Privacy Law in Hong Kong

Hong Kong is an ideal location for regional data centres due to its well-developed infrastructure, free trade policy and straightforward tax regime. Furthermore, its large pool of mobile, agile and multilingual ICT professionals makes Hong Kong an attractive option. However, privacy law plays an equally crucial role here; providing businesses with a conducive and trustworthy operating environment is key.

The Hong Kong Personal Data Protection Policy (“PDPO”) lays out principles to safeguard personal information during collection, use and transfer. Under these principles, data users must clearly inform data subjects of the intended purposes of use and the classes of recipients before collecting their personal information; use in this sense can include any disclosure or transfer.

Before personal data is transferred from Hong Kong to another jurisdiction, a data impact assessment must be completed. This requires reviewing the legal environment, laws and practices of both jurisdictions regarding the protection of personal data and national security; the data exporter must also take any additional measures necessary to meet Hong Kong standards of protection.

Additional measures could include encryption or pseudonymisation as a supplementary measure, split processing, breach notification, and compliance support and co-operation; alternatively, the “data exporter” could negotiate and implement contractual provisions for audit, inspection and reporting, and compliance review and breach notification.

The PDPO defines personal data as any data that identifies an individual, such as their name, identification number or email address. This definition of identifiable information differs significantly from what other data protection regimes include (such as the Personal Information Protection Act that applies in mainland China or the General Data Protection Regulation in the European Economic Area).

Businesses across industries use data in Hong Kong to enhance customer experiences and drive sales, so it is imperative that the data is collected and handled according to statutory and regulatory requirements in order to minimise risks to the business.

This paper describes Hong Kong’s interpretation of key privacy concepts and compares them with their European equivalents, before exploring how telecom service providers treat IP addresses when responding to data access requests from their customers. It then presents the AMI:HK project, an intuitive website which enables users to make data access requests to their telecommunications service providers and assess whether these providers are fulfilling their obligations under the PDPO. It is anticipated that this project will uncover inconsistencies in how telecom service providers fulfil their access request obligations under the PDPO, as well as any technical restrictions, such as automated tool limitations, that prevent or impede fulfilment.