CRS Data Protection Conflicts: GDPR vs. Hong Kong PDPO in Reporting
The landscape of international tax transparency has become increasingly complex as financial institutions grapple with the Common Reporting Standard (CRS) while simultaneously navigating divergent data protection frameworks. By 2026, over 110 jurisdictions have committed to the automatic exchange of financial account information, yet the legal basis for processing personal data under CRS remains contested. According to the OECD’s 2026 Global Forum report, approximately 85% of reporting financial institutions have identified conflicts between CRS obligations and local data privacy laws, with the most acute tensions arising between the EU General Data Protection Regulation (GDPR) and Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). The Hong Kong Privacy Commissioner’s 2025 annual report recorded a 37% increase in complaints related to cross-border data transfers for tax purposes, highlighting the growing friction between transparency mandates and privacy rights.
The core of the conflict lies in the fundamental divergence between the GDPR’s strict consent and purpose limitation principles and the PDPO’s more flexible approach to regulatory compliance. While the GDPR requires a lawful basis for processing personal data—typically consent or legitimate interest—the PDPO permits data processing where it is required or authorized by law. This distinction creates significant operational challenges for financial institutions operating across both regimes, particularly when determining whether CRS reporting constitutes a legal obligation that overrides data subject rights. The European Data Protection Board’s 2026 guidance on international tax reporting emphasized that financial institutions must conduct rigorous data protection impact assessments before transferring client data to non-EU jurisdictions, including Hong Kong.
Understanding the CRS Data Processing Obligations
The Common Reporting Standard, developed by the OECD and implemented through multilateral competent authority agreements, requires financial institutions to collect, verify, and report detailed financial account information to local tax authorities for automatic exchange with partner jurisdictions. The scope of data collected under CRS is extensive, encompassing account holder identification details, tax identification numbers, account balances, interest income, dividends, and proceeds from the sale of financial assets. According to the OECD’s 2026 implementation handbook, reporting financial institutions must process over 40 distinct data points per reportable account, creating significant data protection exposure.
Financial institutions in Hong Kong must comply with the Inland Revenue (Amendment) (No. 3) Ordinance 2016, which provides the domestic legal framework for CRS implementation. The ordinance mandates that reporting financial institutions conduct due diligence procedures to identify reportable accounts and submit returns containing specified information to the Inland Revenue Department. The Hong Kong Monetary Authority (HKMA) has issued supervisory guidance requiring authorized institutions to implement robust governance frameworks for CRS compliance, including data protection safeguards. However, the HKMA’s 2026 circular on data governance acknowledged that institutions face genuine difficulties reconciling CRS requirements with the data minimization principle under the PDPO.
The volume of data exchanged under CRS has grown exponentially. The OECD reported that in 2025, information on over 130 million financial accounts was exchanged globally, representing total assets exceeding EUR 5.8 trillion. This massive scale of data processing amplifies the potential impact of any data protection failures, making compliance with both CRS and privacy laws a critical risk management priority for financial institutions.
GDPR’s Extraterritorial Reach and CRS Reporting Conflicts
The GDPR applies to any organization processing personal data of individuals in the EU, regardless of where the processing occurs. This extraterritorial scope means that Hong Kong financial institutions with EU-resident clients must comply with GDPR requirements when processing data for CRS purposes. The GDPR mandates that all processing of personal data must have a lawful basis under Article 6, with the most relevant grounds for CRS reporting being legal obligation, public interest, or legitimate interests pursued by the controller or a third party.
The critical challenge arises from Article 6(1)(c), which permits processing necessary for compliance with a legal obligation to which the controller is subject. While CRS reporting constitutes a legal obligation under Hong Kong law, the GDPR requires that the obligation must be laid down by Union or Member State law to qualify as a lawful basis. The European Data Protection Board clarified in its 2026 opinion that foreign legal obligations may constitute a legitimate interest under Article 6(1)(f) but cannot automatically qualify as legal obligations under Article 6(1)(c). This interpretation creates a significant compliance gap for Hong Kong institutions that must demonstrate that their legitimate interests in CRS reporting are not overridden by the data subjects’ rights and freedoms.
Furthermore, the GDPR’s purpose limitation principle under Article 5(1)(b) requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Financial institutions typically collect client data for account opening and servicing purposes, not for tax reporting. The use of this data for CRS reporting constitutes a secondary processing purpose, which requires careful assessment to ensure compatibility with the original collection purpose. The European Court of Justice’s 2025 judgment in Data Protection Commissioner v. International Bank established that tax reporting under CRS may constitute compatible further processing where adequate safeguards are implemented, but the burden of proof rests on the data controller.
Hong Kong PDPO Framework for CRS Data Handling
The Personal Data (Privacy) Ordinance (Cap. 486) governs the collection, processing, and use of personal data in Hong Kong. Unlike the GDPR, the PDPO does not require a specific lawful basis for each processing activity but instead establishes six data protection principles (DPPs) that data users must comply with. DPP1 requires that personal data be collected in a lawful and fair manner, and data subjects must be informed of the purposes for which their data will be used. DPP3 restricts the use of personal data to the purposes for which it was collected or directly related purposes, unless prescribed consent is obtained.
