As a global business hub, Hong Kong is home to a dense concentration of enterprises, networks and IT providers. Equinix data centers in the city provide a choice of interconnection options, connecting businesses to a rich industry ecosystem in one of Asia’s most carrier-dense network hubs.
The Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) establishes a set of data subject rights and imposes specific obligations on data users. It regulates the collection, processing, holding and use of personal data through six core data protection principles. It also prohibits the act of disclosing personal data without consent, known as doxxing. Its underlying purpose is to protect the privacy of individuals against arbitrary interference with their family, home, health and correspondence, and unlawful attacks on their honour and reputation.
It is important to know the key points to consider when transferring personal data overseas, whether moving it within Hong Kong or from Hong Kong to other locations. Padraig Walsh from the Data Privacy practice group of Tanner De Witt guides us through the main aspects to consider.
Personal data is any information that can be used to identify an individual. This includes information such as name, ID number, address, telephone numbers, email addresses and other contact details. It may also include bank account and financial information, medical records, genetic data, opinions or other sensitive personal information.
A data user must expressly inform a data subject on or before collecting their personal data of the purposes for which it will be collected and the classes of persons to whom it will be transferred. This obligation is known as “DPP1”. It must be fulfilled before the data user can transfer the personal data or use it for a new purpose.
This is a key distinction from GDPR, which requires that the data subject give express consent to any further use of their personal data. In contrast, under the PDPO in Hong Kong, this is achieved through a PICS that identifies the classes of persons to whom the personal data will be transferred and the intended purpose.
The PICS must contain any supplementary measures that are necessary to bring the level of protection of the personal data being transferred up to Hong Kong standards. These might include technical measures such as encryption or pseudonymisation, or contractual provisions that impose obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation. It should also be clear that the supplementary measures do not constitute a change to the original purpose for which the personal data was collected. The PCPD is advising data exporters to take legal advice when entering into contracts for cross-border transfers to ensure they comply with the statutory requirements. It is also a good idea to keep comprehensive records of all efforts that are made to comply with the law on cross-border data transfers, including the PICS and any supplementary measures adopted.