
The regulatory trend for cross-border data transfers: A (temporary) step away from globalisation?

2021-09-29



Introduction


When Australia and Hong Kong entered into a landmark bilateral free trade agreement back in 2019, one of the cornerstone features of the agreement was both jurisdictions' declaration of commitment to the policy of free flow of data. Such policies reflect the growing importance of services and investment to trade: the liberalisation of trade is no longer just about tariffs, but also has a digital emphasis, with data flows gaining ever greater importance for trading in services (e.g. e-commerce) and for investing in foreign markets.


Suffice it to say, much has happened since the early months of 2019. With nations around the world backtracking from globalisation (for the time being at least) owing to political intrigues, such divides are echoed in some reversals of cross-border data transfer policies.



Current events


Fast-forward to 2021: as the polarisation of geopolitics continues, China has recently implemented a number of data protection and data control policies. Following the Cybersecurity Law of 2017, the Data Security Law of China came into force on 1 September 2021, limiting cross-border data transfers from China unless a security assessment is satisfied. Another piece of similar legislation, namely the Personal Information Protection Law (the “PIPL”), was passed in August 2021 and will take effect on 1 November 2021.


The enactment of the Data Security Law and PIPL would appear to be a backtracking of the region’s previous commitment to free flow of data as between party states (notably, ASEAN members).


As seen from the General Data Protection Regulation (the “GDPR”) in the EU, enacted in 2016, and various federal and state privacy laws in the US, governments worldwide have acknowledged the need to ensure adequate data protection laws are in place in order to protect their constituents. Yet a balance must also be struck with policy, as the free flow of data is a cornerstone of the global digital economy. Overzealous regulation may end up suffocating this new economy.


Given the extraterritorial effect of existing laws, however, companies are expected to face great compliance hurdles when transmitting customer data overseas. Further, with the rapid rollout of 5G networks globally, the world must also be prepared to handle new cyber threats built on these new technologies (greater computing power leads to more sophisticated threats).



Limitations on data flow under the new PIPL


While many multinational companies are still trying to orientate themselves after the sudden announcement of the new Data Security Law, the need to recalibrate business operations became more pressing with the passing of the PIPL. Under the PIPL, entities must obtain consent from each data subject when seeking to transfer personal information overseas.


Further, a unique feature of the PIPL is the security assessment requirement, conducted by the authority, which applies not only to a “critical information infrastructure operator” as it does under the Cybersecurity Law, but also to other companies whose volume of stored information exceeds a “designated threshold”.


Other requirements that go in tandem include obtaining a “personal information certificate” from a professional institution and signing a contract, drafted by the authority, with overseas information recipients.



Comparison with other regulatory developments in other major economies


European Union


The GDPR is renowned for its stringent requirements and wide coverage. It applies to all organisations which target and collect data from EU residents. Since the GDPR first came into operation in 2016, general transfer of data to countries outside the EU and the European Economic Area has been prohibited, unless the recipient’s country has obtained an adequacy decision from the European Commission for having a data protection regime satisfactory to the Commission. The sending entity should also put in place comprehensive protection for the data.


Under the GDPR, the European Commission has the power to create standard contractual clauses (the “SCCs”) as an appropriate safeguard for transfers of personal data to third countries that have not obtained adequacy decisions. In June 2021, new sets of SCCs were introduced to replace the decade-old clauses, taking into account the ruling of the Court of Justice of the EU in July 2020 in the landmark Schrems II (Case C311/18) judgment. The judgment invalidated the regulatory framework (the EU-US Privacy Shield) that allowed the free transfer of data from the EU to certified companies in the US, because the far-reaching powers conferred on the US authorities in relation to personal data collection rendered US data protection law not commensurate with EU standards. In the Schrems II judgment, the Court concluded that a case-by-case transfer impact assessment should be conducted to determine whether the personal data will be sufficiently protected.


The recommendation paper published in November 2020 (revised in June 2021) by the European Data Protection Board (the “EDPB”) provides guidance on the substance of the transfer impact assessment by proposing a six-stage process to assess the risks related to transfers:


· Step 1 – Identifying data transfers, including onward transfers and sub-processing chains.

