OLN

Featured Home

A Review of In Vitro Fertilisation Regulations in Different Jurisdictions

by

(This article was published in the February 2025 Issue of the Hong Kong Lawyer)

In vitro fertilisation (“IVF”) has emerged as a cornerstone of assisted reproductive technology, offering hope to same sex couples, single people, couples facing infertility and/or mothers in high-risk pregnancies. With advancements in medical science, the procedure has become more accessible with increasingly higher success rates, yet the legal frameworks governing IVF vary significantly around the world. This article examines the legal landscape of IVF across a number of jurisdictions, highlighting key regulations, ethical considerations as well as societal implications.

The Rising Importance of IVF

The dawn of IVF began in 1978 with the birth of Louise Joy Brown, the world’s first “test-tube baby”. By 1982 when Brown’s sister was born, the latter was already the world’s 40th IVF baby. Since then, the procedure has evolved, becoming a common solution for men and women struggling to become parents due to various factors as diverse as age, medical conditions and/or lifestyle choices. Since 2001, the World Health Organization has recognised infertility as a significant global health issue affecting millions of people, estimating that worldwide, one of every six persons of reproductive age will experience fertility at some point in their lives; it emphasises the need for equitable access to reproductive technologies.

Jurisdictional Variations and Legal Considerations

Australia

Australia has established a comprehensive legal framework for IVF through the Reproductive Technology Accreditation Committee and the National Health and Medical Research Council. The Assisted Reproductive Technology Act 2007 in New South Wales allows IVF for both medical and social reasons. Publicly supported and private IVF clinics may impose their own age limits on IVF patients. One of the stated objects of the legislation is to prevent the commercialisation of human reproduction – hence the sale of human embryos is not legal in Australia. If donated embryos are used in IVF, they must be donated as altruistic gifts, although the payment of reasonable expenses is allowed. Consent is also a critical component, requiring both partners to agree on the use of their gametes. In New South Wales, providers must seek the approval of the Secretary of the Ministry of Health if embryos over 15 years old are to be used.

Canada

In Canada, the Assisted Human Reproduction Act (“AHRA”) regulates IVF practices, emphasizing patient safety and informed consent. The Act permits IVF for medical reasons, while social IVF is less clearly defined. Storage of embryos is limited to a maximum of 10 years and public healthcare coverage for IVF varies by province, with some offering partial public funding or tax credits for IVF treatments. In the province of Ontario, for example, the government provides treatment for one IVF cycle for one patient per lifetime, provided the patient is a resident of Ontario under 43 years of age. The AHRA prohibits the sale of ova, sperm and/or embryos and specifically states that altruistic donations are in line with Canadian values.

Germany

Germany maintains a conservative stance on IVF. The Embryo Protection Act dates back to 1990 and prohibits egg donation, surrogacy, the creation of embryos for non-medical reasons and limits the number of embryos that can be transferred in one cycle. A few states offer subsidies for IVF to same sex couples and unmarried couples, but the vast majority of states only provide assistance to heterosexual couples. The outdated legal framework reflects societal values that have apparently evolved. The current German coalition government set up an expert commission which in April 2024 recommended legalising and regulating egg donation and making surrogacy legal in limited circumstances.

Hong Kong SAR

Hong Kong’s Code of Practice on Reproductive Technology & Embryo Research was published by the Council of Human Reproductive Technology in 2002 and also reflects conservative values. Since same sex marriage is not yet legally recognised in Hong Kong, couples in same sex marriages and single women are not yet able to access post egg freezing services leading to live pregnancies. Only altruistic IVF is allowed in Hong Kong – commercial surrogacy is not legal. A few public hospitals provide public IVF services to couples where the wife is a Hong Kong permanent resident under the age of 40 years with no biological children. Unfortunately, the waiting period for the initial IVF appointment could be up to three years.

Japan

Japan has seen a rise in IVF popularity – in 2021, 1 in every 11.6 babies born was an IVF baby. Yet legal support for IVF remains limited. The Act on Regulation of Human Cloning Techniques governs IVF practices, only allowing the procedure under strict regulations. Embryo storage is permitted, but the law emphasizes that embryos should not be created for non-medical reasons. Due to the declining birth rate, IVF and other infertility treatments were added to national health insurance in 2022 but are only available to married couples. There are no legal provisions regulating surrogacy in Japan.

United Kingdom

The United Kingdom offers a progressive legal environment for IVF pursuant to the Human Fertilisation and Embryology Act 1990, which also established the Human Fertilisation and Embryology Authority. IVF is permitted for both medical and social reasons, with no age restrictions for women, although clinics may impose their own policies. Public funding for IVF is available depending upon where a patient lives but typically reserved for couples facing medical infertility. Altruistic surrogacy with paid expenses is legal in the UK, but surrogacy agreements are not enforceable.

