Data hk is a new initiative from the Hong Kong Government to promote the city as a global hub for data processing and storage. It comes at a time when the city faces heightened competition from mainland China, which is promoting its own data centre ecosystem and has recently concluded a number of major agreements with overseas companies in the sector. Nevertheless, the legal framework, reliability and superior industry-specific infrastructure of Hong Kong remain attractive, particularly to businesses seeking to connect with the huge market in the GBA.
Data protection is a vital public interest issue in Hong Kong. The Personal Data (Privacy) Ordinance (“PDPO”) seeks to protect data subjects’ rights of privacy, and to ensure that personal data is collected and processed fairly and lawfully. It requires data users to inform data subjects of the purposes for which they collect personal data and of the classes of persons to whom it may be transferred, and to obtain their voluntary consent. It also requires that data users delete personal data after they have exhausted their intended uses with the data subject, or after the expiry of a specified retention period.
The PDPO defines “personal data” as information relating to an identified or identifiable person. Its definition of personal data is similar to that used in other legal regimes, such as the Personal Information Protection Law in mainland China and the General Data Protection Regulation in the European Economic Area.
As a result, the PDPO applies to data users irrespective of where they operate, even if the collection or processing of personal data occurs outside Hong Kong. Its extra-territorial scope is much broader than that of other jurisdictions, but it is still less onerous than the GDPR’s.
Under the PDPO, data exports are permitted if the data subject has agreed to the transfer or has been expressly informed of it on or before the collection of his personal data, and if the transfer is made in accordance with the terms of the PICS. The PCPD has further specified that the purpose for which personal data is collected can only be changed if the voluntary and express consent of the data subject has been obtained.
In addition, a data user must use contractual or other means to ensure that personal data which it transfers abroad is protected against unauthorised access, processing, erasure, loss or use and is not retained for longer than necessary for the purposes of its processing. A data user is liable for its agent’s or contractor’s breach of the requirements of the PDPO.
Under proposed changes to the PDPO, it will become a requirement that data users formulate and publish their clear retention policies, specifying their maximum retention periods. This is a departure from the current stance taken by the Hong Kong Government, which recognises that it is not feasible to impose on all data users a mandatory uniform retention period.
