Hong Kong is one of Asia’s leading business hubs, home to a highly diverse concentration of enterprises, networks and IT service providers. Our data centers in Hong Kong connect customers to this rich industry ecosystem, providing direct interconnections into the region’s carrier-dense network hubs. In addition, Hong Kong is the top location for international finance and trade, providing a secure and reliable connectivity platform for global businesses.
For companies involved in cross-border data transfers, there is a need for a robust legal basis to ensure compliance with the Personal Data Protection (PDPO) Ordinance and the related data protection principles. The statutory provision under section 33 of the PDPO provides for this purpose. The provision imposes an obligation on data users to take steps to protect personal information transferred outside of Hong Kong by means of contractual clauses.
The guiding principle in this regard is that a data user must have operations controlling the collection, holding, processing or use of personal information before it can be considered to be controlled by the data user under the PDPO. The PDPO also makes it clear that an operation may control such information even if it does not actually hold or process it itself. This is the case for example with a contractual arrangement where a data processor has access to personal information of a person.
Despite this, some business leaders have been reluctant to implement the provisions under section 33 because of concerns over the impact on cross-border data transfers and difficulties in complying with its terms. This view has been exacerbated by the fact that mainland China, which is separate from Hong Kong under the “one country, two systems” principle, has its own laws relating to the protection of personal data.
As the pace of change in business and technology accelerates, there is a strong case for updating data protection laws to reflect this new reality. As such, a comprehensive policy review is now required to determine the optimal way forward.
This review will need to consider the impact of a broadened definition of a personal data, the implications of the upcoming GDPR, and the potential impact of a new legislative framework for cross-border data transfers in mainland China. It will also need to look at the implications for those operating in a dual jurisdiction where they must comply with the laws of both Hong Kong and mainland China. Regardless of the outcome of the review, companies will need to be proactive in ensuring that they have in place a legal framework which enables them to continue to operate effectively across the region. This is particularly important given the expected increasing volume of data transfers between Hong Kong and mainland China in the future. Those that do not are likely to be exposed to the risk of enforcement action by local authorities.