Equinix Data Centres in Hong Kong and the PDPO
Hong Kong is the leading financial centre in Asia, and Equinix’s data centres are situated in one of its most important markets. Our data centres and colocation facilities provide a secure, resilient and highly available platform for businesses to connect, manage and distribute their critical business data across the region, enabling them to meet the demands of today’s digital economy.
Hong Kong’s position in this regard may seem out of step with international trends. But there are reasons why a jurisdiction such as Hong Kong would prefer to take this approach, which may be of benefit in the long term.
A key factor is the PDPO, which provides for the protection of personal data through six data protection principles. It establishes data subject rights and imposes specific obligations on data controllers, including a prohibition on knowingly sharing personal data that has been obtained by deception or misrepresentation. It also prohibits the disclosure of personal information without consent, a practice known as ‘doxxing’.
When it comes to transfers of personal data abroad, the PDPO imposes additional requirements. For example, it requires a data user to expressly inform a data subject on or before the collection of his personal data of the purposes for which the data will be used, and of the classes of persons to whom the personal data may be transferred. It further requires that such consent be freely given.
These are all obligations that are triggered by the processing of personal data, but are notably more stringent than those imposed on the original collection of the personal data itself. Furthermore, they have to be renewed every time the data is processed. This is a significant departure from the European Union’s standard contractual clauses, which do not impose such requirements.
In addition, the PDPO requires a data exporter to identify and adopt any supplementary measures to bring a foreign jurisdiction’s legislation and practices up to Hong Kong’s standards where they do not already do so. This could include technical measures such as encryption, anonymisation or pseudonymisation, or contractual provisions imposing enforceable obligations covering audit, inspection and reporting, breach notification, and compliance support and cooperation.
In our view, these additional requirements make the PDPO a more robust regime than the standard contractual clauses that are often required of companies importing personal data from the European Union into Hong Kong. They are therefore likely to be of considerable value to the broader community of companies that need to transfer personal data between Hong Kong and other countries, especially when they face a legal or regulatory requirement to do so.