Data privacy & compliance considerations on using cloud services

Post on 15-Jan-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Charles Mok, Legislative Councillor (Information Technology)

Data privacy & compliance considerations on using cloud services

Benefits of moving to public cloud

• Flexibility
• Disaster recovery
• Reliability
• Cut costs
• Scalability for expansion
• Performance

Cross-border data operations

• Dispersed data storage in multiple jurisdictions through cloud
• Outsourcing of data processing procedures to contractors around the world

Are these your concerns on using cloud services?

How to know the location at any point in time, its security, and who will have access?

What laws must I follow when engaging a cloud service provider to store personal data in a cloud server that is accessible outside Hong Kong?

How can my company achieve regulatory compliance with the data protection regulations in my jurisdiction?

Challenges to privacy in cloud computing

• Location of data and blurred division of responsibilities
• Complexity of risk assessment in a cloud environment
• Emergence of new business models and their implications for consumer privacy
• Data sovereignty and retention requirements

Implications on data protection and privacy

Security
• Is the data protected from theft, leakage, spying or attacks?
• What is the level of control and protection?

Residency
• Where is the data stored? Is it geographically dispersed?
• What to do with data in transit and data outside the territory?

Privacy
• Who can see personally identifiable information (PII)?
• Storing, transferring, locating and protecting PII

Challenges of cloud and security
• Maintaining ownership and control of data
• Information on third-party services and distributed infrastructure
• Delivering resiliency, availability and flexibility of cloud services

Data protection law in HK: DPP3 of PDPO

By virtue of Data Protection Principle 3 under the Ordinance, personal data can be transferred outside Hong Kong only if the purpose of the transfer of personal data is the same as or directly related to the original purpose of collecting the data, or with the consent of the data subject.

Hong Kong: Section 33 of the Personal Data (Privacy) Ordinance

• prohibits the transfer of personal data to places outside Hong Kong unless one of a number of conditions is met.

• Data users who, without reasonable excuse, contravene Section 33 commit an offence under Section 64A of the Ordinance which carries a fine of up to HK$10,000.

• The Commissioner may also issue enforcement notices
• The only provision in the PDPO that has not been brought into operation since 1995

What are the legal requirements of Section 33?

Section 33 prohibits the transfer of personal data to places outside Hong Kong unless one of the following six conditions is met:

• Destination of transfer is included in the “white list” specified by the Commissioner
• Destination of transfer has comparable data protection law to the PDPO
• Data subject’s consent in writing to the transfer
• Avoidance or mitigation of adverse action against the data subject (proof required)
• Exemption under Part VIII towards DPP3 (purpose) applies
• All reasonable precautions taken and all due diligence exercised against mishandling

Who is required to comply with Section 33?

Data User: a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.

…what does that mean?

A person who is merely transmitting data on behalf of another and not for any of his own purposes is not a data user in relation to that data.

What types of transfers are subject to s.33?

(i) transfers of personal data from Hong Kong to a place outside Hong Kong
(ii) transfers of personal data between two other jurisdictions where the transfer is controlled by a Hong Kong data user

…when data users "consciously" engage outside parties to handle personal data and the process involves data transfer outside Hong Kong.

Voluntary compliance

Status to-date

• Business Impact Assessment by government to assess compliance measures required of data users
• Reviewing of “White List” jurisdictions
• Consider setting a commencement date?

Still a long way to go...

• Policies and laws should evolve with cloud computing technology

• Is HK’s legal framework relevant and adequate? A multi-stakeholder approach in policy-making

• Maintaining standard and reliability - importance of testing & certification of cloud service providers