United States

In the United States, IVF and surrogacy laws are primarily regulated at the state level, leading to significant variations and a complex landscape. While many states have adopted supportive legislation for IVF and commercial surrogacy, others impose restrictions based on ethical or religious beliefs. Insurance coverage for IVF also varies widely, with some states mandating coverage for infertility treatments. In February 2024, IVF treatments came to a standstill in Alabama when the state’s supreme court ruled that frozen embryos should enjoy the same rights as children. Fertility providers paused IVF treatments for fear of prosecution for “wrongful death” in the event any embryos were destroyed during treatment. It was not until certain protections were carved out for fertility providers that IVF treatments resumed.

Conclusion – Ethical and Societal Implications

The legal frameworks surrounding IVF vary considerably across jurisdictions, guided by significantly different cultural, ethical and societal values. Issues such as embryo rights, consent and access to reproductive technologies are at the forefront of public discourse and legislation. 

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.

Navigating Cross-Boundary Data Transfers in the Guangdong-Hong Kong-Macao Greater Bay Area: What Enterprises Need to Know

by

Introduction

The Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”) is one of the world’s most consequential economic integration projects, comprising three distinct legal jurisdictions. Anchored by the Pearl River Delta, the GBA brings together eleven cities across three distinct legal jurisdictions — the nine Chinese Mainland Guangdong provincial cities of Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing, together with the Special Administrative Regions of Hong Kong and Macao — under a single regional development framework. The GBA is envisaged under the China State Council’s 2019 Outline Development Plan as China’s premier platform for international technology and innovation centre with global influence.

The free flow of data across jurisdictional boundaries is essential to realising the GBA’s potential. This article examines the legal frameworks governing cross-boundary data transfers between Hong Kong and the Mainland GBA cities, and some of the key compliance obligations that enterprises operating in the region need to understand.

Part I: Hong Kong — Ongoing obligations amid a dormant provision

Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) has contained a cross-border data transfer restriction provision (“Section 33”) since its enactment in 1995 but has remain to this date not in force. Section 33, if brought into force, would generally prohibit transfers of personal data outside Hong Kong unless one of several conditions is satisfied — including that the destination jurisdiction provides a comparable level of protection, or that the data subject has given separate and voluntary consent, or that the data user has taken all reasonable precautions and exercised due diligence to ensure the data will be protected to PDPO standards (typically achieved through contractual safeguards).

The latest position of the relevant Hong Kong government bureau has been that there are concerns about the potential financial strain on small businesses if Section 33 is to be implemented. The general position of the Office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”), by contrast, has been one of encouraging voluntary compliance in anticipation of eventual commencement — issuing successive guidance notes and developing model contractual clauses for enterprises’ adoption (see further below).

Absent Section 33, cross-border data transfers from Hong Kong remain subject to the six Data Protection Principles (“DPPs”) set out in Schedule 1 to the PDPO, which apply to all personal data processing regardless of whether the data leaves Hong Kong. The most directly relevant are:

  • DPP1 (Purpose and Collection): Personal data must be collected for a lawful purpose directly related to the data user’s function or activity, and must not be collected by means that are excessive relative to that purpose. Where data is being transferred internationally as part of a broader processing chain, the original collection must legitimately anticipate this use.
  • DPP3 (Use Limitation): Personal data must not be used for a new purpose without the prescribed consent of the data subject. Cross-border transfer for a purpose different from — or not directly related to — the purpose for which the data was collected will constitute a breach of DPP3 unless consent has been obtained. This is an in-force obligation and a common source of breach.
  • DPP4 (Data Security): Data users must take all practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use. Critically, DPP4 applies to overseas processors: if a Hong Kong data user transfers data to a third-party processor in the Mainland or elsewhere, and that processor suffers a breach, the Hong Kong data user may still be found to have breached DPP4 if it failed to implement adequate contractual and technical safeguards over that processor.
  • Section 65(2) of the PDPO — Liability for acts of agents: A data user in Hong Kong remains liable for contraventions of the PDPO committed by a data processor acting on its behalf, where the data user has not taken adequate precautions. This provision applies regardless of where the processor is located, including in the Chinese Mainland.

PCPD Guidance: Voluntary but consequential

In May 2022, the PCPD issued Guidance on Recommended Model Contractual Clauses for Cross-Border Transfer of Personal Data (“RMC Guidance”), providing two sets of model contractual clauses (“RMCs”):

  • Data User to Data User (DU-DU): For transfers where the receiving entity will use the data for its own purposes.
  • Data User to Data Processor (DU-DP): For transfers to entities processing data solely on behalf of the transferring data user.

The RMC Guidance is expressly non-binding. However, enterprises should not underestimate its practical weight. The PCPD has stated that compliance with the RMC Guidance – particularly incorporation of the RMCs or equivalent provisions – will be taken into account when investigating any suspected breach of the PDPO. In other words, an enterprise that has implemented the RMCs is in a materially stronger position if data transferred overseas is misused or subjected to a breach. One that has not done so faces heightened exposure.

