In Hong Kong, a data user is anyone who controls the collection, holding, processing or use of personal data, even if the cycle takes place outside of the territory. The PDPO makes clear that the principles of the legislation apply to data users whether they are in Hong Kong or not, and that they must impose contractual or other measures to ensure that any person they engage with to process personal data for them complies with the requirements of the law. Direct marketing practices remain one of the most common areas of investigation and prosecution of breaches of data protection laws in Hong Kong, but this is likely to slow down as people become more aware of their rights.

The PDPO allows individuals to opt out of unsolicited marketing calls by registering their telephone numbers with the Do Not Call Registry. In addition, under the PDPO, it is an offence for a company to disclose the details of a person without their consent. If a data user discloses personal data to a third party for the purposes of direct marketing, and they do not have that person’s consent, it is a criminal offence punishable by fine or imprisonment.

A discussion paper published earlier this year explored potential changes to the PDPO. One change mooted is that the current definition of personal data could be revised to require that the information concerned relates to an ‘identifiable’ person, rather than simply an individual who can be identified from the data in question. This would have a significant impact on data-related technologies, and could force companies to adopt more compliance measures to ensure they are adhering to the law.

Telehouse Hong Kong CCC is one of the largest and most technologically advanced carrier neutral Data Center facilities in Hong Kong, and in the Asia Pacific Region. Located in the heart of the city, it offers high levels of security and redundancy to protect mission-critical business.