On 13 December 2023, the Cyberspace Administration of China (the “CAC”) and the Innovation, Technology and Industry Bureau (the “ITIB”) of the Hong Kong Government jointly released the “Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (“GBA SCC Guidelines”).
The GBA SCC Guidelines are China's first measure to create an integrated approach to cross-border transfers of personal information within the ten cities of the Guangdong-Hong Kong-Macao Greater Bay Area ("GBA").
In this article, we highlight key provisions and share our observations on the proposed requirements. If you require any further assistance, please contact James Gong at james.gong@twobirds.com or Wilfred Ng at wilfred.ng@twobirds.com.
This is Part II of this article. Part I is published separately.
BACKGROUND
(See Part I of this Article)
KEY PROVISIONS AND OBSERVATIONS
- Legal Effect and Application (see Part I of this Article)
- Key Provisions
Compliance Obligations
Before carrying out cross-border transfers by entering into GBA SCCs, PI Processors[1] in the GBA must complete the following steps:
1. Fully informing the PI subject and obtaining a legal basis (such as consent): This must be carried out in accordance with the local laws and regulations of the PI Processor's jurisdiction. Where the local laws and regulations do not require notification or consent, the local provisions govern and no additional requirement is imposed by the GBA SCC Guidelines.
2. Conducting a Personal Information Protection Impact Assessment (“PIPIA”)
Before carrying out cross-border transfers of PI under the GBA SCCs, PI Processors (including data users in Hong Kong) must conduct a PIPIA. The GBA SCC Guidelines do not currently require the PIPIA conducted for the purpose of entering into GBA SCCs to be submitted to the local authorities. This is a procedural difference from the PIPL SCCs, under which the PIPIA must be submitted to the CAC together with the signed PIPL SCCs.
For data users in Hong Kong, a PIPIA is not required under the PDPO. The PCPD only recommends a non-compulsory Privacy Impact Assessment ("PIA") before launching new businesses or projects that may have a significant impact on personal data privacy. However, the "Policy Statement on Facilitating Data Flow and Safeguarding Data Security in Hong Kong" states that the Constitutional and Mainland Affairs Bureau will consider possible amendments to the PDPO to align the legislation with the latest international developments in privacy protection. The PDPO may therefore incorporate international practices and mandate a PIA as a compliance requirement in certain situations.
- Key Assessment Areas:
- The legality, legitimacy and necessity of the purposes and means of PI processing by the PI Processor and the recipient (in contrast to the PIPL SCCs, the "scope" of PI processing is not assessed);
- The impact on the rights and interests of PI subjects, as well as the security risk to PI subjects (cf. the PIPL SCCs which contain more detailed requirements[2]);
- Whether the obligations undertaken by the recipient, and its management and technical measures and capabilities, can ensure the level of security required for the PI in question.
The GBA SCC Guidelines do not require an assessment of the impact of the PI protection policies and regulations of the recipient's country or region on performance of the standard contract, which is an obligation under the PIPL SCCs. The GBA SCCs mechanism therefore does not require an evaluation of the legal environment for PI protection in the recipient jurisdiction, an exercise that forms part of a customary transfer impact assessment under international data transfer mechanisms.
- PIPIA Time Limit: In line with the PIPL SCCs guidelines, the PIPIA must have been completed within the three months before the filing date, and no major changes may have taken place as of the filing date.
- PIPIA Template: At present, neither the Guangdong CAC nor Hong Kong authorities have issued a PIPIA report outline or template under the GBA SCCs mechanism. We will keep a watching brief on the upcoming filing guidelines from the Guangdong CAC, which may provide guidance for PIPIA implementation for Hong Kong’s data users.
3. Signing the GBA SCCs with the recipient according to the template
The GBA SCCs must strictly follow the template in Appendix I of the GBA SCC Guidelines. The PI Processor may negotiate additional terms with the recipient, but these must not contradict the GBA SCCs. In case of any discrepancy between the GBA SCCs and other legal agreements, the GBA SCCs take precedence. Separate commercial contracts may be entered into for specific business arrangements.
The GBA SCCs template is designed for one-way transfers only. If a cross-border data exchange involves transfers both from Mainland China to Hong Kong and from Hong Kong to Mainland China, two separate GBA SCCs must be signed, one for each direction of transfer.
Key differences between the GBA SCCs and PIPL SCCs include:
- The GBA SCCs restrict cross-border PI transfers to within the GBA, whereas the PIPL SCCs do not.
- The GBA SCCs relax the requirements for providing PI to third parties within the GBA: there is no need to ensure that the third party's activities meet China's PI protection standards, or to provide individuals with copies of the agreement with the third party.
