Personal Data Protection in Data Hk
Data hk is a key component of Hong Kong’s vibrant economy, supporting pillar industries such as finance & insurance and trading & logistics and emerging service industries such as high frequency stock trading. It is also one of Asia’s most carrier-dense network hubs, with over 1,300+ global IT and communications service providers in our data centres. With the free flow of information and no censorship of content, Hong Kong is an ideal location for global data centre operations.
The Hong Kong personal data protection regime is regulated by the Personal Data Protection Ordinance (“PDPO”). The PDPO establishes data subject rights and provides specific obligations to data controllers through six data protection principles. In addition, it prohibits the transfer of personal data outside Hong Kong without compliance with the PDPO’s provisions on cross-border transfers (section 33).
For businesses operating in a global environment, there are numerous considerations when transferring personal data across borders, including compliance with local law and ensuring the integrity of personal data. The issue of data hk is a complex one, with the need to balance the protection of personal data with the competitive benefits of international trade.
To ensure a high level of privacy protection when transferring personal data across jurisdictions, the PCPD has endorsed the use of standard contractual clauses and conducted a transfer impact assessment framework to facilitate the implementation of cross-border data transfers. However, the business community has resisted implementing these provisions in the light of perceived adverse impact on the efficiency of business activities and difficulties in complying with the PDPO’s requirements.
As a result, there is no statutory restriction in the PDPO on the transfer of personal data outside Hong Kong. It is therefore possible that section 33 may never come into operation, despite the fact that it was originally a policy objective of the PCPD.
The data user must expressly inform a data subject on or before the collection of his personal data of the purposes for which his personal data will be used, and the classes of persons to whom his personal data will be transferred. The purpose of the transfer must be directly related to the function or activity of the data user. The data user must also state in his PICS whether the personal data will be kept longer than is necessary for those purposes.
For data importers from the EEA, they will be required to agree to the new standard contractual clauses and contribute to a transfer impact assessment framework in circumstances where they intend to transfer personal data of EEA citizens to Hong Kong. However, for data exporters from the EEA, the PCPD’s position on the requirement to implement such clauses is not clear at present. It is possible that the PCPD will revise its view in the light of changes in global data protection standards. This could lead to the phasing in of the new standard contractual clauses and the phasing out of section 33.