Hong Kong is a world-leading data centre hub and a key international trading centre. The government offers a range of strategic advantages, sites and support to data centres, helping them to establish or expand their businesses in Hong Kong. We are committed to facilitating and supporting global data centre operators in every way possible.
The PDPO defines personal data as information relating to an identifiable natural person. Identifiers are things that can be used individually or in combination with other information to identify an individual, such as names, addresses, identification numbers, location data or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. The definition has not been updated since the PDPO was first enacted, and it is consistent with the definitions in other legislative regimes, such as the Personal Data Protection Law that applies in mainland China or the GDPR that governs data processing in the European Economic Area.
Under the PDPO, a data user that wishes to transfer personal data overseas is required to obtain the voluntary and express consent of the data subject before doing so (DPP1 and DPP3). This is a more onerous requirement than the GDPR, and it requires the data user to inform the data subject, on or before collecting his personal data, of the purposes for which his data will be used and of the classes of persons to whom his personal data may be transferred (DPP3).
If the data is transferred to a processor outside Hong Kong, the transferring data user must ensure that it is protected by contractual or other measures from unauthorised or accidental access, processing, erasure or loss and is not retained for longer than necessary for the agreed purpose of processing (DPP2 and DPP4). These requirements can be incorporated in separate agreements, schedules to commercial agreements or as contractual provisions within the main commercial agreement.
When the PDPO was first introduced, it was envisaged that increased cross-border data flow would be the life-blood of the economy and that regulation of such transfers would be important to protect privacy. However, over time there has been a movement from implementation of section 33 as a clear policy objective, to a view that the benefits of such regulation are not sufficiently compelling.
The PDPO sets out significant and onerous obligations for data users in relation to cross-border data transfers, and extensive guidance has been produced on how these can be met. The key point is that the data exporter should assess whether any supplementary measures are required to bring the level of protection of the personal data in the foreign jurisdiction up to Hong Kong standards. These might include technical steps such as encryption, anonymisation or pseudonymisation; or they might be contractual measures such as breach notification, audit, inspection and reporting, or compliance support and co-operation.