Hong Kong could be ideal data depository for Greater Bay Area: report
Its international positioning and robust data protection framework make it the ideal location for the region.
Hong Kong is poised to be the global technology innovation hub for the Greater Bay Area (GBA), which is the ideal location to implement a strategic pilot scheme on data flow, according to new research conducted by City University of Hong Kong.
Commissioned by Microsoft Hong Kong, the independent research examined the legal issues related to cross-border data transfer and recommended Hong Kong as a suitable location to serve as a data depository and processing center for GBA.
According to Lei Chen, associate dean & associate professor for the School of Law at the City University of Hong Kong, mainland China, Hong Kong and Macau have different legal frameworks for data protection and cybersecurity, as they were developed to meet their unique local needs.
One of the key findings from the study highlighted how Hong Kong’s data protection law focuses on the protection of privacy and security of personal data. To date, there is no legal/regulatory restriction on cross-border transfer of data to and from Hong Kong. Section 33 of the Personal Data (Privacy) Ordinance governs the transfer of personal data from Hong Kong to overseas jurisdictions, but the section is not yet in force, despite being a provision of the Ordinance since 1996.
Section 33 provides that one may transfer data out of Hong Kong if certain criteria are met, such as if the receiving jurisdiction provides similar protections to personal data as in Hong Kong, if the data subject’s consent has been obtained, or if a due diligence exercise has been carried out to ensure the data will be handled properly in the receiving jurisdiction. In a nutshell, the legal regime in Hong Kong does not restrict Hong Kong from being a global data hub to receive, store and share data.
“With GBA, the governments need to reconsider how to facilitate data flow. Hong Kong has been actively participating in international agreements about cross-border data transfer. Coupled with Hong Kong’s international positioning and robust legal framework, all these factors put the city in the forerun as the ideal location for being the data center hub for the area, and potentially for the entire China in the long run,” he explained.
The research also recommended establishing a mechanism to categorise data entering and exiting the three jurisdictions in various situations. The “white list” permits certain categories of data to enter and exit in certain circumstances, whilst the “negative list” is able to ascertain the scope of data that are not allowed to be transferred freely. The mechanism will need to identify specific industries or categories such as financial services, healthcare, and small to medium-sized businesses, and identify specific purposes like e-commerce and intergroup communication within enterprises/multinational corporations.
These criteria should be amendable and adjusted according to the changes in the systems, technologies and other factors of mainland China, Hong Kong and Macau, the report noted.
“With proper big data governance, Hong Kong can take a leading role facilitating cross-border data flow and establishing itself as the data hub for GBA, for Asia, and possibly globally in the long run. With the diverse policies and legal frameworks on data protection and cybersecurity, a pilot scheme is the logical next step to coordinate data transfer matters within the Area,” Allen Yeung, founding chairman of the Institute of Big Data Governance (IBDG), a non-profit, neutral platform to promote better protection of big data, said in a statement.
Hong Kong may also serve as a data center hub to connect China with the rest of the world at a personal level, as there are over 800 million Internet users in China with cross-border data transfer activities occurring on a day-to-day basis.
The report’s authors also noted that there is a need to transfer data within the GBA at the government level, for example for public health reasons. On a business level, cross-border data transfer is necessary, for example for collaboration purposes by private entities in their business activities, especially for multinational corporations to transfer internal data between different affiliates within the organisation, and for research, regulatory compliance and litigation purposes.