A mainland enterprise plans to launch a co-branded business with a Hong Kong partner, and needs to provide that partner with a customer list — names, telephone numbers, and certain consumption preferences. In-house counsel takes a glance and concludes that, as both sides are within one and the same country, this is merely an internal data transfer for which a confidentiality agreement will suffice.
That view is the most common, and potentially the most costly, misjudgment in cross-border data compliance involving Hong Kong. The transfer of personal information from the mainland to Hong Kong is governed by the same rules as a transfer to London or New York; its character is not “internal transfer” but “outbound data transfer.” This article follows that misjudgment through, and sets out the compliance pathway for transfers of personal information from the mainland to Hong Kong.
I. “Outside the territory” is a legal concept, not a geographical one
In addressing cross-border provision, the Personal Information Protection Law (PIPL) uses the expression “provide … outside the territory of the People’s Republic of China”[1], not “abroad.” The choice of words is deliberate. “Outside the territory” has a settled meaning within our legal system: the “exit” defined in Article 89 of the Exit and Entry Administration Law includes travel from the mainland to the Hong Kong and Macao Special Administrative Regions[2]. Hong Kong is part of China’s territory, yet it is a separate jurisdiction and a separate customs territory; and as regards data flows, the instrument jointly issued by the national cyberspace authority and the Government of the Hong Kong SAR expressly characterises movement between the mainland and Hong Kong as “cross-border flow”[3].
“Outbound transfer” is therefore a legal construct, and does not vary according to whether a party subjectively regards the transfer as “internal.” From the moment personal information is transmitted from a mainland server to a Hong Kong server, it has been transferred outside the territory, and the cross-border regime under Articles 38 and 39 of the PIPL is engaged.
Once this is understood, the question to be answered is not “whether to treat the transfer as outbound,” but “by which pathway it is to be made.”
II. The pathway turns on the number of data subjects, the sensitivity of the information, and whether important data is involved
The common impression of outbound transfer stops at “a security assessment is required.” That was the position prior to March 2024. Following the entry into force of the Provisions on Promoting and Regulating Cross-Border Data Flows issued by the Cyberspace Administration of China, the triggering thresholds were substantially raised and tiered by volume[4]. To determine the applicable pathway, three elements must first be examined: the number of individuals whose information is involved, whether sensitive personal information is involved, and whether important data is involved.
By tier (for a processor that is not a critical information infrastructure operator, that does not involve important data, and counting cumulatively from 1 January of the year):
- fewer than 100,000 individuals of ordinary personal information: exempt from all three procedures, namely security assessment, standard contract and certification;
- 100,000 to fewer than 1,000,000 individuals, or fewer than 10,000 individuals of sensitive personal information: a standard contract or protection certification at the processor’s election, the two being alternatives rather than a sequence of contract first and certification afterwards;
- 1,000,000 individuals or more, or 10,000 individuals or more of sensitive personal information, or any involvement of important data, or where the processor is itself a critical information infrastructure operator: a declared security assessment.
The three qualifiers are indispensable: “cumulatively from 1 January,” “whether sensitive,” and “whether important data.” Omit one, and the conclusion may fall into the wrong tier. Important data warrants particular care: once involved, a security assessment is required regardless of volume, with no volume-based exemption.
What the tier determines is the pathway. Beyond the pathway, two obligations remain and are not waived by a lower tier: separate notice to, and separate consent from, the individual[5], and a prior personal information protection impact assessment[6]. One point is frequently misunderstood: separate consent is required only where consent is itself the lawful basis for processing the information; where the basis relied upon is, for example, “necessity for the conclusion or performance of a contract” or another lawful ground, the transfer need not be predicated on separate consent. To treat “every outbound transfer requires separate consent” as an inviolable rule is to oversimplify.
III. What the Greater Bay Area standard contract offers is not an exemption but a shorter route, subject to three constraints
Where the transfer takes place within the Guangdong–Hong Kong–Macao Greater Bay Area, a more convenient channel is available. At the end of 2023, the Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong SAR jointly issued the Standard Contract for the Cross-Border Flow of Personal Information within the Greater Bay Area (Mainland, Hong Kong)[7]. Its most practical benefit is that it sets no threshold as to the volume or sensitivity of the personal information transferred: a situation that would otherwise require a security assessment for exceeding the thresholds may, within the GBA framework, instead proceed by the lighter standard-contract route.
This shorter route, however, is subject to three constraints, and one should not be too quick to celebrate. The first is territorial: on the mainland side it is confined to the nine mainland GBA cities, and the recipient is confined to Hong Kong. The second concerns the type of data: important data is excluded and remains subject to the stricter rules. The third concerns the obligations: what is simplified is the content and route of the assessment, not the obligations themselves — an impact assessment must still be carried out, and the standard contract must still be filed.
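The tiering in Section II and the three GBA constraints in Section III together form one decision rule. The following Python is added here as an illustration and is not part of the original article; it encodes that rule so the precedence between the qualifiers (cumulative count from 1 January, sensitive personal information, important data, CIIO status, GBA territory, lawful basis) is explicit rather than left to a checklist. The thresholds are those the article states; the field names, the lawful-basis labels, the constructed sample scenario, and the choice to keep a critical information infrastructure operator on the security-assessment route even inside the GBA are assumptions of this example.

```python
"""Pathway classifier for a mainland-to-Hong-Kong personal information transfer.

Added example, not the article's own material. Thresholds follow the article;
field names, lawful-basis labels and the CIIO-within-GBA treatment are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Pathway(Enum):
    EXEMPT = "exempt from security assessment, standard contract and certification"
    CONTRACT_OR_CERTIFICATION = "standard contract or protection certification, at the processor's election"
    SECURITY_ASSESSMENT = "declared security assessment"
    GBA_STANDARD_CONTRACT = "GBA standard contract, filed, with no volume or sensitivity threshold"


@dataclass(frozen=True)
class Transfer:
    """One outbound flow to be placed in a pathway (field names are this example's own)."""
    ordinary_count: int          # individuals, ordinary PI, cumulative since 1 January of the year
    sensitive_count: int         # individuals, sensitive PI, cumulative since 1 January of the year
    important_data: bool         # any important data in the flow
    processor_is_ciio: bool      # exporter is a critical information infrastructure operator
    exporter_in_gba_city: bool   # exporter sits in one of the nine mainland GBA cities
    recipient_in_hong_kong: bool
    lawful_basis: str            # "consent", "contract_necessity", ... (constructed labels)


def mainland_tier(t: Transfer) -> Pathway:
    """Tier under the Provisions, before any GBA facilitation is considered."""
    # Important data or CIIO status: security assessment regardless of volume.
    if t.important_data or t.processor_is_ciio:
        return Pathway.SECURITY_ASSESSMENT
    # Volume thresholds that require a security assessment.
    if t.ordinary_count >= 1_000_000 or t.sensitive_count >= 10_000:
        return Pathway.SECURITY_ASSESSMENT
    # Any sensitive PI below 10,000 individuals, or ordinary PI from 100,000 upwards.
    if t.sensitive_count > 0 or t.ordinary_count >= 100_000:
        return Pathway.CONTRACT_OR_CERTIFICATION
    return Pathway.EXEMPT


def gba_channel_available(t: Transfer) -> bool:
    """Territorial and data-type constraints of the GBA channel (the obligations
    constraint is handled in classify). Keeping a CIIO on the security-assessment
    route is this example's own conservative assumption, not something the article states."""
    return (t.exporter_in_gba_city and t.recipient_in_hong_kong
            and not t.important_data and not t.processor_is_ciio)


def separate_consent_required(t: Transfer) -> bool:
    """Separate consent is needed only where consent is itself the lawful basis."""
    return t.lawful_basis == "consent"


def classify(t: Transfer) -> dict:
    """Place the flow in its pathway and list the obligations no tier waives."""
    tier = mainland_tier(t)
    pathway = tier
    # The GBA contract is a lighter route for flows above the thresholds; an exempt flow stays exempt.
    if tier is not Pathway.EXEMPT and gba_channel_available(t):
        pathway = Pathway.GBA_STANDARD_CONTRACT
    return {
        "pathway": pathway,
        "mainland_tier": tier,
        "impact_assessment_required": True,   # the PIA is not waived by a lower tier or by the GBA route
        "separate_consent_required": separate_consent_required(t),
        "gba_contract_filing_required": pathway is Pathway.GBA_STANDARD_CONTRACT,
        "hong_kong_pdpo_applies": t.recipient_in_hong_kong,  # use limitation applies on arrival
    }


if __name__ == "__main__":
    # Constructed scenario after the article's opening: a customer list of names,
    # telephone numbers and consumption preferences, exporter in a mainland GBA city.
    customer_list = Transfer(1_500_000, 0, False, False, True, True, "contract_necessity")
    for key, value in classify(customer_list).items():
        print(f"{key}: {value}")
```

Running the block shows the shape of the judgment the article describes: the same 1,500,000-person list lands on a security assessment when the exporter sits outside the nine GBA cities, on the GBA standard contract when it sits inside one, and on a security assessment regardless of location once important data is present; the impact assessment is reported as required in every branch.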
It should also be stated candidly that the legal status of this facilitation arrangement is not free from academic debate: what it relaxes are thresholds set by departmental regulation, and the question of “a lower-ranking rule relaxing a higher-ranking one” has not been entirely dispelled. In practice it is the prevailing approach; but when advising a client this background should be noted, rather than treated as a fail-safe shortcut.
IV. Once in Hong Kong the data is subject to Hong Kong law; although section 33 is not in force, obligations remain
Once the data enters Hong Kong, it is subject to the Personal Data (Privacy) Ordinance. One contrast deserves specific mention: section 33 of the Ordinance, which restricts the transfer of personal data to places outside Hong Kong, has never come into operation since its enactment in the 1990s[8]. In other words, as to “data being further transferred out of Hong Kong,” the Hong Kong side has, conversely, no mandatory statutory transfer control.
Yet “no dedicated transfer control” does not mean “no constraint.” What in fact operates are the data protection principles, and in particular the limitation on the purpose of use: a new purpose going beyond that for which the data was collected requires the further express consent of the data subject; the Privacy Commissioner for Personal Data has likewise issued recommended model contractual clauses for cross-border transfers for organisations to adopt, though these are advisory rather than mandatory[9]. In 2021, Hong Kong further criminalised “doxxing,” giving personal data protection criminal teeth.
For a mainland enterprise, this means that completing the outbound procedures on the mainland side does not entail the absence of obligations on the Hong Kong side. How the Hong Kong recipient uses the data, for what purposes, and whether it onward-transfers the data, constitute a separate set of rules to be satisfied at the same time.
V. Dual-jurisdiction compliance is not the simple sum of two sets of rules
What the enterprise above truly needs to resolve has never been “so many provisions on the mainland, so many in Hong Kong,” to be printed out as two checklists and ticked off side by side. What it needs to resolve is a matter of judgment: the lawful basis for processing determines whether separate consent is required; the number of individuals whose information is involved, and whether sensitive or important data is involved, determine whether the transfer proceeds by security assessment, standard contract or the GBA channel; and the mainland’s consent and filing, together with Hong Kong’s use restrictions and contractual arrangements, must coexist within one and the same transaction without conflict.
Where two jurisdictions overlap, the difficulty lies not in the number of provisions, but in placing that specific data flow accurately within the pathway to which it properly belongs.
For the same list, sound judgment yields a compliant and efficient channel; unsound judgment leads, at best, to rejection of the filing and, at worst, to an unlawful outbound transfer. It is for this reason that matters of this kind warrant review, before any data is transferred, by someone conversant with the rules on both sides. As for the individual case, it remains necessary to verify the specifics — the type and volume of the data, and the negative list of the pilot free trade zone concerned. What this article addresses is the framework for judgment, not the conclusion for any particular transaction.
This article is general information only and does not constitute legal advice for any specific matter; a specific data flow should be separately verified against the facts of the case.
Knowledge anchors
- Outbound transfer of personal information
- Security assessment / standard contract / certification
- Separate consent
- GBA standard contract
- PDPO · section 33