Equinix Data Centers in Hong Kong

A global business hub, Hong Kong is home to the largest banks and financial institutions in Asia, professional services firms and technology companies. Equinix’s data centers provide a strategic digital infrastructure foothold in one of the region’s most carrier-dense network hubs, with direct connections to international and Chinese cloud providers and the top tier of global IT brands.

Hong Kong’s Personal Data Protection Ordinance (PDPO) provides a strong foundation for data protection. The PDPO is based on six data protection principles. It establishes the rights of individuals and specific obligations for data controllers and other businesses that process data, and it prohibits certain acts such as disclosing personal data without consent, commonly referred to as “doxxing”.

One of the more significant aspects of the PDPO is its approach to cross-border data transfers. Unlike the EU’s General Data Protection Regulation (GDPR), which is directly applicable in Hong Kong, the PDPO provides no specific guidance on this subject. However, it does provide a set of principles that are constructive and useful to consider when planning a data transfer.

First, a data user must expressly inform a data subject of the purposes for which his or her personal data is collected. This is a necessary and important step to take before personal data can be used. Further, a data user must obtain the data subject’s voluntary and express consent before he or she can transfer personal data to a third party not included in the class of recipients notified to the data subject on or before the original collection of the personal data.

Second, a data exporter should assess a foreign jurisdiction’s laws and practices before transferring personal data to that jurisdiction. If the assessment reveals that the foreign jurisdiction’s laws and practices do not meet those of Hong Kong, the data exporter should identify and adopt supplementary measures to bring the level of protection to that of Hong Kong. These might include technical measures such as encryption, anonymisation or pseudonymisation, and contractual provisions imposing obligations on audit, inspection and reporting, breach notification, compliance support and co-operation.

Third, a data user should not use personal data for direct marketing purposes unless the individual has given his or her consent. If an individual wishes to stop receiving unsolicited marketing communications, he or she can register with the PDPO’s ‘Do Not Call’ registry. It is also a criminal offence for data users to make unsolicited calls or send unsolicited SMS messages to people who have registered their telephone numbers on the ‘Do Not Call’ registry.

In the future, it may be interesting to see if the PDPO takes a similar approach to the definition of ‘personal data’ to that of the GDPR. This would significantly strengthen data protection for individuals and increase the compliance burden for businesses that process personal data. Currently, ‘personal data’ is defined as information which can be used to identify an individual, such as the name, identity card number, address, telephone or mobile phone number, or factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