It should further be noted that most of the obligations embedded in the RMCs already reflect in-force PDPO requirements — particularly under DPP3 and DPP4. The RMCs are not merely aspirational; a substantial portion of what they require is already mandatory under the PDPO as it stands today.

Interface with the Protection of Critical Infrastructures (Computer Systems) Ordinance

The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the “PCIO”) was enacted on 19 March 2025 and came into force on 1 January 2026. It represents Hong Kong’s first piece of legislation specifically targeting cybersecurity in respect of critical infrastructures. Although the PCIO is not a data privacy statute per se, it intersects in important ways with the PDPO, and is therefore of particular relevance to enterprises operating in the Greater Bay Area that engage in cross-boundary processing of personal data.

The PCIO regulates designated operators of critical infrastructures (“CIOs”) across eight specified sectors, including energy, information technology, banking and financial services, transportation (covering aviation, land and maritime transport), healthcare, and telecommunications and broadcasting. It imposes statutory obligations requiring CIOs to adopt appropriate measures to safeguard their computer systems, with a view to reducing the risk of disruption or damage to essential services caused by cyberattacks, thereby maintaining the normal functioning of society and protecting public interests. In particular, the PCIO requires CIOs to establish and maintain comprehensive cybersecurity management systems, implement a computer-system security management plan, conduct regular risk assessments and audits, incident reporting, and setting up a structured incident preparedness and response regime.

Although the PCIO primarily focuses on the technical security of critical computer systems, its framework also strengthens the broader data protection landscape. These requirements enhance the protection of personal data stored, processed, or transmitted within critical infrastructures, and align closely with the PDPO’s data protection principles — particularly the obligation on data users to take all practicable steps to safeguard personal data against unauthorised or accidental access, loss, or misuse. By introducing mandatory organisational and technical safeguards, the PCIO supports CIOs in discharging these obligations with greater rigour.

What Hong Kong enterprises should do now

Enterprises transferring personal data from Hong Kong to the Chinese Mainland should consider the following as a baseline compliance programme:

  1. Data mapping: Identify all categories of personal data leaving Hong Kong, the legal basis for collection, the purposes for which data is being transferred, and the identity and location of recipients.
  2. Purpose alignment (DPP3): For each transfer, assess whether the purpose is the same as, or directly related to, the purpose for which the data was collected. Where it is not, either obtain fresh consent or restructure the data flow.
  3. Processor contracts (DPP4 / s.65(2)): Enter into written data processing agreements with all Mainland processors, incorporating data security standards, sub-processing restrictions, breach notification obligations, audit rights, and data retention requirements. The DU-DP RMCs provide a useful starting template.
  4. Data User to Data User transfers: Where the Mainland recipient uses the data for its own purposes, DU-DU contractual protections are needed, covering purpose limitations, data subject rights, security, and accountability.
  5. Privacy notices: Ensure collection notices adequately describe the possibility of cross-border transfers and the safeguards in place. Inadequate privacy notices are a routine finding in PCPD investigations.
  6. Preparing for Section 33: Implementing the RMCs now is good practice regardless of timing, and will reduce the compliance burden if and when Section 33 is eventually commenced.
Part II: Chinese Mainland — A comprehensive statutory framework with multiple transfer mechanisms

The Chinese Mainland’s data governance framework for personal information is built on three interlocking statutes:

  • Cybersecurity Law 《网络安全法》(effective 1 June 2017): Establishes baseline requirements for network operators. Critical information infrastructure (“CII”) operators are subject to data localisation requirements, whereby personal information and important data gathered or produced during operations within the Chinese Mainland must be stored within the Chinese Mainland, and may only be transferred overseas after passing a security assessment. CII operators span sectors including telecommunications, energy, transport, finance, and public services.
  • Data Security Law 《数据安全法》 (“DSL”) (effective 1 September 2021): Introduces a tiered classification system for all data (not just personal data), based on its importance to national security, public interest, and economic development. “Important data” attracts heightened restrictions. The DSL has extraterritorial reach, applying to data processing activities outside the Chinese Mainland that harm China’s national security, public interest, or the lawful rights of Chinese citizens.
  • Personal Information Protection Law 《个人信息保护法》 (“PIPL”) (effective 1 November 2021): China’s comprehensive personal data statute, broadly analogous in structure — though not in substance — to the European Union’s GDPR. The PIPL governs the collection, processing, and transfer of “personal information” (broadly defined), imposes strict conditions on cross-border transfers, and applies extraterritorially to processing outside the Chinese Mainland that serves persons within the Chinese Mainland or analyses their behaviour. The implementation of the PIPL is further supported by specific implementing regulations governing the procedures and requirements for cross-border transfers, principally: the Measures for Security Assessment of Outbound Data Transfers 《数据出境安全评估办法》 (effective 1 September 2022); the Measures for the Standard Contract for Outbound Transfer of Personal Information 《个人信息出境标准合同办法》 (effective 1 June 2023); the Provisions on Promoting and Regulating the Cross-Border Flow of Data 《促进和规范数据跨境流动规定》 (effective 22 March 2024, the “2024 Provisions”); the Measures for the Administration of Personal Information Protection Compliance Audits 《个人信息保护合规审计管理办法》 (effective 1 May 2025); and the Measures for Certification of Cross-Border Personal Information Transfer 《个人信息出境认证办法》(effective 1 January 2026).

