Data HK is an important component of Hong Kong’s pillar industries, especially the financial services & insurance and trading & logistics sectors. These sectors are heavily reliant on data centre services, which are critical to the global economy and provide significant economic value. Data centres are also essential to supporting the growth of high-frequency stock trading, e-commerce and other emerging service industries in Hong Kong, and there is growing demand for additional capacity.
Data HK is a statutory body that administers data protection laws in Hong Kong. Its role is to protect the rights of individuals and the security of personal information through six data protection principles. In addition to establishing data subject rights, the Data HK Act also establishes a range of specific obligations on data users and provides for penalties for breaches of the legislation. The law was originally enacted in 1996, with major amendments in 2012 and 2021.
The law applies to all data users whose operations control the collection, holding, processing or use of personal data in Hong Kong or from Hong Kong. However, the definition of “data user” is not as broad as in some other jurisdictions. For example, a photographer who takes a photograph of a crowd at a concert will not be considered a data user under the PDPO, even though individual members of the crowd can be identified in the photo. The same principle would apply to CCTV recordings, logs of persons entering car parks or records of meetings that do not identify individual speakers or participants.
In addition, the PDPO states that “data use” includes disclosure and transfer. As a result, a data user must expressly inform a data subject on or before collecting his personal data of the purposes for which it will be used, and of the classes of persons to whom it may be transferred. This requirement is particularly relevant in the context of data transfers, since a data transfer is a form of use.
A data importer will be required to conduct a transfer impact assessment and agree to standard contractual clauses where it intends to transfer the personal data of EEA citizens to a third party in a non-EEA jurisdiction. The assessment must cover both the potential benefits and risks of transferring the personal data, and the foreign jurisdiction’s laws and practices with respect to data protection.
If the assessment reveals that the foreign jurisdiction’s laws and practices do not satisfy the requirements of the PDPO, then the data importer must take supplementary measures to bring those laws and practices up to Hong Kong standards. These supplementary measures can be technical or contractual in nature, and include techniques such as encryption, anonymisation or pseudonymisation, split processing, and multi-party data management. They can also include additional contractual provisions imposing obligations on audit, inspection and reporting, breach notification, compliance support and co-operation, and compliance monitoring. If the supplementary measures are taken, then the data transfer will be permitted.