Data hk is one of the most carrier-dense network hubs in Asia, with a dense concentration of enterprises, networks and IT service providers. Equinix’s data centers in Hong Kong connect customers to this thriving industry ecosystem, providing access into one of the most trafficked routes for international finance and trade.
HK is at the forefront of modern data privacy laws, with its PDPO (Data Protection Policy Office) setting out a broad range of rights for data subjects and specific obligations on data users. It also regulates cross-border data transfers through six key data protection principles. The principle that a data user must inform a data subject on or before the collection of personal information is well established and is an important aspect of data transparency. It is also a core requirement of the PDPO that the personal data collected must be adequate but not excessive in relation to its purpose.
However, it is not clear whether this principle should also apply to the transfer of personal data from one jurisdiction to another. This is because the PDPO contains no express provisions conferring extra-territorial application, unlike most other data privacy regimes around the world.
In practice, this means that a data user does not have to provide a PICS when it collects personal information in Hong Kong (although there is a general obligation to do so). It also does not have to fulfil a duty to inform data subjects of the classes of transferees to whom it will transfer their personal data or of the purposes to which the transferred data will be put unless the original data user does so. Consequently, the only possible way to fulfil this obligation is through an adequacy or equivalent assessment – an additional obligation that should be undertaken by the data exporter prior to the transfer of personal information.
While this position seems out of step with the approach taken by many other countries, it is perhaps refreshing that Hong Kong has not adopted a full-blown adequacy or similar regime. It may, however, become increasingly difficult to operate in the region without a more robust system of data transfers and enforcement of data privacy law, especially given the deep integration between mainland China and Hong Kong under the “one country, two systems” principle.
A future in which there is more effective and consistent enforcement of data privacy law will certainly benefit all stakeholders. In the meantime, businesses that are relying on transfers of personal data between Hong Kong and mainland China should take appropriate legal advice. This should include assessing the risks to their business and taking steps to minimise those risks. They should also make sure that contractual arrangements with data importers comply with the PCPD’s recommended model clauses for cross-border data transfers. If they cannot do so, then they should consider suspending the transfer or implementing adequate supplementary measures. It would also be advisable to retain proper records of the efforts they have made to meet their data transfer obligations.