Cloud Computing / July 2015
DPP4(2) provides that if a data user engages a data processor, whether within or outside Hong Kong, to
process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent
unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for
processing².
Section 65(2) of the Ordinance provides that any data breach or misuse of personal data by a data user’s
contractor (such as a cloud provider) will be treated as performed by the data user as well as by his contractor. In
other words, a data user will be liable for the acts done by its contractor.
According to DPP2(3), DPP3, DPP4 and Section 65(2) of the Ordinance, data users are required to protect and
prevent the misuse of personal data entrusted to them by data subjects regardless of whether such personal data is
stored within the data users’ premises, or is outsourced to cloud providers.
Personal Data Privacy Concerns and How to Address Them
The personal data privacy concerns for data users in the use of cloud computing are largely related to the loss or
lack of control over the use, retention/erasure and security of personal data entrusted to cloud providers.
Specifically, four control-related characteristics of the cloud computing business model are of particular concern
with regard to personal data privacy protection³.
Data users using cloud services are advised to obtain satisfactory assurance from the cloud providers to address
these concerns before they entrust personal data to them.
These characteristics and how they should be addressed are detailed below:
I. Rapid transborder data flow
For cloud providers that have data centres distributed across multiple jurisdictions, personal data entrusted
to them may flow from one jurisdiction to another based on an algorithm that optimises the use of the cloud
providers’ storage and processing resources.
Section 33 of the Ordinance regarding the restriction against the transfer of personal data to places outside
Hong Kong has not come into effect. However, if data users located in Hong Kong allow personal data
collected by them to be transferred to places outside Hong Kong, they should ensure that such data is
treated with a similar level of protection (as if it resides in Hong Kong) in order to meet the expectation of
data subjects who entrust their personal data to them. Furthermore, data subjects who entrust personal data
to them should be made aware of the transborder arrangement with regard to how their personal data is
protected⁴.
² See footnote 1
³ Data users should note that these identified issues are by no means exhaustive. Data users should exercise due care and diligence to
ensure compliance with the Ordinance.
⁴ See further details in the “Guidance on Personal Data Protection in Cross-border Data Transfer” issued by the Privacy Commissioner,
available at: www.pcpd.org.hk/english/resources_centre/publications/files/GN_crossborder_e.pdf