The National Information Security Standardization Technical Committee (“TC260”) issued the “Network Security Standard Practice Guide—Guangdong-Hong Kong-Macao Greater Bay Area Cross-Border Personal Information Protection Requirements (Draft for Comment)” (the “Draft Guide”) on 1 November 2023.
The Draft Guide provides protection standards for cross-border data flow in the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”), as the basis for the GBA personal information protection certification (“GBA Certification”).
In this article, we highlight the key provisions of the Draft Guide and set out our observations on the proposed requirements. If you would like a copy of the English translation of the Draft Guide, please contact James Gong at james.gong@twobirds.com.
BACKGROUND
I. Cross-Border Data Transfer Regimes in Mainland China and Hong Kong
The current cross-border data transfer regime in Mainland China is established pursuant to the Personal Information Protection Law (“PIPL”) (click here to read our interpretation of the PIPL). There are three routes for personal information processors[1] to transfer personal information (“PI”) across borders, namely:
- Passing a governmental security assessment, which is required for (i) critical information infrastructure operators that export important data and PI; (ii) organisations that export important data; and (iii) organisations that process PI reaching one of the three threshold amounts[2] specified by the Cyberspace Administration of China (“CAC”) (click here to read our comments on the governmental assessment);
- Attaining a PI protection certification (“PIPL Certification”) by an institution accredited by the CAC (Click here and here to read our comments on the PIPL Certification regime); or
- Entering into the standard contractual clauses (“SCCs”) with the overseas PI importers (Click here to read our comments on the SCCs).
On 28 September 2023, the CAC released the draft “Regulation for Administering and Promoting Cross-border Data Flow”, which proposes substantial changes to the current cross-border data transfer regimes, but the draft regulation did not mention the data flow in the GBA (Click here to read our comments on the draft regulation).
In Hong Kong, Article 33 of the “Personal Data (Privacy) Ordinance” (“PDPO”) expressly prohibits the transfer of personal data to places outside Hong Kong except in circumstances specified in the PDPO[3]. Considering the high demand for free data flow by Hong Kong enterprises, this provision has not yet been brought into effect, so there is currently no mandatory restriction on the cross-border transfer of personal data in Hong Kong. Still, the Office of the Privacy Commissioner for Personal Data of Hong Kong encourages compliance with Article 33. It issued two non-compulsory guidelines in 2014 and 2022[4] to prepare for the implementation of Article 33, which include Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data. Nonetheless, the general security measures and restrictions on data transfer in the PDPO still apply to Hong Kong PI Processors. For example, before sharing personal data with third parties, a data user must inform the data subject of the categories of persons who may receive his or her data, and when the purpose of collecting personal data changes, the data user must obtain the explicit consent of the data subject.
II. Initiative to Facilitate Data Flows in the GBA
The Draft Guide aims to implement the “Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the GBA” (the “Memorandum”) signed between the CAC and the Innovation, Technology and Industry Bureau of Hong Kong (the “ITIB”) on 29 June 2023.
The announcement of the Memorandum states that it aims to establish security rules for cross-border data flow in the GBA under the national management framework for safeguarding the security of cross-boundary data. The State Council supports this initiative and encourages experimentation with security management mechanisms for cross-border data flows in the GBA, according to the “Opinions on Further Optimizing the Foreign Investment Environment and Increasing the Attraction of Foreign Investment” issued in August 2023.
The signing of the Memorandum aims to foster the secure cross-boundary flow of Mainland data within the GBA. As stated in the “Chief Executive’s 2023 Policy Address” of 25 October 2023 and in a written reply to the Legislative Council by the Secretary for the ITIB on 15 November 2023, the Hong Kong SAR Government is working with Guangdong Province to adopt an early and pilot implementation approach in the GBA, targeting high-demand services such as finance, credit checking and healthcare, to streamline the compliance arrangements for the flow of personal data from the Mainland to Hong Kong. Based on its effectiveness and the experience gained, the authorities will consider expanding it to other sectors in an orderly manner.
Based on the Memorandum, on 13 December 2023, the CAC and the ITIB issued the “Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the GBA (Mainland, Hong Kong)” (“GBA SCCs”). Effective from its release date, the GBA SCCs mechanism is the first facilitation measure formulated to foster the cross-boundary flow of PI within the GBA in a safe and orderly manner. Individuals and organisations in the GBA can voluntarily adopt the GBA SCCs when applicable. We will release our commentary article on the GBA SCCs mechanism soon.
KEY PROVISIONS AND OBSERVATIONS
I. Legal Effect and Application
What is the legal effect of the Draft Guide?
The Draft Guide by TC260 is an unofficial, optional network security guide, not yet in effect. TC260 is not an official legislative body in Mainland China[5]. According to the “Management Measures for Network Security Standard Practice Guides (Interim)”, the Network Security Standard Practice Guide aims to disseminate network security standards and knowledge, providing standardised guides. The Draft Guide serves as a basis for GBA Certification under the Memorandum and a compliance reference for PI Processors, without mandatory enforcement power.
Like PI protection certification guidelines under the PIPL Certification regime, the Draft Guide could be a precursor to future regulations and may evolve into a more effective document by TC260 or a higher authority when appropriate.
