Amid the global trend toward open data, Hong Kong is positioned to become an international hub for data storage. This will create an urgent demand for city-based data centres, bolstering Hong Kong’s status as China’s data bridge to the world and reinforcing its role as a regional hub. This new dynamic is expected to give the local data centre industry a competitive advantage, particularly relative to mainland China, where restrictions on cross-border data transfers remain in place. However, it also poses new compliance challenges for companies wishing to transfer data into and out of Hong Kong.
As a result, it is essential for businesses to understand the regulatory environment surrounding data held in Hong Kong and to build the corresponding controls into their data governance frameworks so that they comply with local law, principally the Personal Data (Privacy) Ordinance (PDPO). A strong data governance team can help to strike the right balance between business needs and data protection while ensuring that the benefits of open data are realised.
One important aspect of this is the definition of personal data. The PDPO defines “personal data” as data relating directly or indirectly to a living individual, from which it is practicable to ascertain the identity of the individual, and in a form in which access to or processing of the data is practicable. In practice this is broadly comparable to the GDPR’s “information relating to an identified or identifiable natural person”, although the PDPO’s “practicable to ascertain” test is narrower in some edge cases (for example, heavily pseudonymised datasets). Where the two regimes differ more sharply is territorial scope: the PDPO applies to data users who control the collection, holding, processing or use of personal data in or from Hong Kong, and it does not contain an express extraterritorial provision equivalent to Article 3(2) of the GDPR.
This means that a Hong Kong data user needs to consider two regimes when it moves personal data across borders:
the GDPR, which applies to a Hong Kong data user (even one with no EEA establishment) that offers goods or services to data subjects in the EEA or monitors the behaviour of such data subjects within the EEA; and
the PDPO’s cross-border transfer restriction in section 33, which prohibits transferring personal data to a place outside Hong Kong unless one of a list of conditions is met (for example, the destination is on a specified “white list”, the data subject has consented in writing, or the data user has reasonable grounds to believe the destination has comparable protection, or has taken all reasonable precautions and exercised due diligence so that the data will not be handled in a way that would contravene the PDPO). Section 33 has been enacted but has not yet been brought into operation; the Privacy Commissioner nevertheless recommends compliance with it as best practice, and the other provisions of the PDPO (in particular Data Protection Principle 4 on security) continue to apply to data transferred overseas.
To satisfy the “reasonable grounds” and “due diligence” conditions, the Privacy Commissioner’s guidance recommends that the data exporter carry out a “transfer impact assessment”. This is an evaluation of the level of protection in the recipient jurisdiction and of whether that protection is adequate for the purposes for which the personal data is transferred. Depending on the findings, a number of supplementary measures may be recommended, including technical measures (e.g. encryption in transit and at rest, or pseudonymisation before export), as well as contractual provisions covering audit, inspection and reporting, breach notification, and compliance support and co-operation. In addition, the data exporter must ensure that any sub-processors to whom the recipient onward-transfers personal data are bound by equivalent terms, since the exporter remains the data user accountable under the PDPO for data it has transferred.