Personal Data Transfers: Jurisdictional Overview – Asia


In an interconnected world, seamless international business operations routinely require the cross-border sharing of personal data for critical functions like payroll, outsourcing, and customer service. However, this necessity must conform to a complex and varied landscape of global data protection laws.

Regulatory Frameworks

  1. The “Adequate Protection” Standard

This framework mandates that transfers outside the local region (e.g., the European Economic Area or EEA) are restricted unless the destination guarantees an essentially equivalent level of data protection to the originating jurisdiction.

Compliance typically relies on a tiered system:

  • Adequacy Decisions: Transfers are freely permitted to countries deemed “adequate” by the relevant authority, such as the European Commission (EC) under the GDPR. Jurisdictions currently holding an EU adequacy decision include Japan, South Korea and the United Kingdom, and adequacy also extends to US organisations certified under the EU-US Data Privacy Framework (DPF).
  • Appropriate Safeguards: Transfers to non-adequate countries require mechanisms that provide enforceable data subject rights and effective legal remedies. The main tools are:
    • Standard Contractual Clauses (SCCs): EC-approved model clauses.
    • Binding Corporate Rules (BCRs): Approved internal rules for intra-group transfers.

Other countries, including Israel, Switzerland, Argentina, and New Zealand, follow a similar adequacy-focused model.

This article provides an overview of the key regulatory approaches adopted worldwide, with a particular focus on the stringent and multilayered regimes in China and several prominent nations in Southeast Asia. It also details the distinct position of Hong Kong’s un-enforced cross-border laws.

  2. Countries with Other Transfer Restrictions (e.g., Australia)

These countries mandate precautions such as taking reasonable steps to ensure that protection continues after the transfer, obtaining governmental approvals, or securing explicit consent. Examples include Canada and Mexico.

China’s Cross-border Export Regime

China’s personal data export framework under the Personal Information Protection Law (PIPL) is highly prescriptive, requiring data exporters (excluding Critical Information Infrastructure Operators or CIIOs) to comply based on the volume and sensitivity of the data transferred.

Effective March 2024, the Cyberspace Administration of China (CAC) significantly revised the compliance thresholds:

| Transfer Volume (Non-CIIOs) | Mandatory Compliance Mechanism |
| --- | --- |
| Sensitive PI of over 10,000 individuals (cumulative per calendar year) | CAC Security Assessment |
| General PI of over 1 million individuals (cumulative per calendar year) | CAC Security Assessment |
| General PI of 100,000 to 1 million individuals (cumulative per calendar year) | CAC Standard Contract (filing required) or Certification |
| Non-Sensitive PI of fewer than 100,000 individuals (cumulative per calendar year) | Exempted from all cross-border mechanisms (Standard Contract, Certification, or Assessment) |

Key Exemptions

Transfers are exempted from the three compliance routes (Assessment, Contract, or Certification) if they are strictly necessary for:

  • Contractual Necessity: Execution or performance of a contract to which the data subject is a party (e.g., cross-border purchases, air ticket reservations).
  • HR Management: Cross-border human resource management (e.g., transferring employee data to an overseas parent company) in accordance with legally executed labor rules.
  • Re-export: Personal information previously collected or generated outside China, transferred in, and then transferred back out (provided it contains no important data or data originating in China).

Southeast Asia and APEC CBPR

The Asia-Pacific region embraces various data protection models, often leveraging frameworks like the Asia-Pacific Economic Cooperation’s (APEC) program to facilitate transfers across differing legal standards.

APEC CBPR and PRP Systems

The APEC Cross-Border Privacy Rules (CBPR) System is a voluntary but enforceable certification system for data controllers, based on the APEC Privacy Framework. A certified business demonstrates that its privacy practices meet a baseline standard, which can be used to satisfy transfer restrictions in participating economies.

  • Participants: Economies currently participating in the CBPR System include Singapore, the Philippines, South Korea, Japan, Canada, and the US.
  • Processors: A parallel Privacy Recognition for Processors (PRP) System exists for data processors, in which Singapore and the US participate.

Country-Specific Southeast Asia Regimes

| Country | Transfer Framework | Key Mechanisms |
| --- | --- | --- |
| Singapore | Equivalent Protection Standard | Transfers permitted if the recipient is legally bound to provide a standard of protection comparable to the PDPA, commonly met via contracts or CBPR/PRP Certification. |
| Malaysia | Equivalent Protection Standard (Effective April 2025) | Transfers permitted to countries with “substantially similar” or “adequate” laws, or via exceptions. Exceptions include explicit consent, contractual necessity, or the demonstration of Reasonable Precautions and Due Diligence (e.g., BCRs or Contractual Clauses). |
| Thailand | Adequacy/Appropriate Safeguards (Effective March 2024) | Transfers permitted to destinations with “adequate data protection standards” (whitelist to be published) or via Appropriate Safeguards such as BCRs (approved by the PDPC) or SCCs (including ASEAN Model and EU GDPR SCCs). Data merely in transit, or stored on a cloud where no third party can access it, is generally excluded from the transfer restrictions. |
| Vietnam | Strict Assessment and Reporting | Transfers of personal data of Vietnamese citizens require the transferor to conduct and proactively submit a Cross-Border Transfer Impact Assessment (TIA) dossier to the Ministry of Public Security (MPS) within 60 days of commencing the transfer. |

Hong Kong’s Position

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) contains a cross-border data transfer restriction under Section 33, which, as of the date of this article, has not been brought into effect.

Once Section 33 is enacted, a data user will generally be prohibited from transferring personal data outside Hong Kong unless certain conditions are met, such as:

  • The recipient country has laws substantially similar to the PDPO.
  • The data subject has provided written consent.
  • The data user has taken all reasonable precautions and exercised due diligence (typically achieved through binding contractual clauses).

Data in Transit

Crucially for businesses with international hosting or cloud arrangements, the restrictions generally do not apply when data is merely in transit (i.e., data that passes through a server outside Hong Kong during internet routing) if no one accesses or substantively processes the data during its transit through the foreign jurisdiction.

Key Takeaways

Successfully navigating the global transfer landscape requires a holistic strategy, which includes:

  1. Map Data Flows: Identify the origin, destination, sensitivity (e.g., China’s sensitive PI), and volume of all data transferred.
  2. Verify Compliance Route: Determine the specific mechanism required: Is it an EU Adequacy Decision, a Chinese CAC Security Assessment (if exceeding 1 million PI or 10,000 sensitive PI), or an APEC CBPR Certification?
  3. Use Binding Contracts: Always use written data transfer agreements, incorporating specific clauses (like EU SCCs, ASEAN Model Clauses, or Malaysia’s prescribed clauses) to demonstrate “appropriate safeguards” or “reasonable precautions”.
  4. Employee Training: Educate employees to identify cross-border issues, especially concerning email transfers or access by personnel in foreign offices.

Contact our team today for a confidential consultation.


Alfred Leung, Partner

alfredleung@hkytl.com | +852 3468 7202
