Data Transfers in Hong Kong

Hong Kong is a key business hub, with a dense concentration of enterprises, networks, and IT service providers. The city’s data centers are ideally located to provide customers with direct connections into a rich industry ecosystem in Asia and beyond. This makes them an ideal choice for hosting cloud services, interconnecting with other service providers, and connecting to business partners.

However, despite this robust industry infrastructure, it is important for companies to understand the potential risks associated with data transfers in Hong Kong, specifically how these transfers can affect compliance with data privacy regulations in Hong Kong and elsewhere. In this article, Padraig Walsh from Tanner De Witt’s Data Privacy practice group walks through the key points to consider.

One of the main concerns about data transfers is that the Personal Data (Privacy) Ordinance (PDPO) contains no statutory restriction on the transfer of personal data outside of Hong Kong. Moreover, it looks increasingly likely that section 33 will never come into operation in Hong Kong. This doesn’t mean that businesses have no protections in place for cross-border data transfers, but they must be aware of the significant and onerous obligations that exist.

To understand how these protections work, it is necessary to first define who a data user is under the PDPO. A data user is a person who, alone or jointly with others, controls the collection, holding, processing, or use of personal data. A data user may be an individual, a legal entity, or an organisation.

Once a business understands who a data user is, the next step is to determine whether a transfer of personal data to another location will require a PICS. This can be determined by conducting a transfer impact assessment. The assessment will look at the level of protection available in the destination country, and whether supplementary measures are required to bring that level of protection up to Hong Kong standards.

These supplementary measures can take many forms, but the most common are technical measures (such as encryption, anonymisation or pseudonymisation) and contractual measures (such as data audits, breach notification, and compliance support and co-operation). In addition to these methods, it is also possible to transfer personal data between two entities in Hong Kong without a PICS.

Ultimately, the most important thing to remember is that any transfer of personal data will require a PICS if it is not carried out in accordance with the PDPO’s six core data protection principles. This means that a company must undertake a thorough and comprehensive assessment of its own processes, as well as the processes of any third parties that will process or store that personal data. If the requirements are met, then the company can rest assured that it will have satisfied its statutory obligations in respect of data transfers. This will help reduce the risk of sanctions and penalties in the event of a breach. If they are not, then the risks and implications are far greater.