In addition, sitting below the three primary statutes, the State Council promulgated the Network Data Security Management Regulation 《网络数据安全管理条例》 (effective 1 January 2025) on 30 September 2024, providing comprehensive regulation of network data security management at the administrative regulation level. In the context of cross-border data transfers, the Network Data Security Management Regulation plays the following roles: first, it consolidates and confirms at administrative regulation level the three transfer mechanisms established under the Cyberspace Administration of China (“CAC”) departmental rules (see further below), lending the framework greater legal authority; second, it provides an operational general definition of “important data,” assisting enterprises in identifying which data assets trigger the mandatory security assessment requirement; third, it introduces additional exemptions beyond those in the 2024 Provisions; fourth, it requires overseas data processors to establish a designated organisation or appoint a representative within the Chinese Mainland, strengthening oversight of data processing activities conducted from abroad; and fifth, it reaffirms that data processors who have obtained security assessment approval must conduct their data export activities strictly within the purposes, methods, scope, types, and scale as determined in the assessment, and may not exceed the approved parameters.

Cross-border transfer mechanisms under PIPL and its relevant implementing regulations

A personal information processor (“PI Processor”) subject to PIPL that wishes to transfer personal information beyond the Chinese Mainland should generally satisfy one of three alternative mechanisms:

  • Mechanism 1 — Mandatory to undergo data export security assessment: (a) CII operators providing personal information or important data overseas; (b) data processors other than CII operators providing important data overseas, and that have cumulatively provided personal information of 1 million or more individuals (excluding sensitive personal information) or sensitive personal information of 10,000 or more individuals overseas since 1 January of the current year; or (c) other circumstances as stipulated by CAC requiring application for a data export security assessment.
  • Mechanism 2 — Standard Contractual Clauses (“China SCCs”): PI Processors other than CII operators that have cumulatively provided personal information of 100,000 or more but fewer than 1 million individuals (excluding sensitive personal information), or sensitive personal information of fewer than 10,000 individuals, beyond Chinese Mainland since 1 January of the current year, may enter into the CAC’s standard contract template (promulgated June 2023) with the non-Chinese Mainland recipient. The China SCCs require a prior Personal Information Protection Impact Assessment (“PIPIA”), which must be retained for three years. The executed SCCs must be filed with the competent local CAC within 10 working days of execution. This is the most commonly used mechanism for commercial enterprises below the large-scale thresholds.
  • Mechanism 3 — Personal Information Protection Certification: PI Processors may obtain certification from a CAC-designated certification body confirming that their cross-border processing activities meet applicable standards. This mechanism is particularly suited to intra-group transfers within multinational enterprises. The certification body evaluates the PI Processor’s compliance programme holistically rather than on a transfer-by-transfer basis.

Exemptions and facilitation measures under the 2024 Provisions

The 2024 Provisions further introduced important exemptions from the transfer mechanisms and additional facilitation measures:

  • Exemptions from all three mechanisms (excluding important data) apply where: (i) data processors other than CII operators that have cumulatively provided personal information of fewer than 100,000 individuals (excluding sensitive personal information) overseas since 1 January of the current year; (ii) where it is genuinely necessary to provide personal information overseas for the conclusion or performance of a contract to which an individual is a party, such as cross-border shopping, cross-border courier services, cross-border remittances, cross-border payments, cross-border account opening, flight and hotel bookings, visa processing, and examination services; (iii) where it is genuinely necessary to provide employees’ personal information overseas for the implementation of cross-border human resources management in accordance with lawfully formulated internal labour rules and collective agreements concluded in accordance with law; or (iv) where it is genuinely necessary to provide personal information overseas in emergency situations to protect the life, health, and property of a natural person.
  • Free trade zones (“FTZs”) facilitation: FTZs may develop their own negative lists identifying categories of data subject to transfer restrictions; data falling outside the negative list may be exempt from the standard security assessment, SCC filing, and certification requirements that would otherwise apply.

Consent and sensitive personal information specific consent

The PIPL imposes separate and specific consent requirements for the cross-border transfer of personal information: data subjects must be informed of the overseas recipient’s identity and contact details, the purposes and methods of processing, the categories of personal information involved, and the data subject’s rights, and must provide separate consent to the cross-border transfer (as distinct from any consent obtained for the underlying processing).

For sensitive personal information (which under PIPL includes health and medical data, biometric data, financial account data, location tracking data, and information about minors), the consent bar is higher still: express and specific consent is required, and the purposes must meet the standard of being “truly necessary”.

