Hong Kong Data Privacy


The Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) regulates the collection, use and processing of personal data collected from individuals in Hong Kong. The Office of the Privacy Commission for Personal Data, Hong Kong (“PCPD”) oversees the execution and enforcement of the PDPO. In addition to the PDPO, the PCPD issues an information leaflet (“Cloud Computing Leaflet”) which aims to advise organizations on the factors they shall take into account in considering engaging cloud computing.

The main requirements for handling personal data are set out in the data protection principles (“DPPs”) of the PDPO. According to the DPPs, if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means (i) to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data, and (ii) to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. The DPPs also require that personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.

The PDPO currently does not restrict the transfer of personal data outside of Hong Kong (Section 33 of the PDPO lists out certain restrictions on cross border personal data transfer, which however has not been brought into operation). The Cloud Computing leaflet recommends that data users should know the locations/jurisdictions where the personal data will be stored and should ensure that such data is treated with a similar level of protection as if it resides in Hong Kong, and data subjects should be made aware of the transborder arrangement with regard to how their personal data is protected.

Both the PDPO and the Cloud Computing Leaflet make it clear that data users are required to protect and prevent the misuse of personal data entrusted to them by data subjects regardless of whether such personal data is stored within the data user’s premises, or is outsourced to cloud providers.

AWS is vigilant about your privacy and data security. Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24x7 to ensure the confidentiality, integrity, and availability of our customer's data. The same world-class security experts who monitor this infrastructure also build and maintain our broad selection of innovative security services, which can help you simplify meeting your own security and regulatory requirements. As an AWS customer, regardless of your size or location, you inherit all the benefits of our experience, tested against the strictest of third-party assurance frameworks.

AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2 and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.

For example, ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.

These comprehensive AWS technical and organizational measures are consistent with the goals of the PDPO to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.

As AWS does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to the PDPO, customers are ultimately responsible for their own compliance with the PDPO and related regulations. The content on this page supplements the existing Data Privacy resources to help you align your requirements with the AWS Shared Responsibility Model when you store and process personal data using AWS services.

Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »