Hong Kong is one of the world’s fastest-growing data hubs, thanks to its strategic location between China and Asia Pacific. The territory is home to over 15 submarine cables, including the Asia Pacific Gateway (APG), Google/Facebook cable, Pacific Light Wave, and the newer APG-TKO, as well as several fairly new colocation data centers.
The Hong Kong Data Landscape
The personal data landscape in Hong Kong is governed by the Hong Kong Personal Data (Privacy) Ordinance (the “PDPO”), which regulates data collection, handling and use. Administered by the Office of the Privacy Commissioner for Personal Data, the PDPO contains a number of data protection principles (the “DPPs”) that data users should take into account when collecting, handling and using personal data in Hong Kong.
Data Transfer Rules
There are a number of regulatory requirements in Hong Kong for the cross-border transfer of personal data. Among them is section 33 of the PDPO, under which a data user may only transfer personal data to a place outside Hong Kong if the transfer meets certain conditions, such as that the person receiving the data is a data controller and that the person takes steps to ensure that the data will not be collected, held, processed or used in a manner that would be a breach of a PDPO requirement if it were transferred to Hong Kong.
However, transferring personal data to another country is not always straightforward. For example, a potential merger or acquisition (M&A) transaction often involves the transfer of personal data from Hong Kong to the target company. This can create a complex data transfer challenge, particularly where the target group is a Hong Kong-controlled entity that processes and uses personal data on its own or with its third-party service providers.