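Column: 北京市竞天公诚律师事务所 (Jingtian & Gongcheng, Beijing)
Jingtian & Gongcheng was founded in the early 1990s and is one of the first partnership law firms approved for establishment in China. In the thirty years since its founding, the drive and innovation of its founding partners have laid a solid foundation for its younger lawyers and given them room and motivation to grow. Jingtian & Gongcheng has today developed into a full-service law firm known for its professionalism.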

Transfer of Personal Info within the Greater Bay Area

北京市竞天公诚律师事务所 (Jingtian & Gongcheng, Beijing) · WeChat official account · 2024-01-15 20:02



Original title: China Explores More Relaxed Regulation on Cross-Border Transfer of Personal Information within the Greater Bay Area


The article was first published on China Law & Practice, www.chinalawandpractice.com.


On December 13, 2023, the Cyberspace Administration of China (“CAC”) and the Innovation, Technology and Industry Bureau of Hong Kong S.A.R. (“ITIB”) jointly published the Guidelines for Implementing the Standard Contract for the Cross-Boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland and Hong Kong) (粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引, the “GBA Standard Contract Guidelines”), aiming to facilitate and streamline the arrangements on cross-boundary flow of personal information from the Mainland cities in the GBA to Hong Kong. This new guideline is seen as China’s attempt to explore a more relaxed and flexible regulatory approach to the cross-border transfer of personal information within specific areas.


In the past, despite its position as an integral part of China, Hong Kong was deemed an overseas region under China’s regulatory regime on cross-border data transfer; thus any transfer of personal information from mainland China to Hong Kong was subject to the same restrictions and requirements applicable to such transfers to foreign countries. However, considering the close economic and business connections between Hong Kong and mainland China, especially cities in the GBA, the existing regulatory framework became a heavy burden and imposed high compliance costs on relevant companies. The Chinese central government is promoting the establishment of closer connections between Hong Kong and mainland China. In this context, the CAC and ITIB signed the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macao Greater Bay Area in June 2023, which called for establishing security rules for cross-boundary data flow within the GBA and promoting the safe and orderly cross-border flow of data in this area. The GBA Standard Contract Guidelines, published in December, can be seen as the first major achievement of cooperation under the Memorandum of Understanding.


The key takeaways and highlights of the GBA Standard Contract Guidelines include:


01 Applicable Scope

In contrast to the existing generally applicable cross-border data transfer mechanisms, the standard contract mechanism established by the GBA Standard Contract Guidelines applies only to the cross-border transfer of personal information between personal information handlers and recipients registered (for institutions) or residing (for individuals) in the mainland part of the GBA or in Hong Kong.


Personal information handlers and recipients meeting the above conditions are allowed to transfer personal information by concluding a standard contract (the “GBA Standard Contract”) in accordance with the guideline. The permitted cross-boundary flows of personal information run in two opposite directions: (i) from a handler in one of nine cities in the mainland part of the GBA to a recipient in Hong Kong; and (ii) from a handler in Hong Kong to a recipient in one of those nine cities. However, because section 33 of Hong Kong’s Personal Data (Privacy) Ordinance has not been put into operation, there is no mandatory restriction on the transfer of personal information out of Hong Kong, apart from a few recommendatory guidelines published by the Office of the Privacy Commissioner for Personal Data (“PCPD”). Thus, this newly established mechanism is more meaningful for transferring personal information from the mainland part of the GBA to Hong Kong.


Another significant breakthrough is that the GBA Standard Contract Guidelines do not stipulate a threshold for the volume of the personal information involved in the cross-boundary transfer. Under the Provisions for Regulating and Promoting the Cross-Border Flow of Data (Draft for Comments) (《规范和促进数据跨境流动规定(征求意见稿)》) published by the CAC, if a personal information handler expects to transfer the personal information of 1 million or more individuals overseas within one year, it must apply for a security assessment for cross-border data transfer. It is interpreted that under the GBA Standard Contract Guidelines, even if a company in the mainland part of the GBA transfers the personal information of more than 1 million individuals to a recipient in Hong Kong, it can rely on the GBA Standard Contract. The company no longer needs to go through the lengthy and complicated process of security assessment for cross-border data transfer.


In addition, there are two major restrictions worth noting:


(1) If any personal information falls into the scope of the “important data” determined pursuant to applicable laws, the handlers cannot rely on the GBA Standard Contract as the lawful basis to transfer such personal information to Hong Kong.


(2) The personal information transferred under the GBA Standard Contract cannot be forward transferred to other recipients outside the GBA, although forward transfer to third-party recipients in the GBA is allowed, provided the preconditions set out in Section 8.3 of the GBA Standard Contract have been met. Thus, it is impossible for a personal information handler in mainland China to take advantage of the GBA Standard Contract to transfer personal information to other foreign countries or regions by using Hong Kong as a transit point.


02 The Compliance Burden Is Significantly Reduced

Compared with the existing generally applicable standard contract mechanism established by the Measures for the Standard Contract for Overseas Transfer of Personal Information (《个人信息出境标准合同办法》) and the corresponding national Standard Contract, the relevant parties’ compliance burden under the GBA Standard Contract Guidelines has been significantly reduced from the following perspectives:

(1) Reduced contractual obligations and responsibilities for recipients

Compared with the obligations set forth by the national Standard Contract, under the GBA Standard Contract, the recipient is no longer required to “allow a personal information handler to access to necessary data files and documentations” when demonstrating its compliance with the contractual obligations. (Section 3.11 of the national Standard Contract vs. Section 3.10 of the GBA Standard Contract)

Although the recipient is still obligated to keep records of its activities of processing the received personal information for at least three years, the recipient’s obligation to “provide relevant records to the supervisory authority” has been removed. (Section 3.12 of the national Standard Contract vs. Section 3.11 of the GBA Standard Contract)


In addition, the recipient’s obligations when using the received personal information to conduct automated decision-making (Section 3.10 of the national Standard Contract) have also been removed in the GBA Standard Contract. This means that recipients under the GBA Standard Contract may simply follow the rules on automated decision-making using personal information in their own jurisdiction.


(2) Simplified personal information protection impact assessment


According to Article 5 of the GBA Standard Contract Guidelines, personal information handlers still need to conduct a personal information protection impact assessment (“PIA”) before using the GBA Standard Contract to transfer personal information. However, compared with the assessment requirements laid out by the Measures for the Standard Contract for Overseas Transfer of Personal Information, the major issues to be assessed have been narrowed to three points: (i) the legitimacy, justification and necessity of the purposes and manners of the processing of personal information by the personal information handler and the recipient; (ii) the impact on the rights and interests of the data subjects and the security risks; and (iii) the obligations that the recipient undertakes to assume, and whether its management and technical measures and capabilities to fulfill the obligations can guarantee the security of transferred personal information.


Handlers of personal information are no longer required to assess issues such as the volume, scope, type and sensitivity of the personal information to be transferred, or the impact of personal information protection policies and regulations in the recipient's region on the performance of the standard contract. These changes reflect mutual recognition by mainland China and Hong Kong of the other jurisdiction’s personal information protection levels.


As a result, it is expected that a PIA conducted in accordance with the GBA Standard Contract will be simpler and the PIA report generated will be shorter as well.


(3) Simplified record filing requirement


Article 8 of the GBA Standard Contract Guidelines requires the personal information handler and the recipient to file for the record with the Guangdong Cyberspace Administration or the Office of the Government Chief Information Officer (“OGCIO”) of Hong Kong (depending on where the personal information handler is registered/resides) within 10 days upon the signed standard contract becoming effective.


When filing for the record under the GBA Standard Contract, only three documents need to be submitted: (i) a photocopy of the legal representative’s identification document; (ii) the signed commitment letter; and (iii) the signed GBA Standard Contract. Compared with the filing requirements for the national Standard Contract, the most significant change is that the PIA report is no longer required to be submitted. This means that, at the filing for the record stage, the authorities on either side will not conduct a substantive review over the cross-border transfer of personal information provided in the standard contract. Combined with the simplified assessment requirements, the time needed to prepare the PIA report and the filing documents will be significantly reduced, and thus the relevant parties’ compliance costs will be further minimized accordingly.


This does not mean, however, that the supervisory authorities will loosen their regulation and enforcement. The authorities may conduct random investigations and checks on the compliance of personal information handlers and recipients within their respective jurisdictions. The personal information handlers and the recipients must ensure that they fully comply with the applicable requirements set out by the corresponding personal information protection laws as well as the GBA Standard Contract.


03 Implementation of the GBA Standard Contract Mechanism

The GBA Standard Contract Guidelines send a positive signal to the market that the Chinese government is flexibly adjusting the regulatory framework to promote the orderly flow of data. The GBA Standard Contract mechanism could in this way be seen as a pilot within an area fully controlled by China. On the other hand, the development of the GBA is one of the predominant strategies of China’s central government, and the GBA Standard Contract mechanism is also a breakthrough to support regional development.


The implementation of the GBA Standard Contract mechanism will help to promote cross-boundary services that involve the processing of personal information and create more business opportunities for companies within this area. For example, the OGCIO of Hong Kong has announced that it will launch an early, pilot implementation arrangement for the GBA Standard Contract, publicly inviting participation from the banking, credit referencing and healthcare sectors, which all have a strong demand for cross-boundary services. Meanwhile, the OGCIO has also published filing guidelines that explain in detail how to file for the record for the GBA Standard Contract. It must still be emphasized that for a Hong Kong company that transfers personal information from Hong Kong to a recipient in the mainland part of the GBA, signing the GBA Standard Contract and filing for the record is a voluntary, rather than compulsory, option.


On the mainland side, under the Personal Information Protection Law, one of the preconditions provided by Article 38 must be met before transferring personal information overseas. The GBA Standard Contract Guidelines give personal information handlers in the GBA a better and simpler option to rely on as the lawful basis for transferring personal information to Hong Kong. It is also expected that the Guangdong Cyberspace Administration will publish filing guidelines for the mainland part of the GBA, and may also further clarify the relationship between the GBA Standard Contract mechanism and the existing mechanisms for overseas transfer of personal information, including the Provisions for Regulating and Promoting the Cross-Border Flow of Data (Draft for Comments), which are expected to be finalized soon.

