Hong Kong seeks to become hub for China's cross-border data flow

Hong Kong Harbor

By Xu Yuan. 13 November 2017.

Hong Kong is seeking a deal with Internet authorities in mainland China regarding cross-border transfer of data, paving the way for the city to become a hub for data flows between China and the rest of the world, MLex has learned.

The Office of the Privacy Commissioner for Personal Data in Hong Kong, or PCPD, is involved in discussions with the Cyberspace Administration of China on a potential agreement to make data transfers between the mainland and Hong Kong easier than those between the mainland and other foreign jurisdictions, it is said.

Such an agreement is understood to aim at allowing a simplified or fast-track procedure to move data between the mainland and Hong Kong and to encourage foreign businesses to go through Hong Kong when exporting data from China.

In response to questions from MLex, the privacy commissioner's office referred to an initiative by a local business group to make Hong Kong a data hub. The initiative advocated by the Hong Kong Smart City Consortium, an industry-led advocacy group, includes a proposal to set up a simplified approval process with overseas and mainland jurisdictions on data transfers to Hong Kong.

"The PCPD fully cooperates with the relevant authorities for the said initiatives, and meanwhile monitors the privacy concerns that may arise," the office told MLex.

According to the PCPD, the group argues that Hong Kong's pro-business environment, sound legal system and free flow of talent and information technology give the city a competitive edge to become the region's premier data hub.

With its added advantages under "One Country, Two Systems" — which allows Hong Kong a greater degree of legal autonomy than cities on the mainland — and opportunities arising from the Belt and Road initiative — Beijing's plan to link China through infrastructure projects with the rest of Asia, parts of Africa and Europe — Hong Kong is well positioned to develop into an international data hub for hosting, storing and processing services, according to a research report conducted by the group.

Herbert Chia, chairman of the Smart City Group's Data Hub Committee, said previously during a conference on privacy in Hong Kong that the group has been in talks with mainland authorities on such an initiative for some time, and that regulators were receptive to the idea.

A simplified procedure for data transfers would provide foreign companies concerned about China’s data-export procedures an alternative by using Hong Kong as a buffer zone to move data collected on the mainland to other places.

With a significant amount of data traffic, it could also help transform Hong Kong into a regional data center.

Enforcing existing law

Currently, there is no restriction on transferring personal data outside of Hong Kong, because the section in Hong Kong’s privacy law regarding cross-border transfer restrictions has not yet been enforced.

The Personal Data (Privacy) Ordinance was enacted 22 years ago. Section 33 prohibits the transfer of personal data overseas except in specified circumstances, such as when it is to a place specified by the privacy commissioner as having in force a law substantially similar to the ordinance or where the data user can ensure the data will be handled in a manner that would not breach the ordinance.

Privacy Commissioner Stephen Wong in May urged that Section 33 be enforced and said his office was conducting analysis and assessment regarding the issue of personal-data transfer.

In preparation, the PCPD earlier submitted a "white list" to the government of jurisdictions with privacy-protection standards comparable to that of Hong Kong to which data transfers could be made under Section 33.

The Hong Kong government has revealed that trade sectors have expressed concerns over implementation of Section 33, and that small- and medium-sized enterprises may face difficulties in complying the law's provisions.

On the other hand, China has introduced arguably the strictest data-localization rules in the world, with a new Cybersecurity Law that came into effect in June.

Related cross-border data-transfer rules are expected to put tremendous burden on companies that need to transfer data out of China and have triggered ongoing concerns from foreign business communities.

US complaint to WTO

Most recently, the US submitted a complaint to the World Trade Organization targeting China’s cross-border data-transfer rules. The US described the rules as “burdensome,” “broad” and “vague,” and said they “would disrupt, deter, and in many cases, prohibit cross-border transfers of information that are routine in the ordinary course of business,” according to the complaint.

Although the Cybersecurity Law requires only network operators of critical-information infrastructure to store all personal information and important data within China, accompanying implementation rules appear intended to expand the scope of application of this rule to all network operators.

If network operators want to send data collected from Chinese operations overseas, they are required to conduct a security review, either by themselves or by a regulator when certain thresholds are met.

“As one aspect of our concerns, a need to demonstrate the necessity of transfers is very troubling," the US WTO complaint reads. "Since it impinges on commercial choices and longstanding business arrangements supported by robust trade rules, and many common transactions would not appear to meet the criteria set out.”

China has yet to release formal versions of its Measures for Security Assessment for Cross-Border Transfers of Personal Information and Important Data, and its Guidelines for Data Cross-Border Transfers Security Assessment.

In mid-October, representatives from both the PCPD and the Smart City Consortium participated in a China-Hong Kong cybersecurity forum in the Chinese city of Xiamen, according to a statement published by the Cyberspace Administration of China.

Countdown to the GDPR