Cross-Border Data Transfers and Cybersecurity Compliance in Hong Kong

A guide to the legal requirements for cross-border personal data transfers and cybersecurity obligations under Hong Kong law, including PDPO compliance, data sharing agreements, and sector-specific requirements.

Introduction

The global digital economy has made cross-border data flows a routine feature of business operations. For companies operating in or through Hong Kong, transferring personal data to recipients in other jurisdictions raises specific legal obligations under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), as well as sector-specific requirements and international regulatory considerations.

This guide addresses the key legal requirements for cross-border personal data transfers from Hong Kong and the cybersecurity compliance obligations relevant to businesses operating in the city.

Cross-Border Data Transfers Under the PDPO

Section 33 of the PDPO restricts the transfer of personal data to a place outside Hong Kong, but this section has not been brought into force. Businesses may therefore transfer data offshore without being subject to a general adequacy or whitelist requirement under Hong Kong law at this time.

However, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued guidance on recommended practices for overseas data transfers, including the use of contractual safeguards. The PCPD has published a recommended model data transfer agreement (similar to the EU's standard contractual clauses) that organisations can use to provide safeguards for cross-border transfers on a voluntary basis.

Data Processor Obligations

Even absent a general cross-border transfer restriction, data users in Hong Kong must comply with the PDPO's requirements when engaging data processors (contractors who process personal data on the data user's behalf). Data Protection Principle 2(3) requires data users to adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss, or use of personal data transferred to and processed by a data processor.

In practice, this means that data sharing agreements and data processing agreements should include appropriate security and confidentiality provisions, regardless of whether the data processor is located in Hong Kong or overseas.

Sector-Specific Requirements

Several Hong Kong regulatory sectors impose additional requirements on cross-border data transfers:

  • Banking and finance: The HKMA expects authorised institutions to apply appropriate controls to cross-border data flows involving customer data, consistent with their overall risk management framework. For cloud services in particular, the HKMA's guidance requires institutions to assess data residency, localisation, and access control.
  • Insurance: The Insurance Authority's guidelines require insurers to apply appropriate safeguards for customer data processed by overseas service providers.
  • Licensed corporations (SFC-regulated entities): The SFC's cybersecurity guidelines require licensed corporations to implement controls around data access and to notify the SFC promptly of significant cybersecurity incidents.

Cybersecurity Obligations

Hong Kong does not have a general cybersecurity law equivalent to, for example, the EU's NIS Directive or China's Cybersecurity Law. However, cybersecurity obligations arise from several sources:

  • The PDPO's data protection principles require data users to take all practicable steps to ensure that personal data held by them is protected against unauthorised or accidental access, processing, erasure, loss, or use.
  • The HKMA's Cybersecurity Fortification Initiative (CFI) sets out a framework for assessing and improving the cybersecurity maturity of authorised institutions.
  • The SFC's circular on cybersecurity sets out expected standards for SFC-licensed corporations.
  • The Telecommunications Authority regulates cybersecurity for telecommunications service providers.

China's Cybersecurity and Data Laws: Implications for Hong Kong

Companies operating in both Hong Kong and Mainland China must navigate China's Cybersecurity Law (2017), Data Security Law (2021), and Personal Information Protection Law (PIPL) (2021). These laws impose significant restrictions on the cross-border transfer of "important data" and personal information of PRC residents, and require security assessments or standard contract filings for certain cross-border transfers. Companies should assess whether their data flows involving Mainland China trigger these requirements.

Data Breach Notification

While Hong Kong does not yet have a mandatory data breach notification law, the PDPO was amended in 2021 to give the PCPD stronger powers. The PCPD can direct organisations to notify affected individuals or the PCPD itself in certain serious breach scenarios. Organisations should have an internal breach response plan that includes assessing notification obligations in Hong Kong and any other relevant jurisdictions.

How Alan Wong LLP Can Assist

Alan Wong LLP advises businesses on data privacy compliance under the PDPO, cross-border data transfer arrangements, data processing agreements with vendors and service providers, and cybersecurity governance frameworks. For clients operating across Hong Kong and Mainland China, we coordinate advice on both Hong Kong privacy law and PRC data legislation. We also assist with breach response, regulatory engagement with the PCPD, and training for data governance programmes.
