Next Generation Partners

Rising Stars

Data protection and cyber security in Hong Kong

DLA Piper

The team at DLA Piper handles the full gamut of matters for a stellar client base, which notably includes Hilton, Chubb, and Standard Chartered Bank. The practice assists with China CAC assessment projects and vendor due diligence, and exhibits broad expertise in the implementation of incident response plans, and the management of high profile incidents resulting in notifications to both regulators and affected individuals. Carolyn Bigg leads the team, utilising her expansive expertise in the implementation and management of data privacy regulation, in addition to data analytics and connected vehicle projects across the automobile and insurance sectors. Bigg is also noted for advising US and EU technology clients on expansion within China. Senior associate Venus Cheung is noted for her vast knowledge of Chinese regulatory compliance concerning IT infrastructure, the cloud, and apps. Since publication, Yue Lin Lee departed in March 2024.

Practice head(s):

Carolyn Bigg

Other key lawyers:

Venus Cheung

Key clients

Standard Chartered Bank







Four Seasons Hotels






Work highlights

  • Advised Standard Chartered Bank on numerous data protection projects, including strategic advice on data protection compliance.
  • Assisted global automobile manufacturers, as well as some of their key suppliers, on connected vehicles, including use and analytics of vehicle data; as well as on the rapidly evolving and complex automobile industry regulations in Mainland China, particularly those affecting electric and automated vehicles.

Norton Rose Fulbright

Norton Rose Fulbright‘s team handles the full gamut of matters for a diverse client base of governmental and corporate data-rich entities within the healthcare and financial services sectors. The group offers expertise across a host of areas, regularly advising on export solutions, data subject request responses, and the location of data storage. Working out of both the Hong Kong and Brisbane offices, practice head Anna Gamvros  is known for her vast experience in assisting with multi-jurisdictional data management projects, privacy compliance issues, and e-commerce related matters. Associate Ruby Kwok  primarily focuses on regulatory issues within the Hong Kong and China TMT sectors, and cybersecurity and breach response protocols and associate Edward Yau is well versed in Australian privacy law, and handles cybersecurity incidents with cross-border elements.

Practice head(s):

Anna Gamvros

Other key lawyers:

Ruby Kwok; Edward Yau

Key clients

Gaw Capital Partner






Work highlights

  • Advised Gaw Capital Partners, a real estate private equity firm in the Asia Pacific region, on a series of investments which includes supporting the growing of one of its financed groups to become a leading cyber security incident response business in Asia.

Bird & Bird

The team at Bird & Bird regularly handles a varied range of mandates involving cross-border data transfer agreements, security breaches, and privacy impact assessments. The group has experienced an increase in data localisation and transfer matters after China’s implementation of the PIPL. The team frequently acts for clients from a broad range of sectors, including banking, technology, and transport, who collect and transfer sensitive data. Having joined the team from an in-house position at Tencent in November 2022, ‘one of a kind‘ practice head Wilfred Ng is noted for his broad experience in advising on data protection compliance and GDPR related matters.

Practice head(s):

Wilfred Ng

Other key lawyers:

Calista Chiu


‘Bird & Bird no doubt is excellent at delivering updates on data-related developments and artificial intelligence across the legal industry. They are well aware of new developments and always keen to offer support whenever they can.’

‘Wilfred Ng is definitely one of a kind, he would patiently listens to and digests your query with respect and cautiousness. He doesn’t rush to offer you hasty advice, but always makes sure that his advice is supplemented with thoughtful consideration from a practical perspective.’

‘Calista Chiu clearly has a in-depth understanding of the latest developments and provides tremendous support by summarising the ask and delivering a consolidated and thoughtful legal position. She is an invaluable asset to Wilfred’s team.’

‘Wilfred Ng is a fresh face in Bird & Bird with in-house experience. He has been extremely helpful in all fronts and has been very responsive. I believe that Wilfred’s past experience would be a great asset to the team to understand the pain points of his clients and can help to providing practical solutions for different issues.’

