Hong Kong’s role in China’s cross-border data flow regime ‘limited’ despite relaxed rules, lawyers say

Hong Kong does not play a major role in China’s cross-border data flow even under the newly relaxed rules, said Gordon Milner, a partner at law firm Morrison & Foerster

Firms looking to export data from the mainland to Hong Kong will need to go through the same compliance steps required for sending data elsewhere in the world

Reading Time:2 minutes

Hong Kong envisions itself as a regional data and innovation hub. Image: Shutterstock

Published: 8:00am, 25 Apr 2024Updated: 1:44pm, 26 Apr 2024

Beijing has relaxed its requirements for businesses sending data outside mainland China in finalised rules, but Hong Kong’s role in the new regime remains limited, according to legal experts.

Hong Kong, which envisions itself as a regional data and innovation hub, does not play a major role in China’s cross-border data flow even under the newly relaxed rules, Gordon Milner, a partner at law firm Morrison & Foerster, said in an online briefing on Tuesday.

In a highly anticipated move, China’s internet watchdog last month issued final rules for companies exporting data. The Provisions on Facilitating and Regulating Cross-Border Data Flows rules exempted a range of cases that were previously proposed to require compliance measures, including some data transfers involving shopping, shipping, flight and hotel bookings and employee information.

The relaxed rules, issued at a time when China is moving to boost confidence in its private sector, were widely welcomed by business communities. But a host of stringent requirements remain, including a security assessment for critical information infrastructure operators, and for cases involving important data or a sizeable amount of personal information.

Although observers had warned that such rules would damage Hong Kong’s status as a gateway to mainland China, the finalised rules did not grant the city any special treatment.

“Hong Kong is part of China, but under the One Country, Two Systems arrangement, it has its own separate legal jurisdiction, and it has its own privacy laws,” Milner said. That is why transfers of personal information from the mainland to Hong Kong have been considered “data exports” for the purposes of China’s privacy laws, he added.