Data Protection in Hong Kong

The data hk is a website that provides free and easy-to-use tools for Hong Kong residents to make requests for information on the personal data held by their telecommunications providers. The site is a joint project between the Chinese University of Hong Kong’s School of Journalism & Communication, InMediaHK, Keyboard Frontline, Open Effect, and the Citizen Lab (developers of the original Access My Info project[5] in Canada).

Data protection in Hong Kong is regulated by the Personal Data (Privacy) Ordinance (“PDPO”). It establishes data subject rights, defines specific obligations to data controllers, and regulates the collection, processing, holding, and use of personal data through six data protection principles. It also includes provisions relating to the transfer of personal data abroad, including requirements for an impact assessment and standard contractual clauses.

The PDPO has been amended several times, most recently in 2012 and 2021. The latter amendments introduced the obligation to conduct an impact assessment where a business transfers personal data to a person in an overseas jurisdiction that does not have laws or practices comparable to those of Hong Kong. The business must also take supplementary measures to bring the level of protection provided by the transferred personal data up to Hong Kong standards. This might include technical measures such as encryption, anonymisation or pseudonymisation, or the use of split or multi-party processing. It may also include additional contractual provisions on audit, inspection and reporting, beach notification, and compliance support and co-operation.

Despite the challenges of securing energy for data centre operations and the high land prices in certain districts, the city remains a favoured choice for global operators looking to connect the GBA, partly due to its legal framework, reliability and superior industry-specific infrastructure. The Mainland’s restrictions on inter-national data transfer will further increase demand for the city’s services, reinforcing its role as a regional data hub.

As such, it is timely for the PDPO to revisit its extra-territorial application and consider adopting measures similar to those of the GDPR, which will help ensure that Hong Kong does not become a data protection laggard as the rest of the world moves forward. It should also give serious consideration to reforming the transfer of personal data out of Hong Kong to better align with international practice and reflect changes in the regulatory environment.