The PDPO and Hong Kong Pools


In addition to being one of Asia’s busiest financial centers, Hong Kong is a key data center hub for many international companies. Its dense concentration of enterprises, networks and IT service providers provides a powerful industry ecosystem for customers. Equinix’s Hong Kong colocation facilities allow you to connect directly with these businesses in this carrier-dense network hub.

One of the key issues is the scope of the definition of “personal data.” The PDPO defines personal information as information relating to an identifiable person. This definition has been endorsed internationally and is consistent with the meaning of personal information in other privacy laws such as the Personal Information Protection Act that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area (“EEA”).

Another issue relates to the obligation to expressly inform a data subject on or before collecting their personal data of the purposes for which it will be used, including transfer abroad. This requirement is similar to that in the EEA’s GDPR, but is less prescriptive than in most other jurisdictions. It may also be less burdensome than in other jurisdictions, where a data user must carry out a “transfer impact assessment” to assess the lawfulness of any proposed cross-border transfer.

The third issue relates to the obligation of a data user to ensure that transferred personal information is only processed in places which have been expressly agreed by the data transferor. This provision is similar to the transfer restriction in the EEA’s GDPR, and may be less prescriptive than in some other jurisdictions, where a data user is required to perform a “data protection impact assessment” to establish whether a transfer to a destination country would be lawful.

The fourth issue relates to the requirement for a data user to safeguard against unauthorised access, processing, erasure or loss of the personal data that it has transferred. This is a key element of the PDPO and it is similar to the safeguards in other privacy laws, such as the PIPL in mainland China and the GDPR in the EEA.

In summary, the PDPO contains a number of provisions that are intended to regulate the transfer of personal data to places outside Hong Kong, and it is generally more prescriptive than other privacy laws in the region. However, it has not yet been enforced and, in our view, is unlikely to be so in the foreseeable future. As a result, the PCPD’s current policy view is one of “don’t fix what ain’t broke”. In other words, it is not necessary to change the existing provisions on cross-border transfers. This approach is consistent with the global business consensus that a robust set of legal safeguards is adequate to protect personal data privacy. However, it is not without its risks. If you are planning to transfer personal data to destinations outside the EEA, we suggest that you seek professional advice as soon as possible.