On July 16, 2021, the U.S. Departments of State, the Treasury, Commerce, and Homeland Security jointly issued a Business Advisory for Hong Kong Special Administrative Region (Hong Kong) of the People's Republic of China (China or the PRC). 

The Business Advisory lists risks and considerations for businesses operating in Hong Kong that have arisen since the implementation of the PRC National Security Law (NSL) in both China and Hong Kong.

The Business Advisory discusses four categories of risk:

  1. Risks for businesses and individuals that are related to freedom of speech;
  2. Data privacy risks;
  3. Risks regarding transparency and access to critical business information;
  4. Risks for businesses with exposure to sanctioned HK or PRC entities or individuals.

The business risks related to data privacy, access to critical business information, and conducting business with sanctioned HK or PRC entities and individuals are particularly important.

At the same time, the PRC has created frameworks that could be used as countermeasures against companies for complying with foreign sanctions to the detriment of Chinese parties.  On July 23, 2021, the PRC Ministry of Foreign Affairs responded by imposing sanctions on seven U.S. individuals and one entity (the Hong Kong Democratic Council) under the PRC Anti-Foreign Sanctions Law.  The seven individuals are current and former U.S. government officials or involved with democracy promotion activities focused on Hong Kong.  Thus, companies should be cognizant of the risks and need for compliance in both the U.S. and PRC laws.

1. Data Privacy and Critical Business Information Risks

Hong Kong and the PRC operate separate legal regimes for data and data privacy.  The Business Advisory warns of a risk that the PRC has the ability under the NSL to institute the PRC laws or policy in Hong Kong.

In the PRC, there is a web of current and pending laws that control data collection, localization, cross-border transfer, and protection measures, including the Cybersecurity Law (CSL), draft Data Security Law (DSL), and draft Personal Information Protection Law (PIPL).  The CSL created the basic framework for regulating data transfers and security in China.  The DSL will become effective on September 1, 2021, and the PIPL is expected to become effective before the end of 2021, though no date has been set.  Together, the CSL, DSL, and PIPL will be the framework for dealing with personal and business data within the PRC and will have a large effect on the requirements for collection, storage, transfer, processing, provision, and publication of data.

The Hong Kong Personal Data (Privacy) Ordinance (Cap 486) (PDPO) sets out how data users should collect, store, transfer, and protect personal and business data and applies to both the private and public sectors.  It also prohibits the transfer of personal data outside Hong Kong, although this part of the law on data localization has not been brought into operation. Notably, the PDPO provides for certain exemptions from its provisions where personal data is used to safeguard the security of Hong Kong and where the use of personal data is authorized by any other local law in Hong Kong. On the other hand, interceptions of communications and covert surveillance by law enforcement agencies is regulated by the Interception of Communications and Surveillance Ordinance (the ICSO). The ICSO prohibits public officers from carrying out any interception and conducting any covert surveillance except if (1) the interception is authorized by a judge or the head of a law enforcement department (i.e. the Police, Customs, ICAC, Immigration); or if (2) the interception is permitted or required to be carried out under any other local law in Hong Kong.

Accordingly, the NSL acts as the local law that supplements the above exemptions under the PDPO and ICSO. It gives the police and the Office for Safeguarding National Security the power to collect data in the form of "intelligence and information concerning national security" and the power to conduct wiretaps or electronic surveillance on approval of the chief executive. It also empowers the police to require Internet service providers to provide or delete data and other information relevant to national security cases, all without judicial oversight. 

Perhaps most strikingly, the NSL incorporates the Criminal Procedure Law of the PRC into the procedure for the handling of national security cases in Hong Kong and provides that where Hong Kong's existing local laws are inconsistent with the NSL, the NSL shall prevail. In other words, PRC criminal law procedure may be applied in national security cases in Hong Kong.

On July 6, 2021, the Personal Data (Privacy)(Amendment) Bill 2021 was published in the gazette and will go through the legislative process.  If the amendment becomes effective, it will be the first such modification since 2012. The Amendment would establish doxing offences and confers on the Privacy Commissioner the power to prosecute data-related criminal offences. Anyone who fails to comply with a cessation notice to remove offending content may face up to two years in prison. Right after the publication of the Amendment, tech companies expressed concern that their local staff may face prosecution for failing to remove the offending content even when they do not have control over the online platform contents. Note the Amendment provides that it is a defense to show the defendant does not have the technology necessary to comply with the cessation notice.

