The recent proposals to introduce more stringent data protection measures in Hong Kong will have significant implications for companies that handle personal data. Those organisations will have to review their compliance frameworks and implement new policies, such as data retention and breach notification.
However, there are some key differences between the regulatory regime in Hong Kong and that of other jurisdictions that should be taken into account when establishing such a policy.
First, it is important to consider whether the data transfer falls within the scope of the PDPO. This may seem obvious, but it is essential to remember that the PDPO applies only to a data user who has operations (that is, controls the collection, holding, processing or use of) in, or from, Hong Kong. This is in contrast to the extra-territorial scope of several other data privacy regimes. Consequently, data transfers to other locations should be carefully scrutinised, particularly if they involve the collection of personal data.
Secondly, it is important to consider whether the data subject consents to the transfer. A data exporter must expressly inform a data subject on or before the collection of personal data of the purposes for which it will be used and the classes of persons to whom the data will be transferred. It is also necessary to obtain the voluntary and express consent of a data subject before transferring personal data for a purpose other than those stated in the PICS, or for any other reason.
Thirdly, it is important to consider whether the data exporter has a lawful basis for the transfer. The PDPO requires that the data exporter verify, before transferring personal data to another location, that it has a lawful basis under applicable laws in the receiving jurisdiction. If not, it may be necessary to seek legal advice to ensure that the transfer complies with the relevant law.
Finally, it is important to consider whether the data importer has adequate security measures in place to protect the transferred personal data. The PDPO requires that the data importer demonstrate to the data exporter that it has in place appropriate technical and organisational measures to protect the personal data transferred.
The new measures are an important step to maintaining Hong Kong’s position as a global financial hub and a leading international data centre and digital economy hub. The data hk initiative will encourage the exchange of business insights and experiences between data providers, helping to build stronger connections between enterprises and support their growth in the global marketplace.
About Data Hk
Hong Kong’s world-class data infrastructure is home to an extensive network of carrier-dense data centers that serve as business hubs for numerous global businesses and provide secure, high performance connectivity to multiple clouds and networks. The city’s robust infrastructure supports the development of the Greater Bay Area as a global innovation and technology hub, solidifying its role as a platform for resource sharing and accelerating digital transformation and research development.