On 13 December 2023, the Cyberspace Administration of China (the “CAC”) and the Innovation, Technology and Industry Bureau (the “ITIB”) of the Hong Kong Government jointly released the “Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (“GBA SCC Guidelines”).
The GBA SCC Guidelines mark China’s first measure to create an integrated approach to cross-border flows of personal data within the ten cities in the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”).
In this article, we highlight key provisions and share our observations on the proposed requirements. If you require any further assistance, please contact James Gong at james.gong@twobirds.com or Wilfred Ng at wilfred.ng@twobirds.com.
This is Part I of this article; we will release Part II after the New Year.
BACKGROUND
Currently, the cross-border data transfer regime in Mainland China is mainly established by the Personal Information Protection Law (“PIPL”) (click here to read our interpretation of the PIPL). Personal information processors[1] have three routes for the export of personal information (“PI”): (1) passing a governmental security assessment, (2) attaining a PI protection certification from an institution accredited by the CAC (“PIPL Certification”), or (3) entering into standard contractual clauses (“PIPL SCCs”) with PI importers.
Previously, the CAC’s release of the draft regulation for “Administering and Promoting Cross-border Data Flow” on 28 September 2023 proposed substantial changes to the current cross-border data transfer regime (Click here to read our comments on the draft regulation), with no specific coverage for GBA data flows. The GBA SCC Guidelines fill this gap by providing an alternative route for cross-border data transfers within the GBA.
Section 33 of Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”) prohibits the transfer of personal data to places outside Hong Kong, except in circumstances specified in the PDPO. Notably, section 33 has yet to come into effect and no current legislative timetable has been announced for its implementation. There are no mandatory restrictions on the cross-border transfer of personal data from Hong Kong. Against this backdrop, the Office of the Privacy Commissioner for Personal Data of Hong Kong (the “PCPD”) issued two guidelines in 2014 and 2022 on the Recommended Model Contractual Clauses (“RMCs”) for cross-border transfer of personal data. Whilst not mandatory for adoption, the PCPD recommends that data users in Hong Kong adopt the RMCs as part of their data governance obligation, and also to demonstrate their due diligence efforts to ensure that the jurisdiction of the data recipient provides safeguards equivalent to those under the PDPO (i.e. one of the circumstances permitting cross-border transfer in Section 33).
On 29 June 2023, the CAC and ITIB signed the “Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area” (“the Memorandum”). The signing of the Memorandum underscores the authorities’ intentions to establish a secure mechanism for cross-border data flow in the GBA, under the national management framework for safeguarding the security of cross-border data transfers. The “Opinions on Further Optimizing the Foreign Investment Environment and Increasing the Attraction of Foreign Investment” issued by the State Council in August 2023 also explicitly acknowledged this initiative, encouraging the exploration of convenient security management mechanisms for cross-border data flows in the GBA.
The Office of the Government Chief Information Officer (“OGCIO”) in Hong Kong is working with the Cyberspace Administration of Guangdong Province (“Guangdong CAC”) to adopt an “early and pilot implementation arrangement” (“Pilot Implementation”) in the GBA, with the first phase of the Pilot Implementation to target industries with a high demand for cross-border transfer, such as finance, credit checking, and healthcare, in order to streamline the compliance arrangements for transfer from Mainland China to Hong Kong[2]. If the Pilot Implementation proves effective, the Government plans to gradually expand the facilitation measures to other sectors.
On 1 November 2023, the National Information Security Standardization Technical Committee (“TC260”) issued the “Network Security Standard Practice Guide—Guangdong-Hong Kong-Macao Greater Bay Area Cross-Border Personal Information Protection Requirements (Draft for Comment)” (the “Draft Guide”), which is intended to serve as the implementation measures to the Memorandum, providing specific operational rules of the certification mechanism (“GBA certification”) for cross-border flow of data between the Mainland and Hong Kong (Click here to read our comments on the Draft Guide).
On 8 December 2023, the Hong Kong ITIB and OGCIO released the “Policy Statement on Facilitating Data Flow and Safeguarding Data Security in Hong Kong”. It indicated that the Constitutional and Mainland Affairs Bureau would consider possible amendments to the PDPO to align with the latest international developments in privacy protection, strengthen personal data protection, and address the challenges posed by cyber technologies.
At the Central Economic Work Conference on 12 December 2023, President Xi Jinping emphasized the need to expand high-level opening up to the international community, to give serious consideration to cross-border data flow issues, and to continue to build a first-class internationalized business environment that is market-oriented and rule of law-oriented. The following morning, the GBA SCC Guidelines were officially released, enabling individuals and organizations in the GBA to voluntarily enter into a standard contract (the “GBA SCCs”) as per Appendix I to the GBA SCC Guidelines to facilitate their free data flow within the GBA.
KEY PROVISIONS AND OBSERVATIONS
I. Legal Effect and Application
What is the legal effect of the GBA SCCs mechanism?
