Data hk is the premier regional internet exchange and one of the busiest network hubs in Asia, connecting major global carriers as well as over one million enterprises. Thanks to a dense concentration of networks, IT services, and data center providers at our Hong Kong facilities, customers can leverage our industry-leading infrastructure to accelerate digital supply chains and optimize application performance.

Due to Hong Kong industries’ close links with their mainland business partners, cross-boundary data flow requirements have steadily grown over time. To facilitate and promote Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”) development, ITIB of the Hong Kong government signed a memorandum with Cyberspace Administration of China on 29 June 2023 aimed at increasing cross-boundary data transfer, driving digital economic development in GBA while strengthening Hong Kong as an innovation hub.

Cross-border data flow is essential to Hong Kong’s economy. During the legislative process for the Personal Data Protection Ordinance (“PDPO”), it was widely agreed upon that improving cross-border data transfer should be a cornerstone component. Unfortunately, however, implementation of Section 33 was eventually left out from the final version due to concerns over its adverse impact on business operations and compliance costs.

As such, Hong Kong data users’ obligations when it comes to transfer of personal data outside Hong Kong are typically less stringent than in other jurisdictions. One key requirement is that any transferred personal data must only be used for purposes outlined in their PICS. This may limit their freedom to transfer personal data for purposes not permitted in their PICS and can sometimes be taken as evidence that data transfer only supports legitimate commercial activities.

Secondly, data users who intend to transfer personal data out of Hong Kong must have a legal basis for doing so. This requirement can be more challenging to satisfy; meeting this test often requires providing evidence that justifies their actions legally. Furthermore, data users must notify affected data subjects about proposed transfer and its legal basis via either separate PICS documents or contractual provisions in main agreements.

Satisfying these regulations is no simple task, and failing to take all of the required steps may prove costly for businesses. It has led to the abandonment of implementation of Section 33 as an explicit policy objective in favor of more business-friendly approaches which permit data users to incorporate the necessary obligations into commercial arrangements that reflect their overall context and are easily enforced. This approach minimizes regulatory burden while simultaneously maintaining adequate substantive data protection for individuals, while upholding the principle that businesses should be allowed to operate freely in response to consumer and market needs. As data technologies increasingly become incorporated into daily business operations, such a pragmatic solution must also be considered.