The personal data protection regime in Hong Kong is governed by the Personal Data Protection Ordinance (PDPO). It establishes data subject rights and imposes specific obligations on data controllers through six data protection principles. The PDPO was first enacted in 1996 and was significantly amended in 2012 and 2021.
The PDPO defines personal data as any information that relates to a living individual who can be identified from the data. This definition is consistent with that in other legislative regimes, including the Personal Data Protection Law in mainland China and the European Union’s General Data Protection Regulation.
Personal data must be collected for a lawful purpose and the collection must be fair and proportionate to that purpose. A data user must ensure that any personal data processed is secure, accurate and not retained for longer than is necessary. In addition, a data user must inform a data subject of the purpose for collecting personal data and any use that will be made of it, and obtain the data subject’s consent to do so. The PDPO prohibits the disclosure of personal data without a data subject’s consent, which is known as “doxxing.” Those who engage in doxxing can be fined up to HK$1 million or jailed for up to three years. The PDPO also restricts the disclosure of personal data in certain circumstances, such as to legal professionals for the purpose of litigation or for public interest journalism.
The PDPO requires a data user to implement security measures to protect personal data against unauthorised access, accidental or unlawful destruction or loss, and unauthorised processing, erasure or modification. In addition, a data user must provide a breach notification to the Data Protection Commissioner within 72 hours of becoming aware of any personal data breaches.
Despite these restrictions, the PDPO does not contain a statutory restriction on the transfer of personal data outside Hong Kong. However, a data exporter should consider the underlying grounds before transferring personal data abroad. This is important in order to ensure that the transfer is enforceable under applicable laws and regulations in the destination jurisdiction.
In addition, a data exporter should consider contractual arrangements with data importers to ensure that the PDPO’s six-step framework is adhered to in respect of cross-border transfers of personal data. Moreover, a data exporter should keep records of all personal data that it has transferred and the underlying grounds for each such transfer.
Global Switch’s colocation facilities in Hong Kong offer a range of power and connectivity solutions, providing best-in-class technical solutions focused on resiliency. The data centers are located in one of Asia’s most carrier-dense network hubs, and interconnect directly to a diverse community of enterprises, networks and IT service providers. With a 100MVA utility power supply capacity, fully redundant distribution to technical areas, and a raised floor system, the data centres are designed for optimal performance and maximum uptime.