In 2024, DLA Piper has seen a growing number of cyber incidents brought on by malware, phishing, and similar incidents, and excels in handling these type of matters. Advising on the regulatory oversight of data flows also falls within the scope of the group’s work. The team’s extensive client list ranges from large conglomerates such as Hilton to logistics companies such as OmniLogistics. Carolyn Bigg heads up the team, and has a strong track record of being involved in and managing data protection compliance programmes and cyber incidents throughout the Greater China region. Senior associate Venus Cheung is well versed in data protection compliance, and is able to assist clients with cybersecurity incidents and risk management.

The Hogan Lovells data privacy and cybersecurity team offers clients a one-stop shop for all areas of data protection and cybersecurity compliance, with advice spanning from the acquisition of personal data, to protection issues arising from online data capture. The scale of the group’s work continues to increase, evidenced by a highlight for the team in 2024 which was the largest tech transformation project in Hong Kong. Mark Parsons oversees the practice, and counts high profile clients including the Hong Kong Exchange among his varied client base. Additional key team members include Tommy Liu who provides ‘very technical and commercially-minded advice‘ for clients in a variety of sectors, including TMT and financial services, and concentrates on strategic transaction structuring and complex contractual arrangements.

With a great deal of experience in data protection, Bird & Bird stands out for representing key technology companies with day to day issues such as international policies and handling security breaches, as well as assisting high profile clients in the banking industry. Indeed practice head Wilfred Ng, who ‘understands the nuances of regional implementation and risks prioritisation‘, utilises experience working for a large technology conglomerate and is able to advise on complex regulatory matters in the industry. The group operates in a cross practice manner, incorporating TMT, IP, and regulatory focused advice. the former of which is an area of expertise for Michelle Chan.

CMS‘ data protection and cybersecurity practice sits within the firm’s wider TMT practice, and is therefore engaged in a number of entertainment industry. The group stands out for its ability to lean on an extremely large global network of law firms, leveraging this to assist clients with data protection and cyber security matters of a multi jurisdictional nature. Jonathan Chu has a history of advising on cyber security threats and employee theft of data, and privacy policies, and has a varied client roster which features household names such as Disney. Chu is well supported by senior associate and IP practitioner Mengyi Chen, who is adept at handling GDPR audit/compliance checks in the PRC.

Despite working on large scale cross-border cyber incidents and data privacy advice, Kennedys is still able to adopt a ‘regional view when comes to data protection and cyber security which is useful for organisations with regional footprint‘. Such organisations include clients hailing from the financial services, healthcare, hospitality sectors, among others. Joanie Ko leads the team, offering clients assistance with cyber incident response services as well as data privacy advice. Nicholas Blackmore, who splits his time between Hong Kong and Melbourne, is extremely knowledgeable when it comes to IT law.

King & Wood Mallesons has acted in high profile regulatory reform mandates in the fintech space in 2024, most notably assisting with the Hong Kong government’s Digital Transformation Strategy and Fintech 2025 strategy. Additionally, the group has acted on cross-border data transfer and GDPR matters through the APAC region. Practice head Peter Bullock is an experienced data and cyber security lawyer, who is noted for his proficiency in the technology sector, characteristic of the wider group’s expertise in the FinTech sector, particularly Urszula McCormack who has a strong emerging technologies practice.

Linklaters navigates an ever changing data privacy landscape, working on an increasingly full gamut of data privacy and cybersecurity, including data privacy and cyber security issues in commercial and technology licensing agreements, as well as potential gaps in their data protection practices that clients may face. On the regulatory side, the group stands out for its regulatory work across Asia and beyond, including assisting with investigations by the PCPD. Practice head Albert Yuen, supported by associate and GDPR data privacy specialist Jasmine Yung, is key in this regard, benefitting from experience working at several international law firms across the APAC region.

Mayer Brown operates internationally, having been been engaged in a high number of cyber breach cases globally in the past year, as well as providing clients with a range of privacy compliance advice and responses to data breaches. Gabriela Kennedy is the group’s leader, and has the ability to deal with national security and data security requirements, and data transfer advice, which are all important elements of the wider group’s workload.

With ‘an abundance of experience in handling cyber breaches’ RPC is well versed in a range of matters including data transfer projects and cyber security matters, and boasts a growing regional practice in Asia. The group has also seen an uptick in work in the technology sector, and in data protection within FinTech such as virtual assets, digital banks and Web3. Practice head Jonathan Crompton is a cyber security expert to whom clients turn to reduce the damage caused by cyberattacks and other data breaches, and Ivan Chang counts high profile, global companies as key clients.

As well as acting in data privacy and data breach matters, Tanner De Witt has a strong regulatory practice, often focusing on assisting regulators with data breach matters, and working on many compliance matters in relation to data breaches for clients in a range of industries, including hospitality, manufacturing and education. Practice head Pádraig Walsh, who 'is intelligent, well-considered, strategic and thoughtful in his advice and dealings' displays a prowess in responding to data breaches and regulatory enquiries is an integral part of this. Elsewhere in the team, Tara Chan stands out at associate level for her work in the technology industry, from assisting start ups to large corporations.

Baker McKenzie's data protection and cyber security practice is prominent in the media sphere, advising leading Chinese technology companies. Its varied workload encompasses cross-border data transfers, data protection compliance, data privacy disputes, cyber security and risk management. IP expert Isabella Liu and Lex Kuo head up the team alongside cyber fraud recovery group head Gary Seib, who is particularly reputed for complex arbitration and litigation related to cybersecurity and data recovery. Kuo acts in a range of regulatory and transactions projects relating to cybersecurity and data privacy.

Deacons is especially prominent in the hospitality, gaming, and IT sectors and is active across China, with offices in Beijing, Shanghai and Guangzhou, as well as having a strong presence in Hong Kong. The group is accomplished in drafting data processing agreements, and advising on data regulations across these jurisdictions, as well as privacy issues in advertising and marketing. Machiuanna Chu heads up the team, bringing a great deal of compliance expertise to clients and experience in investment transactions. Andy Yu and Dora Si are lauded for their ‘deep knowledge of data protection and a longstanding practice in this field.’