Data is now an essential ingredient in digital business, enabling companies to deliver innovative services and products. This new role for data is also creating challenges and risks, including the potential for privacy breaches and regulatory investigations. It is important to understand the key considerations in managing Hong Kong data in a global context.
In Hong Kong, the main legal framework for data protection is the Personal Data Protection Ordinance (PDPO), which establishes data subject rights and specific obligations on data users through six data protection principles. The PDPO applies where a person controls the collection, holding, processing or use of personal data, even if it takes place outside Hong Kong. It also requires that a data user fulfil a range of core statutory obligations on data transfers and that it take a number of additional steps where necessary.
The first step is to review the proposed transfer to verify that it meets one of the statutory grounds for transferring personal data under the PDPO. The PDPO defines “personal data” as information that relates to an identifiable natural person, and the definition is broadly consistent with the international norms that apply in other legislative regimes such as the General Data Protection Regulation in Europe.
Once it has verified that the proposed transfer meets a statutory ground, the next step is to obtain the voluntary and express consent of the data subject before transferring personal data. The PDPO allows this to be done orally, but good practice suggests that this should be confirmed in writing.
A further step is to identify and adopt any supplementary measures required to bring the level of personal data protection in the foreign jurisdiction up to Hong Kong standards. These might include technical measures such as encryption or pseudonymisation, or contractual provisions imposing audit and inspection, breach notification, and compliance support and co-operation. They may also include specific enforceable undertakings by the data exporter and the data importer, such as those contained in the recommended model clauses published by the PDPO. These are likely to have some practical limitations, but should provide a useful guide for interpreting the PDPO’s provisions. It is not, however, necessary to impose a requirement on the data importer to implement such measures.
This article was written by the Equinix Asia Pacific team.