This has now changed, with the privacy laws of Québec, Hong Kong and Taiwan all imposing such restrictions, and Australia proposing similar restrictions as discussed above.
The Québec limitation is therefore confined to ensuring that the `finality' principle is observed in relation to exported data, and does not require that the recipient observe other principles such as subject access and correction rights, or adequate security.
The Québec restriction also applies to other Canadian provinces (`outside Québec'), a matter of considerable interest to other federations like Australia. It is therefore likely that the Québec law will increase the pressure on other Canadian provinces (or the Canadian federal government) to enact comprehensive privacy laws.
(a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Part VIII (`domestic purposes', `security', `crime prevention', `health', reporting news, and some others); or
(f) `the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.
Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66).
The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which `is controlled by a data user whose principal place of business is in Hong Kong'. Such a `Hong Kong business' cannot therefore set up an `offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong. For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33[48].
The rest of the Ordinance came into force on 20 December 1996, but s33 and s30 (concerning data matching) have not been proclaimed. A spokesman for the Secretary for Home Affairs said this was because users considered that they needed more guidance from the Privacy Commissioner, and was in line with a recommendation by the Commissioner.
Will the Hong Kong law survive? The Preparatory Committee (the People's Republic of China's `shadow' government for Hong Kong) has recommended the scrapping or amendment of fifteen Hong Kong laws protecting human rights. The recommendations have been made preparatory to the PRC assuming control of Hong Kong in July. Neither the Personal Data (Privacy) Ordinance as a whole, nor the s33 restriction, has (at least at this stage) been included. The Legal Subgroup of the Preparatory Committee has only recommended that s3(2) of the Ordinance (concerning inconsistency with other laws) be repealed.
(i) to protect Taiwan's national interests;
(ii) where specially provided for in an international treaty or agreement;
(iii) `Where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party'; and
(iv) `To indirectly transmit to and use from a third country personal information so as to evade control of this law'.
The third reason is similar to the EU's requirement for `adequate protection'. The fourth reason is novel, as it explicitly allows prohibition of transfers to countries with `adequate' laws, if this is a sham to allow further transmission to a country without adequate laws. `Dirty data havens', beware!
Enforcement Rules (regulations) are required to implement the Act. Business organisations in Taiwan have made submissions requesting more certainty in the international transfer provisions, possibly in the form of a regulation naming countries with `adequate' laws - in which list they suggest Australia and the USA, for reasons best known to themselves!
Section 33 of the Hong Kong Ordinance closes this loophole, intentionally[50]. In contrast, Québec's s17 does not apply to data which has been imported into Québec (say, from the EU) about persons residing outside Québec, so it does not `close the loophole'.
The second approach, exemplified by the Hong Kong and Québec laws, and the previous Australian proposals, imposes an obligation on any data user who proposes to export personal data to ensure that there is some form of adequate protection in the jurisdiction of the recipient, and makes it a breach of the law by the data user to fail to do so, for which the data subject can take proceedings to obtain compensation or other remedies.
The two approaches can be combined in effect, as they are in the Hong Kong Act and the previous Australian proposals, by provision of regulations which specify those countries which are deemed to have an adequate level of protection. Data exporters need enquire no further if they are exporting to such a listed country.
The EU Directive is silent as to which approach is implemented by each of its member states, but a state that took the first approach would have an obligation to be comprehensive in the prohibitions it issued, to be in accordance with the Directive.
The first approach is likely to be driven by data protection authorities, whereas the second is more under the control of the data subject. Reidenberg sees data export laws such as that of Québec as the key to a `re-conceptualised' `contract model' of providing adequate protection[51], in which the data subject's interests are directly protected by the data subject's rights under the law of the exporting country, whereas `the implementation of standards for foreign treatment of personal information becomes a private contractual matter between the exporter and the recipient'[52]. This is a useful analysis, but it overstates the centrality of an exporter-recipient contract, for the simple reason that in some cases industry codes of conduct, professional rules or other sources of law may be the basis on which the exporter concludes that the recipient's jurisdiction provides `adequate' protection.
[48] See M Berthold `Hong Kong's new privacy law' (1995) 2 PLPR 164
[49] See 2 PLPR 160 for a summary
[50] Berthold, ibid
[51] J Reidenberg `Setting standard for fair information practices in the US private sector', (1995) Iowa Law Review, 545-548
[52] Reidenberg (1995) op cit, 547