Date: 15 April 2020
Response to media enquiry on data localisation
Thank you very much for your enquiry about data localisation. The response from the office of the Privacy Commissioner for Personal Data (PCPD) from a personal data privacy perspective is as follows:
Data localisation and section 33 of the PDPO
The PCPD, as a regulator, enforces personal data privacy protection according to the Personal Data (Privacy) Ordinance (PDPO).
The PDPO regulates the entire data management cycle on an end-to-end basis from collection, storage, use, security to destruction as long as the control of these processes is in or from Hong Kong.
The PDPO does not provide for express extra-territorial application if a data user does not exercise control over the collection, holding, processing or use of the personal data in or from Hong Kong. Even though there are Zoom users in Hong Kong, it appears that Zoom[1] does not exercise control over any of the aforesaid aspects of the data cycle in or from Hong Kong.
We have no conclusive information demonstrating that data localisation would help secure data collection/storage when using Zoom or TikTok. Suffice it to say that free flow of information is a unique and irreplaceable attribute of Hong Kong as an international trade, finance and commercial centre.
The PCPD notes that there are different approaches to data localisation as practised in different jurisdictions, for example:
1) A strict prohibition of certain kinds of data from being transferred outside a jurisdiction;
2) Prohibition of cross-jurisdictional transfer by default, but allowing transfer in certain circumstances, such as fulfilling the adequacy requirements (this approach is similar to one of the six permissible conditions provided for in section 33 of the PDPO, which is not yet operative); and
3) Allowing transfer of data outside a jurisdiction, but at the same time requiring that a copy of the data be stored locally.
Section 33 of the PDPO restricts the transfer of personal data to a place outside Hong Kong unless one of the specified conditions is met. When the PDPO came into effect in 1996, section 33 was not brought into operation. The main reason is that at the material time, there had been fragmented privacy protection legislation in different jurisdictions, including the USA; and it was then not uncommon for overseas jurisdictions not to impose restrictions on cross-border / boundary data transfer.
While there have been calls for tighter controls on cross-jurisdiction data transfer from Hong Kong, the PCPD acknowledges that cross-jurisdiction data flow is the life-blood of our data driven economy. In fact, over the years, the business sector (especially SMEs) has been wary of the implementation of section 33 as they anticipate difficulties in full compliance with the legal requirements (such as lack of human resources and requisite knowledge) and the adverse impact on the free flow of information which is pivotal to cross-jurisdiction business operations.
Although section 33 has not been brought into operation since its enactment, the existing provisions of the PDPO have already provided safeguards for cross-border / boundary data transfer to ensure that the personal data transferred outside Hong Kong would be afforded the same level of protection under the current regulatory regime. In this connection, data users are required to:
i) give notice to explicitly inform data subjects of the classes of persons to whom the data may be transferred (Data Protection Principle 1(3));
ii) obtain the prescribed consent of data subjects for change of use of the personal data collected (Data Protection Principle 3);
iii) adopt contractual or other means to prevent any personal data transferred to the data processors, whether within or outside Hong Kong, from unauthorised or accidental access, processing, erasure, loss or use of the data being transferred for processing (Data Protection Principle 4(2)); and
iv) adopt contractual or other means to prevent any personal data transferred to the data processors, whether within or outside Hong Kong, from being kept longer than is necessary for processing of the data (Data Protection Principle 2(3)).
To safeguard personal data privacy without stifling ICT development and economic growth, the PCPD issued the “Guidance on Personal Data Protection in Cross-border Data Transfer” in 2014, which provides practical guidance to organisations which need to transfer personal data outside Hong Kong during their business operations. To further enhance practicability and user-friendliness to organisation data users, including the SMEs, the PCPD is going to revise its Guidance to specify the recommended good practices and provide two sets of recommended model clauses to cater for both data transfers between “data user and data user” as well as between “data user and data processor”. The PCPD has also reviewed the latest global regulatory framework on cross-border/boundary data flow and communicated with the Government on the ways forward which best suit the local circumstances in Hong Kong so as to continue to facilitate free flow of information as an irreplaceable attribute of Hong Kong’s success without compromising the protection of data privacy right of individuals and economic development.
Over the years, the PCPD has not received any complaints from individuals or enterprises about the cross-border / boundary data transfer provisions not coming into operation.
[1] Zoom is headquartered in San Jose, California and listed on Nasdaq. It has offices in the United States, the United Kingdom, France, the Netherlands, Australia and Japan, but not in Hong Kong.