The Hong Kong data hk position appears to be out of step with international trends, where an adequacy or equivalent regime has been adopted to address concerns about cross-border data transfers. However, this is because the current position in Hong Kong is driven by specific factors which make it a unique proposition.
The current situation in Hong Kong is that there is no statutory restriction on the transfer of personal data outside Hong Kong, except as expressly provided in section 33 of the PDPO. However, that does not mean there is no protection for individuals, as section 33 is still in place and requires a data user to obtain the voluntary and express consent of the data subject before transferring their personal data abroad for any new purpose.
A key issue is the definition of ‘personal data’. The current PDPO defines personal data to be information about an identifiable person. This seems to be a narrower scope than that used in many other jurisdictions, and it is therefore possible that not all cross-border transfers of personal data will trigger obligations under the PDPO. However, there is extensive guidance on how to comply with the PDPO requirements in respect of data transfer, and it is common for businesses to include the necessary provisions in contractual arrangements. These can take the form of separate agreements, schedules to a main commercial agreement or as contractual provisions within a main commercial agreement.
In the future, the PCPD is likely to publish recommended model clauses for use in contracts dealing with data transfers. These will be geared towards ensuring that data users comply with the PDPO and the DPPs, and that appropriate safeguards are in place to protect personal data against the risks posed by data transfer. It is also possible that the PCPD will seek to revise its current guidance on this topic, and expand the scope of the recommended model clauses to cover all transfers of personal data out of Hong Kong, whether from a Hong Kong entity to another overseas entity or between two entities both of which are located in Hong Kong.
Moreover, the PCPD is likely to require data importers in circumstances where they transfer personal data of EEA persons to agree to the standard contractual clauses proposed by the EEA data exporter. It will be expected that these clauses contain provisions requiring the data importer to submit itself to the jurisdiction of, and to co-operate with, the competent supervisory authority of the data exporter in connection with any proceedings concerning compliance with the’standard contractual clauses’.
Strategic digital infrastructure foothold in a top Asian business hub. Hong Kong is the home of many of Asia’s leading cloud providers, professional services firms and fintech startups. Equinix’s HK1, HK2 and HK5 IBX(tm) data centers offer direct network access to the region’s largest cloud providers and to global customers seeking a high-availability presence in this carrier-dense data center hub. Our Hong Kong campus gives customers a springboard to connect with China, Southeast Asia and the rest of the world.