The agreement aims to bolster Hong Kong’s goal of becoming an even more significant regional data hub. It should stimulate demand for data centres in the city, especially from mainland operators that are restricted to intranational transfer, and – assuming the deal’s terms are not watered down – reinforce our position as China’s bridge to the rest of the world.
But, as the article below by the Colliers team points out, there are many questions to be answered if the free flow of data between Hong Kong and mainland China is to have any practical effect. For example, what does it mean to have ‘personal data’? And how will the arrangement be enforced, if at all?
The PDPO defines personal data as information that relates to an identifiable natural person and which is about the individual’s identity (DPP1). This definition is in line with international norms, and has been incorporated into other legal regimes – including those of mainland China and the European Economic Area.
However, the PDPO does not contain any express provisions conferring extra-territorial application. Instead, the test for jurisdiction is whether the data user controls all or part of the data cycle in, or from, Hong Kong. This is an important distinction from the approach taken in other jurisdictions, such as the US and Europe, where extra-territorial application is a central feature of their data privacy laws.
As a result, while the PDPO does not explicitly apply to data transfers from Hong Kong to foreign jurisdictions, a data exporter must still assess whether the law of a foreign jurisdiction is adequate to protect the personal data transferred, and take steps to bring that law up to our standards where appropriate. This may involve technical measures, such as encryption or anonymisation, or contractual arrangements that impose obligations on audit and inspection, breach notification, and compliance support and co-operation.
In addition, if a data exporter determines that the law of the destination jurisdiction is not sufficient, it must inform data subjects of the reasons why, and ask them to consent to the transfer. Similarly, it must notify the data importer of any breaches of the PDPO that occur in the course of the processing of the personal data transferred, and take reasonable steps to address those breaches.
These requirements have been a core element of the PDPO since it was first enacted in 1996, and they will remain so unless there is a legislative change. In our view, the free flow of data between Hong Kong and the mainland is an integral part of our economy, but it must be subject to robust, enforceable safeguards. Without them, the full potential of this opportunity will not be realised. We look forward to working with the Mainland and other stakeholders to ensure that this objective can be achieved. In the meantime, we continue to believe that a strong local data protection regime is the best way to guarantee this. We will keep you updated on developments in this area.