GBA exemption: Is data to become China’s next bubble?, Alex Roberts, Tiantian Ke, Jasmine Yung, Ruoyi Lu

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

The Cyberspace Administration of China and Hong Kong SAR’s Innovation, Technology and Industry Bureau signed an MOU on 29 June 2023 that sketches out draft rules on safeguarding data flows in the Greater Bay Area – one of the economic hubs that officials hope will drive economic recovery in both the mainland and special administrative region. However, neither further details nor the text of the rules was publicly released at the time.

Speculation on the creation of a “data bubble” around the GBA has been rife since the region’s inception in February 2019. Mainland China’s infamously strict stance on data exports – particularly with the launch of its security assessment regime last year and burdensome standard contract from 1 July this year – has left tech companies and other businesses with operations in or with the world’s second largest economy keen to understand whether a parallel data security regime would apply to the GBA.

This has especially been the case for banks, financial institutions, and their service providers, which have invested hugely in cross-border services under the various “connect” and other preferential schemes.

More squeak than bubble?

Industry watchers’ ears pricked up again this Sunday when Sun Dong, Hong Kong’s technology chief (Secretary for Innovation, Technology and Industry of Hong Kong) confirmed that an action plan is being developed to deal with cross-border data transfers. Squeaks from the corridors of power had previously suggested that regulators’ plans centred around northbound data transfers from the SAR to the mainland.

As reported in the article below though, Sun Dong’s descriptions of proposals interestingly focus on southbound exports. This spin makes sense:

Data exports from mainland China to Hong Kong SAR certainly have the more difficult rules to navigate – as mentioned above and the fact that cross-border data provisions of s.33 of HK’s Personal Data (Privacy) Ordinance (PDPO) remain inoperative and compliance with s33 remains only voluntary best practice for businesses. Currently, data exports are permitted under the PDPO so long as these are notified to individuals on or before data collection and the purposes of data exports remain consistent with such notifications.
Geopolitical, political, and other concerns persist around the security guarantees given to personal data transferred into the Chinese mainland – whether as scrutinised under the hugely topical EU standards that have also outlawed data transfers into the US, from the perspective of US lawmakers, or elsewhere. Sun Dong is quoted as emphasising that any new arrangements will not derogate from privacy protections afforded to Hong Kong residents.

Standard contract: solution or burden?

For legal and ops teams of organisations dealing with the GBA, the main takeaway from the news must be the revelation about the likely introduction of a GBA “standard contract”.

While Hong Kong’s authorities did introduce their own model terms in May 2022, their use is not mandatory. On the contrary, multinationals operating in the EU, UK, mainland China, and Vietnam have (or should have!) been frantically repapering data transfer arrangements among affiliates and suppliers for the last year or so.

Given that, if another regime is set to mandate new data transfer terms, multinationals will hope that either:

reliance on a robust template already in existence in another market will have equivalence to Sun’s forthcoming pro forma; or
the mainland and Hong Kong data watchdogs will simply prescribe a set of security principles to be adhered to, but leaving flexibility for organisations to determine how this is done. Why reinvent the wheel, for instance, when such principles already exist in the form of the APEC Privacy Framework, the ASEAN Framework on Personal Data Protection or the initiatives being formulated by the newly expanded Global CBPR Forum?

What’s next?

As such, although the news from Hong Kong on an action plan is hugely positive for tech players, financiers and others engaged in the GBA, these businesses must continue to wait with bated breath for answers to their questions on cross-border data transfers.

There is plenty for multinationals to do in the meantime with uplifting data compliance programmes, but it also sounds like there is more to come…!

We are here, of course, to help!

{

Previously, it was very difficult to transfer data from industries such as banking and healthcare to Hong Kong. Now, after years of negotiation with the country, we have signed the memorandum to help data flow within the bay area.

https://www.scmp.com/news/hong-kong/society/article/3227062/hong-kong-mainland-china-create-plan-within-months-greater-bay-area-data-transfer-deal-covering