Data Hk – Key Points to Consider When Transferring Personal Data Across Borders
Data hk provides a platform for discussion and analysis of the latest developments in data protection law in Hong Kong. It is not intended to provide legal advice or substitute for advice from a qualified professional.
In a world of rapid technological change, the ability to move and store data globally is increasingly essential to business success. It is therefore important that businesses understand the regulations imposed on personal data transfer, and take steps to ensure compliance with them. Padraig Walsh from the Data Privacy practice group of Tanner De Witt takes a look at the key points to consider when transferring personal data across borders.
A major point to consider when transferring personal data is the definition of “data user”. A data user is defined in PDPO as a person who controls the collection, holding, processing or use of personal data. “Use” includes transferring it to another person for a new purpose or to a different category of persons, and so it is crucial that any planned personal data transfer is reviewed to see whether this would trigger a PICS and other statutory obligations under PDPO.
One of these statutory obligations is that a data user must obtain the voluntary and express consent of a data subject to transfer his or her personal data, unless an exception applies. Whether an exception applies depends on a number of factors, including the purposes for which the personal data is collected and the nature of the personal data. This step is markedly less onerous in Hong Kong than it is under GDPR, but it is still a vital aspect of any data transfer that must be taken into account.
Another key issue to consider is the scope of PDPO. While some data privacy regimes include extra-territorial application, PDPO does not contain an express provision conferring such a right. Rather, the PDPO applies only to a data user who controls operations which collect, hold or process personal data in, or from Hong Kong.
This may prove problematic for many global companies with substantial operations in Hong Kong, particularly if they are unable to comply with section 33, or if the extra-territorial application of PDPO does not extend to them. This is a concern which could be addressed in the future, especially in light of the increased cross-border flow of personal data between Hong Kong and mainland China under the “one country, two systems” principle.
As a leading global data center operator, Equinix offers a strategic digital infrastructure foothold in a top Asian business hub for financial services institutions, professional services firms and fintech startups. We connect customers and partners to the most critical cloud, network and IT services they need to drive innovation and growth in Asia’s most important markets. Our Hong Kong data centers are a highly secure, resilient and connected global platform for the industry’s most demanding applications.