Hong Kong’s ambition to become a regional data and innovation hub is threatened by an increasingly complicated web of security data rules and outdated local ones that complicate the flow of data between the two territories, according to experts. In a fresh blow to Hong Kong’s efforts to stand out as the gateway between China and the rest of the world, the Cyberspace Administration of China on Sunday published a draft regulation, which is open to public feedback until December 13, making it clear that certain mainland companies seeking initial public offerings in the special administrative region would be subject to a cybersecurity review on national security grounds. It is the first time the government said such reviews would apply to listings in the city, exposing a divide between Hong Kong and Beijing in aligning data regulations. One potential positive for the city is the fact that the rules pertaining to Hong Kong are in a clause separate from those for foreign markets, suggesting it may still be easier for mainland companies to list in the southern city. Tom Chan Pak-lam, chairman of the Hong Kong Institute of Securities Dealers, a local brokers’ industry body, said the regulation “will encourage mainland tech companies with a significant amount of big data to go for an IPO in Hong Kong instead of overseas markets, as the rules related to the city are still more lenient than others”. New cybersecurity probe rules apply to Hong Kong IPOs, complicating options Still, experts warn that Hong Kong risks falling behind in bridging the divide between different data regimes because of the outdated Personal Data (Privacy) Ordinance (PDPO), which has been barely changed since it came into force in 1996. “Hong Kong’s own rules relating to the protection of personal data set out in the PDPO are outdated and do little to protect data belonging to Hongkongers,” said Paul Haswell, a partner at the law firm Pinsent Masons in Hong Kong. On the mainland, Beijing has updated the country’s data governance standards with multiple new laws and regulations this year. Most notable are the Data Security Law and the Personal Information Protection Law (PIPL), introducing standards that further restrict the flow of cross-border data. “With the advent of the PIPL, this means that Hong Kong has a data governance regime inferior to that on the mainland, but at the same time Hong Kong must now comply with the mainland’s new rules,” said Haswell. “So Hong Kong does not fit at all into Beijing’s data governance regime, and I feel this will have to change.” Hong Kong has been known as the “brain” of mainland China operations because data from the mainland is often stored on servers in Hong Kong before being passed on to regional or global offices. Its stock market has also made it a global financial hub, which many mainland companies may now wish to avoid because of the vagueness of the latest draft regulation. “The subjective nature of ‘may affect national security’ could well generate enough uncertainty to act as an effective block on any tech companies seeking to list in Hong Kong SAR without tacit approval from mainland China’s internet regulator,” Alex Roberts, counsel for technology, media and telecommunications at Linklaters in Shanghai, wrote in an article published on the law firm’s website. Hong Kong has been negotiating with Beijing to determine whether the city should be treated as “within China” under the new rules, according to Zuo Xiaodong, vice-president of the China Information Security Research Institute, in an article published on WeChat in August. While Beijing in principle supports data flows between Hong Kong and the mainland, Beijing insists that the mainland has ultimate decision-making authority over data transmissions, with the ability to screen both senders in the mainland and recipients in Hong Kong, Zuo wrote. Hong Kong must set up a data regulation regime that is in the hands of “patriots”, Zuo added. How China’s new data export guidelines affect foreign companies China’s new data laws have come into force in a year of crackdowns targeting the power and influence of Big Tech companies. The laws affect how tech giants are able to conduct business, but they also offer additional protections to consumers, and experts say Hong Kong has not kept up. Hong Kong law does not require user consent for the collection and processing of personal data, and there are no obligations for reporting data breaches or protections against automated decision making, said Marcelo Thompson, deputy director of the Law and Technology Centre at the University of Hong Kong. “It is important to remember that some of the most significant contemporary forms of restrictions to individual liberty do not come from the state, and that we in fact need the state in order to respond to these,” Thompson said. “Today, the mainland is doing much more to reign in the power of technological platforms than we, for various reasons, have been able to do in Hong Kong. ” While some have long suspected that Hong Kong’s privacy law has not been updated to make it easier to transfer data to the mainland, now that China has updated its laws, it is harder for data to travel the other way, according to Haswell. “In terms of Hong Kong’s role in the Greater Bay Area as a data and innovation hub, this is a problem that needs to be solved,” he said. While this presents a challenge for Hong Kong, it is an opportunity for Beijing to test its new data regime under the “one country, two systems” framework. In July, Hong Kong Financial Secretary Paul Chan Mo-po told the South China Morning Post that Hong Kong remains the ideal choice for mainland Chinese firms to go public because of the city’s strong privacy protections. But Zuo, of the China Information Security Research Institute, said it is up to Beijing to decide whether a company going public in Hong Kong affects political or national security. How China’s new data laws will make cross-border business much harder However, there is still a chance that Hong Kong could update its laws to maintain its status in the region, according to Allen Yeung, chairman of the Institute of Big Data Governance, which established data governance principles and a certification programme for easing the free flow of data. “From a long-term perspective, in order to facilitate free data flows and become a data hub in the region, Hong Kong should strive to become a whitelisting place with the EU and mainland China by having comparable data protection regulations and compliance in place,” Yeung said. Additional reporting by Enoch Yiu