Hong Kong is a business hub for numerous companies with a dense concentration of enterprises, networks and IT service providers. Equinix’s colocation facilities connect customers into this rich industry ecosystem, strategically situated in one of Asia’s busiest network hubs.
Hong Kong (also known as HK, and ) is a special administrative region of China. It is a world leader in financial services, international trade and telecommunications. Hong Kong is a global business and trading center, with an established legal system and a reputation for high standards of transparency and corporate governance.
The government has been encouraged to modernize data protection laws in Hong Kong and bring them into line with those of the mainland. However, it will take time to resolve differences in regulatory frameworks. Until then, companies must continue to comply with the PDPO and ensure they understand their obligations in respect of cross-border transfers of personal data.
First of all, they should determine whether the transfer of personal data falls within the scope of the PDPO. A key consideration is whether the data in question identifies a natural person. In Hong Kong, this means that the information must be capable of uniquely identifying a person. This includes a person’s name, identification number, location data or any other information that can be used to identify the person directly or indirectly.
If the data satisfies this definition, it is unlikely that the six principles of the PDPO will be breached by a transfer. However, the transferee should still ensure that he/she has a lawful basis for processing the data and that the purpose of collection is relevant to the underlying process. The transferee should also inform the data subject of the underlying reasons for processing the data and obtain the consent of the data subject.
In addition, a transferee should ensure that the data is only transferred for the purposes specified in his/her PICS. He/she should also keep records of all personal data processed by him/her and the steps taken to fulfil his/her obligation to notify data subjects of any transfer of their personal data outside Hong Kong.
Another key consideration is whether the data transfer relates to sensitive information. If the transfer relates to personal data that is regarded as sensitive under the PDPO, then it may be an offence to disclose that information abroad without the express consent of the data subject.
A final point is that a transferee should consider the possible impact on its business operations in Hong Kong. Although many data privacy regimes include some element of extra-territorial application, the PDPO does not. The territorial jurisdiction of the PDPO is restricted to those data users who control the collection, holding, processing or use of personal data in or from Hong Kong. The data users must also fulfil a range of other obligations, including compliance with the six DPPs. If these conditions are not met, the PDPO will not apply.