Personal Data Protection in Hong Kong

Hong Kong is an international trading and logistics hub. It is home to the regional offices and headquarters of many global corporations, which generate great demand for secure data centres. However, the local market is not without its challenges. There is a strong appetite for open data, but this is balanced by concerns over privacy, security and business costs.

Hong Kong’s legal framework focuses on personal data protection and includes six data protection principles. The Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) establishes data subject rights and specific obligations for data controllers. It also regulates the collection, processing, and holding of personal data through a series of provisions.

The PDPO prohibits the export of personal data outside of Hong Kong. It does, however, permit a data user to transfer personal data abroad if it is necessary in the course of conducting its business activities or for the purposes of providing a service to its data subjects. It requires a data user to notify the data subjects of the proposed transfer and the underlying grounds, and to obtain their consent for such transfer.

If a data exporter does not comply with the PDPO, it may be liable for a fine of up to $2,000,000. The PDPO also provides that a data exporter must take all reasonable measures to ensure that the data it transfers is protected against unauthorised access, use or disclosure and is not disclosed to any third party without lawful authority. This is a less onerous requirement than the GDPR’s broader data security obligation.

Moreover, the PDPO permits a data user to transfer personal data abroad where the recipient agrees to safeguard the transferred personal data and provide a level of protection that is at least comparable to that afforded by the PDPO. The PDPO requires that the data transfer agreement is compliant with the PDPO and does not contain any express provisions conferring extraterritorial application.

The Privacy Commissioner for Personal Data (PCPD) has published two sets of recommended model contractual clauses. These cater for two arrangements: the transfer of personal data from a data user to its own data processor, and the transfer between entities both of which are in Hong Kong when they control the data being transferred. Both arrangements require the transferee not to use or hold the transferred personal data in a place other than that specified in the agreement, and to process and otherwise handle such data in accordance with the written instructions of the transferring data user.

In addition, the model clauses require the data user to ensure that the transferee does not disclose personal data of the transferring data subject to any third party for direct marketing purposes or for other purposes that are not agreed in writing between the data users. The transferring data user must retain a right to access and inspect the data transferred. In the event of a breach, the data user will be liable for damages.