Simon Cheng Managing Associate
Free Movement of Personal Data? Cross-Border Transfer vs Localisation – Part 2
In the previous part of this 2-part article, we have discussed the rules in the EU and the UK governing the transfer of personal data. But what about transferring data from Asian countries? Is there a GDPR equivalent in Asia? In this second part of the article, we will discuss the relevant rules in Hong Kong, Mainland China, India and the APEC.
The primary legislation in Hong Kong providing protection for personal data is the Personal Data (Privacy) Ordinance. Section 33 of the Ordinance specifically regulates the transfer of personal data out of Hong Kong. It is quite similar to Chapter V of the GDPR. Personal data can be transferred out of Hong Kong if the receiving jurisdiction provides an adequate level of protection, the transferor has made sure the data will be adequately protected (for example by adopting model contractual clauses for data protection), or the data subject has consented in writing.
In theory, Section 33 of the Ordinance offers strong protection for data transferred out of Hong Kong. However, it is important to note that the Section has not yet come into operation despite being enacted more than 20 years ago. In other words, the transfer of personal data out of Hong Kong is not specifically regulated (although data users should still be mindful of the other general data protection obligations imposed by the Ordinance).
The Hong Kong Government said it would “formulate the steps forward” after receiving the outcome of a study being conducted by the Office of the Privacy Commissioner for Personal Data on some issues related to the implementation of Section 33. Although it is not clear when Section 33 will come into force, it is hoped that Section 33 (embodying the principle that data transfer should be allowed as long as there is adequate protection) is an ultimate aim that will one day be realised.
Although Hong Kong and Mainland China are just on the opposite sides of a river, the latter has taken a very different approach in regulating cross-border transfer of personal data. In the EU and in Hong Kong, the major goal of the data protection laws is to protect the privacy of data subjects. In contrast, in Mainland China, the protection of national interest is a goal as important, if not important, than the protection of individuals’ privacy.
The Cyber Security Law  enacted in 2017 is China’s first comprehensive law providing protection for personal data. Article 37 of the Law provides that personal data and important data collected or generated by Critical Information Infrastructure Operators (CIIOs) within the PRC should be stored domestically. If there are genuine business needs to transfer the data abroad, the CIIOs must conduct security assessments in accordance with the measures set out by the relevant authorities. Critical Information Infrastructure is described in the Law as infrastructure that, if it is damaged, loses its functionality or there is data leakage, may seriously harm national security, people’s livelihoods or public interest. Although this is a rather wide definition, it is understood that this is not intended to include every entity that collects or generates personal data. Many of those entities will more likely be classified as Network Operators instead.
Network Operators are defined in Article 76 of the Law as owners or administrators of a Network or network service providers. Network is defined in the same article as any system comprising computers or other information terminals and related equipment which collects, stores, transmits, exchanges or processes data following certain rules or programmes. It is foreseeable that many businesses operating in China will be classified as Network Operators under these wide definitions.
The draft Personal Data and Important Data Outbound Transfer Security Assessment Measures  will, once enacted, regulate the transfer of personal data by Network Operators out of Mainland China. Similar to Article 37 of the Cyber Security Law, the draft Measures provides that personal data and important data collected or generated by Network Operators within the PRC should be stored domestically. If there are genuine business needs to transfer the data abroad, the Network Operator must first conduct security assessments on its own. And if the data to be transferred is large in scale, relates to sensitive industries or may otherwise affect national security or public interest, the security assessment will be performed by the government authorities. It is explicitly made clear in Article 11 of the draft Measures that the data must not be transferred abroad if the data subject has not consented, the transfer of data will affect national security or public interest, or when the relevant authorities decide that the data cannot be transferred abroad.
Although some subsidiary legislations are still in draft form, it is easy to see that the data protection laws in Mainland China have a heavy focus on protecting national interest. This may explain why China is requiring localisation of personal data and imposing rather stringent conditions on the transfer of personal data abroad. The Chinese Government has been fairly active on the data protection front during the first few months of 2019 in an effort to strengthen data protection in China, and further changes to the Chinese data protection legal regime is expected.
