Last review date: 31 December 2024
No.
While the PDPO contains a provision concerning cross-border transfers of personal data (Section 33 of the PDPO), it is not currently in force.
In December 2014, the PCPD issued Guidance on Personal Data Protection in Cross-border Data Transfer to serve as a practical guide for data users to prepare for the implementation of Section 33. However, the Guidance is purely voluntary as it relates to a Section that is not in force yet.
In May 2022, the PCPD issued the Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data, which provides the recommended model clauses that may be used when engaging in cross-border transfer of personal data. While the use of such clauses is not mandatory, the PCPD indicates that adoption of the recommended model clauses will serve to illustrate that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the jurisdiction of the transferee, be collected, held, processed, or used in any manner which, if that took place in Hong Kong, would be a contravention of a requirement under the PDPO, based on the due diligence ground for transferring personal data overseas under Section 33 (which, as noted above, is not currently in force).
With respect to cross-border data transfer within the Guangdong - Hong Kong - Macau Greater Bay Area (GBA), following the issuance of the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (Implementation Guidelines) by the Cyberspace Administration of China and the Hong Kong Innovation, Technology and Industry Bureau, in December 2023, the PCPD issued Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong – Hong Kong – Macao Greater Bay Area (Mainland, Hong Kong). It makes clear that the requirements under the Implementation Guidelines do not affect the PCPD's supervisory and management roles within the scope of its functions under the PDPO, and that data users are still required to comply with the requirements under the PDPO when they transfer personal data to places outside Hong Kong, including the Data Protection Principles as set out in Schedule 1 to the PDPO.
Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies: N/A.
Please see separate question for information on data localization provisions that are not restricted to personal data.