Hong Kong’s cross-border data transfer regime

Authored by: Kelley Loo

Although Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) has been in force since December 1996, the specific provisions on cross-border transfer of data contained in section 33 are not yet in force. The provisions are intended to prohibit the transfer of personal data outside Hong Kong unless certain conditions are fulfilled. The framework is intended to ensure that data is only transferred to jurisdictions that give a level of protection similar to that provided under the PDPO.

There is still no timetable for implementation of the cross-border data transfer provisions. However, in May 2022, the Hong Kong Privacy Commissioner issued an updated Guidance Note on “Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data”. The Guidance Note includes two sets of recommended model contractual clauses (RMCs) to cater for different scenarios in cross-border data transfers. It is important to note that many of the general protections of the PDPO also apply in the context of cross-border data transfers, and that the RMCs are consistent with existing data privacy requirements under the PDPO, including the six Data Protection Principles that govern, among other things, the purpose and manner of collection of personal data and the use and disclosure of personal data.

Although the Guidance Note is not legally binding, it should be considered as best practice, and compliance with the guidance by a business will be taken into account when investigating any suspected or alleged breach of the PDPO. It is recommended that businesses incorporate the RMCs (which have been prepared as free-standing clauses) into agreements with third parties on cross-border transfers of data. It should be emphasised that the sharing or transferring of personal data from a business to its parent, subsidiary, affiliated, related or other company within the same group of companies, whether located in or outside of Hong Kong, will still be regarded as “transferring out” of data and, as such, will still need to comply with the general requirements of the PDPO.

Businesses should also be aware that, while the RMCs appear similar to the Standard Contractual Clauses recently published pursuant to China’s Personal Information Protection Law (PIPL), they are separate regimes and compliance with PIPL will need to be considered independently. The Guidance Note is a reminder for businesses to review their contracts on the transfer of personal data to check for compliance with the guidance and the other requirements of the PDPO.

Please contact Deacons Intellectual Property Department for further information.

Key Contacts

Kelley Loo

Partner | Intellectual Property

Email or call +852 2825 9575
