If your business is moving data outside Hong Kong, you will need to consider a number of obligations and best practice and ethical standards in doing so. It is a myth that there are no protections under Hong Kong law in respect of cross-border data transfer. The PDPO (Data Protection Ordinance) sets out a comprehensive set of rules for handling personal information.

It is important to understand who is a “data user”. Under the PDPO, a data user means any person who controls the collection, holding, processing or use of personal data within Hong Kong, regardless of where the data is located.

In the context of data transfers, this is typically a business entity that will transfer personal data from Hong Kong to another country for further processing. The data user must have a “data transfer agreement” in place with the recipient of the personal data. The agreement must contain standard model clauses that have been approved by the Privacy Commissioner for Personal Data. The model clauses are designed to protect the personal information being transferred from Hong Kong and the rights of the data subjects to whom the information pertains.

The standard contractual clauses impose a number of obligations on the data user making the transfer. For example, they must ensure that the recipient is able to protect the personal information against unauthorised access or processing, accidental loss, destruction or disclosure and against any other unlawful processing activities. They must also undertake not to keep the transferred personal information longer than necessary for its agreed processing purposes and, if the purpose changes, promptly notify the recipient before transferring any further personal data to it.

They must also ensure that the transfered data is not being used in a way that would be prohibited under the PDPO in Hong Kong. For example, the PDPO prohibits the use of personal data to identify or contact individuals for direct marketing or other purposes not related to their original purpose. In addition, the PDPO requires that the transfered data be processed only in accordance with the instructions of the data user.

In some cases, the data user will have to carry out a “transfer impact assessment” in relation to Hong Kong. This involves assessing whether the level of protection in Hong Kong is adequate to protect the personal information and the rights of the data subjects. If the transfer impact assessment is negative, the data exporter must either suspend the transfer or implement appropriate supplementary measures.

Whether you are looking for a small point of presence or a bespoke multi-megawatt data hall solution, Global Switch Hong Kong offers world-class services and state-of-the-art facilities. All of our data centres are built on an industry leading raised floor system with 100MVA utility power supply capacity and fully diverse distribution to technical areas – all focused on delivering resiliency, flexibility and power density. Our teams are on hand to answer your questions and help you find the right solution for your needs.