Part III: The GBA-Specific Mechanism — The GBA Standard Contract
Background

Given the GBA initiative is a national strategy, it follows naturally that favourable policies and dedicated regulatory frameworks would be devised to facilitate cross-boundary activities conducive to the development of the GBA. A significant regulatory development for data governance is the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) 粤港澳大湾区(内地、香港)个人信息跨境流动标准合同 (the “GBA Standard Contract”), jointly issued by the CAC and the Hong Kong Innovation, Technology and Industry Bureau on 13 December 2023, together with accompanying Implementation Guidelines. The GBA Standard Contract became effective immediately upon its issuance.

What is the GBA Standard Contract and what it does

The GBA Standard Contract creates a dedicated, streamlined transfer mechanism for personal information flows between the nine GBA Chinese Mainland cities and Hong Kong.  As a pre-approved contract template, the GBA Standard Contract provides Chinese Mainland PI Processors with a compliance pathway that, in certain scenarios, substitutes for the China SCCs, enabling the provision of personal information to Hong Kong without requiring a CAC security assessment — provided the transfer does not trigger the mandatory security assessment thresholds — and with a comparatively simplified overall compliance burden. At the same time, its eligibility conditions are not subject to quantitative volume thresholds, affording a degree of greater flexibility in application compared to the China SCCs. The GBA Standard Contract also streamlines the PIPIA requirements, reducing the assessment items from six to three. Its key features are as follows:

  • Scope: The GBA Standard Contract applies to cross-boundary transfers of personal information between GBA Chinese Mainland cities and Hong Kong in both directions — from the GBA Chinese Mainland cities to Hong Kong, and vice versa. Parties must be registered (if organisations) or located (if individuals) in the GBA Chinese Mainland or Hong Kong.
  • Relationship to PIPL mechanisms: For Chinese Mainland PI Processors, the GBA Standard Contract operates as an alternative to the standard China SCCs for transfers between the nine GBA Chinese Mainland cities and Hong Kong. It does not substitute the security assessment requirement for CII operators or large-scale processors who fall within the mandatory security assessment thresholds.
  • Voluntary adoption: The GBA Standard Contract is voluntary and does not replace existing statutory mechanisms. However, in practice it represents the most practical and administratively supported mechanism for structured GBA cross-boundary transfers, and its use provides a degree of regulatory certainty that bespoke or ad hoc contractual arrangements may not achieve.
  • PIPIA requirement: Prior to entering into a GBA Standard Contract, the Chinese Mainland PI Processor is required to conduct a PIPIA. Unlike under the standard China SCC regime, the PIPIA report is not required to be submitted to the competent authorities as part of the filing process — it is instead prepared and retained internally by the enterprise for subsequent regulatory inspection. Furthermore, compared to the PIPIA required under the China SCCs, the PIPIA under the GBA Standard Contract is simplified in scope: there is no requirement to assess the risks of personal information being tampered with, damaged, or otherwise compromised after transferred outside Chinese Mainland; the impact of the personal information protection laws and regulations of the jurisdiction in which the recipient outside Chinese Mainland is located on the performance of the standard contract; or other matters that may affect the security of the personal information transferred outside Chinese Mainland. Hong Kong-side data users are not required to conduct a PIPIA under the PDPO, though the PCPD recommends a non-mandatory privacy impact assessment as good practice.
  • Contractual protections for data subjects: The GBA Standard Contract incorporates mandatory provisions protecting the rights of data subjects on both sides of the boundary, including the right to access, correct, and delete their personal information, and the right to bring claims directly against either the PI Processor or the recipient for breaches of the contract. These provisions cannot be contracted out of or modified by the parties.
  • Supplementary commercial terms permitted: While the core terms of the GBA Standard Contract template are non-negotiable, parties may supplement the contract with additional commercial terms addressing their specific business arrangements, provided those terms do not contradict or diminish the protections set out in the GBA Standard Contract. In the event of any conflict, the GBA Standard Contract prevails.

It should be noted that the existing consent requirements and the heightened consent obligations for sensitive personal information are not exempted under the GBA Standard Contract mechanism. The GBA Standard Contract allocates obligations between the PI Processors and the Recipient through its contractual framework, but does not relieve PI Processors of the consent requirements imposed by the PIPL.

Filing requirements — A dual obligation

One of the GBA Standard Contract’s features is its dual-filing requirement. Unlike the China SCCs regime, which only require the data exporter to file with the competent local CAC, the GBA Standard Contract framework requires both the data user/PI Processors and the recipient to file with their respective supervisory authorities within 10 working days of the GBA Standard Contract’s effective date:

  • Chinese Mainland-based PI Processors/ recipients: File with the Guangdong CAC (or the relevant municipal CAC).
  • Hong Kong-based data users/ recipients: File with the Digital Policy Office.

