Yes, but they are not in force.

There are restrictions on overseas data transfers in Section 33 of the Hong Kong Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) ("PDPO"). However, Section 33 has not entered into force and there are no indications that it will in the near future.

The Section 33 restrictions include limiting transfers to "white list" jurisdictions only (though there is currently no white list) and obtaining data subjects' consent to the transfer. The Hong Kong Privacy Commissioner has issued Guidance on Personal Data Protection in Cross-Border Data Transfer (December 2014), which serves as a practical guide to prepare for the implementation of Section 33.

In addition, the PCPD has issued more recent Guidance on Recommended Model Contractual Clauses for Cross-Border Transfer of Personal Data (May 2022), which includes recommended model clauses for cross-border transfers of personal data pursuant to Section 33(2)(f) of the PDPO, known as the "due diligence requirement" (though, again, Section 33 is not in force and, therefore, compliance with Section 33 is not legally required).