Data privacy and security
7. Are there any data privacy and/or data security laws that would apply?

Yes.

The Hong Kong Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) ("PDPO") governs the handling of personal data by data users, a concept similar to data controllers under the EU General Data Protection Regulation. The PDPO requires data users to comply with six Data Protection Principles ("DPPs"):

  • DPP1 — Data Collection Principle. Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user. Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred, among other notification requirements. Data collected should be necessary but not excessive.
  • DPP2 — Accuracy & Retention Principle. Personal data must be accurate and should not be kept for a period longer than is necessary to fulfill the purpose for which it is used.
  • DPP3 — Data Use Principle. Personal data may only be used for the purpose for which the data was collected or for a directly related purpose, unless voluntary and explicit consent to a new purpose is obtained from the data subject.
  • DPP4 — Data Security Principle. A data user needs to take all practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.
  • DPP5 — Openness Principle. A data user must make known to the public personal data policies and practices regarding the types of personal data it holds and how the data is used.
  • DPP6 — Data Access & Correction Principle. A data subject must be given access to their personal data and be allowed to correct any inaccuracies.

However, if a cloud service provider is purely processing personal data on behalf of a financial institution as its customer and not for any of its own purposes, it would be considered a data processor and not a data user. Data processors are not directly regulated under the PDPO.

In such circumstances, the financial institution, as the data user, remains liable for the actions or omissions of its authorized data processors (including the cloud service provider) and must monitor and control those data processors. Other requirements of particular relevance in a cloud context are that the financial institution, as a data user, is obliged under the PDPO to adopt contractual or other means to ensure that the cloud service provider it engages does not retain data for longer than is necessary, and prevents unauthorized or accidental access, processing, erasure, loss or use of the data.

In practice, the regulator expects these requirements to be included as obligations in the written agreement with the cloud service provider, although a written agreement is not strictly mandatory.

As the PDPO is intended to be technology-neutral, there are no requirements that are specific to cloud services. However, the Privacy Commissioner for Personal Data has published an information leaflet on Cloud Computing (revised July 2015) ("Leaflet"), which provides an interpretation of how the DPPs apply to cloud service providers. The Leaflet sets out data privacy concerns in the cloud and how to address them. Key recommendations are as follows:

  • Cloud service providers should disclose to data users the locations/jurisdictions where the data will be stored so that this information may be made known to data subjects.
  • Cloud service providers should be transparent on their subcontracting arrangements.
  • If the cloud service provider's security standards fail to meet customer requirements, customers could seek personalized terms with the cloud service provider.
  • Customers should have the right to verify data protection and security commitments/audit rights.

There is also a more general information leaflet on Outsourcing the Processing of Personal Data to Data Processors (September 2012). This provides guidance to data users on the use of data processors and recommendations for their engagement.

On the other hand, if the cloud service provider will be processing personal data for its own purposes (and not purely on behalf of its customer), it will be considered a data user under the PDPO and must comply with the PDPO's requirements, including the six DPPs.