Data hk
Hong Kong is an important business hub and is home to the most carrier-dense network infrastructure in Asia. Equinix colocation facilities in Hong Kong connect customers into this rich industry ecosystem with a range of services. Padraig Walsh from the Data Privacy practice group at Tanner De Witt explains how data transfers are regulated in Hong Kong and what businesses need to do to comply with the PDPO.
The PDPO defines personal data as information that relates to an identifiable natural person. This definition has not changed since the PDPO was first enacted in 1996 and is consistent with international norms. However, in other legislative regimes (such as the Personal Information Protection Law that applies to mainland China and the GDPR that applies to the European Economic Area), the definition of personal data is more extensive and includes a greater variety of identifiers.
The PDPO establishes data subject rights and specific obligations to data controllers through six data protection principles. Unlike some other data privacy regimes, the PDPO does not contain any express provisions conferring extra-territorial application. In determining whether the PDPO applies, the correct test is to consider whether a data user controls all or any part of the data cycle (including collection, processing, holding, and use) in, or from, Hong Kong. If not, the PDPO does not apply. Similarly, if a data user engages a processor to process personal data on its behalf, it is liable for the processor’s breach of the PDPO.