By: ONC Lawyers
Hong Kong, Hong Kong (SAR)
Introduction
Employers in Hong Kong are subject to various obligations under employment-related legislation. As this legislation is revised from time to time, employers shall be aware of the changes and take the necessary action to comply with the “new” law.
New Minimum Wage Rate
With effect from 1 May 2015, the statutory minimum wage rate, which is governed by the Minimum Wage Ordinance (“MWO”), will be adjusted to HK$32.5 per hour. Therefore, employers shall ensure that wages are paid in compliance with the new minimum wage rate.
New Guidance Note for Cross-border Data Transfer
Apart from the new minimum wage rate, employers shall also be aware of the possible changes under the Personal Data (Privacy) Ordinance (“PDO”) in relation to the transfer of their employees’ personal data outside Hong Kong. Most of the provisions contained in the PDO came into effect in 1997. However, s.33 of the PDO regarding the “Prohibition against transfer of personal data to a place outside Hong Kong” has yet to come into effect. Recently, the Office of the Privacy Commissioner for Personal Data (“the Commissioner”) issued the Guidance on Personal Data Protection in Cross-border Data Transfer (“Guidance Note”) to “assist organizations to prepare for the eventual implementation of s.33 of the PDO and enhance privacy protection for cross-border data transfer”.
In its media statement for the publication of the Guidance Note, the Commissioner commented that “data is moving across borders, continuously and in greater scales……, data are stored in different jurisdictions via the cloud or by outsourcing activities to contractors around the world……electronic international data transfers are now an integral part of the global economy. It is high time for the Hong Kong Administration to have a renewed focus on the implementation of s.33 to ensure that the international status of Hong Kong as a financial centre and a data hub will be preserved.”
There is no indication as to when s.33 of the PDO will become effective. However, employers (especially those companies with related companies outside Hong Kong and companies which engage foreign contractors to process, store or deal with employees’ personal data) shall understand their obligations under s.33 of the PDO and prepare for its implementation.
Application of s.33 of the PDO
Section 33(2) of the PDO prohibits the transfer of personal data to a place outside Hong Kong unless one of the following situations applies:
1. the place is specified by the Commissioner by notice in the Gazette that there is in force in that place any law which is substantially similar to, or serves the same purposes as the PDO;
2. the data user (e.g. the employer) has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as the PDO;
3. the data subject (e.g. the employee) has consented to the transfer in writing;
4. the data user (e.g. the employer) has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject (e.g. the employee); it is not practicable to obtain the consent of the data subject in writing; and the data subject would give the consent if it was practicable to obtain such consent;
5. the exemptions under the PDO are applicable (e.g. the transfer of the personal data is for the prevention or detection of crime); or
6. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the collection, holding, processing or use of the personal data in that place will not violate the PDO if that place were Hong Kong.
Possible Preparation
The Guidance Note sets out a list of good practices for data users in relation to s.33:
1. Data users (e.g. employers) shall review their existing data transfer arrangements to identify any cross-border transfer of personal data (e.g. adopting an offshore database system, outsourcing data processing and storage functions, or sharing data with intra-group companies outside Hong Kong). If there are such data transfer arrangements, the data user shall assess whether such transfer is really necessary.
2. Data users shall control unnecessary cross-border data flow (e.g. structuring the information technology system to prohibit access or download by employees outside Hong Kong).
3. If data transfer is necessary, obtain the written consent of the data subject.
4. Data users shall keep an inventory of the personal data being transferred outside Hong Kong (if any) and monitor the handling process of the transferees, to continue to assess the associated privacy risks and to avoid such risks.
5. Contracts shall be signed between the parties to the transfer to ensure that the personal data transferred is given equivalent protection as provided in the PDO.
Conclusion
IMPORTANT: The law and procedure on this subject are very specialized and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.
For more information about ONC Lawyers, please visit the International Society of Primerus Law Firms.