Global Switch Hong Kong – Understanding Personal Data Protection Laws

Whether you need a point of presence or a bespoke multi-megawatt data hall solution, Global Switch Hong Kong has you covered. Our world-class infrastructure features best-in-class technical solutions focussed on resiliency and offers power densities of up to 10MW per rack.

Padraig Walsh, Partner, Data Privacy

One of the key areas of uncertainty surrounding the implementation of Hong Kong’s new data protection laws has been the interpretation of the law’s provisions on cross-border personal data transfers. The new rules impose significant and onerous obligations on data users in respect of such transfers, and there has been extensive guidance on how those obligations might be met, including the use of standard contractual clauses and contributions to transfer impact assessments (where necessary).

Under section 33 of the PDPO, a data user who has operations controlling the collection, holding, processing or use of personal data in Hong Kong may not export such data outside of Hong Kong unless certain conditions are fulfilled. However, it is clear that the scope of this rule will have to be clarified to take into account the “one country, two systems” arrangement with mainland China, which will undoubtedly increase the volume of personal data transferred across the boundary in future.

The PDPO defines personal data to include any information that relates directly or indirectly to an identified or identifiable natural person, and includes the name, identification number, address, telephone number, online identifier, and factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity. This definition is very broad, and a wide range of activities could be caught, such as the taking of a photograph of a crowd at a concert (provided that it is not intended to identify individuals), CCTV recordings of people entering car parks, or records of meetings that do not specifically identify speakers or participants.

It is also important to note that the PDPO requires a data user, on or before collecting a person’s personal data, to expressly inform the individual of the purposes for which the data will be used (including any possible third-party processing) and of the classes of persons to whom the data may be transferred. The requirement to provide this information is an essential element of a data user’s obligation to expressly obtain the person’s consent prior to such processing, which means that it would not be possible to transfer a person’s personal data from Hong Kong to another jurisdiction without complying with the requirements of the PDPO in respect of his consent.

A further important factor to consider in assessing the compatibility of a proposed foreign jurisdiction’s laws and practices with those required under the PDPO is that, where the data user’s assessment shows that this level of protection cannot be achieved, the data user must identify any supplementary measures that will be necessary to bring such arrangements up to the standards required under the PDPO. These might include technical measures such as encryption, pseudonymisation or split processing, or contractual measures such as additional provisions on audit, inspection and reporting, breach notification, and compliance support and cooperation.