- The GBA SCCs omit the clauses on the impact of the PI protection policies and regulations of the recipient's country or region on contract performance. If a change in local policy or regulation prevents the recipient from fulfilling the GBA SCCs, the recipient cannot unilaterally terminate the GBA SCCs.
- The GBA SCCs emphasise the application of local laws; for example, informing individuals and obtaining consent must comply with local laws. In disputes, individuals may choose to apply the laws of the PI Processor's jurisdiction and may file lawsuits in Mainland China or Hong Kong under the respective laws.
Under Article 6 of the GBA SCC Guidelines, cross-border PI transfers may only take place once the GBA SCCs have taken effect. In addition, a filing with the local regulatory authority is required within ten working days of the GBA SCCs' effective date, and, as confirmed with the Guangdong CAC, a filing reference number must be obtained before any cross-border PI transfer.
4. Filing the GBA SCCs with the local regulatory authority
- Who is responsible for the Filing?
Under the GBA SCCs, both PI Processors and recipients must file with their respective local authorities, unlike the PIPL SCCs, under which only Mainland PI Processors are required to file. This measure appears intended to allow the authorities to monitor recipients' implementation of the GBA SCCs, in particular onward transfers of data within the GBA.
The Guangdong CAC has indicated that one party filing under GBA SCCs may suffice, but this requires Hong Kong authorities’ confirmation. Notably, the OGCIO issued the Filing Guidelines on the Standard Contract for the Cross-boundary Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)[3] (“Hong Kong Filing Guidelines”), which are silent on this issue but have referred to two separate sets of filing procedures for both Hong Kong-based PI Processors and recipients. Whether this in practice means a Hong Kong recipient is expected to conduct a local filing in addition to the CAC filing already made by a PI Processor based in Mainland China remains to be seen.
For Hong Kong data users and recipients, using the GBA SCCs mechanism means increased filing responsibilities. By contrast, the PCPD's RMCs[4], which are more concise and flexible than the GBA SCCs, do not require any filing with a regulatory authority.
- Which regulatory authority will handle the Filing?
PI Processors and recipients shall file with the Guangdong CAC or the OGCIO in Hong Kong according to their respective jurisdictions and submit the required filing documents. The Hong Kong Filing Guidelines apply only to contracting parties in Hong Kong, whether data users or recipients. The Guangdong CAC is expected to issue filing guidelines in the near future, which will apply to PI Processors and recipients in the nine Mainland cities of the GBA.
- Filing Documents
- Photocopy of Identity proof of the legal representatives
- Undertaking (see Template at Appendix II of the GBA SCC Guidelines); and
- The GBA SCCs (Chinese version).
The Hong Kong OGCIO has provided a separate application form for filing, and the Guangdong CAC may also develop a corresponding filing application form requiring PI Processors to provide their contact information. Pending confirmation in the upcoming Guangdong CAC filing guidelines, it appears that the above filing documents do not include a PIPIA report, suggesting that the PIPIA under the GBA SCCs is more flexible in form and content than the PIPIA under the PIPL SCCs. Nonetheless, the authorities may still review the PIPIA report in connection with cross-border transfers and request rectification depending on the circumstances.
- Filing Process
The filing process may include the submission of documents, the checking of documents, notification of the filing result, the provision of supplementary information and re-filing.
- Submission of Documents: the parties shall complete the filing procedures within ten working days of the effective date of the GBA SCCs.
- Feedback timeline: The feedback timeline for Mainland parties is pending the release of the relevant rules by Guangdong CAC. The Hong Kong Filing Guidelines outline the following filing procedure timeline:
- For data user applications, the OGCIO will provide filing results within ten working days of receiving filing documents. If approved, a filing reference number will be issued. If not, the data user will be notified, and it may re-file with supplementary documents within ten working days.
- For recipient applications, the OGCIO will acknowledge receipt and document completeness within ten working days of receiving filing documents.
During the effective term of the GBA SCCs, PI Processors and recipients in the GBA should perform the following obligations:
1. PI Processors in the GBA should promptly re-conduct a PIPIA, enter into a supplemental agreement or new GBA SCCs, and complete the corresponding filing procedures, if any of the following occurs:
- The purpose, scope, categories, means, or the recipient’s use and means of PI processing changes, or the retention period is extended. (Compared to the PIPL SCCs, changes in sensitivity and retention location are not mentioned.)
- The occurrence of any other circumstances that affect or may affect the rights and interests in relation to PI. (Compared to the PIPL SCCs, changes in the PI protection policies and regulations of the recipient’s country or region that may affect PI rights and interests are not mentioned. This aligns with the GBA SCCs’ PIPIA, which does not require an assessment of the legal environment of the recipient’s country or region.)
2. PI Processors and recipients in the GBA shall be supervised and managed by the regulatory authorities of the jurisdiction concerned.
