Day: May 6, 2025

The rapid expansion of the economy of Hong Kong has brought with it a wealth of opportunities for businesses and individuals. With so much personal data being transferred across boundaries, it is important to understand the regulation that governs such transfers. Padraig Walsh from the data privacy team at Tanner De Witt walks through how to comply with the various regulatory requirements in Hong Kong with regards to transferring personal information to overseas entities.

The first step in understanding the regulation that applies to data hk is determining whether the transfer of personal data falls within the scope of the Hong Kong Data Protection Act (PDPO). PDPO covers the collection, holding, processing and use of personal data and the rights and obligations associated with such activities. For the purposes of PDPO, “personal data” refers to information relating to an identified or identifiable natural person. This definition is broadly consistent with other legal regimes such as the Personal Information Protection Law that applies in mainland China and the GDPR that applies in the European Union.

A second consideration in assessing whether the regulations apply is to determine whether the data being transferred is actually personal data. Personal data must be collected for a specific purpose and be used in accordance with the prescribed laws and other provisions of the PDPO. For example, it is illegal to display an individual’s name alongside their HKID number or for such information to be made available to anyone other than those who need it to carry out activities that are related to the purpose in which the data was collected.

It is also against the law to transfer personal data outside of Hong Kong unless certain conditions are fulfilled, including that the destination jurisdiction offers a level of protection that is at least comparable with that provided under the PDPO. This is referred to in section 33 of the PDPO.

When section 33 was first enacted, increased cross-border data flow was seen as the lifeblood of Hong Kong’s economy and facilitating that free flow of data was seen as an irreplaceable attribute of Hong Kong’s success under the one country, two systems principle. However, resistance to implementing section 33 from the business community was strong and this meant that the requirement to implement it never came into effect.

Nevertheless, the PCPD continues to keep its focus on cross-border data flows and has published two sets of recommended model clauses that are suitable for inclusion in contracts involving the transfer of personal data. These model clauses can be used by a data exporter to verify that the intended destination of a transfer meets its obligation to notify the data subject of the classes of persons to whom it may transfer their personal data and that the data will be only be used for the purposes specified in the PICS. This is a markedly less onerous requirement than would be required under the GDPR.