Business Advisory On Risks And Considerations For Business Operating In Hong Kong

Published date: 04 August 2021
Subject Matter: Corporate/Commercial Law, Government, Public Sector, International Law, Privacy, Compliance, Corporate and Company Law, Data Protection, Privacy Protection, Terrorism, Homeland Security & Defence, Export Controls & Trade & Investment Sanctions
Law Firm: Winston & Strawn LLP
Author: Winston & Strawn LLP

On July 16, 2021, the U.S. Departments of State, the Treasury, Commerce, and Homeland Security jointly issued a Business Advisory for Hong Kong Special Administrative Region (Hong Kong) of the People's Republic of China (China or the PRC).

The Business Advisory lists risks and considerations for businesses operating in Hong Kong that have arisen since the implementation of the PRC National Security Law (NSL) in both China and Hong Kong.

The Business Advisory discusses four categories of risk:

  1. Risks for businesses and individuals that are related to freedom of speech;
  2. Data privacy risks;
  3. Risks regarding transparency and access to critical business information;
  4. Risks for businesses with exposure to sanctioned HK or PRC entities or individuals.

The business risks related to data privacy, access to critical business information, and conducting business with sanctioned HK or PRC entities and individuals are particularly important.

At the same time, the PRC has created frameworks that could be used as countermeasures against companies for complying with foreign sanctions to the detriment of Chinese parties. On July 23, 2021, the PRC Ministry of Foreign Affairs responded by imposing sanctions on seven U.S. individuals and one entity (the Hong Kong Democratic Council) under the PRC Anti-Foreign Sanctions Law. The seven individuals are current and former U.S. government officials or are involved with democracy promotion activities focused on Hong Kong. Thus, companies should be cognizant of the risks and of the need for compliance under both U.S. and PRC laws.

1. Data Privacy and Critical Business Information Risks

Hong Kong and the PRC operate separate legal regimes for data and data privacy. The Business Advisory warns of a risk that the PRC has the ability under the NSL to institute PRC laws or policy in Hong Kong.

In the PRC, there is a web of current and pending laws that control data collection, localization, cross-border transfer, and protection measures, including the Cybersecurity Law (CSL), draft Data Security Law (DSL), and draft Personal Information Protection Law (PIPL). The CSL created the basic framework for regulating data transfers and security in China. The DSL will become effective on September 1, 2021, and the PIPL is expected to become effective before the end of 2021, though no date has been set. Together, the CSL, DSL, and PIPL will be the framework for dealing with personal and business data within the PRC and will have a large effect on the...
