The regulatory trend for cross-border data transfers: A (temporary) step away from globalisation?
Introduction
When Australia and Hong Kong entered into a landmark bilateral free trade agreement back in 2019, one of the cornerstone features of the agreement was both jurisdictions' declaration of commitment to the policy of free flow of data. Such policies reflect the growing importance of services and investment to trade, where the liberalisation of trade is no longer just about tariffs but also has a digital emphasis, with the impact of data flows on trading services (e.g. e-commerce) and investing in foreign markets gaining ever greater importance.
Suffice it to say, much has happened since the early months of 2019. With nations around the world backtracking from globalisation (for the time being at least) owing to political intrigues, such divides are echoed in some reversals of cross-border data transfer policies.
Current events
Fast-forward to 2021: as the polarisation of geopolitics continues, China has recently implemented a number of data protection and data control policies. Following the Cybersecurity Law of 2017, the Data Security Law of China came into force on 1 September 2021, limiting cross-border data transfer from China unless a security assessment is satisfied. Another piece of similar legislation, namely the Personal Information Protection Law (the “PIPL”), was also passed in August 2021 and will take effect on 1 November 2021.
The enactment of the Data Security Law and the PIPL would appear to be a backtracking of the region’s previous commitment to the free flow of data between party states (notably, ASEAN members).
As seen from the General Data Protection Regulation (the “GDPR”) in the EU enacted in 2016 and various federal and state privacy laws in the US, governments worldwide have acknowledged the need to ensure adequate data protection laws are in place in order to protect their constituents. Yet a balance must also be struck with policy, as the free flow of data is a cornerstone of the global digital economy. Overzealous regulation may end up suffocating this new economy.
Given the extraterritorial effect of existing laws, however, companies are expected to face significant compliance hurdles when transmitting customer data overseas. Further, with the rapid roll-out of 5G networks globally, the world must also be prepared to handle new cyber threats based on these new technologies (greater computing power leads to more sophisticated threats).
Limitations on data flow under the new PIPL
While many multinational companies are still trying to orient themselves after the sudden announcement of the new Data Security Law, the need to recalibrate business operations became more pressing with the passing of the PIPL. Under the PIPL, entities must obtain consent from each data subject when seeking to transfer personal information overseas.
Further, a unique feature of the PIPL is the security assessment requirement, conducted by the authority, which applies not only to a “critical information infrastructure operator” as it does under the Cybersecurity Law, but also to other companies whose volume of stored information exceeds a “designated threshold”.
Other requirements that apply alongside this include obtaining a “personal information certificate” from a professional institution and signing a contract drafted by the authority with overseas information recipients.
Comparison with regulatory developments in other major economies
European Union
The GDPR is renowned for its stringent requirements and wide coverage. It applies to all organisations that target EU residents and collect their data. Since the GDPR first came into operation in 2016, the general transfer of data to countries outside the EU and the European Economic Area has been prohibited, unless the recipient’s country has obtained an adequacy decision from the European Commission for having a data protection regime satisfactory to the Commission. The sending entity should also put in place comprehensive protection for the data.
The recommendation paper published in November 2020 (revised in June 2021) by the European Data Protection Board (the “EDPB”) provides guidance on the substance of the transfer impact assessment by proposing a six-stage process to assess the risks related to transfers:
· Step 1 – Identifying data transfers, including onward transfers and sub-processing chains.
· Step 2 – Identifying the GDPR transfer tools relied on, such as SCCs, binding corporate rules, codes of conduct, etc.
· Step 3 – Where relying on SCCs or binding corporate rules, assessing whether the tool is effective in light of all circumstances of the transfer, including the third country’s laws.
· Step 4 – Adopting supplementary measures where necessary.
· Step 5 – Considering whether any procedural steps are required.
· Step 6 – Re-evaluating at appropriate intervals.
The EDPB published another recommendation paper on the European Essential Guarantees (the “EEGs”) in November 2020 to provide further guidance on assessing whether the surveillance laws of a third country are justifiable in accordance with EU standards of protection. The paper establishes that four EEGs must be considered: (i) data processing should be based on clear, precise and accessible rules; (ii) necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated; (iii) an independent and impartial oversight mechanism must exist that has the power to adopt decisions which are binding and can be relied upon by data subjects; and (iv) effective remedies must be available to individuals through redress rights and notification, to enable the effective exercise of their rights.
United States
There is as yet no overarching federal law governing data protection in the US. Instead, data transfer is governed by state and sectoral laws, the most comprehensive of which is the California Consumer Privacy Act, which came into effect in 2020. Despite its widely recognised strict data privacy laws, the US does not have any policy keeping data within its borders. Notwithstanding that the US welcomes cross-border data export and import with open arms, countries with more demanding protection standards still back off in the face of the robust investigative powers of US enforcement agencies. If the US remains apathetic to global reaction, it is likely that a bar on the flow of data would be imposed between the US and the rest of the world, and decisions such as Schrems II may be rendered again against the US.
How about Hong Kong?
Data protection has long been on the agenda of the Hong Kong Legislature. Since 1995, a cross-border personal data transfer restriction has been incorporated into the Personal Data (Privacy) Ordinance (Cap 486) (the “PDPO”) under section 33. However, section 33 has not been brought into operation, although years have passed. Even though section 33 has yet to be put into effect, under the Data Protection Principles provided in the PDPO, data users are required, among other things, to obtain prescribed consent for any change of use and to adopt contractual or other means to prevent unauthorised access to or prolonged processing of the data.
Although the global trend of heightened restrictions and the gesture of the Chinese government may lead to the implementation of section 33 in the future, in view of the potential adverse impact on the free flow of information, which is pivotal to cross-jurisdiction business operations, any decision of the Hong Kong legislators would be expected to balance commercial viability against legal requirements – a unique attribute of the Hong Kong system. That having been said, the fact that the legislation has yet to undergo any major revamp since its inception decades ago may call for further amendments with reference to standards and practice in other jurisdictions.
Takeaway
Valuable business data are now widely used to develop new products or services, or to make existing products or services more profitable. While companies are gaining expertise in exploiting their economic value, a global trend of rigorous restrictions may not only limit the potential of data for business development, but also leave companies vulnerable to legal risks.
For enquiries, please feel free to contact us at:
E: techcyber@onc.hk
T: (852) 2810 1212
19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong
Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.
Published by ONC Lawyers © 2021