The GBA Certification — A potential second track

In parallel with the GBA Standard Contract, the Chinese Mainland’s National Information Security Standardization Technical Committee issued the “Network Security Standard Practice Guide — Cross-Border Personal Information Protection Requirements in the Guangdong-Hong Kong-Macao Greater Bay Area (Draft for Comment)” on 1 November 2023, providing the technical basis for a GBA personal information protection certification mechanism (“GBA Certification”) as an alternative facilitation mechanism for intra-GBA data flows. The proposed model adopts a certification-based approach, involving a holistic assessment of an organisation’s data processing and transfer practices by an accredited body, and is particularly suited to organisations with high-volume, ongoing cross-boundary transfers for whom entering into individual contracts for each transfer relationship would be operationally impractical.

However, as of date of this article, the GBA Certification framework has not yet been formally implemented. Regulatory developments since 2025 have instead focused on finalising the nationwide personal information protection certification regime under the PIPL, while the GBA-specific certification mechanism remains at a draft stage and further operational guidance is awaited.

What the GBA Standard Contract Mechanism does not do

Several important limitations should be noted:

  • Data transferred under the GBA Standard Contract cannot be onward-transferred beyond the GBA (e.g. to a Singapore data centre or a UK headquarters) without separately complying with applicable PIPL cross-border transfer requirements.
  • The GBA Standard Contract does not override the PDPO. Hong Kong data users remain subject to all applicable obligations under the PDPO — including the DPPs, breach notification expectations and guidance, and data processor oversight obligations — even when using the GBA Standard Contract.
  • The GBA Standard Contract applies only to personal information and does not address “important data” under Chinese Mainland laws, which may require separate regulatory treatment, including CAC security assessment where applicable.

Concluding remarks

The regulatory landscape governing cross-boundary data flows in the GBA is complex, with rising enforcement expectations, increasing scrutiny, and a clear policy direction toward tighter oversight alongside structured facilitation. The GBA Standard Contract is a significant breakthrough as the first integrated regional framework, but it is a tool rather than a complete solution, requiring careful legal analysis, robust documentation, and disciplined implementation.

Effective compliance demands a structured, end-to-end approach. This typically begins with a readiness assessment to map data flows and identify legal bases and gaps, followed by the design of compliant frameworks covering privacy notices, governance policies, transfer mechanisms, and breach response. Implementation then extends to eligibility analysis, contract execution, dual-side filing, and management of onward transfer restrictions.

Ultimately, organisations that invest early in a forward-looking compliance architecture — rather than reacting to enforcement — are better positioned to move data efficiently, respond confidently to regulatory scrutiny, strengthen their commercial reputation, and build trust with customers and counterparties.

The author is both a qualified Hong Kong solicitor and Guangdong-Hong Kong-Macao Greater Bay Area lawyer.

Disclaimer: This article is for general informational purposes and reference only. The contents do not constitute legal advice and should not be relied upon as such. The legal position described above is accurate as at the date of this article and is subject to change. Readers should seek independent legal advice from qualified practitioners in the relevant jurisdictions before taking any action or making any decision in reliance on the contents of this article. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.

Common Missteps Mainland Families Make When Handling Hong Kong Inheritances

by

When a mainland Chinese entrepreneur dies leaving assets in Hong Kong, the family may discover that Hong Kong procedures are very different from those on the mainland. Bank accounts and safety deposit boxes are frozen, companies cannot be operated, property cannot be sold and the paperwork seems endless. Many of the delays and extra costs come from a small number of recurring missteps.

This article highlights six common mistakes affluent mainland families make when dealing with Hong Kong inheritances, and how these can be avoided.

Are mainland inheritance procedures sufficient for handling Hong Kong assets?

A very common misunderstanding is that once the estate has been dealt with in the PRC (for example, through a notarial inheritance certificate or a mainland court decision), banks and other institutions in Hong Kong will automatically recognise the result.

Unfortunately, this is not the case. Hong Kong has its own probate system and court procedures. Even if all the documents are in order on the mainland, a separate Hong Kong grant of representation (this is called probate where there is a will or letters of administration where there is no will ) is generally required before Hong Kong banks, brokers and the Land Registry will release or transfer assets.

While a PRC death certificate, inheritance notarisation and/or judgment constitute important evidence, these documents do not replace the Hong Kong court process.

Are “small” discrepancies overlooked or are they significant?

From a Hong Kong court’s perspective, details matter. What seems like a minor difference to a layperson can cause delays in probate. A few examples include:

  • Names spelled differently across passports, Hong Kong accounts and PRC identity cards;
  • Old hukou records that do not reflect actual family relationships;
  • Missing divorce judgments or remarriage certificates; and/or
  • Different dates of birth or inconsistent English transliterations.

Each discrepancy can trigger court questions and extra affidavits, slowing the grant. Families sometimes submit whatever documents they have, assuming they are “close enough”, and only discover later that additional notarisations, translations and/or confirmations are needed.

