Learn about the factors organization should consider when hosting data in Cloud. What are the risks, benefits and implications for data protection and privacy when moving to the business data and applications to cloud?

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Charles Mok
​Legislative Councillor (Information Technology)
Data privacy & compliance considerations
on using cloud services

2. Benefits of moving to public cloud
• Flexibility
• Disaster recovery
• Reliability
• Cut costs
• Scalability for expansion
• Performance

3. Cross-border data operations
Dispersed data storage in multiple jurisdictions through
cloud
Outsource data processing procedures to contractors
around the world.

4. Are these your
concerns on using
cloud services?

5. How to know the location at
any point in time, its security,
and who will have access?

6. What laws must I follow when
engaging a cloud service
provider to store personal data in
a cloud server that is
accessible outside Hong Kong?

7. How can my company
achieve regulatory
compliance with the data
protection regulations in
my jurisdiction?

8. Challenges to privacy in cloud computing
• Location of data and blurred division of responsibilities
• Complexity of risk assessment in a cloud environment
• Emergence of new business models and their
implications for consumer privacy
• Data sovereignty and retention requirements

9. Implications on data protection and privacy
Security
Is the data
protected from
theft, leakage,
spying or attacks?
What is the level
of control and
protection?
Residency
Where is the data
stored?
geographically
disbursed?
What to do with
data in transit &
outside territory?
Privacy
Who can see
personally
identifiable
information (PII)?
Storing,
transferring,
locating and
protecting PII

10. Challenges
of cloud
and
security
Maintaining
ownership and
control of data
Info on 3rd party
service and
distributed
infrastructure
Deliver
resiliency,
availability and
flexibility of
cloud services

11. Data protection law in HK: DPP3 of PDPO
By virtue of Data Protection Principle 3 under the
Ordinance, personal data can be transferred outside Hong
Kong only if the purpose of the transfer of personal data is
the same as or directly related to the original purpose of
collecting the data, or with the consent of the data subject.

12. Hong Kong:
Section 33 Personal Data (Privacy) Ordinance
• prohibits the transfer of personal data to places outside Hong Kong
unless one of a number of conditions is met.
• Data users who, without reasonable excuse, contravene Section 33
commit an offence under Section 64A of the Ordinance which
carries a fine of up to HK$10,000.
• The Commissioner may also issue enforcement notices
• The only provision in the PDPO not been executed since
1995

13. What are the legal requirements of Section 33?
Section 33 prohibits the transfer of personal data to places
outside Hong Kong unless 1 of the following 6 conditions is met:
• Destination of transfer included in “white list” specified by the Commissioner
• Destination of transfer have comparable data protection law as PDPO
• Data subject’s consent in writing to the transfer
• Avoidance or mitigation of adverse action against data subject (proof
required)
• Exemption under Part VIII towards DPP3 (purpose) applies
• Taken all reasonable precautions and exercised all due diligence against
mishandling

14. Who is required to comply with Section 33?
Data User
a person who either alone or jointly or in common with
other persons, controls the collection, holding,
processing or use of the data.

15. …what does that mean?
A person who is merely transmitting data
on behalf of another and not for any of
his own purposes is not a data user in
relation to that data.

16. What types of transfers are subject to s.33?
(i) transfers of personal data from Hong Kong to a place
outside Hong Kong
(ii) transfers of personal data between two other
jurisdictions where the transfer is controlled by a Hong
Kong data user
…when data users "consciously" engage outside parties
to handle personal data and the process involves data
transfer outside Hong Kong.

17. Voluntary compliance

18. Status to-date
Business Impact Assessment by government to assess
compliance measures required of data users
Reviewing of “White List” jurisdictions
Consider setting a commencement date?

20. • Policies and laws should evolve with cloud computing
technology
• Is HK’s legal framework relevant and adequate? Multiple
stakeholder approach in policy-making
• Maintaining standard and reliability - importance of
testing & certification of cloud service providers

21. Thank You
@charlesmok
www.charlesmok.hk