The Hong Kong data center is an international business hub, connecting customers to a rich industry ecosystem in one of Asia’s busiest network hubs. Whether you’re looking to access the leading regional internet exchange or connect directly to customers and partners in one of the world’s most carrier-dense locations, our data centers provide secure colocation services that reduce your IT infrastructure costs and enable you to focus on your business.
The starting point for understanding the requirements of data hk is to understand how Hong Kong law interprets core data privacy concepts. This starts with the interpretation of the term ‘personal data’, which is defined in PDPO as information relating to an identified or identifiable natural person. This definition is in line with international norms, but it can differ from the definition used by other privacy regimes, such as the Personal Information Protection Law that applies in mainland China.
It is important to note that a person may not be considered a data user if the information is not personal data (DPP 2(1)). The term ‘data user’ also refers to an organisation, including its subsidiaries and affiliates, and it may include individuals working for such organisations. The PDPO recognises that, in some circumstances, data transfer may be necessary to achieve a legitimate purpose (DPP 4).
A further consideration is the jurisdictional scope of the PDPO. Several other data privacy regimes have some element of extra-territorial application, but the PDPO only has jurisdiction over a person who controls the collection, holding, processing or use of personal data in, or from, Hong Kong. This is a stricter test than that used in other regimes, and it means that fewer people will be covered by the provisions of the PDPO in respect of cross-border data transfers from Hong Kong.
Finally, it is important to consider the nature of the information being transferred and the reasons for the transfer. The PDPO requires the data user to clearly and expressly inform a data subject of the purposes for which the personal data is collected (DPP 1(1)) and, in the case of a data transfer, of the classes of persons to whom the personal data will be transferred (DPP 3(1)).
The PDPO has extensive guidance on fulfilling these obligations, which can be found here. The guidance is written with the intention of adoption by medium-sized enterprises, and has flexibility to be adapted (without diminishing substantive protection) to account for overall commercial arrangements. This can be achieved by inserting appropriate clauses in contractual agreements, or by incorporating them as schedules to main commercial agreements. In the latter case, it is important to ensure that such schedules are updated as the overall arrangement evolves. The statutory protections in respect of data transfer are therefore significant and onerous, but they can be largely mitigated by careful planning and good practice. By Padraig Walsh, senior associate at Tanner De Witt.