Yes.

A cloud service provider must comply with lawful requests for disclosure of its customers' data from law enforcement agencies in accordance with Hong Kong laws. This means that, generally, it must disclose data, including personal data, to a government body or regulator in Hong Kong where required to comply with applicable laws or regulations, a court order, subpoena or other legal process, unless there are legal grounds to refuse. The Hong Kong Monetary Authority and the Securities and Futures Commission ("SFC") both have powers to request that third parties, such as cloud service providers, provide information in certain circumstances. In the case of the SFC, this disclosure requirement is specifically contemplated as part of the Circular to Licensed Corporations on Use of External Electronic Data Storage dated 31 October 2019 ("EDSP Circular") and the electronic data storage providers FAQ.

Interception and surveillance by law enforcement agencies

The Interception of Communications and Surveillance Ordinance (Chapter 589 of the Laws of Hong Kong) ("ICSO") requires law enforcement agencies, including the police, the Immigration Department, Customs and Excise Department, and the Independent Commission Against Corruption, to apply for an authorization from either a designated judge or an officer of certain government departments to allow interception of communications. Under the ICSO, public officers may intercept communications where a "prescribed authorization" is obtained.

A prescribed authorization may require any person specified to provide to the department "such reasonable assistance for the execution of the prescribed authorization as is specified in the prescribed authorization," and Section 53 allows the commissioner on interception of communications and surveillance ("Commissioner") to require any person to provide to the Commissioner the content of intercepted messages or communications in their possession or control.

National security law

On 30 June 2020, the Law of the People's Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region ("NSL") came into operation in the Hong Kong Special Administrative Region ("HKSAR"). Broadly speaking, the NSL criminalizes four types of acts: (1) secession; (2) subversion; (3) terrorist activities; and (4) collusion with a foreign country or with external elements to endanger national security. The HKSAR Police Force has set up a designated department in charge of offenses endangering national security ("National Security Offenses"). Article 43 of the NSL empowers the police department to take specific measures when handling cases concerning National Security Offenses. These measures are in addition to the ones currently available under Hong Kong law for investigating serious crimes. The police department may require a person suspected on reasonable grounds of having in their possession information or material relevant to an investigation, to answer questions and furnish such information or produce such material. These measures require an order from the court of first instance.

Telecommunications Ordinance (Chapter 106 of the Laws of Hong Kong)

The powers of the Office of the Communications Authority, the Hong Kong telecommunications regulator, may give it incidental access to financial institutions' data held by a cloud service provider in certain circumstances (generally only to the extent that the cloud service provider is regulated under the telecoms licensing regime).

Requests for disclosure from foreign governments and regulators

There are no provisions under Hong Kong laws that oblige a Hong Kong-based cloud service provider to disclose data to a foreign government or regulator. The cloud service provider should first be satisfied that the overseas government or regulator has a valid legal basis to issue the request and that it has valid jurisdiction to request that the cloud service provider disclose data on its servers located in Hong Kong.

The cloud service provider should also refer to the relevant privacy policy of the financial institution to determine whether it is permitted to disclose to a foreign regulator or government entity personal data of the financial institution's customers that it may possess.

Exemptions to privacy obligations under the PDPO

The Hong Kong Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) ("PDPO") does not mandate the provision of personal data to a law enforcement agency or other body. However, the PDPO does list certain grounds that a data user may rely on as defense when disclosing a data subject's personal data without their consent for a new purpose (i.e., other than for a purpose originally notified to the data subject). One example is Section 58(1) PDPO, which relates to personal data held for purposes such as the prevention or detection of crime; the apprehension, prosecution or detention of offenders; the assessment or collection of any tax or duty; the prevention, preclusion or remedying of unlawful or seriously improper conduct, or dishonesty or malpractice; and the functions of a financial regulator.