Thus, the Business Advisory provides a general warning that personal information as well as critical business information may be at risk in Hong Kong. 

2. Risk of Violating U.S. Laws and Sanctions


Since the enactment of the NSL, the U.S. has taken multiple actions that increase the legal risks for companies subject to U.S. jurisdiction doing business in Hong Kong.  The U.S. has passed two laws: the Hong Kong Human Rights and Decency Act (HKHRDA) and the Hong Kong Autonomy Act (HKAA). 

The HKAA requires the Secretary of State to regularly update Congress on foreign persons who are materially contributing to, have materially contributed to, or attempt to materially contribute to the failure of the PRC to meet its obligations under the Sino-British Joint Declaration or Hong Kong's Basic Law.1   The HKAA requires the Secretary of the Treasury to regularly submit to Congress reports that identify any foreign financial institution (FFI) that knowingly conducts a significant transaction with a foreign person identified by the Secretary of State.  The HKAA authorizes and requires sanctions for both listed individuals and listed FFIs. 

Currently, the Secretary of State has identified a total of 34 individuals (ten individuals2 in the October 14, 2020 report and twenty-four individuals in the March 16, 2021 report).  The Secretary of the Treasury has issued two reports but has not identified an FFI that has knowingly conducted a significant transaction with a listed foreign person.


Executive Order 13936 (July 14, 2020), removed preferential treatment for Hong Kong under a number of U.S. laws, including the Export Control Reform Act of 2018, which removed Hong Kong as a separate destination from China under the Export Administration Regulations (EAR).  Thus, Hong Kong individuals and entities shall be treated as PRC individuals and entities for any U.S.-origin goods, services, or technology subject to the EAR.  


Currently, OFAC has placed 42 individuals on the SDN list related to Executive Order 13939 and the HKAA.

3.  Risks of Violating China Laws

The PRC has recently enacted laws and rules that can be used as countermeasures for compliance with foreign laws and regulations to the detriment of the PRC or Chinese parties. 

  • In January 2020, the PRC Ministry of Commerce issued its Rules on Blocking Unjustified Extraterritorial Application of Foreign Legislation and Other Measures, which could be used to combat compliance with secondary sanctions.
  • On June 10, 2021, the National People's Congress Standing Committee (NPCSC) passed the PRC Anti-Foreign Sanctions Law, which could be used to combat compliance with primary sanctions. On July 28, 2021, it was reported that the NPCSC is planning to insert the PRC Anti-Foreign Sanctions Law into Annex III of the Basic Law (Hong Kong's mini-constitution) in mid-August; to be implemented locally in Hong Kong, the PRC Anti-Foreign Sanctions Law would then either be promulgated immediately or be incorporated into domestic legislation at a later time. It is said that the PRC is likely to promulgate the PRC Anti-Foreign Sanctions Law in the same way it did the NSL, thereby bypassing the Legislative Council, Hong Kong's local law-making body. On July 23, 2021, the PRC Ministry of Foreign Affairs responded to the Business Advisory by imposing sanctions on seven U.S. individuals and one entity under the PRC Anti-Foreign Sanctions Law. 

In addition, on August 8, 2020, the Hong Kong Monetary Authority issued guidance instructing regulated institutions that "unilateral sanctions imposed by foreign governments are not part of the international targeted financial sanctions regime and have no legal status in Hong Kong." While the guidance does not explicitly prohibit compliance with U.S. sanctions, it informs companies that companies should assess legal, business, and commercial risks for compliance. 

Companies doing business in the U.S. and the PRC, including Hong Kong, should carefully analyze the legal and compliance issues arising under each legal regime.  Winston & Strawn has offices in the U.S., EU, UK, and Hong Kong, and the YuandaWinston strategic alliance is fully licensed to practice and advise on PRC law.



2 These ten individuals were sanctioned by OFAC on August 7, 2020, pursuant EO 13936.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.