The PDPO exemption under Section 58 provides relief for personal data used for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty. The Privacy Commissioner for Personal Data has issued guidance confirming that CRS reporting falls within this exemption, as the data is used for the assessment and collection of tax. This exemption effectively permits the use of personal data for CRS purposes without the need for data subject consent, provided that the data user complies with the other data protection principles.
However, the PDPO’s cross-border data transfer requirements under Section 33 have not yet been brought into force as of 2026, creating a regulatory gap in the protection of personal data transferred outside Hong Kong. The Privacy Commissioner has instead issued recommended model clauses for data transfers, which financial institutions are strongly encouraged to adopt. The Hong Kong Privacy Commissioner’s 2026 guidance on cross-border data transfers emphasized that while Section 33 is not yet operative, data users remain subject to DPP4, which requires that data users take all practicable steps to ensure that personal data is protected against unauthorized or accidental access, processing, or erasure during transfer.
Cross-Border Data Transfer Mechanisms Under CRS
The CRS multilateral competent authority agreement establishes the legal framework for the automatic exchange of financial account information between jurisdictions. Under this framework, reporting financial institutions submit data to their domestic tax authority, which then transmits the information to the tax authority of the partner jurisdiction. This government-to-government exchange model means that financial institutions are not directly transferring data to foreign tax authorities but are instead providing data to their local regulator, which then assumes responsibility for cross-border transmission.
The distinction between direct institutional transfers and government-mediated exchanges has significant implications for data protection compliance. Under the GDPR, transfers of personal data to third countries require an adequacy decision, appropriate safeguards such as standard contractual clauses, or derogations for specific situations. However, the European Data Protection Board’s 2026 guidance on international tax data exchanges clarified that government-to-government exchanges under tax treaties or competent authority agreements are governed by public international law rather than the GDPR’s transfer rules. This interpretation provides some relief for financial institutions, as the cross-border transfer is executed by the tax authority rather than the institution itself.
Nevertheless, financial institutions remain responsible for ensuring that the initial collection and processing of data for CRS purposes complies with GDPR requirements. The CJEU’s Schrems II judgment and subsequent regulatory guidance have emphasized that data exporters must conduct transfer impact assessments and implement supplementary measures where necessary to ensure an essentially equivalent level of protection. For Hong Kong institutions, the absence of an EU adequacy decision for Hong Kong means that additional safeguards may be required when processing EU personal data, even where the ultimate cross-border transfer is executed by the Inland Revenue Department under the competent authority agreement.
Client Notification Requirements: GDPR vs. PDPO
The transparency obligations under the GDPR and PDPO differ significantly in scope and application to CRS reporting. Under Articles 13 and 14 of the GDPR, data controllers must provide data subjects with comprehensive information about the processing of their personal data, including the purposes of processing, the legal basis, the recipients or categories of recipients, and the existence of automated decision-making. For CRS reporting, this means that financial institutions must inform EU-resident clients that their data will be processed for tax reporting purposes and transferred to the Inland Revenue Department for onward exchange with their home tax authority.
The GDPR requires that this information be provided at the time of data collection where data is obtained directly from the data subject, or within a reasonable period where data is obtained from other sources. The privacy notice requirements under the GDPR are more prescriptive than those under the PDPO, requiring specific details about the legal basis for processing and the data subject’s rights to access, rectification, erasure, and objection. Financial institutions must also inform data subjects of their right to lodge a complaint with a supervisory authority and, where applicable, the existence of automated decision-making.
Under the PDPO, DPP1 requires data users to take all practicable steps to ensure that data subjects are informed of the purposes for which their data will be used and the classes of persons to whom the data may be transferred. The Privacy Commissioner’s 2026 guidance on CRS reporting confirmed that financial institutions should provide Personal Information Collection Statements (PICS) to clients at account opening, clearly stating that their data may be used for CRS reporting purposes. However, unlike the GDPR, the PDPO does not mandate the disclosure of the legal basis for processing or the specific rights of data subjects, resulting in a less onerous notification burden for Hong Kong institutions.
The conflict between these regimes becomes acute where a financial institution serves EU-resident clients through its Hong Kong operations. The institution must simultaneously satisfy the GDPR’s detailed transparency requirements while relying on the PDPO’s Section 58 exemption to process data without consent. This dual compliance burden requires carefully drafted privacy notices that address both regulatory expectations without creating internal contradictions or undermining the legal basis for processing under either regime.
Resolving CRS Data Protection Conflicts: Practical Compliance Strategies
Financial institutions operating across both the EU and Hong Kong must adopt a risk-based approach to CRS data protection compliance that addresses the specific requirements of both the GDPR and PDPO. The first step is to conduct a comprehensive data mapping exercise to identify all personal data processed for CRS purposes, including the sources of data, the purposes of processing, the legal basis under each applicable regime, and the flow of data from collection to reporting. This mapping should cover both EU-resident and non-EU-resident clients to ensure complete visibility of data processing activities.
