Hong Kong saw itself as Asia’s data hub, but Beijing’s strict cybersecurity rules threaten that status

Hong Kong’s ambition to become a regional data and innovation hub is threatened by an increasingly complicated web of security data rules and outdated local ones that complicate the flow of data between the two territories, according to experts.

In a fresh blow to Hong Kong’s efforts to stand out as the gateway between China and the rest of the world, the Cyberspace Administration of China on Sunday published a draft regulation, which is open to public feedback until December 13, making it clear that certain mainland companies seeking initial public offerings in the special administrative region would be subject to a cybersecurity review on national security grounds. It is the first time the government said such reviews would apply to listings in the city, exposing a divide between Hong Kong and Beijing in aligning data regulations.

One potential positive for the city is the fact that the rules pertaining to Hong Kong are in a clause separate from those for foreign markets, suggesting it may still be easier for mainland companies to list in the southern city. Tom Chan Pak-lam, chairman of the Hong Kong Institute of Securities Dealers, a local brokers’ industry body, said the regulation “will encourage mainland tech companies with a significant amount of big data to go for an IPO in Hong Kong instead of overseas markets, as the rules related to the city are still more lenient than others”.

Still, experts warn that Hong Kong risks falling behind in bridging the divide between different data regimes because of the outdated Personal Data (Privacy) Ordinance (PDPO), which has been barely changed since it came into force in 1996.

“Hong Kong’s own rules relating to the protection of personal data set out in the PDPO are outdated and do little to protect data belonging to Hongkongers,” said Paul Haswell, a partner at the law firm Pinsent Masons in Hong Kong.

On the mainland, Beijing has updated the country’s data governance standards with multiple new laws and regulations this year. Most notable are the Data Security Law and the Personal Information Protection Law (PIPL), introducing standards that further restrict the flow of cross-border data.

“With the advent of the PIPL, this means that Hong Kong has a data governance regime inferior to that on the mainland, but at the same time Hong Kong must now comply with the mainland’s new rules,” said Haswell. “So Hong Kong does not fit at all into Beijing’s data governance regime, and I feel this will have to change.”

Hong Kong has been known as the “brain” of mainland China operations because data from the mainland is often stored on servers in Hong Kong before being passed on to regional or global offices. Its stock market has also made it a global financial hub, which many mainland companies may now wish to avoid because of the vagueness of the latest draft regulation.