A more effective approach is to review all identity, marriage and hukou records at the outset, identify gaps and inconsistencies early and correct or update these before or during the Hong Kong application. This saves time and reduces the risk of requisitions from the Probate Registry.

Can one assume that “Hong Kong law applies to all assets in Hong Kong”?

Another frequent assumption is that since the assets are in Hong Kong, Hong Kong law decides who inherits the assets. The reality is more nuanced.

As a general principle:

  • Hong Kong real estate (immovable property) is governed by Hong Kong law.
  • Movable assets in Hong Kong (bank accounts, jewellery, shares, fund units) are often governed, on questions of who ultimately inherits, by the law of the deceased’s domicile at death – for many mainland entrepreneurs, this will be PRC succession law.

Domicile is not the same as nationality or simple residence; it refers to the place treated as the person’s permanent home. This becomes complicated when a person has spent long periods in Hong Kong or overseas, but keeps strong ties to the mainland.

Ignoring these issues can lead to surprises, especially where PRC and Hong Kong rules on heirs differ. Proper planning and careful analysis of domicile help to ensure that one’s intended family members actually inherit the Hong Kong assets.

Can the heirs manage everything with their mainland advisors without an experienced Hong Kong adviser?

Some families prefer to “save time and money” by handling the Hong Kong inheritance entirely from the PRC, using only PRC notaries or advisers who are unfamiliar with Hong Kong probate practices. This often leads to application forms and affidavits that do not meet Hong Kong’s formal requirements, incorrect assumptions about who has priority to apply for a grant and avoidable delays when the Probate Registry raises queries that cannot easily be answered from across the border.

The result can be months of back‑and‑forth communication, repeated document submissions and frustration for heirs who cannot access funds needed for living expenses, tax payments and/or business operations.

In practice, having a Hong Kong‑based team to manage the local court process, coordinate with mainland notaries and advise on the right strategy from day one usually proves more efficient and cost‑effective than remote trial‑and‑error.

Relying on one PRC will for everything, without checking its effect in Hong Kong

Many mainland entrepreneurs do make wills in the PRC, but do not consider how that document will operate for their Hong Kong assets.

Some common issues include:

  • The PRC will does not clearly mention overseas holdings, or uses generic wording that banks and brokers in Hong Kong find unclear;
  • No executor familiar with Hong Kong is appointed, making it harder to apply for a Hong Kong grant of probate;
  • Later wills or codicils unintentionally revoke earlier documents that were meant to cover Hong Kong assets;
  • The structure of gifts creates difficulties for Hong Kong corporate ownership interests, such as shares in a private company. For example, the will may divide the entrepreneur’s shares in a Hong Kong company in a way that does not fit how the company has been set up or how it actually runs. This can make it slower and more complicated to transfer the shares after death and to keep the business running smoothly for the family.

A single PRC will that covers “all assets worldwide” may certainly be valid in principle, but it is not always the most efficient solution for Hong Kong. In certain situations, a separate, carefully coordinated Hong Kong will (drafted to sit alongside the PRC will and not to replace it) can significantly simplify administration and reduce delays.

Is not having a will really that serious?

Finally, the most serious mistake of all may also be the most common – not making any will. Unfortunately it will already be too late for the heirs once death has occurred.

If a mainland Chinese entrepreneur dies without a valid will (i.e., intestate), several problems arise in respect of Hong Kong assets. Distribution follows fixed intestacy rules, which may not reflect the deceased’s true wishes. For example, the way assets are split between spouse, children and parents can be very different from what the entrepreneur assumed. As well, loyal employees, close friends, distant relatives and loved ones who are not close relatives will not inherit from the estate.

In an intestacy, there is no chosen executor. Family members need to decide who will apply for letters of administration and disputes often arise over this and control of the estate.

Business continuity may be affected if a Hong Kong company cannot be operated pending the grant, with no clear person authorised to make decisions.

For affluent families with cross‑border holdings, intestacy often means more time, more paperwork and more risk of conflict. A well‑structured will, or a set of coordinated wills for different jurisdictions, makes it far easier for heirs to take control of Hong Kong assets and implement the deceased’s wishes efficiently.

Conclusion Thoughtful and early planning can turn a difficult, uncertain situation into a more predictable and efficient process for a deceased’s beneficiaries. By avoiding these six common mistakes, mainland entrepreneurs and their heirs can manage Hong Kong inheritances with greater confidence and fewer unpleasant surprises during a difficult time.

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.

Oldham, Li & Nie Expands International Offering with Addition of Italian Registered Foreign Lawyer

by

We are pleased to announce that Valerio Scimemi has joined the firm as a Registered Foreign Lawyer (Italy), further expanding OLN’s cross-border offering.

Admitted to practice law in Italy since 2001 and before the Italian and European higher courts since 2015, Valerio brings more than 25 years of international legal experience. His practice focuses on commercial and corporate law, international contracts, M&A, extraordinary transactions, and cross-border business expansion.

