Day: December 23, 2024

How to Transfer Personal Data Outside of Hong Kong

When transferring personal data outside Hong Kong, businesses should take into account a range of statutory provisions and compliance measures. In this article, Padraig Walsh from Tanner De Witt’s data privacy practice group outlines key points to consider in relation to international data transfers, either into or out of Hong Kong.

First, the jurisdictional scope of the Personal Data (Privacy) Ordinance (PDPO) must be considered. The definition of a ‘data user’ under the PDPO only extends to persons who control the collection, holding, processing or use of personal data in, or from, Hong Kong. The PDPO does not include any express provision conferring extra-territorial application.

Once a person has been determined to be a data user, a host of obligations is triggered, including ensuring that the six core data protection principles (DPPs) are complied with. These DPPs set out an individual’s right to be informed about how his data is used, the purposes for which it is collected and the identity of the person whose data is being processed. In addition, the PDPO requires that a person obtain the voluntary and express consent of an individual before transferring that individual’s personal data to another data user or using it for a new purpose.

Furthermore, the PDPO states that personal data must be collected for a lawful purpose and must not be excessive in relation to that purpose. It is advisable that businesses review their current practices and consider the implications of any proposed changes to data-related technologies, such as artificial intelligence or machine learning, which may have an impact on individuals’ privacy rights.

The PDPO also requires that personal data be stored securely and only made available to those who need it for the purpose for which it was collected. For example, the combination of personal data contained on a staff card, which typically exhibits a person’s name, company name, photograph and employee number, is likely to constitute personal data under the PDPO, so such details should not be publicly displayed together or made available to anyone beyond those who need them for the purposes in question.

Finally, the PDPO places an obligation on data users to ensure that any agent or contractor who processes personal data on their behalf complies with their responsibilities under the PDPO. If this is not the case, the data user himself is liable for any breach of these obligations.

With our leading-edge data centers in Hong Kong, Equinix enables customers to tap into one of the world’s busiest network hubs and connect with their partners across the Asia-Pacific region. Customers can access a wide variety of IT and network service providers in the city’s carrier-dense data center ecosystem. To learn more about our colocation services in Hong Kong, visit our Explorer feature. For more information about our other global locations, click on the links below. Or contact us for more information on data storage, interconnection and managed services. Our team is ready to help you find the solution that best fits your needs.
