Hong Kong’s rapidly evolving digital infrastructure is being driven by global demand for data centers, leading to an explosion of both existing and newly opened data centres. Businesses should understand how Hong Kong regulates personal data transfers in order to facilitate expansion in this sector. Padraig Walsh from Tanner De Witt’s data privacy practice group discussed some key considerations related to sending personal information abroad from or to Hong Kong.
At first, it is essential to determine how Hong Kong defines personal data. Although not explicitly defined in the PDPO, “personal data” generally refers to any information which identifies living individuals; this definition conforms with international norms and similar data privacy regimes such as GDPR.
As a general rule, all personal data collected by businesses must be processed in compliance with the Personal Data Protection Order (PDPO). In most instances, this means obtaining individual’s voluntary and express consent before collecting their personal information and using it for its specified purpose. It’s also generally necessary to meet use limitations and access requirements specified by PDPO; however some exemptions exist from this restriction, such as when collecting an employee card data to perform duties like security clearance checks or tax assessments as long as individuals are informed about this data’s purpose as well as any categories of persons to whom it will be passed on.
When sending personal data outside Hong Kong for processing, data users must consult the PICS to make sure that it was collected legally and used fairly. They must also obtain written consent from each subject before doing so – this must include specifying only for certain uses and renewed at least every 12 months.
Finally, data users must also take steps to ensure that any third parties with whom they share personal data comply with at least as stringent protection standards as the PDPO requires. This may involve contractual or other measures designed to shield personal data against unauthorised access, erasure, processing or loss, while at the same time not holding onto it longer than necessary for its intended use.
However, Hong Kong’s Privacy and Data Protection Ordinance does not contain any formal restrictions regarding the transfer of personal data outside its territory.