The GBA SCC Guidelines came into effect on December 13, 2023. According to the related information[3] and press release[4] issued by the Hong Kong SAR Government on the same day:
i. The adoption of GBA SCCs is on a voluntary basis.
ii. The GBA SCCs mechanism does not affect the regulation of the processing and export of PI in the Mainland and Hong Kong according to local laws and regulations of the respective jurisdictions.[5]
The adoption of GBA SCCs is on a voluntary basis, which means:
- Mainland PI Processors in the GBA can still export data outside the GBA pursuant to the existing three options for cross-border flow of PI under the PIPL. On the other hand, if the data only needs to be circulated within the GBA (i.e. no onward transfer outside the GBA), PI Processors can rely on the GBA SCCs or the GBA Certification mechanism (We will keep a watching brief on the relevant filing guidelines and any consultation hotline to be released by the Guangdong CAC – watch this space).
- For data users in Hong Kong, there is no change to any restriction on transferring personal data outside the jurisdiction. Existing data flow from Hong Kong to Mainland China will not be subject to a compulsory legal requirement for entering into the GBA SCCs.[6]
When will the GBA SCCs mechanism apply?
The OGCIO of the HKSAR Government has stated[7] that the GBA SCCs mechanism applies to both directions of cross-border flow of PI between Mainland cities in the GBA and Hong Kong.
The following conditions must be met:
i. Both the PI Processor and recipient must be located in the GBA: The PI Processors[8] and the recipients must be registered (in the case of organisations) or located (in the case of individuals) in Mainland cities within the GBA, i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing of Guangdong Province, or in Hong Kong;
ii. The transfer should not involve the export of important data: Notably, the GBA SCCs mechanism does not apply if the export of important data is involved. PI may be classified or promulgated as important data by relevant departments or regions.
iii. There should be no onward transfer of PI outside the GBA: the GBA SCCs mechanism does not apply if there is a need for onward transfers of PI to organisations or individuals outside of the GBA.
Specifically, it is not allowed to provide[9] PI to organisations or individuals outside of the GBA under the GBA SCCs mechanism, but GBA SCCs do not explicitly prohibit transfer to the entrusted sub-processor outside the GBA[10]. However, the Guangdong CAC currently rejects any implication that entrusted sub-processing can be conducted outside the GBA. We will keep a watching brief on the relevant filing guidelines and any consultation hotline to be released by the Guangdong CAC – watch this space.
The above conditions do not concern the quantity of PI being exported. This suggests that the GBA SCCs have less stringent requirements for implementation compared to the PIPL SCCs[11], a point confirmed by the Hong Kong SAR Government.[12] This may mean that for Mainland PI Processors in the GBA:
- Despite reaching the threshold of governmental security assessment, if the above conditions can be met, Mainland PI Processors can still choose to export PI pursuant to the GBA SCCs mechanism.
- Conversely, if the exemption conditions in the draft regulation for Administering and Promoting Cross-border Data Flow for data export compliance mechanisms (such as PIPL SCCs) are met, Mainland PI Processors do not have an obligation to export data pursuant to the GBA SCCs mechanism.
Otherwise, for PI Processors who meet the exemption conditions, the cross-border compliance requirements in the GBA would be higher than those in other Mainland areas, which would contradict the goal of promoting data flow in the GBA. We will keep a watching brief on the relevant legislative developments to further confirm such implications – watch this space.
Stay tuned for Part II after the New Year, where we’ll dive deeper into the provisions of the GBA SCC Guidelines and share with you our views and observations.
—
[1] A personal information processor (“PI Processor”) is defined as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (“GDPR”) of the European Union.
[2] As stated in the Chief Executive’s 2023 Policy Address on 25 October 2023 and a written reply to the Legislative Council by the Secretary for the ITIB on 15 November 2023 (see website: Innovation, Technology and Industry Bureau: Questions (2023-11-15) (itib.gov.hk)).
[3] OGCIO: Facilitating Cross-boundary Data Flow within the Greater Bay Area
[6] See Q&A #9 at OGCIO: Facilitating Cross-boundary Data Flow within the Greater Bay Area
[7] OGCIO: Facilitating Cross-boundary Data Flow within the Greater Bay Area
[8] According to the GBA SCCs, “Personal information processor”, for the Mainland, refers to an organisation or individual that autonomously determines the purposes and means of PI processing; for the HKSAR, it also covers a “data user” which, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
[9] Although there is currently no clear definition of “provide” in Mainland laws and regulations, based on the context of the PIPL and the application of other regulatory documents, we understand that “providing” to a third party refers to transferring data to a third party that can independently determine the purpose and method of data processing, while the entrusted third party in “entrusted processing” can only process data according to the purpose and method specified by the entrusting party.
[10] Article 3 of the GBA SCCs: The recipient shall fulfil the following obligations and responsibilities: (9) Obtain consent of the PI Processor in advance where the processing of PI is entrusted by the PI Processor and further entrusted to a third party, and request the third party not to process the PI beyond the purposes and means of processing, etc. as agreed in Appendix I “Description of cross-boundary transfer of PI” of this Contract, and supervise the PI processing activities of the third party.
[11] According to Article 4 of the Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information, to provide PI to an overseas recipient by executing SCCs, a PI Processor shall meet the following conditions:
(1) not being a critical information infrastructure operator;
(2) handling PI of fewer than one million individuals;
(3) having provided PI of fewer than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year; and
(4) having provided sensitive PI of fewer than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year.