Cross-Border Data Transfers from Hong Kong – A Legal Compliance Guide

Introduction

For businesses operating across borders, the transfer of personal data between jurisdictions is a daily operational reality. Customer information, employee records, financial data, and transaction details routinely flow from Hong Kong to Mainland China, Singapore, the United States, and other jurisdictions. Each of these transfers engages Hong Kong's data privacy framework and, in particular, the cross-border transfer restrictions under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO).

This guide sets out the legal framework applicable to cross-border data transfers from Hong Kong, the conditions under which such transfers are permitted, and the practical steps businesses should take to ensure compliance.

The Legal Framework: Section 33 of the PDPO

Section 33 of the PDPO prohibits the transfer of personal data to places outside Hong Kong unless one of a prescribed set of conditions is met. However, Section 33 has not yet been brought into force by the Hong Kong government, meaning that it does not currently impose binding obligations on data users. Notwithstanding this, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued a non-binding Guidance Note on cross-border data transfers which sets out recommended practices that the PCPD expects data users to follow.

The practical position is therefore that while the legal prohibition in Section 33 is not yet operative, businesses face reputational and regulatory risk if they disregard the PCPD's guidance — and the PDPO's existing Data Protection Principles impose obligations on the collection, use, and security of personal data that apply regardless of where the data is transferred.

When Section 33 is eventually brought into force, it will impose a positive obligation on data users not to transfer personal data to a place outside Hong Kong unless they are satisfied that the recipient jurisdiction provides a standard of protection substantially similar to that provided by the PDPO, or one of the following exceptions applies:

• The data subject has consented in writing to the transfer.
• The data user has taken reasonable precautions and exercised due diligence to ensure the data will not be collected, held, processed, or used in a manner that would contravene the PDPO if the recipient were in Hong Kong.
• The transfer is necessary for the performance of a contract between the data subject and the data user.
• The transfer is necessary for the taking of legal proceedings.
• The data is transferred to a jurisdiction on a "whitelist" of jurisdictions recognised as providing adequate protection.

The PCPD's Recommended Model Clauses

In its Guidance Note, the PCPD recommends that data users entering into cross-border data transfer arrangements incorporate model data transfer clauses (similar in concept to the EU Standard Contractual Clauses) into their agreements with overseas data processors and recipients. The PCPD's recommended model clauses address:

• The purposes for which personal data may be used by the recipient.
• The obligation to implement appropriate security measures to protect the data.
• Restrictions on further transfers of data by the recipient to third parties.
• The recipient's obligation to comply with standards equivalent to the PDPO's Data Protection Principles.
• Data subject access and correction rights.
• Breach notification obligations.

Incorporating these clauses into data processing agreements and vendor contracts is currently the most reliable way for Hong Kong data users to demonstrate that they have taken reasonable precautions in relation to cross-border transfers.

The Data Protection Principles and Cross-Border Transfers

Even before Section 33 is brought into force, the PDPO's six Data Protection Principles (DPPs) continue to apply to all personal data held by Hong Kong data users, regardless of where the data is sent:

• DPP1 (Collection): Data should be collected fairly, lawfully, and only to the extent necessary for the purpose.
• DPP2 (Accuracy and Retention): Data should be accurate and not retained longer than necessary.
• DPP3 (Use): Data should only be used for the purpose for which it was collected (or a directly related purpose), unless the data subject consents to a different use.
• DPP4 (Security): Practicable steps must be taken to protect data against unauthorised or accidental access, processing, erasure, loss, or use.
• DPP5 (Openness): Data users must make available to data subjects information about their policies and practices on personal data.
• DPP6 (Access and Correction): Data subjects have rights to access and correct their personal data.

A cross-border transfer of personal data that results in a breach of any of these principles — for example, because the overseas recipient uses the data for a purpose beyond the original collection purpose — will expose the Hong Kong data user to regulatory investigation and potential enforcement action.

Transfers to Mainland China

For businesses transferring data from Hong Kong to Mainland China, an additional layer of complexity applies. Mainland China has implemented its own comprehensive data protection regime under the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), which impose obligations on the export of personal data from Mainland China. These laws also have extraterritorial implications for businesses processing data about Mainland Chinese individuals.

Where a Hong Kong entity transfers data to a Mainland Chinese affiliate or data processor, it will need to consider both Hong Kong's PDPO obligations and the requirements imposed by the Mainland regime on the receiving entity. The Standard Contract for Cross-Border Transfer of Personal Information issued by the Cyberspace Administration of China may need to be entered into if the transfer involves personal data of Mainland Chinese individuals.

