Equinix Colocation in Hong Kong – How the PCP Recommends Model Contractual Clauses to Protect Personal Data When Transferred Abroad

Hong Kong is an important digital hub for numerous businesses. Equinix offers colocation services in Hong Kong that allow customers to interconnect into a dense concentration of enterprises, networks and IT service providers. In addition, our carrier-dense data centers in the city enable connectivity to a regional internet exchange and one of Asia’s most carrier-dense network hubs. This allows them to reach customers across the region and deliver critical applications and services reliably, securely and with low latency.

The PDPO provides for a number of safeguards to protect personal data when it is transferred abroad, including the requirement that data users must obtain consent from data subjects prior to transferring their data and that data users must make transparent to data subjects the purposes for which their data will be used. These requirements are also extended to data transfers between data users, and to situations where a data user has an arrangement with another entity, such as a contractual agreement. The PCPD has published a set of recommended model contractual clauses to cover these scenarios.

However, in Hong Kong the concept of a “data user” is broader than the term used in many other jurisdictions. In Hong Kong, a “data user” is defined as any person who controls the collection, holding, processing or use of personal data either alone or jointly or in common with other persons. This includes a business that transfers personal data to another business and to an individual in his capacity as an employee.

In this context, the PCPD’s recommendations regarding model contractual clauses are designed to ensure that such arrangements will meet the requirements of the PDPO, in particular in respect of cross-border data transfers between entities outside of Hong Kong and within Hong Kong. The model contractual clauses will help to minimise the risk of potential legal action in connection with any data transfer between these two categories of entities, and will make it more straightforward for a business that transfers personal data abroad to comply with its obligations under the PDPO.

When a Hong Kong data user sends personal data to a data importer in another location, it will be necessary for the data exporter to carry out a transfer impact assessment to determine whether the level of protection afforded by the law in that location is adequate. This will involve considering the purpose for which the personal data is being transferred, and the class of individuals to whom it is being transferred.

Increased cross-border data flow is a key component of the global economy, and facilitating such flows is a legitimate policy objective. Nevertheless, increased cross-border data flow has caused some resistance to the implementation of section 33 in Hong Kong, given the perceived negative impact on business and the difficulties associated with compliance. Ultimately, the need to maintain our competitive advantage may drive change. In the interim, we should continue to be mindful of the need for strong data protection laws and best practices.