Firms should review whether their commercial agreements contain requirements equivalent to the recommended model contractual clauses.
The adoption of technology in the financial services sector (commonly referred to as fintech) has rapidly accelerated in recent years, from the implementation of electronic payments and remittances (e.g. e-wallets), financial investment technology (e.g. robo-advisors and algorithmic trading) and open application programming interfaces (APIs) for exchanging data, to data analytics that support the operations of financial institutions (e.g. credit scoring), to the increasing use of blockchain and distributed ledger technology (DLT) and cryptocurrency, and migration to digital virtual asset platforms.
A core component of fintech is the collection, use and analysis of data in its various forms and the need to transfer such data across geographical boundaries as part of a financial organisation’s business, whether this be to an intra-group company located offshore or to an outsourced service provider providing fintech or other support functions back to the financial institutions.
Against the backdrop of globalised financial business operations and increasing digitalisation (especially in the financial services sector) in the handling of personal data, Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) recently released new Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (2022 Guidance). The new guidance serves as a timely reminder to multinational corporations (especially multinational financial institutions) transferring personal data outside Hong Kong of their responsibility to ensure that adequate data privacy protections are built into their contracts.
The 2022 Guidance supplements the previous version issued in 2014 and updates the recommended model contractual clauses (RMCs). It is intended to assist organisations in crafting appropriate contractual terms for effecting such transfers within Hong Kong’s data privacy regime. While the cross-border transfer controls are not yet in full effect, it is recommended that organisations operating in Hong Kong implement the updated RMCs appended to the 2022 Guidance in their commercial contracts as a matter of best practice.
Building on existing foundations
In the 2014 Guidance, the PCPD maintained that while Section 33 (s.33) of the Personal Data (Privacy) Ordinance (PDPO) – which imposes controls on cross-border data transfers outside Hong Kong – was not yet in operation, data users were still encouraged to follow that regime as part of their corporate governance responsibility to protect personal data.
Simply put, data users were recommended not to transfer personal data outside Hong Kong unless one of a set of conditions was met, one of which involved putting in place contractual clauses between the parties to fulfil the data user’s obligation to take all reasonable precautions and exercise due diligence before permitting cross-border transfers. However, eight years on and even with the latest 2022 Guidance, there has yet to be any government indication of when s.33 of the PDPO will be brought into operation.
Key aspects of the 2022 Guidance and RMCs
The new RMCs contained in the 2022 Guidance are similar in substance to the 2014 version but cover the typical PDPO requirements in a more “user friendly” format. They also conveniently cover two cross-border data transfer scenarios:
- transfers from a data user (who controls the collection, holding and processing of personal data) to another data user; and
- transfers from a data user to a data processor (who processes personal data on behalf of another person/entity).
Furthermore, the latest RMCs have been categorised to target the various PDPO requirements of purpose limitation, security, retention and erasure, accuracy and transparency, as well as onward transfers.
The 2022 Guidance appears to acknowledge the complex and long-term nature of multinational corporations’ outsourcing arrangements, as it encourages data users to include additional contract assurances as appropriate. These include rights and obligations around reporting transferees’ data security tests and reviews, audit and inspection of transferees’ systems, notifications of data security breaches, and regulatory compliance support and co-operation with data access and correction requests.
What does this mean for the financial institutions operating in Hong Kong?
The PCPD recommends that where cross-border transfers of personal data outside Hong Kong are required, data users should incorporate the updated RMCs (whether in their self-contained form or as adapted equivalents) into their commercial agreements, which include data transfer agreements, services agreements involving data transfers, and outsourcing agreements.
Whilst the 2022 Guidance and RMCs are considered best practice guidance, much of the subject matter covered by the RMCs represents existing data privacy requirements applicable to organisations operating in Hong Kong that are subject to the data protection principles under the PDPO. Conveniently, these types of model contractual clauses are consistent with the standard contractual requirements relating to cross-border data transfers imposed by other leading data privacy regimes (such as the EU’s General Data Protection Regulation (GDPR)).
The use of the RMCs or their equivalent can give a data user transferring personal data outside Hong Kong confidence that such transfers comply with the PDPO, including s.33 once it is brought into force, and that adequate data protection measures are in place. It can also help demonstrate that a local or multinational organisation or financial institution has exercised reasonable due diligence and put adequate protections in place when defending against any suspected or alleged breach of the PDPO.
The 2022 Guidance acknowledges that the RMCs do not need to be adopted verbatim, as the PCPD understands that many organisations, such as global financial corporations, already have existing data transfer or other services agreements in place which may already address the subject matter or substance of the applicable RMCs. An example is those financial institutions in Hong Kong regulated by the Hong Kong Monetary Authority (HKMA), which will already have met the outsourcing requirements under the Supervisory Policy Manual SA-2 Outsourcing where related data transfers outside Hong Kong are involved, and will have considered key publications such as the HKMA’s General Principles for Technology Risk Management, the HKMA’s Guidelines on Outsourcing and the IOSCO Principles on Outsourcing of Financial Services for Market Intermediaries when crafting their relevant documentation.
Business organisations and financial institutions based, and operating, in Hong Kong should therefore take steps to review and confirm if their current and future commercial agreements contain requirements equivalent to the RMCs with their suppliers and other business parties, before undertaking cross-border data transfers outside Hong Kong.
Considerations for data transfers to and from the European Union (EU) and mainland China
While the updated RMCs cover some topic areas similar to the standard contractual clauses (SCCs) used under the EU’s GDPR and mainland China’s Personal Information Protection Law (PIPL) for effecting cross-border transfers, it is important to note that the updated RMCs should not be taken as compliance with those data privacy regimes or considered an alternative to those SCCs. This will be particularly important from the perspective of a multinational financial institution that is governed by the GDPR and that will need to use the SCCs as the basis for its transfers of personal data from the EU to Hong Kong. The mainland China equivalent SCCs under the PIPL have not yet been released in final form, but current indications are that they will likely adopt many themes from the EU’s SCCs.
Nevertheless, data users are still required to ensure that an adequate level of protection is provided to comply with the applicable data privacy regime when transferring personal data from those jurisdictions (whether the EU or mainland China) to an outside jurisdiction. Given that the 2022 Guidance has indicated that substantially equivalent clauses can be used by multinational organisations, it is likely that many financial institutions looking to transfer data from jurisdictions such as the UK/EU and/or mainland China to Hong Kong SAR, and to receive data from Hong Kong in return, will adopt the more comprehensive set of data transfer contract clauses (such as the EU SCCs), implement international information security management standards and certification (such as ISO/IEC 27001), and add any local supplements needed to address the RMCs to the extent not already covered.
The 2022 Guidance is a timely reminder of the added complexities of contractual data privacy compliance, as well as data privacy expectations from regulators for multinational financial institutions operating in an increasingly digitalised world where cross-border data transfers are fundamental to everyday operations.
The article is authored by Albert Yuen, Counsel & Head of Technology, Media & Telecoms – Hong Kong, Linklaters and Eunice Lee, Associate, Linklaters.