· Step 2 – Identifying the GDPR transfer tools that are relied on, such as SCCs, binding corporate rules, codes of conduct, etc.

· Step 3 – Where relying on SCCs or binding corporate rules, assessing whether the tool is effective in light of all circumstances of the transfer, including the third country’s laws.

· Step 4 – Adopting supplementary measures where necessary.

· Step 5 – Considering whether any procedural steps are required.

· Step 6 – Re-evaluating at appropriate intervals.


The EDPB published another recommendation paper on the European Essential Guarantees (the “EEGs”) in November 2020 to provide further guidance on assessing whether the surveillance laws of a third country are justifiable in accordance with EU standards of protection. The paper establishes that four EEGs must be considered: (i) data processing should be based on clear, precise and accessible rules; (ii) necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated; (iii) an independent and impartial oversight mechanism must exist that has the power to adopt decisions that are binding and can be relied upon by data subjects; and (iv) effective remedies must be available to individuals through redress rights and notification, to enable the effective exercise of their rights.


United States


There is yet to be an overarching federal law governing data protection in the US. Instead, data transfer is governed by state and sectoral policies, the most comprehensive of which is the California Consumer Privacy Act, which came into effect in 2020. Despite its widely recognised strict data privacy laws, the US does not have any policy keeping data within its borders. Notwithstanding that the US welcomes cross-border data export and import with open arms, countries with more demanding protection standards still back off in the face of the robust investigative powers of US enforcement agencies. If the US remains apathetic to the global reaction, it is likely that a bar on the flow of data would be imposed between the US and the rest of the world, and decisions such as Schrems II may be rendered again against the US.



How about Hong Kong?


Data protection has long been on the agenda of the Hong Kong legislature. Since 1995, a cross-border personal data transfer restriction has been incorporated into the Personal Data (Privacy) Ordinance (Cap 486) (the “PDPO”) under section 33. However, section 33 has not been brought into operation although years have passed. Even though section 33 has yet to be put into effect, under the Data Protection Principles provided in the PDPO, data users are required to, among other things, obtain prescribed consent for a change of use and adopt contractual or other means to prevent unauthorised access to or prolonged processing of the data.


Although the global trend of heightened restrictions and the gesture of the Chinese government may lead to the implementation of section 33 in the future, in view of the potential adverse impact on the free flow of information, which is pivotal to cross-jurisdictional business operations, any decision of the Hong Kong legislators would be expected to balance commercial viability against legal requirements – a unique attribute of the Hong Kong system. That having been said, the fact that the legislation has yet to undergo any major revamp since its inception decades ago may call for further amendments with reference to standards and practice in other jurisdictions.



Takeaway


Valuable business data is now widely used to develop new products or services, or to make existing products or services more profitable. While companies are gaining expertise in exploiting its economic value, a global trend of rigorous restrictions may not only limit the potential of data for business development, but also leave companies exposed to legal risks.


Hong Kong, which has adopted an open position towards cross-border transfers of data, has maintained its position as a safe harbour for multinational companies engaged in frequent data transfers. That said, recent restrictions under the nationwide privacy law may threaten the free trade agreements between Hong Kong and other jurisdictions. Companies should (i) stay alert and implement appropriate safeguards; (ii) review existing contracts that rely on bilateral agreements between Hong Kong and other jurisdictions to provide contingency in the event that these agreements are suspended; (iii) structure new contracts properly to pre-empt sudden changes in policy and distribute risks between contracting parties to help preserve business ties; and (iv) where companies have entered into agreements on data transfer, avoid any chance of default and/or agree mitigation plans in the event of such a suspension of data transfer arrangements, for instance by signing addendums to give effect to such contingency as appropriate.



For enquiries, please feel free to contact us at:

E: techcyber@onc.hk    T: (852) 2810 1212
W: www.onc.hk    F: (852) 2804 6311

19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong

Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Published by ONC Lawyers © 2021


Our People

Dominic Wai
Partner