As another rapidly developing economy with a huge population, the approach India is taking as reflected in the Personal Data Protection Bill, 2018  can be said to be a combination of the EU approach and the Chinese approach. The Bill will likely be tabled in India’s legislature in June.If it is passed, it will introduce a data protection regime based on principles somewhat similar to those in the GDPR but with certain localisation requirements.
Chapter VIII of the Bill regulates the cross-border transfer of personal data. It requires that there must be at least one copy of the data stored in India. The Indian government will also be empowered to classify categories of personal data as critical personal data that shall only be processed in India. Data other than critical personal data may be transferred out of India if conditions in Article 41 of the Bill are met.
Article 41 allows transfer to a country if the Indian government decides that that country provides an adequate level of protection of personal data. This is very similar to the “adequacy” basis for transfer under the GDPR. Article 41 also allows transfer when the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Data Protection Authority of India (to be established under the same Bill). This is quite similar to the “appropriate safeguards” basis under the GDPR.
Although the Bill has not yet been adopted, there are already several types of personal data which are required to be stored in India only by virtue of other legislative documents. For example, the Notification on Storage of Payment System Data issued by the Reserve Bank of India requires that the entire data relating to payment systems must be stored only in India.
One can see from the Bill that India is willing to allow free transfer of most types of data but at the same time it wants to make sure it has control over critical data that affects national interest.
Apart from the Bill, the India Government has also recently published a draft e-commerce policy in February 2019 , which proposes further regulations on cross-border data transfer, including placing proposed restriction on the what types of data that can be transferred overseas, and in the case of sensitive data stored overseas, a proposed restriction not to share that information any other entity or third party regardless of whether consent has been given by the data subject. Similar to the Bill, the draft policy aims is to protect India’s national interest as “Indian citizens and companies should get the economic benefits from the monetization of data” .
Asia-Pacific Economic Cooperation
As this part of the article discusses the data transfer rules in Asia, it would be odd to leave out the Asia-Pacific Economic Cooperation (APEC), one of the largest inter-governmental forums in the region. It has 21 members on both sides of the Pacific Ocean, including China, Japan, Korea, Singapore, Russia, Australia, the United States, etc. APEC also has a data transfer framework called Cross Border Privacy Rules (CBPR). Before we go on to discuss the CBPR, it is important to note that the CBPR is a voluntary system which APEC members may join. Currently, there are 8 economies participating in the CBPR: the United States, Mexico, Japan, Canada, Singapore, South Korea, Australia and Taiwan, with more expected to join soon. 
Organisations in the participating economies may apply to be CBPR-certified. A requirement of certification is that the organisation provides protection to personal data at a level not lower than that required by the CBPR. As the CBPR does not displace the domestic law of a participating economy, whether a CBPR-certified organisation can freely transfer data across the border still depends on domestic laws. Nonetheless, the certification will help organisations earn the trust of customers and business partners. A person who wishes to export personal data will likely pick a CBPR-certified organisation over one that is not so certified to be the recipient of data.
While CBPR is arguably less powerful than the EU GDPR due to its voluntary nature, it is still helpful in facilitating data transfer for those who is willing to embrace it.
It is expected that an increasing number of jurisdictions will enact or reform their data protection laws in this era of data. At first sight, it would appear that the freedom to transfer personal data across the border has become more restricted. This is indeed true when compared to the time when there is a lack of modern data protection laws. However, one cannot expect the legal vacuum to last forever on a matter with great public importance. To look on the bright side, the ways in which one can transfer personal data across the border is now more clearly defined so there is less uncertainty as to what can be done and what cannot. Although some jurisdictions are relatively conservative when it comes to data affecting national interest, many others are showing signs that they are willing to allow the cross-border transfer of personal data as long as the data can be adequately protected, and this will likely remain the trend in the future.
 As stated in the draft policy - https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf