Datahk is an international business hub, hosting regional headquarters and offices of many international corporations. Such businesses place great demand on secure data centres to support industries like financial services and insurance, trading and logistics, as well as emerging service industries such as high frequency stock trading, e-commerce and cloud computing. Hong Kong stands out as a desirable location due to its robust infrastructure, strong economic policies, free information flow without interference by governments or censorship of content, and an efficient compliance data transfer regime.
Businesses need to understand the data privacy regulations imposed on personal data transfers in order to reduce business risk and promote efficient compliance across their organizations. Padraig Walsh, Director of Tanner De Witt’s Data Privacy practice group, discusses key points under the Hong Kong Personal Data (Privacy) Ordinance (“PDPO”).
Under Section 33 of the PDPO, data users who intend to transfer personal data outside Hong Kong have certain obligations. These include adhering to all six data protection principles (DPPs) and having a legal justification for doing so; additionally, they must notify data subjects as to why personal data will be collected as well as to whom it could be transferred (DPP 3).
A key step in data transfers is determining whether they require an impact assessment for transfer (IFT). IFT assessments may be conducted either independently by third parties or directly by the exporting company itself, and can review legal environments, laws and practices, national security concerns and any other potential concerns in destination jurisdictions that might affect protection levels as per Hong Kong standards. An IFT can help identify the steps necessary for successful data protection levels at destination countries.
Another critical consideration of the PDPO is its territorial scope. While many data privacy regimes now extend extra-territorially, Hong Kong’s Privacy and Data Protection Ordinance only applies to data users residing or conducting operations from Hong Kong – unlike in Europe where an organization must first establish itself before sending personal data overseas for processing.
Finally, users who transfer personal data overseas must put contracts in place to cover those transfers. Contracts could take the form of separate agreements, schedules to the main commercial agreement, or contractual provisions within an overall arrangement; although they will not cover every aspect of a transfer, they should at least ensure statutory obligations are fulfilled and best practice and ethical standards remain intact.
On the surface, Hong Kong seems out of step with international trends regarding cross-border personal data transfers; however, increased cross-border flow is critical to economic success; it is therefore likely that increased momentum towards stricter implementation of an adequacy or equivalent regime will eventually force change.