A good environment for data centres to operate is essential. Hong Kong is a highly competitive and trusted international business centre, and we have a unique combination of strengths in technology infrastructure and services that makes our city the ideal location for regional data centres to set up their operations.
One important element of that environment is our comprehensive data protection regime, the Personal Data (Privacy) Ordinance (“PDPO”). Another is our local immigration policies, which facilitate the movement of mobile and agile ICT professionals from around the world to work in Hong Kong. Finally, our favourable taxation regimes and low cost of doing business are also attractive.
The PDPO provides that, except where expressly permitted by the PDPO or specified in other laws of the territory, no person may transfer any personal data out of Hong Kong for processing unless it has in place safeguards against unauthorised access, disclosure, erasure, loss or use of the transferred data (DPP 2(3)). It is also required to take contractual or other means to prevent its data processors, whether within or outside of Hong Kong, from keeping the transferred personal data longer than necessary for processing of the data and to ensure that the personal data transferred is protected against accidental or unauthorised access, processing, erasure, loss or use (DPP 4(2)).
This includes a requirement to inform data subjects of the classes of persons to whom their data may be transferred, and the purposes of the transfer, on or before the original collection of their personal data. In addition, it must be guaranteed that any personal data transferred may not be used in a way that would violate the rights and freedoms of data subjects in the destination jurisdiction (DPP 3(1)).
There are significant and onerous obligations in respect of cross-border data transfers from Hong Kong and extensive guidance on how to comply with those obligations. The PCPD has recommended model clauses that can be included in contracts for data transfers. These can be in separate agreements, schedules to the main commercial agreement or in the form of contractual provisions incorporated into the main commercial agreement. The form ultimately does not matter; the substance and content matters.
A growing number of circumstances will involve the need for a Hong Kong data exporter to undertake a transfer impact assessment, typically because of the application by the destination jurisdiction of laws and practices that differ from those in the PDPO. Those assessments can be time-consuming and complex, but are necessary if the PDPO’s standards are to be upheld. The most difficult part of these assessments is usually the identification and adoption of supplementary measures that are needed to bring the level of protection in the foreign jurisdiction up to the standards laid down in the PDPO. These can include technical measures such as encryption, anonymisation or pseudonymisation, or contractual measures such as additional audit and inspection arrangements, beach notification and compliance support and co-operation obligations.