Below is a brief overview of the Hong Kong regulatory authorities, their hierarchy and their responsibilities in relation to cross-border data flows in the GBA:
The OGCIO’s responsibilities for GBA SCC Guidelines implementation include:
- Issuing guidance on GBA SCCs implementation and the Pilot Implementation.
- Accepting GBA SCCs filings from Hong Kong contracting parties and Expression of Interest Forms for the Pilot Implementation.
- Handling complaints and reports about improper performance of GBA SCC Guidelines obligations.
- Taking follow-up actions on GBA SCC Guidelines violations, including requesting necessary rectification from the PI Processor or recipient.
- Collaborating with the PCPD, and referring PDPO violation cases to the PCPD for further investigation and handling.
PI Processors and recipients in the GBA shall accept supervision and management by the regulatory authorities of the jurisdiction concerned during the implementation of the GBA SCCs, specifically including:
- PI Processors must respond to regulatory enquiries, demonstrate fulfilment of their GBA SCCs obligations, and notify the authorities when terminating the GBA SCCs (the PIPL SCCs only require notification where necessary).
- Recipients are supervised by the regulatory authorities and must answer enquiries, cooperate with inspections, comply with decisions, and provide proof of the actions taken. If a local government or judicial body requests PI transferred under the GBA SCCs, the recipient must notify the PI Processor immediately.
- In the event of a security incident such as a PI breach, immediate remedial measures must be taken and the regulatory authorities must be notified. The notification contents required under the GBA SCCs and the PIPL SCCs are identical.
Regulatory authorities may request rectification from PI Processors or recipients if high security risks or incidents are identified in the cross-border processing of PI. Cases requiring involvement of other law enforcement will be referred in accordance with the law.
The roles of Mainland and Hong Kong’s data protection authorities in enhancing data protection, handling complaints, investigating, and addressing unlawful data processing remain unaffected by these rules.
If a Hong Kong recipient violates the GBA SCC Guidelines by transferring PI outside the GBA, the OGCIO will follow up on reports or complaints. It may require rectification, and the recipient is expected to cooperate, comply and provide proof of the actions taken. Any conduct in breach of the PDPO will be followed up and handled by the PCPD under the PDPO.
Implementation Measures
The OGCIO of Hong Kong intended to launch a Pilot Implementation of the GBA SCCs in December 2023, with the first phase openly inviting participants from the banking, credit referencing and healthcare sectors. The Hong Kong Government will review the Pilot Implementation in due course and extend the facilitation measures to other sectors.
Individuals or enterprises interested in participating in the Pilot Implementation must submit an Expression of Interest Form before 31 December 2023.
According to the Expression of Interest Form, any PI Processor or recipient may apply to participate regardless of industry; applicants are not limited to the banking, credit referencing and healthcare sectors. Individual PI Processors and recipients may also participate in the Pilot Implementation.
CONCLUSION
The clear policy intention of the GBA SCC Guidelines, to facilitate the transfer of PI from Mainland China to Hong Kong, should be weighed against the potential impact on compliance costs. Examples discussed above include the need for Hong Kong data users to conduct a PIPIA, and the need for both Mainland China and Hong Kong-based parties to file with their respective local authorities.
Mainland China-based PI Processors can still export data under the existing mechanisms of the PIPL. Where the data flow does not need to extend beyond the GBA, they may opt for the GBA SCCs or the GBA Certification mechanism as appropriate. They should monitor the Guangdong CAC's upcoming filing guidelines and regulatory developments on potential exemptions from data export compliance obligations.
For Hong Kong data users transferring data to Mainland China, whether to rely on the GBA SCCs will inevitably be a case-by-case assessment. This is likely to depend on the organisation's existing compliance approach to international data transfers, in particular whether existing intra-group transfer impact assessments and transfer agreements can be leveraged, which is a natural option for mitigating any additional compliance cost. Relevant stakeholders are advised to monitor any upcoming PDPO revisions and to participate in the Pilot Implementation to provide feedback.
[1] According to the GBA SCCs, "PI Processor" refers, for Mainland China, to an organisation or individual that autonomously determines the purposes and means of PI processing; for the HKSAR, it also covers a "data user", meaning, in relation to personal data, a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
[2] The PIPL SCCs also require PI Processors to assess the risks in more detail, including the quantity, scope, type and sensitivity of the PI to be transferred overseas; the risk that the outbound transfer may pose to PI rights and interests; the risk of the PI being tampered with, sabotaged, disclosed, lost or illegally used after it is transferred overseas; and whether there is an effective channel for protecting the rights and interests in the PI.
[4] Media Statement – PCPD Publishes Guidance on Personal Data Protection in Cross-border Data Transfer; Media Statement – PCPD Issues Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data