Hong Kong’s Emergence As a Global Data Hub
Hong Kong’s emergence as an international data hub is one of the region’s key strengths, according to industry heavyweights and experts. They believe that the city’s openness, rule of law and excellent business reputation will propel it to become a major global player in data governance and amplify its voice on international issues and solutions in data ethics. Speaking at the launch of the Greater Bay Area International Information Technology Industry Association (GBAITA) and Institute of Big Data Governance (iBDG), they urged the government to promote data flows, build an integrated digital infrastructure, hasten the transformation of scientific research results and nurture digital talents.
In Hong Kong, the personal data protection regime is governed by the Personal Data (Privacy) Ordinance (PDPO), which provides specific rights for data subjects and sets out obligations for data users through six data protection principles. A core obligation is to fulfil the PICS requirement, which entails expressly informing a data subject on or before the collection of personal data of the purposes for which it will be used and of the classes of persons to whom it may be transferred.
A key issue is that a transfer can only occur if the purpose for which it was collected remains unchanged, unless the consent of the data subject has been reaffirmed or it falls within the exceptions in Part 8 of the PDPO. The latter include the handling of personal data in the context of crime prevention, litigation and the performance of judicial functions.
If the transferring data user engages a foreign processor to process the personal data, it must also undertake to adopt contractual or other measures to ensure that the personal data will not be kept for longer than necessary, and will not be used in a manner which is likely to cause distress to the data subject. In addition, the data processor must not permit the use of personal data transferred by the transferring data user in places outside Hong Kong other than those which have been expressly agreed between the parties. These requirements are reflected in the GBAITA and iBDG recommended model clauses, which should be incorporated into the data processing agreement between the data exporter and the foreign processor.
Another key consideration is that a cloud service provider must disclose personal data to a Hong Kong authority or regulator where there are legal grounds to do so, such as a request from a law enforcement agency or a court order. This is a fundamental obligation that must be fulfilled by all businesses, regardless of their jurisdiction. Consequently, it is important that they understand the limitations of their jurisdiction and are well-versed in data laws in other countries. For example, in the United States, companies are required to provide their data to federal agencies such as the Department of Homeland Security and the Justice Department under the US Freedom of Information Act and the Electronic Communications Privacy Act. In addition, some US state laws also impose obligations on cloud service providers to disclose their customers’ data to local authorities and law enforcement bodies.