Data hk is a community driven website that aims to build a community for data enthusiasts and promote the importance of openness, ethics and accountability in the data economy. The site features articles, events and interviews to help educate its audience about the potential of the data industry.
The emergence of the data economy is creating new opportunities and demands for businesses in the information technology sector. But while many of these opportunities are exciting, they come with risks that need to be carefully considered. One of the most significant is the impact of cross-border data transfers. These can create compliance issues for businesses and their stakeholders. This is why it is important to understand the regulations imposed on personal data transfer and to conduct a transfer impact assessment. This is an essential first step for businesses when preparing to transfer data across jurisdictions.
Padraig Walsh, a partner in the Data Privacy practice group of Tanner De Witt, walks us through some of the key considerations. He explains the process of conducting a transfer impact assessment and provides some useful links to resources.
The PDPO requires a data user to obtain the voluntary and express consent of the data subject before transferring his personal data outside Hong Kong. In order to comply with this requirement, a data user must first notify the data subject of the purposes for which his personal data is collected and of the classes of persons to whom the data may be transferred. The consent must be provided before the transfer is made, and the transferee must undertake not to use the personal data for any purpose other than those specified in the PICS.
Another key consideration is whether the personal data to be transferred is necessary for the purposes of the processing undertaken by the transferee. The PDPO defines ‘personal data’ to include data which can be used to identify an individual. If the personal data being transferred does not fall within this definition, then the obligations of the PDPO in respect of cross-border transfer do not apply.
A further consideration is the level of protection available in the destination jurisdiction. The PDPO provides a framework for assessing this, and the PCPD has published two sets of recommended model contractual clauses that are designed to address different scenarios, being either a transfer between data users or between a data user and a third party.
These models are helpful tools for ensuring that cross-border data transfers are compliant with the PDPO. However, they are not a comprehensive guide to the regulations in place and it is crucial to engage an experienced adviser who can provide advice on what steps need to be taken in each case. As a regional data hub with a strategic digital infrastructure foothold in a top Asian business center, Telehouse Hong Kong offers customers a highly resilient and cost-effective data storage solution at its carrier neutral Data Center Complex (CCC), located in Tseung Kwan O.