Former Privacy Commissioner, Hong Kong
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
In reality, there are different conceptions and regulations on human rights, including privacy, in different local jurisdictions, depending on their political structures, legal systems, histories, cultures and economic developments, etc. This is particularly true in terms of the applicability of the universality of human rights in jurisdictions which are not “western”.
1. Arguably, the differences can be justified by the fact that state parties may opt in certain optional protocols and/or enter reservations or declarations when they become signatories of the international human rights instruments. One thing that is quite certain though, is namely all signatories intend to pursue and ultimately practise human rights protection acknowledged around the globe, their own interpretation of the universal standards and individual circumstances permitting.
2. Privacy and personal data protection regulations have been, and will continue to be, on the heels of technological development. While privacy protection has been strongly affected by technological development in a digital economy, privacy remains somewhat a culturally nuanced concept. The fragmented regulations around the globe in data protection in the 20th and the beginning of the 21st centuries did, in one way or another, expose the vulnerability of individuals’ personal data protection and the associated misuse or abuse of their personal data by organisations, including the public authorities. The advancement of ICT developments, coupled with the increased awareness of the privacy right as a fundamental human right, has come to show that the “technology-neutral” and “principle-based” regulations are becoming unrealistic and outdated. It is no exaggeration to say that the implementation of the GDPR has brought about a mini-tsunami of privacy legislative reforms outside EU.
3. The demand for de-fragmented and stronger privacy protection regulations and enforcement is intensified by the surge of data-related crimes and cross-border transfers of data. Cross-border transfers of data may, in exceptional circumstances, act as facilitator of transnational data-related crimes. Where transnational data-related crimes have an impact on national security, the entire issues of personal data privacy protection, freedom of expression and other related human rights as enshrined in the international human rights instruments (many of which are incorporated in the constitutional documents of individual jurisdictions), as well as the balancing against the public interest, would be revisited, first within the local community and second in courts. Universality of privacy and other human rights will certainly be put forward as an argument but certainly no straight-jacket to resolving the issues.
4. Take the example of cross-border transfesr of data between EU and other jurisdictions in the CJEU case of Schrems II (Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18). The CJEU, considering also the powers and functions of the US National Security Agency, found that US laws do not provide essentially equivalent data privacy right protection owing to the lack of proportionate governmental access to data and the appropriate redress for EU individuals in the US, mandated obligations to assess and verify the adequate protection in relation to, inter alia, “access by public authorities” of the importing jurisdiction.
5. It may not be fair to ask EU data exporters alone to assess the impact of, e.g. national security laws (and the related statutory exemptions and appropriate redress), of jurisdictions outside EU, in particular, where there are distinctly different jurisdictions and legal systems within one country, as in the case of Hong Kong vis-à-vis the mainland of China. This will inevitably place the dutiful responsibility on the data importer in Hong Kong to assist EU data exporter in assessing her compliance with the Standard Contractual Clauses (absent an EC Adequacy Decision). This assessment will also be part and parcel of verifying jointly whether Hong Kong is a jurisdiction equivalent to EU’s in respect of, inter alia, data access by public authorities for the purpose of national security in the context of the recently implemented Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region effective 30 June 2020 (, as well as the related statutory exemptions and appropriate redress. All stakeholders have a significant role to play in constructing the “data travel bubbles”, if not the universal privacy culture.