Introduction
Cloud computing is becoming increasingly popular as a means to increase data storage, streamline organisational procedures and reduce costs. Across industries, organisations are leveraging cloud services to store, process and manage a vast amount of data, including sensitive information and personal data. However, this growing reliance on cloud services raises concerns about personal data privacy. In recent years, several data breach incidents involving cloud platforms have exposed their vulnerabilities, highlighting the potential risks of cloud computing.
Against this background, my Office published the “Guidance on Cloud Computing” (the Guidance) in January 2025 to explain the relevant requirements of the Personal Data (Privacy) Ordinance (the PDPO) with a view to assisting organisations that use cloud computing in enhancing the protection of personal data privacy. The Guidance is highly relevant for legal practitioners, as many law firms have already adopted or are gradually adopting cloud-based systems to optimise their management and retrieval of documents and emails that may contain personal data.
Key takeaways from the Guidance
First, although organisations as data users may outsource data processing to cloud service providers, they cannot “outsource” their responsibilities under the PDPO, including the Data Protection Principles (DPPs) in Schedule 1, when holding, processing, or using personal data. The non-delegable obligation of data users is expressly stipulated in the PDPO.
Under the PDPO, when data users engage cloud computing services to process personal data on their behalf, they must adopt contractual or other means to prevent (i) personal data from being kept longer than is necessary (DPP 2(3)); and (ii) the unauthorised or accidental access, processing, erasure, loss or use of the relevant data (DPP 4(2)).
Section 65(2) of the PDPO also provides that any act done or practice engaged in by a person as agent for another person with the authority (whether express or implied, and whether precedent or subsequent) of that other person shall be treated as done or engaged in by that other person as well as by the agent. In other words, any data breach or misuse of personal data by the cloud service provider may, depending on the circumstances, be treated as performed by the organisation in question as well as by the service provider.
Shared responsibility between organisations and cloud service providers
Premised on the PDPO’s legal requirements, the Guidance not only highlights the shared responsibility between organisations and cloud service providers to ensure data security in a cloud environment but also provides recommended measures on various aspects for organisations to better protect personal data privacy arising from the use of cloud computing. The aspects include:
Service and deployment models
Organisations should carefully assess the risks associated with the chosen service and deployment model to ensure that appropriate data security measures are in place. For example, when cloud service providers update their services to offer new features or configurations, organisations should take corresponding action and update the relevant software and/or adjust their configurations in a timely manner. Adequate and effective security measures should also be adopted to prevent unauthorised or accidental access, processing, erasure, loss or use of personal data stored on the cloud.
Standard services and contracts
Organisations should evaluate whether the services and the contractual terms of cloud platforms meet all applicable standards for security and protection of personal data privacy. If there is a gap between the service offered and the standards required, organisations should request customised services and negotiate contractual terms that meet their compliance requirements, rather than relying on standard service terms only. In this context, organisations should note that the International Organization for Standardization has published a number of standards relevant to the use of cloud services, the details of which are set out in the Guidance.
Outsourcing arrangements
Organisations are recommended to ascertain the sub-contracting arrangements of cloud service providers. If cloud service providers engage sub-contractors, organisations should ensure that they obtain contractual assurance from the service providers that the same level of protection and compliance controls also apply to their sub-contractors.
Cross-border data transfers
Cloud service providers may have data centres in different jurisdictions. When organisations transfer personal data to a place outside Hong Kong, they must ensure compliance with the PDPO. Specifically, organisations must inform data subjects that their personal data will be transferred to recipients outside Hong Kong and specify the purposes for which their personal data will be used (DPP 1). If the transfer constitutes a new purpose, organisations are required to obtain the data subjects’ express and voluntary consent (DPP 3).
Conclusion
Although personal data may be stored remotely, the responsibility lies with organisations as data users. It is imperative for organisations and cloud service providers to work together to implement robust and effective security measures to protect personal data privacy in a cloud environment while leveraging the benefits of cloud computing.