‘Bird & Bird has a strong TMT team which can advise on the latest legal developments and requirements.’

‘Wilfred Ng is a very reliable and strong technical lawyer. He is sincere, prudent and places great emphasis on quality of work.’

Clyde & Co LLP

Clyde & Co LLP‘s team handles the full spectrum of issues for their broad client base in collaboration with the Sydney and Singapore teams. The group frequently advises on multi-party data breaches affecting supply chains and service providers, wire fraud, and voluntary notifications to the Hong Kong Privacy Commission. Practice head Simon McConnell has expansive expertise in advising financial institutions and professionals on cyber attacks and regulatory investigations, in addition to breaches and loss mitigation.

Practice head(s):

Simon McConnell


The team at CMS is known for handling a broad range of issues for a number of notable clients in the fashion and entertainment industries. The group regularly advises on ransomware and data breach issues, data processing agreements, and privacy policy regarding streaming services. Practice head Jonathan Chu has a great deal of knowledge surrounding both commercial and contentious TMT issues concerning data privacy and regulation. Associate Mengyi Chen displays deep expertise in GDPR audits and compliance checks and PIPL related issues, frequently advising global corporations and start-ups.

Practice head(s):

Jonathan Chu

Other key lawyers:

Mengyi Chen

Key clients


Work highlights

  • Advised a shopping and reward platform headquartered in Singapore which comprises cashback rewards and financial services on its business model, merchant agreement, terms of use, privacy policy and employment matters in Hong Kong.
  • Advised Disney on various matters across various practices areas regularly including media, technology, and e-commerce, which includes an e-commerce project where the firm is advising Disney on employee and customer data protection policies and practices across the Asia Pacific region.
  • Advised a famous Chinese designer and manufacturer of consumer electronics and related software, home appliances, and household item regularly on privacy compliance issues for its new products or new product features in the world.

Hogan Lovells

Hogan Lovells provides broad expertise spanning an array of issues, including conducting compliance audits, the handling of personal data within M&A and joint ventures, and commercial arrangements involving the right to use personal data. The group regularly engages with clients seeking to integrate Asian data protection and cybersecurity policies with international regulations, and acts for clients in enforcement actions. Practice head Mark Parsons has a great deal of regulatory expertise, with particular emphasis on the technology and telecoms sectors, and often advises on data licensing and the exploitation of IT assets. TMT specialist Tommy Liu has deep knowledge of outsourcing issues and data privacy matters, while Eugene Low has vast experience in regulatory investigation, litigation, and data breach incidents.

Practice head(s):

Mark Parsons

Other key lawyers:

Tommy Liu; Eugene Low; Nicola Choi; Kenneth Cheung


‘Hogan Lovells is our go-to law firm for wider APAC data privacy, commercial and general regulatory work. The team adopts a practical approach when handling complicated regulatory and compliance work and is able to navigate clients on implementing measures handling business requests. We feel like that they are part of our own team.’

‘Tommy Liu has been the go-to person handling our day-to-day needs, client relationship management, and daily legal work in a professional manner, but also with a personal touch.’

Key clients

Beijing Kuaishou Technology Co., Ltd.

The Hong Kong Association of Banks


Hong Kong Exchanges and Clearing Limited

FTI Consulting

Work highlights

  • Advised the Hong Kong Association of Banks (“HKAB”) in relation to the launch of Hong Kong’s Multiple CRA Model.
  • Advised FTI Consulting in relation to its commercialization of an artificial-intelligence based technology for transaction monitoring purposes, including data protection aspects.


The team at Kennedys handles an array of matters for their broad client base, including data privacy compliance audits, direct marketing compliance, and the preparation of international data transfer agreements, with the group often acting as an external incident manager. Practice head Joanie Ko is known for her vast knowledge of cyber incident responses, the recovery of funds transferred due to cyber fraud, and notification, often assisting insurance clients and their policyholders. Dividing his time between Melbourne and Hong Kong, Nicholas Blackmore has longstanding experience in cyber risk insurance and data privacy matters.