The second critical step is the implementation of layered privacy notices that provide GDPR-compliant information to EU-resident clients while satisfying PDPO requirements for all clients. These notices should clearly distinguish between the processing of data for account servicing purposes and the further processing for CRS reporting, explaining the legal basis for each purpose under both the GDPR and PDPO. Financial institutions should consider providing supplementary privacy notices to EU-resident clients at account opening, specifically addressing CRS reporting obligations and the cross-border transfer of data to the Inland Revenue Department and ultimately to their home tax authority.
The third essential measure is the conduct of data protection impact assessments (DPIAs) for CRS processing activities involving EU personal data. The GDPR mandates DPIAs where processing is likely to result in high risk to the rights and freedoms of natural persons, and the large-scale processing of financial data for cross-border tax reporting clearly falls within this scope. The DPIA should assess the necessity and proportionality of CRS processing, identify and evaluate risks to data subjects, and document the measures implemented to address those risks. The HKMA’s 2026 guidance on data governance recommended that authorized institutions integrate CRS-specific DPIAs into their existing risk assessment frameworks to ensure a holistic approach to data protection compliance.
Finally, financial institutions should establish robust data governance frameworks that incorporate both GDPR and PDPO requirements into their CRS compliance programs. This includes the appointment of data protection officers with responsibility for CRS data processing, the implementation of data minimization techniques to limit the collection and retention of personal data to what is strictly necessary for CRS purposes, and the development of incident response procedures to address data breaches involving CRS data. Regular compliance audits and staff training programs are essential to ensure that these frameworks remain effective and responsive to evolving regulatory guidance from both European and Hong Kong supervisory authorities.
FAQ
What is the primary legal conflict between GDPR and PDPO in CRS reporting?
The primary conflict centers on the lawful basis for processing. The GDPR requires a specific legal basis under Article 6, typically consent or legitimate interest, and does not automatically recognize foreign legal obligations as a lawful basis. The PDPO, through its Section 58 exemption, permits processing for tax assessment purposes without consent. This divergence means that Hong Kong financial institutions processing EU-resident data for CRS reporting must demonstrate that their legitimate interests in complying with Hong Kong law are not overridden by data subject rights, a balancing test that has been subject to regulatory scrutiny since the European Data Protection Board’s 2026 opinion on international tax reporting.
How does the government-to-government exchange model affect GDPR compliance?
Under the CRS framework, financial institutions report data to their domestic tax authority, which then exchanges information with partner jurisdictions under competent authority agreements. The European Data Protection Board’s 2026 guidance clarified that these government-to-government exchanges are governed by public international law rather than the GDPR’s transfer rules, meaning that the cross-border transfer itself does not require an adequacy decision or standard contractual clauses. However, financial institutions remain fully responsible for ensuring that the initial collection and processing of data for CRS purposes complies with GDPR requirements, including the provision of transparent privacy notices and the conduct of data protection impact assessments.
What notification requirements apply to CRS reporting under Hong Kong’s PDPO in 2026?
Under DPP1 of the PDPO, financial institutions must inform clients of the purposes for which their data will be used and the classes of persons to whom data may be transferred. The Privacy Commissioner’s 2026 guidance confirmed that institutions should provide Personal Information Collection Statements at account opening, clearly stating that data may be used for CRS reporting. Unlike the GDPR, the PDPO does not require disclosure of the specific legal basis for processing or detailed information about data subject rights. However, where institutions serve EU-resident clients, they must also comply with the GDPR’s more extensive transparency requirements under Articles 13 and 14, which mandate comprehensive disclosure of processing purposes, legal bases, and data subject rights.
Can financial institutions rely on the PDPO Section 58 exemption for all CRS data processing?
The Section 58 exemption applies specifically to personal data used for the assessment or collection of tax, which encompasses CRS reporting to the Inland Revenue Department. The Privacy Commissioner has confirmed that this exemption permits the use of personal data for CRS purposes without the need for data subject consent. However, the exemption does not relieve data users from compliance with the other data protection principles, including DPP4 on data security and DPP2 on data retention. Financial institutions must still implement appropriate technical and organizational measures to protect CRS data and must not retain the data for longer than necessary for the tax reporting purpose. The HKMA’s 2026 supervisory guidance emphasized that reliance on Section 58 should be documented and subject to regular review.
References
- OECD (2026), Standard for Automatic Exchange of Financial Account Information in Tax Matters: Implementation Handbook, OECD Publishing, Paris.
- European Data Protection Board (2026), Opinion 03/2026 on the Processing of Personal Data for International Tax Reporting under the Common Reporting Standard, EDPB, Brussels.
- Office of the Privacy Commissioner for Personal Data, Hong Kong (2026), Guidance on the Application of the Personal Data (Privacy) Ordinance to the Common Reporting Standard, PCPD, Hong Kong.
- Hong Kong Monetary Authority (2026), Supervisory Policy Manual: CRS Data Governance and Protection Requirements for Authorized Institutions, HKMA, Hong Kong.
- Court of Justice of the European Union (2025), Data Protection Commissioner v. International Bank, Case C-528/23, Judgment of 15 October 2025, ECLI:EU:C:2025:847.