Hong Kong and China Working on a Deal to Enable Cross-Border Data Transfers

Hong Kong and China are working on a deal to enable cross-border data transfers, but the success of the agreement will depend on how governments solve differences in their regulatory frameworks, according to EY Greater Bay Area Consulting Partner and Leader Vincent Chan. He spoke at a two-day forum on cross-border data flows hosted by EY in Shenzhen, China.

Currently, the Hong Kong data centre market is dominated by high-end facilities with price tags of over US$10 per square foot. These premium facilities are mainly built for single tenant or multi-tenant operations. Despite their expensive cost, these facilities are highly secure and offer fast connectivity to mainland China. However, these premium facilities are quickly becoming scarce as demand for them continues to grow.

The definition of personal data in the PDPO is consistent with international norms and other legislative regimes, including the Personal Information Protection Law that applies to people in mainland China and the General Data Protection Regulation that applies in the European Economic Area. The definition of personal data is information relating to an identified or identifiable natural person. This includes data that can be used to identify an individual, such as name; identification number; location data; and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.

While the PDPO does not directly regulate processors, it requires data users to take steps to ensure that their contractors or agents comply with the PDPO when processing personal data. This is important because the data user will be liable for any breach of the PDPO by an agent or contractor. A data user must also use contractual or other means to ensure that the personal data they transfer outside of Hong Kong is protected from unauthorised access, processing, erasure, loss or disclosure and that the information is not retained for longer than is necessary for the purpose for which it was transferred. A data transfer policy should set out these requirements and how they will be enforced.