Data is a key element of innovation and technology. And the data hk initiative will allow Hong Kong to harness technological progress and support productivity growth. But there is a catch: The city needs to have enough data centre capacity to handle the demand.
This is why the government has announced plans to build more data centres by 2028. This will boost Hong Kong’s position as a regional data hub and reinforce its goal of connecting the GBA. The new facilities will also help to create high-skilled jobs in the sector.
As part of the plan, the city will set up a new office to draw up digital policies and promote smart-city initiatives. The office will be staffed by experts from around the world, and will be open to external input and research. In addition, it will work to foster a culture of innovation and technology. This will ensure that the Hong Kong Special Administrative Region can continue to thrive in the future.
Several data privacy regimes have a provision that requires a data user to provide certain information to a data subject on or before the collection of his personal data. However, this requirement does not apply to a transfer of personal data between data users that is not governed by PDPO.
A data exporter should carefully consider the lawful basis for transferring personal data before doing so. Specifically, a data exporter should review its Personal Information Collection Statement to determine whether it has properly disclosed that the personal data may be transferred as specifically contemplated and, if not, consider whether a lawful basis exists for the transfer.
If a data exporter is satisfied that the lawful basis for transferring personal data to a data importer does exist, it should take appropriate contractual or other measures to prevent prolonged retention (DPP2(3)), unauthorised access, processing, erasure, loss or use of the transferred personal data by the data importer (DPP4(2)) and any other matter that would be a breach of PDPO. These measures could include technical or contractual provisions, for example, encryption, anonymisation and pseudonymisation, split or multi-party processing, beach notification and compliance support and co-operation.
In the case of a transfer to the Mainland, a data exporter should identify and adopt supplementary measures where necessary to bring the level of protection of personal data in the Mainland up to Hong Kong standards. These measures could include technical or contractual provisions, such as those relating to audit, inspection and reporting, beach notification and compliance support and co-operation.
Finally, a data exporter should consider whether it is practicable to adopt a lawful basis for the transfer, considering whether the personal data in question is necessary and proportionate to the purpose for which it is being processed and the risks involved. This is a more onerous step under GDPR than in Hong Kong, where the data exporter need only show that it has considered all of the applicable lawful bases for the transfer.