On 29 June, 2023, the Cyberspace Administration of China (“CAC”) and the Hong Kong Innovation, Technology and Industry Bureau (“ITIB”) signed a Memorandum of Understanding on Facilitating Cross-Border Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area (“Memorandum”). We set out below an overview of the key facilitation measures that have been subsequently issued on the basis of the Memorandum.
The GBA Standard Contract
On 10 December, 2023, the CAC and ITIB jointly released the Implementation Guidelines on the Standard Contract for the Cross-Border Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (“Guidelines”). These Guidelines introduce the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (“GBA Standard Contract”), which applies to the transfer of personal information between the nine Mainland cities in the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”) and Hong Kong. While the GBA Standard Contract is modelled on the nationwide Standard Contract for Cross-Border Personal Information Transfers (“Standard Contract”), it introduces reduced compliance obligations for the receiving party.
Key changes to the compliance requirements under the Guidelines include the following:
- Simplified Personal Information Protection Impact Assessment (“PIA”): While a PIA is still required, the requirements are significantly less stringent than those in the PIA required under the nationwide Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition).
- No PIA filing requirement: Filing entities are not required to submit the full PIA report when filing the GBA Standard Contract. However, a letter of commitment undertaking that the PIA has been completed must be submitted.
- Expanded complaint mechanisms: In addition to Mainland authorities, any entities or individuals may also submit complaints to the ITIB, the Office of the Government Chief Information Officer of Hong Kong, or the Hong Kong Privacy Commissioner for Personal Data (“PCPD”).
Furthermore, the Hong Kong parties to the GBA Standard Contract must file the GBA Standard Contract with the Hong Kong Digital Policy Office.
Mutual Recognition of Data Security
The Cybersecurity Standards Practice Guide—Requirements for Cross-Border Processing and Protection of Personal Information in the Greater Bay Area (Mainland, Hong Kong) (“Practice Guide”), published on 21 November, 2024, introduces a “Mutual Recognition of Security” framework for the cross-border transfer of personal information between the nine Mainland cities and Hong Kong in the GBA. Under this approach, cross-border data transfers can be facilitated by voluntarily applying for a GBA personal information cross-border security certification (for Mainland personal information processors or recipients) or by voluntarily joining the “Mainland-Hong Kong Cross-Border Data Transfer Recognition List” established by the PCPD (for Hong Kong personal information processors or recipients). It is worth noting that the Practice Guide merely outlines theses mechanisms and does not provide detailed implementing regulations at this stage.
The regulatory framework for cross-border data transfers in the GBA remains in its early stages of development. It is anticipated that the relevant authorities in Mainland China and Hong Kong will issue further regulations or guidelines under frameworks such as the Memorandum to enhance the facilitation of cross-border data flows within the GBA.
We are closely monitoring these developments and will provide timely updates as new information becomes available. Should you have any questions or require assistance with cross-border data transfers in the GBA, please feel free to contact us.
