Hong Kong is a global leader in data center and connectivity infrastructure. The city offers a rich industry ecosystem with dense concentrations of enterprises, networks and IT service providers. Equinix customers connect into our carrier-dense data centers in Hong Kong to access a diverse market of digital service providers and accelerate their business growth.
The PDPO defines personal data as information relating to an identifiable natural person (or “data subject”). An identifiable natural person can be identified directly or indirectly, in particular by reference to a name, identification number or any other prescribed data, and includes a person’s characteristics such as race, ethnicity, religion, political opinion, sexual orientation, social class, nationality, disability, education, employment, health, financial status and medical treatment.
As part of its efforts to strengthen data protection, the HK government is considering amendments to the PDPO that will make it more aligned with international standards and afford stronger protections for personal data in cross-border data transfers from Hong Kong. It is important for organizations to review their internal data policies and group data governance frameworks in anticipation of these changes, as well as taking any necessary actions to ensure that they remain in compliance with current law.
In addition to the requirements under the PDPO, an organization should also review its contractual arrangements with data importers to determine whether the provisions are enforceable in the country of destination. If not, the data exporter may need to identify and adopt supplementary measures to bring the level of protection to that of Hong Kong (i.e., to comply with the PDPO).
For example, the supplementary measures may include technical or other steps such as encryption or pseudonymisation, or split or multi-party processing. They could also involve contractual obligations on audit, inspection, reporting and beach notification, as well as compliance support and co-operation.
A key challenge in this area is that different jurisdictions have their own data protection laws. The cross-border deal between the mainland and Hong Kong that was signed in June will only be meaningful if both parties can find ways to bridge their differences, according to Vincent Chan, Greater Bay Area Consulting Partner and Leader at EY.
A broader approach to data transparency will be needed in this regard, as is the case with GDPR. Under GDPR, a data exporter is required to notify the data subject of any proposed transfer of their personal data outside the EU before it occurs, and provide them with a copy of the data transfer agreement in which the agreed safeguards are set out. This is not a requirement under the PDPO, but it is good practice. The data exporter should be aware that the notification process will be significantly more onerous under GDPR than it is under the PDPO. This will be especially true where the data is of a sensitive nature. If this is the case, it will be important to keep close contact with a data importer to ensure that they are keeping up to speed with the latest requirements.