How Personal Data Transfer Regulations in Hong Kong Differ From Those in Europe

Managing cross-border data transfers is a significant challenge for many businesses. Padraig Walsh from Tanner De Witt discusses how the principles of personal data transfer regulation in Hong Kong differ from those in Europe and offers some practical advice to help businesses plan and execute a successful global data transfer.

In general, a data user must inform the data subject of the purpose for which personal data will be collected. This is typically done by providing the data subject with a personal information collection statement on or before the collection of the personal data. The PICS must specify the classes of persons to whom personal data may be transferred. The data user must also obtain the data subject’s voluntary and express consent to transfer personal data to a class of persons that was not contemplated in the PICS or for a purpose that is different from that which was specified in the PICS.

A key difference between the PDPO and most other data privacy regimes is its territorial scope. While several countries now include some element of extra-territorial application, the PDPO does not contain any express provisions conferring extra-territorial applicability. This means that the PDPO only applies where the data user controls all or part of its data cycle in, or from, Hong Kong. However, this test is sometimes misinterpreted as requiring that the entire data processing chain must take place in Hong Kong to be caught by the PDPO. This is incorrect and is likely to result in data users being exposed to significantly more onerous obligations than would otherwise be the case.

The data exporter must identify and adopt supplementary measures to bring the level of protection in the foreign jurisdiction up to Hong Kong standards. This is typically achieved by a combination of technical and contractual measures. The technical measures might include techniques such as encryption, anonymisation or pseudonymisation, or split or multi-party processing. The contractual measures might include additional terms relating to audit, inspection and reporting, beach notification, and compliance support and co-operation.

In addition to the requirements under the PDPO, data exporters should consider whether they need to implement an alternative arrangement under any applicable local or international laws. This will often be necessary to ensure that the lawfully transferred personal data receives sufficient protection in the destination jurisdiction.

As a leading global distributor and solutions aggregator, Tech Data Distribution (Hong Kong) Limited, a TD SYNNEX company, unites compelling IT products, services and solutions from 1,500+ best-in-class technology vendors. Headquartered in Clearwater, Florida and Fremont, California, our 23,500+ team members are dedicated to empowering customers around the world to maximize their technology investments and demonstrate business value. Find out more about how we can help you today. Visit us at or call 01285 241 000. TD SYNNEX and its subsidiaries are Equal Opportunity Employers. TD SYNNEX is an enrolled agent with the United States Internal Revenue Service.