Is the GBA Certification the only way for cross-border data transfer in the GBA?
No. As the CAC issued the GBA SCCs based on the Memorandum on 13 December 2023, PI Processors in the GBA (the “GBA PI Processors”) can also choose to sign the GBA SCCs for cross-boundary data flow in the region. Therefore, the GBA Certification mechanism will not be the sole option for the GBA PI Processors.
The Draft Guide applies to the GBA PI Processors conducting cross-border PI processing via the GBA Certification. However, as the Memorandum’s full text is not public, several questions still need clarification:
- Does the GBA Certification mechanism form part of the PIPL Certification regime?
- Under the GBA Certification mechanism, what are the specific requirements for signing legal documents, filing with authorities, and how does it differ from current PIPL Certification regime and SCCs?
- As PI transferred under the GBA Certification mechanism cannot leave the GBA, does it imply the GBA Certification mechanism will be much simpler than the existing PIPL Certification regime?
Does the Draft Guide apply to data flows from both Mainland and Hong Kong?
The Draft Guide appears to aim at regulating data flow in both directions between Mainland and Hong Kong. This aligns with the Draft Guide’s logic, for example:
- The Draft Guide includes Hong Kong’s PI Processors within the GBA and discusses the PDPO. It introduces terms like “personal data”, “data subject”, and “data user”, which apply when Hong Kong data flows. If it were only regulating Mainland data flowing into Hong Kong, there would be no need to involve Hong Kong law.
- The Draft Guide does not categorize Hong Kong’s PI Processors as overseas recipients. Instead, it groups them with Mainland GBA PI Processors, proposing uniform cross-border PI provision and receipt requirements. This suggests the Draft Guide’s intent to regulate bidirectional data flow.
However, as per the “Chief Executive’s 2023 Policy Address” and the Hong Kong Government’s Secretary for the ITIB’s reply to the Legislative Council on 15 November 2023, the Memorandum was signed to enable the secure cross-border flow of Mainland data within the GBA. It does not address the flow of Hong Kong data into the Mainland.
The Hong Kong PDPO’s data export provisions have not been implemented, so there are no compulsory limits on transferring Hong Kong data outside Hong Kong, only adherence to global protection standards and practices. If the Draft Guide regulates the flow of Hong Kong data into the Mainland, it could increase Hong Kong PI Processors’ compliance burden. We discuss the added compliance obligations for Hong Kong PI Processors in the “Specific Protection Requirements” section below.
Moreover, to apply the Draft Guide’s requirements on bidirectional data flow between Mainland and Hong Kong, Mainland and Hong Kong authorities need to at least enact higher-level laws, set up GBA Certification institutions, and establish procedural rules.
Who is a GBA PI Processor under the Draft Guide?
The Draft Guide defines the GBA PI Processors as those registered (for organizations) or located (for individuals) in Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing of Guangdong Province, and Hong Kong.
Interestingly, the Draft Guide does not include PI Processors in Macau or mention Macau law, despite its summary stating it applies to cross-border PI processing in the GBA. This might be because the Memorandum was only signed between Mainland China and Hong Kong. To prevent confusion, it is suggested that the official Draft Guide version should clarify its applicability to Macau and include relevant Macau content if applicable.
Furthermore, the term “PI Processors” in Hong Kong might refer to the “data users” as per the PDPO, given the Draft Guide’s potential regulation of Hong Kong data flow to the Mainland. This should also be clarified in the official version of the Draft Guide.
II. Key Provisions
The Draft Guide outlines principles and specific requirements for cross-border PI protection in the GBA, covering data processing’s life cycle, PI rights protection, and PI security. It draws from the PIPL and PDPO, but aims to offer stricter, more detailed requirements.
Basic Principles
Besides the common principles of the PIPL and the PDPO, the Draft Guide adds special principles for inter-regional rule linkage. For example, PI Processors should adhere to local laws according to the principle of territoriality; cross-border PI processing should comply with legally binding documents’ provisions and commitments.
Specific Protection Requirements
The Draft Guide mostly reflects the PIPL requirements, except when it specifies that local laws should be followed. It also includes direct marketing rules based on the Mainland laws, e.g., the “Advertising Law” and the “Measures for the Supervision and Administration of Online Transactions”.
This approach intends to harmonise the level of data protection across the GBA. However, it lacks approval from higher-level laws and could hinder the transfer of Hong Kong data to the Mainland. Specifically:
- The Draft Guide imposes requirements from the PIPL on Hong Kong’s PI Processors, exceeding their compliance obligations under the PDPO. The PDPO does not align with all obligations of the PIPL and the Draft Guide concerning data collection, disclosure, processing, transfer, and the protection of personal rights. Legal concepts in the PDPO also differ from the Mainland’s[6]. Hence, Hong Kong PI Processors may face challenges in understanding and implementing the Draft Guide’s requirements, which TC260 is not authorised to impose on them.