Practice head(s):

Joanie Ko

Other key lawyers:

Nicholas Blackmore


‘Nicholas Blackmore is practical and prompt in his advice.’

Key clients


Allianz Global & Corporate Specialty



Bupa (Asia) Limited

Canopius Global Specialty Insurance

Cathay Pacific Airways

Chubb Insurance Hong Kong

Cipriani & Werner PC

Euler Hermes/Allianz Trade

Hong Kong Hospital Authority

Lewis Brisbois

Mullen Coughlin LLC


Swire Pacific


Praised for their ‘excellent‘ coverage of regulatory issues across the APAC region, the team at Linklaters calls upon its prior expertise working for the Hong Kong Data Privacy Commissioner to advise on international information management projects, particularly in relation to the implementation of the Chinese Personal Information Protection Law (PIPL) and European GDPR. The ‘excellentAlbert Yuen heads the practice, and is known for his longstanding expertise in handling a broad range of TMT issues involving data protection and privacy, cloud arrangements, and telecoms projects. Hailed by clients as ‘the privacy lawyer to watch‘, associate Yang Fan leverages his in-house experience to handle global data projects, contentious subject asset issues, and business-critical data security incidents.

Practice head(s):

Adrian Fisher; Albert Yuen

Other key lawyers:

Yang Fan; Eunice Lee; Jasmine Yung


‘The team is up to date and always in touch with the latest legal and tech updates across many jurisdictions, they are very aware of the the latest market updates and legal issues around the world; very practical and commercial.’

‘Linklaters really know their stuff in this area. They are particularly well-versed and knowledgeable in China, Hong Kong and Singapore. They have very strong teams in those jurisdictions and are able to leverage their client experiences.’

‘Albert Yuen, Eunice Lee and Yang Fan have sought to provide clear and concise advice to clients to areas which are continuing to evolve, and continue to reach out to clients in order to provide assistance with these areas.’

Key clients


Work highlights

  • Advising a global technology company on various data privacy and cybersecurity issues throughout Asia, including Hong Kong data privacy issues and engagement with the Hong Kong Privacy Commissioner on data privacy-related matters.
  • Advising Elex on a broad range of GDPR compliance, privacy-by-design, age-appropriate design and other data protection regulatory issues as well as advice on advertising laws.
  • Advising a global supply chain logistics company on responding to a cybersecurity event impacting over 50 countries, including advising on the incident response and regulatory investigations across APAC

Mayer Brown

Mayer Brown has strong regulatory capabilities when acting on mandates concerning national security and data security requirements within Hong Kong, and the implications of the PIPL. The group is also known for handling procedures in relation to ransom demands. The well known Gabriela Kennedy leads the team, and is noted for her experience in handling cyber incident responses, often advising on post incident strategies and responses to customers and regulators. Kennedy has broad expertise in the privacy aspects of digital transformation projects, including issues such as data audits, the sovereignty of data, and adequacy assessments under Hong Kong national security rules and GDPR. With ‘unparalleled‘ experience, TL Lim takes a ‘dynamic‘ approach when acting as a breach coach in notifications and communication strategies, often conducting workshops with international corporations.

Practice head(s):

Gabriela Kennedy

Other key lawyers:

TL Lim


‘Mayer Brown has knowledgeable, responsive cyber experts who understand the needs of clients, and provides effective communication and support. The team fosters comprehensive problem solving capabilities. They have a collaborative approach with timely updates to ensure successful outcomes.’

‘TL Lim stands out with unparalleled technical experience, strategic thinking, and his handling of intricate cases. His dynamic approach ensures comprehensive solutions, setting him apart and providing unparalleled client satisfaction in the challenging realm of cyber legal representation.’

‘The Mayer Brown Hong Kong team and excel at showing their legal expertise in a highly international setting. They were quick to pull together the right core team members, had a good understanding of the matter at hand, and delivered as promised.’