Over the course of his career, Valerio has advised European and Asian clients on commercial, corporate and industrial law, labour law, banking and finance, intellectual property, and complex M&A transactions. He has particular expertise in business development and intermediation, as well as in the international expansion of businesses in the luxury fashion, oil and gas, F&B, and spirits sectors.

The addition of Valerio marks another important milestone in OLN’s strategic growth and reinforces the firm’s commitment to providing seamless international legal services. His appointment builds on the firm’s established Chinese, French and Japanese practices, as well as its U.S. tax advisory capability.

For more information about Valerio and his practice, visit: https://oln-law.com/our-people/valerio-scimemi/.

Hong Kong Trade Marks Updates 2026

by

The Trade Marks Registry has introduced a number of updates to its practices and procedures, reflecting developments under the latest edition of the Nice Classification as well as enhancements to filing and examination processes.

Update to search strategies under the 13th Edition of the Nice Classification

With the implementation of the 13th Edition of the Nice Classification, search strategies should be revisited to ensure comprehensive coverage of relevant goods and services. Practitioners are advised to review class headings, explanatory notes, and newly introduced terms, and to conduct broader and more targeted searches where necessary in order to mitigate the risk of citation or opposition based on similar marks in newly refined or reclassified categories.

The implementation of the 13th Edition may affect the class allocation of certain goods and services and, in practice, may require re‑classification for new applications or searches. However, existing registrations are generally not automatically reclassified; instead, the focus under the new edition is on ensuring that specifications and search stratere54gies properly reflect any changes in class allocation. Practitioners should review each specification item‑by‑item against the updated Nice Classification structure and, where appropriate, consider amending or narrowing descriptions to align with the revised class headings and notes.

Declaration of local physical presence by agents

Agents acting in trade mark matters are now required to declare that they maintain a local physical presence in Hong Kong. This requirement reinforces the Registry’s emphasis on ensuring accountability and effective communication within the jurisdiction.

New e‑filing capability for statutory declarations and affidavits

The Registry has expanded its e‑filing capabilities to include statutory declarations and affidavits. Notwithstanding electronic filing, parties are reminded that a copy of any statutory declaration or affidavit must still be served on the opposing party in paper form.

The Registry will also accept the e‑filing of authorities, skeleton arguments, or written submissions for which the parties wish to rely on at the hearing (referred to as “supporting materials”). The service of these supporting materials on the opposing party may be effected in paper form or, where mutually agreed between the parties, by way of electronic storage devices such as USB mass storage devices or portable hard disks with a USB interface.

Clarifications on absolute grounds of refusal under the Trade Marks Registry Work Manual

The updated Work Manual provides further guidance on examination practices in several key areas:

  • Marks contrary to morality or public policy: Greater clarity is provided on the types of marks that may be refused on the basis of being offensive, scandalous, or otherwise inconsistent with accepted societal standards.
  • Deceptive marks: The Registry has elaborated on the assessment of whether a mark has the capacity to mislead the public, particularly in relation to the nature, quality, or geographical origin of the goods or services.
  • Prohibited emblems and Article 6ter signs: Additional guidance is given on the treatment of marks incorporating protected emblems, flags, and insignia, including those covered under Article 6ter of the Paris Convention.
  • Descriptive and non‑distinctive marks: The Manual further clarifies the threshold for distinctiveness and the circumstances in which marks may be considered descriptive or lacking inherent distinctiveness, as well as the evidence required to establish acquired distinctiveness where applicable.

These updates underscore the importance of aligning filing and prosecution strategies with the latest Registry practices to ensure efficient processing and to reduce the risk of objections.

Resources: www.ipd.gov.hk (Trade Marks Registry Work Manual, Trade Marks Ordinance (Cap. 559), Nice Classification (13th Edition), User Guide

for E-Filing System, Terms of Use for Electronic Filing and Communication Services)

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.

Oldham, Li & Nie Announces Promotion of Three New Partners

by

We are pleased to announce the promotion of three senior associates to partnership. The new partners – Gon Yeung and Martin Tse from Tax Advisory and Dispute Resolution practice and Ivan Lee from the Family Law practice – represent the firm’s ongoing commitment to investing in top talent and strengthening its core practices.

The newly promoted partners have made significant contributions to the firm and its clients, demonstrating technical expertise, leadership, and a commitment to delivering high-quality legal services. The promotions support the firm’s strategic growth and reinforce its capabilities in complex contentious matters and private client work.

Commenting on the promotions, Senior Partner Gordon Oldham, said:

“We are delighted to welcome these talented lawyers to the partnership. Each of them embodies the firm’s values of excellence, collaboration, and client commitment, and their promotions reflect both their individual achievements and our continued investment in developing the next generation of OLN leaders.  As we continue to grow, their expertise and fresh perspectives will play an important role in shaping the future of our Tax, Dispute Resolution and Family Law services.”