Introduction

In this digital era, cross-border data transfers have become an essential aspect of international business. As data flows seamlessly across borders, different jurisdictions have established unique regulatory frameworks to govern these activities.

This article will compare the cross-border data transfer requirements in Hong Kong, the European Union (EU), the People's Republic of China (PRC), and Singapore and set out their differences and commonalities in the table below, through which we aim to assist businesses to better comprehend the intricate and divergent legal landscapes that govern cross-border data transfers.

Table of comparison of cross-border data transfer requirements in Hong Kong, EU, PRC and Singapore

Commentary

1. Definitions of “Personal Data”

In these regulations, “personal data” or “personal information” are defined in similar terms, broadly encompassing information that can be used to identify an individual.

Notably, PIPL and GDPR impose more stringent requirements for processing of certain categories of sensitive personal data, whereas PDPO and PDPA have no such concept. PIPL determines sensitive personal information based on the potential impact of its use, whereas the GDPR categorises sensitive personal data based on the type of data.

De-identification and anonymization techniques may be applied to personal data so that it cannot be linked back to an individual and ceases to be “personal data”.

2. Applicability and Territorial Scope

Broadly speaking, these regulations apply to persons who collect, process or use personal data or have control over the same.

To a varying degree, all these regulations have or could have extra-territorial effects.  

For instance, PIPL and GDPR expressly apply to people outside of the PRC and the EU that offer goods or services to individuals in Mainland China or the EU respectively. PDPO and PDPA have a more restricted territorial scope, as they apply extraterritorially only if an organisation’s data processing activities are controlled from or within Hong Kong or Singapore, respectively. Simply put, a foreign entity without any physical presence in Hong Kong would only need to comply with PDPO if their data processing activities are controlled in or from Hong Kong.

3. Cross-border data transfers

Businesses conducting cross-border transfers of personal data in or involving subjects in the above jurisdictions should have regard to these regulations.

Their approaches vary. GDPR and PIPL are more prescriptive. GDPR allows transfers outside the EU only if the recipient country provides an ‘adequate’ level of data protection, primarily determined by the European Commission. PIPL requires personal information protection impact assessments and, in some cases, security assessment conducted by national cyberspace authorities.  PDPA adopts a hybrid approach, combining ‘white-listing’ of countries and contractual obligations to ensure comparable protection, whereas PDPO currently has no general restriction on cross-border data transfers as section 33 is not yet effective.

 

In summary, while data privacy laws in Hong Kong, PRC, EU and Singapore share commonalities, there are key differences in their definitions of personal data, territorial scopes, and requirements for cross-border data transfers. For businesses operating across these jurisdictions, it is important to be aware of these nuances and comply with the relevant data privacy requirements.

Notably, on 29 June 2023, the Cyberspace Administration of China (“CAC”) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative signed a Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area, with a view to facilitate data flow in the Greater Bay Area. It remains to be seen what measures Hong Kong and Guangdong governments will take to facilitate data flow across the two jurisdictions within the current regulatory framework.

Businesses should stay abreast of the latest developments to navigate the complex data privacy regulatory landscape.

 

Pan Tsang and Min Sung

 

For specific advice on data privacy law and related matters in Hong Kong, please contact:- 
Pan Tsang | pan_tsang@robertsonshk.com | +852 2861 8487

Disclaimer: Please note that we are Hong Kong lawyers and we are qualified to practice law in Hong Kong only. The comparisons made in this article between Hong Kong laws and those of other jurisdictions are based on our understanding of the laws in question. This article is intended for informational purposes only and should not be considered as legal advice applicable to specific cases in Hong Kong or in any other jurisdictions. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.