- The Draft Guide, while advocating adherence to local law, lacks clarity on which prevails when its own requirements conflict with those local laws, which leads to confusion. PI Processors in Hong Kong should be able to voluntarily adopt only those parts of the Draft Guide that do not conflict with local laws, with the local laws prevailing wherever there is a conflict. This approach would allow those who voluntarily participate in the GBA Certification mechanism to protect PI according to the standards of Chinese law, while minimising conflicts with local laws and regulations.
Given the Mainland’s stricter data export restrictions compared with Hong Kong, using PIPL-based GBA Certification for Hong Kong data entering the Mainland could hinder data flow.
Moreover, the Draft Guide stipulates more detailed requirements on PI security for PI Processors, compared with the currently effective requirements under the PIPL and the PIPL Certification regime, including:
- Creating a cross-border PI catalogue: identify and form a catalogue of the PI involved in cross-border processing, and update it timely.
- Implementing access control: establish a minimum access policy for authorized personnel to access or read only necessary PI required by their duties.
- Accepting authority supervision: commit to ongoing supervision by certification authorities, including providing written evidence of having taken necessary actions.
- Establishing confidentiality agreements: limit PI processing permissions and sign confidentiality agreements with relevant personnel.
- Obtaining approval for major operations: implement internal approval processes for significant PI operations like batch modification, copying, and downloading.
Specifically, it states that onward data transfer should remain in the GBA. The PI Processor shall take measures such as contract agreement, commitment to certification authorities, filing with competent authorities, regular audit of recipient logs, annual self-assessment of data export security risks, etc., to prevent the recipient from transferring the received PI to a third party outside the GBA.
Both the Draft Guide and the GBA SCCs limit the recipient’s ability to transfer PI outside the GBA. This might be to prevent Hong Kong from being used by the exporters to circumvent Mainland data export regime. This implies that the GBA Certification mechanism might be simpler than the current PIPL Certification regime.
In this regard, we recommend that the Draft Guide should clarify the principle of voluntariness and allow Hong Kong PI Processors to voluntarily choose whether to transfer PI to the Mainland through the GBA Certification mechanism.
CONCLUSIONS
We propose the following amendments:
- The GBA Certification should be optional for the GBA PI Processors, aligning with voluntary certification principles and optimizing the foreign investment environment.
- The Draft Guide should clarify if it applies to Macao in the official version. If so, it should include Macao relevant content in the applicable scope and rules.
Takeaways for GBA PI Processors
For Mainland GBA PI Processors:
- If onward transfer outside the GBA is necessary, one route of the data cross-border transfer regimes under the PIPL needs to be adopted; otherwise, Mainland GBA PI Processors may choose the GBA SCCs or the GBA Certification to export PI to Hong Kong.
- The GBA Certification will restrict data flow outside the GBA. It is unclear in status, legal effect, and implementation rules, and its convenience compared to mechanisms like SCCs is uncertain.
- Mainland PI Processors should closely monitor any regulatory development on potential exemptions of the data export compliance obligations.
For Hong Kong PI Processors:
- The Draft Guide could limit Hong Kong PI Processors from transferring data to the Mainland given Hong Kong’s absence of mandatory data export restrictions.
- Hong Kong PI Processors should monitor relevant legislation (such as the amendments and implementation of PDPO) closely.
- Hong Kong PI Processors can join and give feedback on the early and pilot data cross-boundary projects between Hong Kong and Guangdong Province when appropriate.
[1] A personal information processor (“PI Processor”) is defined as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (“GDPR”) of the European Union.
[2] The current thresholds for triggering security assessment by PI Processor are: (i) from 1 January of the preceding year, (a) exporting PI of 100,000 individuals, or (b) exporting sensitive PI of 10,000 individuals; or (ii) processing PI of 1 million or more individuals.
[3] According to the Article 33 of PDPO, personal data shall not be transferred to a place outside Hong Kong unless:
(a) the place is specified for the purposes of this section in a notice under subsection (3) of the PDPO;
(b) the user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the PDPO;
(c) the data subject has consented in writing to the transfer;
(d) the user has reasonable grounds for believing that, in all the circumstances of the case— (i) the transfer is for the avoidance or mitigation of adverse action against the data subject; (ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and (iii) if it was practicable to obtain such consent, the data subject would give it;
(e) the data is exempt from data protection principle 3 by virtue of an exemption under Part 8 of the PDPO; or
(f) the user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the PDPO.
[4] Media Statement – PCPD Publishes Guidance on Personal Data Protection in Cross-border Data Transfer; Media Statement – PCPD Issues Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data
[5] According to the Constitution of the National Information Security Standardization Technical Committee, TC260 is a technical organization engaged in standardization work in the field of network security. It is led by the National Standardization Administration of China (SAC) and guided by the Office of the Central Cyberspace Affairs Commission (also named as the CAC) in terms of its work.
[6] For example, in direct marketing, consent in Hong Kong law includes implied consent, while the mainland only recognizes explicit consent. Another example is that for PI Processors to process PI across borders, logs of cross-border processing activities of PI should be recorded, and such logs should be kept for at least 3 years, which may be derived from Article 55 and Article 56 of the PIPL, which require recording the data export processing situation and keeping it for three years, while there is no similar mandated requirement in the PDPO.