‘The Mayer Brown Hong Kong team were extremely quick to understand our challenges, agree on the targeted solution, provided absolute clarity on the roadmap, and simply delivered perfectly on that without any negative surprises.’

Key clients


Airport Authority Hong Kong

Fung Group

Warner Media

Tanner De Witt

Tanner De Witt‘s ‘excellent‘ team is praised for its ‘extraordinary skills‘ in handling the full gamut of issues for clients in sectors including banking and finance, hospitality, and manufacturing. The group exhibits deep expertise relating to personal data privacy, data breach notifications under the Personal Data Privacy Ordinance (PDPO), data processing agreements (DPO), and the data privacy aspects of advertising campaigns. Described by clients as a ‘deep thinker‘ and an ‘exceptional lawyer‘, practice head Pádraig Walsh is noted for his vast knowledge of the full range of Hong Kong data protection issues, including compliance regarding regulatory enquiries and data breaches, transfer impact assessments, and data processing and sharing agreements. Associate Tara Chan often assists technology companies and entrepreneurs with data privacy and governance issues.

Practice head(s):

Pádraig Walsh

Other key lawyers:

Tara Chan


‘The firm has extraordinary skills in this practice area, and excellent team members.’

‘Pádraig Walsh is a standout partner with incredible acumen, judgement and very practical advice for clients. He has huge respect within the legal community.’

‘Really strong technical lawyers, but also very commercially astute. Demonstrated commitment to client service. Very willing to collaborate with clients and other law firms to achieve client outcomes. Very responsive to correspondence. The team is also at the forefront of legal changes, and is very generous with its learnings for clients.’

‘Pádraig Walsh is a deep thinker, an exceptional lawyer and a lovely person. The team each give clear instructions and are very helpful.’

‘We think very highly of the TMT practice at TDW, especially cyber security and data protection and privacy. Their responsiveness to client needs and partner availability makes them stand out in the Hong Kong market.’

‘Pádraig Walsh is a well-known leader in the industry, and we always recommend him due to his knowledge of the data protection and privacy, practical solutions fitting client needs, and client responsiveness.’

Work highlights

  • Advising on a transfer impact assessment from data subjects in the EEA, this matter involves several Hong Kong legislations such as the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (National Security Law), the Organized and Serious Crimes Ordinance (Cap.455), the Police Force Ordinance(Cap.232) and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).
  • Advising a professional services firm on best approaches on handling data breaches and potential consequences under the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (PDPO) and other relevant legislation.
  • Advising for a US electronic component distributor on various Hong Kong data privacy law matters, including direct marketing laws and cookies regulation under Hong Kong laws.

Baker McKenzie

Baker McKenzie houses a broad practice which handles a myriad of issues, including risk management and compliance audits, and both regulatory and stakeholder notifications. Practice co-head Lex Kuo leads the TMT group, and regularly advises on global privacy policies, and data protection and cybersecurity assessments relating to clients expanding into new markets. With longstanding experience in commercial disputes, Gary Seib leads the cyber fraud recovery group, often handling the tracing and recovery of proceeds from cyber fraud incidents, and claims alleging the loss of personal data.

Practice head(s):

Lex Kuo; Isabella Liu; Gary Seib

Other key lawyers:

Gillian Lam; Dominic Edmonson

Key clients


Gulf Innova Company Limited



Work highlights

  • Advised UBS in its role as distributor and custodian on the issuance of a blockchain-based tokenized bond.
  • Advised Chanel on technology-related regulations in Hong Kong and Mainland China, including concerning platforms, online consumer law, artificial intelligence, metaverses, cyber security, NFTs, blockchain and cryptocurrencies.
  • Advised Gulf on a joint venture in Thailand with a centralized digital asset exchange firm (Exchange) originating in China and the drafting of a technical services agreement between the JV and the regulated Thai entity of the Exchange for the provision of a cloud based solution by the crypto exchange firm.


