Data hk is a global hub for data centre infrastructure with world-class security, a simple tax regime and a highly skilled workforce. As a result, Hong Kong is increasingly a destination for international businesses to host their data centres. This creates a need for efficient, reliable and transparent methods of transferring personal data between Hong Kong and the rest of the world.
In the context of this need, it is worth examining how the PDPO addresses cross-border data transfer and the use of contracts to protect personal information in such transfers. Specifically, this article will consider whether it is possible for the PDPO’s six data protection principles to apply to such transfers and how contract provisions can be used to enforce such provisions.
It is important to note that the PDPO does not contain any statutory restriction on the transfer of personal data outside of Hong Kong. Instead, the PDPO requires that any person who uses personal data within Hong Kong must fulfil certain obligations with respect to that data and any person who receives that data from Hong Kong. A key requirement is that the data user must inform the data subject of the purposes for which the personal data will be collected and of the classes of persons to whom it will be transferred. The PDPO also provides for certain restrictions on the transfer of personal data and requires consent to such transfers.
The data protection authority (the “PCPD”) has published guidance on cross-border data transfer and recommended model clauses to include in contracts dealing with the transfer of personal information. It has also been working with the Mainland and Hong Kong governments to help facilitate the implementation of section 33.
It may seem surprising that Hong Kong does not have any statutory restriction on the transfer of personal information, particularly in light of the fact that the PDPO’s definition of “personal data” is broadly similar to the meaning of this term in other legal regimes, such as the PIPL and the GDPR that apply in the Mainland and the European Economic Area respectively. Essentially, “personal data” means information that can be linked back to an identifiable individual, and the six PDPOs provide a comprehensive set of privacy obligations for anyone who collects or uses such information in the territory.
It is perhaps even more interesting to note that there has been a significant level of resistance in the business community to introducing an adequacy or equivalent regime. However, the need for efficient, effective and transparent means of transferring personal data with the Mainland and internationally will continue to drive such efforts. Nonetheless, it remains to be seen if the business community can find common ground on which to reach such a solution in the future. In the meantime, those who are involved in the transfer of personal data should continue to be mindful of their responsibilities and should review existing contract provisions with an eye to ensuring compliance with Hong Kong law.