How to Protect Personal Data When Transferring It Away From Hong Kong

Hong Kong stands as an authoritative internet exchange point and one of Asia’s most carrier-dense network hubs, providing data center interconnection opportunities across industries. Customers can leverage our carrier-dense network to tap into an abundance of business ecosystems within this thriving region.

As there has been much talk of revamping Hong Kong’s data protection laws, businesses must understand their obligations under existing legislation and take precautionary steps when transferring personal information abroad.

Under Section 33 of the PDPO, a transfer of personal data outside Hong Kong must meet certain conditions in order to be legal. The PCPD has recommended model clauses covering two scenarios involving such transfers: from one Hong Kong data user to a non-Hong Kong data user, and between two entities outside of Hong Kong, when both transfers are controlled by one Hong Kong data user.

Before exporting personal data abroad, data exporters must conduct a Transfer Impact Analysis. The assessment should take into account the local laws and practices of the destination jurisdiction, as well as whether the level of protection accorded to personal data there satisfies the four essential guarantees under the PDPO. If any gaps emerge from this assessment, data exporters must identify and take the measures necessary to bring them into compliance with the expected standards.

Technical measures could include encryption, anonymisation or pseudonymisation. Contractual measures could include audit, inspection and reporting, breach notification, and compliance support and co-operation. It may also be beneficial to assess why personal data is being transferred in order to determine whether there are more suitable means of transfer (for instance, a written contract between the parties).

Consideration must also be given to whether the data being transferred meets the definition of personal data outlined in the PDPO. Personal data includes any data that directly or indirectly identifies an individual or from which an individual is identifiable; data that fails to satisfy this standard does not trigger the PDPO's transfer obligations.

As part of their obligations under the PDPO, data exporters must inform data subjects of the intended uses of their personal data, and of the classes of persons to whom it may be transferred, before collecting it. Failure to do so constitutes a breach and can incur significant fines.