute ‘sufficient guarantees’ under Art 26(2) of the Directive.
Graham Greenleaf, General Editor.