Deacons houses a broad team which is known for providing comprehensive advice across the PRC and Hong Kong, frequently acting for clients across the hospitality, gaming, and IT sectors. The group handles a variety of matters, including negotiations with service providers, data flow regulations across various jurisdictions, and data requests from law enforcement agencies and data subjects. Charmaine Koo and Machiuanna Chu jointly lead the practice. Koo is noted for her contentious IP expertise, regularly handling compliance issues concerning the exploitation, transfer, and processing of data, in addition to impact assessments on projects. Chu leverages her longstanding commercial expertise to act for technology clients in the commercialisation of digital businesses. Dual qualified in Hong Kong and New Zealand, Kelley Loo handles a broad range of IP related mandates, in addition to privacy policies, and arrangements governing the sharing of data across groups of companies and jurisdictions.

Practice head(s):

Charmaine Koo; Machiuanna Chu

Other key lawyers:

Kelley Loo; Dora Si

King & Wood Mallesons

The ‘highly skilled‘ practice at King & Wood Mallesons handles a myriad of issues for a broad client base which notably includes Amazon Web Services, The World Bank, and SAFE Investment Company Limited. The group regularly undertakes work regarding the processing and export of facial data, and the movement of personal data under the PIPL and the PDPO. Peter Bullock leads the team with his broad expertise in handling both contentious and non-contentious issues concerning data, digital systems, and emerging financial technology. Blockchain and digital specialist Urszula McCormack is a ‘great leader‘ and is noted for her expansive expertise in handling long-running data projects, and played a major role in the Hong Kong Mandatory Reference Checking Scheme within the banking sector; McCormack frequently assists clients with compliance in line with domestic regulations and UK GDPR.

Practice head(s):

Peter Bullock; Susan Ning

Other key lawyers:

Urszula McCormack; Francois Tung


‘The team is commercial and responsive.’

‘Urszula McCormack is a great leader and is a pleasure to work with.’

‘King & Wood Mallesons’s data protection team has been a stable and reliable team. They are highly skilled, understand clients’ needs and are not afraid of speaking up.’

Key clients

Amazon Web Services

PingAn OneConnect Bank (Hong Kong) Limited

China Ping An Insurance Overseas (Holdings) Limited

The Hong Kong Association of Banks

The World Bank

SAFE Investment Company Limited

NIKE China

Techtronic Industries Company Limited

ECARX (Hubei) Technology Co Ltd

Bosch Automotive Products (Suzhou) Co., Ltd

The Icon Group

Bit Digital

Work highlights

  • Advised PingAn OneConnect Bank (Hong Kong) Limited on a third party Open API access agreement. The firm also advised PAOB on compliance with HKMA’s Open API framework, data privacy and other banking regulatory requirements. Under Phase III of HKMA’s Open API initiative, banks are encouraged to allow third party service providers to access their internal IT systems and data in order to provide smart banking services. PAOB wanted to cooperate with Paywatch Hong Kong Limited in a loan referral program. This matter has significant implications for the FinTech industry in Hong Kong as HKMA gradually moves towards implementing the final Phase IV of Open API.
  • Acted for Hong Kong Association of Banks (HKAB) as lead counsel in supporting regulatory reforms in line with the Hong Kong Government’s Digital Transformation Strategy and the Fintech 2025 strategy of the Hong Kong Monetary Authority (HKMA). Data privacy and protection is a key consideration in this transformation. Projects include advising on HKMA’s consultation on the retail central bank digital currency (CBDC) e-HKD: A policy and design perspective technical whitepaper; iAM Smart Hong Kong digital identity scheme; and the HKMA/HKAB collaborative Mandatory Reference Checking Scheme.
  • Acted The World Bank as lead counsel to support the Ministry of Home Affairs of Indonesia to introduce e-KYC and an official digital ID system and/or trust framework. The objective of the Digital Identity Project is to increase access to services and promote digital transformation in Indonesia, including to enhance trust in the digital economy.