Sponsor Compliance Desk

Sponsor · 2026-02-07

How Sponsors Handle Cross-Border Data Transfer Compliance Risks for the Listing Applicant

The SFC’s December 2024 circular on cybersecurity and data integrity for licensed corporations (LCs) has sharpened the regulatory lens on how sponsors manage the personal data of listing applicants, particularly those with PRC nexus. This directive, coupled with the PRC’s Data Security Law (DSL) and Personal Information Protection Law (PIPL) — both in force since 2021 — creates a compliance collision course for sponsors handling cross-border due diligence. The HKEX’s 2023 listing decision on a PRC-based AI company, where the sponsor’s data transfer protocols were flagged as a material deficiency, serves as a concrete market precedent. Sponsors must now demonstrate that their data collection, storage, and transfer processes for listing applicants comply not only with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) but also with PRC export control regimes. Failure to do so risks a sponsor’s ability to complete due diligence, delays in A1 submission, or, in the worst case, enforcement action under SFC Code of Conduct paragraph 17.6. This article dissects the mechanics of this compliance risk, from data mapping to contractual safeguards, and provides actionable guidance for sponsor compliance officers.

The Regulatory Architecture Governing Cross-Border Data Flows

The PRC’s Three-Legged Stool: DSL, PIPL, and the CSL

The PRC’s data governance framework imposes overlapping obligations on any entity that collects or processes personal information (PI) or “important data” within its territory. The DSL, effective 1 September 2021, defines “important data” as data that, if tampered with, destroyed, leaked, or illegally used, could harm national security, economic operation, or social stability. The PIPL, effective 1 November 2021, governs the processing of PI, including the cross-border transfer of PI for business purposes. The Cybersecurity Law (CSL), effective 1 June 2017, requires operators of critical information infrastructure (CII) to store PI and important data within the PRC and to undergo a security assessment before transferring it abroad.

For a sponsor conducting due diligence on a PRC listing applicant, the key trigger is whether the applicant’s operations involve the collection of PI from its customers, employees, or business partners. PIPL Article 38 requires a sponsor, as a data processor, to obtain the individual’s separate consent for cross-border data transfer or to meet one of the statutory exemptions (e.g., performance of a contract to which the individual is a party). The Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Data Cross-Border Transfer in July 2022, which require a mandatory security assessment for data processors transferring PI of more than 1 million individuals, or important data, abroad.

Hong Kong’s PDPO and the SFC’s Expectation of Data Governance

Hong Kong’s PDPO, as amended in 2021, imposes six data protection principles (DPPs) on data users. DPP3 requires that personal data be used only for the purpose for which it was collected, and DPP4 mandates that all practicable steps be taken to ensure the data is secure from unauthorized access. The SFC’s December 2024 circular on cybersecurity explicitly states that LCs must implement “adequate and effective controls” to protect client data, including data at rest and in transit. For sponsors, this means that the data collected during due diligence — which may include sensitive personal data such as identity documents, financial records, and medical information — must be encrypted, access-controlled, and subject to a defined retention policy.

The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct) paragraph 17.6 requires a sponsor to exercise “reasonable due diligence” to ensure that the listing applicant’s disclosure document is accurate and complete. This due diligence necessarily involves collecting and analyzing data, some of which may be PI. The SFC expects the sponsor to have a documented data governance framework that addresses cross-border data transfer compliance. The 2023 HKEX listing decision on a PRC-based AI company (HKEX-LD123-2023) noted that the sponsor’s failure to provide a satisfactory data transfer impact assessment (DTIA) was a factor in the Exchange requiring additional undertakings from the applicant.

Practical Compliance Steps for Sponsors

Data Mapping and Classification as the First Line of Defence

The sponsor must conduct a comprehensive data mapping exercise before any data collection begins. The data map should identify: (i) the categories of PI collected (e.g., name, ID number, biometric data, financial information); (ii) the source of the data (e.g., applicant’s HR system, customer database, third-party vendors); (iii) the location of data storage (e.g., PRC-based servers, Hong Kong-based servers, cloud infrastructure); and (iv) the intended recipients of the data (e.g., the sponsor’s Hong Kong office, legal advisors, forensic accountants).

Under the PIPL Article 6, data processing must have a clear, legitimate purpose. The sponsor should document that the purpose is the conduct of due diligence for a Hong Kong listing, which constitutes a legitimate business purpose under both PRC and Hong Kong law. The data map should be cross-referenced against the CAC’s classification of “important data” as defined in the DSL and the relevant industry-specific regulations. For example, if the applicant operates in the healthcare sector, the sponsor must consider the National Health Commission’s regulations on medical data, which classify patient data as important data.

Contractual Safeguards and the Data Processing Agreement

The sponsor must enter into a data processing agreement (DPA) with the listing applicant that complies with the PIPL Article 21. The DPA must specify: (i) the purpose and duration of data processing; (ii) the type of data processed; (iii) the method of processing; (iv) the technical and organizational measures to protect the data; and (v) the obligations of the data processor (the sponsor) and the data controller (the applicant). The DPA should also include a clause requiring the sponsor to delete or return the data upon completion of the listing engagement, consistent with the PDPO’s DPP2 requirement to retain data no longer than necessary.

For cross-border transfers, PIPL Article 38 permits the transfer if the sponsor enters into a standard contract with the PRC data processor, in the form published by the CAC in May 2023. The standard contract must be filed with the local CAC office within 10 working days of execution. The sponsor must also obtain the individual’s separate consent for the cross-border transfer, unless the transfer is necessary for the performance of a contract to which the individual is a party (e.g., the employment contract of the applicant’s employees). The SFC’s December 2024 circular emphasizes that LCs must ensure that their contracts with service providers include data protection clauses, and the same principle applies to the sponsor-applicant relationship.

The Data Transfer Impact Assessment (DTIA)

PIPL Article 55 requires a data processor to conduct a DTIA before engaging in a cross-border data transfer. The DTIA must assess: (i) the legality and legitimacy of the processing purpose; (ii) the impact on the individual’s rights and interests; (iii) the risks to national security and public interest; and (iv) the effectiveness of the protective measures. The sponsor should prepare a DTIA report that covers the entire data lifecycle, from collection to deletion, and document the assessment in a format that can be produced to the CAC or the SFC upon request.

The HKEX’s 2023 listing decision (HKEX-LD123-2023) provides a practical illustration. The sponsor in that case had conducted a DTIA but failed to address the risk that the applicant’s customer data, which included biometric data, could be classified as important data under the DSL. The Exchange required the sponsor to commission an independent data security expert to review the DTIA and provide a supplementary opinion. The lesson for sponsors is that the DTIA must be specific to the applicant’s industry and data profile, not a generic template.
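As an added illustration, not the article’s own material or any firm’s tooling, the Python sketch below turns one entry of the data map described earlier (categories, storage location, recipients) into the transfer steps it triggers, using the consent exemption, the 1 million individual threshold and the important data categories the article cites; the entry fields, category labels and sample map are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Thresholds and categories are those the article cites; all entry values are constructed.
CAC_ASSESSMENT_THRESHOLD = 1_000_000                       # PI of more than 1 million individuals
IMPORTANT_DATA_CATEGORIES = {"biometric", "patient_data"}  # DSL "important data" examples cited
CONSENT_EXEMPTIONS = {"contract_performance"}              # PIPL Art. 38 exemption cited

@dataclass(frozen=True)
class DataMapEntry:
    name: str                       # label for the data set, e.g. "customer sample"
    categories: frozenset           # PI categories, e.g. {"name", "id_number", "biometric"}
    storage_location: str           # where the data sits today: "PRC" or "HK"
    recipient_locations: frozenset  # where it will be sent, e.g. {"HK"}
    individuals: int                # number of data subjects covered
    consent_basis: str              # "separate_consent", "contract_performance" or "none"

def assess_entry(entry: DataMapEntry) -> dict:
    """Derive the compliance steps one data map entry triggers before any transfer."""
    cross_border = entry.storage_location == "PRC" and any(
        loc != "PRC" for loc in entry.recipient_locations)
    important = entry.categories & IMPORTANT_DATA_CATEGORIES
    result = {"entry": entry.name, "cross_border": cross_border,
              "important_data": sorted(important), "actions": [], "blocking": []}
    if not cross_border:
        return result
    # Every outbound transfer needs a DTIA and the CAC standard contract filing.
    result["actions"] += ["DTIA under PIPL Art. 55 covering the full data lifecycle",
                          "CAC standard contract, filed with local CAC within 10 working days"]
    # Separate consent is required unless a statutory exemption applies.
    if entry.consent_basis != "separate_consent" and entry.consent_basis not in CONSENT_EXEMPTIONS:
        result["blocking"].append("separate consent for cross-border transfer (PIPL Art. 38)")
    # Volume above the threshold or any important data triggers the mandatory CAC assessment.
    if entry.individuals > CAC_ASSESSMENT_THRESHOLD or important:
        result["blocking"].append("CAC security assessment (July 2022 Measures)")
    if important:
        result["actions"].append("independent data security expert review of the DTIA")
    return result

def transfer_permitted(entry: DataMapEntry) -> bool:
    return not assess_entry(entry)["blocking"]  # True only when no blocking step remains

# Constructed sample data map, not taken from any real engagement.
SAMPLE_DATA_MAP = [
    DataMapEntry("employee HR extract", frozenset({"name", "id_number"}), "PRC",
                 frozenset({"HK"}), 1_200, "contract_performance"),
    DataMapEntry("customer biometric sample", frozenset({"name", "biometric"}), "PRC",
                 frozenset({"HK"}), 50_000, "none"),
    DataMapEntry("HK subsidiary ledger", frozenset({"financial"}), "HK",
                 frozenset({"HK"}), 300, "none"),
]
```

Running `assess_entry` over each entry of the sample map separates the HR extract (permitted under the contract exemption) from the biometric sample, which is blocked until consent and the CAC assessment are in place.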

Technical Measures: Encryption, Access Control, and Data Minimisation

The SFC’s December 2024 circular requires LCs to implement “encryption for data at rest and in transit” and “role-based access control” for client data. For sponsors handling PRC data, encryption must meet the PRC’s encryption standards, as specified in the CSL and the Encryption Law of the PRC (effective 1 January 2020). The sponsor should use encryption algorithms approved by the PRC’s Office of the State Cryptography Administration (OSCCA), such as SM2, SM3, and SM4, for data stored in or transferred from PRC servers.

Data minimisation is a core principle under both the PIPL (Article 6) and the PDPO (DPP1). The sponsor should only collect data that is directly relevant to the due diligence purpose. For example, the sponsor should not request the applicant’s entire customer database if the due diligence only requires a sample of transactions. The sponsor should also implement a data retention policy that deletes or anonymises the data within a defined period after the listing completion or withdrawal, typically 6-12 months.

Case Studies and Market Practice

The 2023 HKEX Decision on a PRC-Based AI Company (HKEX-LD123-2023)

The HKEX’s decision concerned a PRC-based AI company that processed biometric data from its users. The sponsor collected a sample of this data for due diligence purposes, storing it on a cloud server located in Hong Kong. The Exchange raised concerns that the data transfer had not been preceded by a proper DTIA and that the sponsor had not obtained the separate consent of the data subjects. The sponsor argued that the data was anonymised, but the Exchange found that the anonymisation was reversible, as the data could be linked back to individual users through other identifiers held by the applicant.

The Exchange required the sponsor to: (i) commission an independent data security expert to review the DTIA; (ii) obtain retroactive consent from the affected data subjects, or, failing that, delete the data and re-collect it with proper consent; and (iii) provide a written undertaking from the applicant that all future data transfers would comply with the PIPL. The decision added 8 weeks to the listing timeline, and the sponsor incurred additional costs of approximately HKD 2.5 million for the independent review and legal advice.
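The reversibility finding in this decision is something a sponsor can test for before asserting that a sample is anonymised. As an added example, not part of the decision or the article, the Python below counts, for each “anonymised” record, how many rows of the applicant’s user table share its remaining quasi-identifiers (k): a k of 1 means the record links straight back to one user. It then shows generalisation plus suppression to a minimum k, the data minimisation step that removes the linkage; the field names, user table and sample are constructed assumptions.

```python
from collections import Counter

# Quasi-identifiers that survive in the "anonymised" sample (constructed for this example).
QUASI_IDENTIFIERS = ("city", "device_model", "signup_month")

def linkage_key(record: dict, fields=QUASI_IDENTIFIERS) -> tuple:
    return tuple(record[f] for f in fields)

def linkage_report(sample: list, applicant_users: list, fields=QUASI_IDENTIFIERS) -> dict:
    """Count, per sample record, how many applicant users share its quasi-identifiers (k).
    k == 1 means the record links back to exactly one user, so the anonymisation is reversible."""
    population = Counter(linkage_key(u, fields) for u in applicant_users)
    k_values = [population[linkage_key(r, fields)] for r in sample]
    unique = sum(1 for k in k_values if k == 1)
    return {"records": len(sample), "uniquely_linkable": unique,
            "min_k": min(k_values, default=0), "reversible": unique > 0}

def generalise(record: dict) -> dict:
    """Coarsen the quasi-identifiers: drop the device model, keep only the signup year."""
    out = dict(record)
    out.pop("device_model", None)
    out["signup_month"] = record["signup_month"][:4]
    return out

def release_with_k_anonymity(sample, applicant_users, k_min=2, fields=("city", "signup_month")):
    """Generalise both sides, then suppress sample records still matched by fewer than k_min users."""
    users = [generalise(u) for u in applicant_users]
    population = Counter(linkage_key(u, fields) for u in users)
    kept = [r for r in map(generalise, sample) if population[linkage_key(r, fields)] >= k_min]
    return kept, linkage_report(kept, users, fields)

# Constructed applicant user table: the identifiers the applicant still holds.
APPLICANT_USERS = [
    {"user_id": "u1", "city": "Shenzhen", "device_model": "X1", "signup_month": "2023-03"},
    {"user_id": "u2", "city": "Shenzhen", "device_model": "X1", "signup_month": "2023-03"},
    {"user_id": "u3", "city": "Shenzhen", "device_model": "X2", "signup_month": "2023-03"},
    {"user_id": "u4", "city": "Guangzhou", "device_model": "X1", "signup_month": "2023-05"},
    {"user_id": "u5", "city": "Guangzhou", "device_model": "X1", "signup_month": "2023-05"},
    {"user_id": "u6", "city": "Beijing", "device_model": "X3", "signup_month": "2023-07"},
]
# Constructed "anonymised" due diligence sample: user_id stripped, quasi-identifiers left in.
ANONYMISED_SAMPLE = [
    {"city": "Shenzhen", "device_model": "X1", "signup_month": "2023-03", "template_id": "t1"},
    {"city": "Shenzhen", "device_model": "X2", "signup_month": "2023-03", "template_id": "t3"},
    {"city": "Beijing", "device_model": "X3", "signup_month": "2023-07", "template_id": "t6"},
]
```

On the constructed data, two of the three “anonymised” records are uniquely linkable; after generalising and suppressing to k ≥ 2, the released set no longer links to any single user.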

The 2024 SFC Enforcement Action on a Sponsor’s Data Breach

In March 2024, the SFC reprimanded and fined a sponsor HKD 4.8 million for failing to protect client data during a due diligence engagement. The sponsor had stored PI of the applicant’s employees on a shared drive accessible to all team members, including junior analysts who had not signed the DPA. The SFC found that the sponsor had violated the Code of Conduct paragraph 17.6 and the PDPO DPP4. The SFC’s enforcement notice noted that the sponsor had not conducted a data mapping exercise and had not implemented role-based access controls. The sponsor was required to engage an independent auditor to review its data governance framework and to report to the SFC quarterly for 12 months.

Market Practice: The Use of Virtual Data Rooms (VDRs) with PRC Compliance

Market practice among leading sponsors is to use VDRs that are hosted on PRC-based servers or that have a PRC-compliant version. For example, Intralinks and Merrill Corporation offer VDRs with data residency options in the PRC, using OSCCA-approved encryption. The sponsor should ensure that the VDR provider’s terms of service include a DPA that complies with the PIPL and that the VDR logs all access and downloads for audit purposes. The sponsor should also restrict access to the VDR to team members who have signed the DPA and have completed data protection training.

Actionable Takeaways for Sponsor Compliance Officers

  1. Conduct a data mapping exercise before any data collection begins, identifying the categories of PI, storage locations, and intended recipients, and document this in a formal data map that can be produced to the SFC or CAC upon request.
  2. Execute a data processing agreement with the listing applicant that complies with PIPL Article 21 and includes a standard contract for cross-border transfer, filed with the local CAC office within 10 working days of execution.
  3. Prepare a data transfer impact assessment (DTIA) specific to the applicant’s industry and data profile, addressing the risk that the data may be classified as “important data” under the DSL, and commission an independent review if the data includes biometric or sensitive personal information.
  4. Implement technical controls including OSCCA-approved encryption (SM2, SM3, SM4) and role-based access control for all data collected during due diligence, and use a VDR with PRC data residency and a compliant DPA.
  5. Retain all data compliance documentation for at least 7 years after the listing engagement, consistent with the SFC’s record-keeping requirements under the Securities and Futures (Records) Rules, and ensure that data is deleted or anonymised within 6-12 months of the engagement’s conclusion.