Businesses with significant Mainland China operations should ensure their data governance framework addresses both Hong Kong and Mainland requirements, and that data classification and mapping exercises identify which data flows engage each regime.

Transfers to the EU and EEA

Businesses that collect or process personal data relating to individuals in the European Union or European Economic Area may also be subject to the EU's General Data Protection Regulation (GDPR), which applies on a territorial basis (where an EU-established business processes data) and on an extraterritorial basis (where a non-EU business targets EU individuals with goods or services, or monitors their behaviour).

Hong Kong has not been granted an adequacy decision by the European Commission, meaning that transfers from an EU entity to a Hong Kong entity cannot be made on the basis of adequacy alone. Standard Contractual Clauses or Binding Corporate Rules must be used for such transfers. Hong Kong businesses receiving EU personal data should be aware of their co-obligations under the GDPR as "data importers" under Standard Contractual Clause arrangements.

Practical Compliance Steps for Hong Kong Businesses

Businesses operating in Hong Kong that transfer personal data overseas should take the following practical steps:

• Data mapping: Identify all categories of personal data held by the business, the purposes for which it is processed, and the jurisdictions to which it is transferred. A clear data map is the foundation of any effective data governance programme.
• Vendor due diligence: Before transferring data to an overseas vendor, cloud provider, or group company, assess the recipient's data protection standards. Request copies of the recipient's data protection policies and security certifications.
• Contractual protections: Include data protection clauses in agreements with overseas vendors and processors, incorporating the PCPD's recommended model clauses where appropriate. Ensure the contract addresses the purposes of processing, security obligations, further transfer restrictions, and breach notification.
• Privacy notices: Update privacy notices to inform data subjects that their data may be transferred overseas and to which jurisdictions, consistent with DPP5.
• Consent: Where the transfer cannot be justified on any other basis, obtain written consent from the data subject for the overseas transfer. Ensure consent records are maintained.
• Security measures: Implement appropriate technical and organisational security measures for data in transit, including encryption for data transferred electronically and access controls limiting who can access transferred data.
• Incident response planning: Ensure your data breach response plan covers cross-border scenarios, including the notification obligations that may apply in multiple jurisdictions simultaneously.

Enforcement and Penalties

The PCPD has broad investigative and enforcement powers under the PDPO. Where a data user is found to have contravened the Ordinance, the PCPD may issue an enforcement notice requiring the data user to remedy the contravention. Non-compliance with an enforcement notice is a criminal offence, with penalties of up to HK$50,000 and two years' imprisonment for a first offence, and up to HK$100,000 and two years' imprisonment for subsequent offences.

Following amendments to the PDPO in 2021, the PCPD also has the power to initiate criminal prosecutions directly (without prior enforcement notice) for doxxing offences. The 2021 amendments introduced new offences relating to the disclosure of personal data with intent to cause harm.

Businesses that suffer a data breach involving personal data may also face significant reputational damage, particularly where the breach involves sensitive financial or health information.

Key Considerations for Specific Sectors

Cross-border data transfer obligations are particularly significant for businesses in the following sectors:

• Financial services: Banks, asset managers, and other licensed entities are subject to both the PDPO and sector-specific guidelines from the HKMA and SFC on data protection and cybersecurity. These guidelines impose additional obligations on the use of external data processors, including cloud service providers.
• Healthcare: Transfers of patient data are subject to heightened sensitivity requirements. The Code of Practice on Human Reproductive Technology imposes specific restrictions on the transfer of donor information.
• Human resources: Multinational employers routinely transfer employee data to regional HR systems. Such transfers should be governed by clear data processing agreements and employee privacy notices.
• Technology and SaaS: Businesses using cloud-based services that store or process data outside Hong Kong should ensure their vendor contracts include appropriate data protection provisions and that the cloud provider's security standards are adequate.

How Alan Wong LLP Can Help

Alan Wong LLP advises businesses on data privacy compliance in Hong Kong, including cross-border data transfer obligations, the preparation and review of data processing agreements, privacy notice drafting, and data breach response. We also advise on the interaction between Hong Kong's PDPO and other data protection regimes, including the GDPR and Mainland China's PIPL.

If your business transfers personal data outside Hong Kong and you are unsure whether your current practices comply with the PDPO and the PCPD's guidance, we can help you assess your exposure and implement appropriate safeguards.

Book a free consultation →