Four months after an MOU was signed between mainland China and Hong Kong SAR on safeguarding data flows in the Guangdong-Hong Kong-Macau Greater Bay Area (GBA), the first set of implementation rules has just been tabled. These rules are a first step to the MOU’s liberalisations becoming operative.
On 1 November 2023, China’s national standardisation committee (also known as “TC260”) released the draft Practical Guidelines on Cross-border Personal Information Protection Requirements in the GBA (GBA Guidance) for public consultation. Once implemented, the GBA Guidance will serve as a foundation for the GBA’s specific personal information protection certification. The GBA Guidance also provides a wider point of reference for organisations in the GBA to manage their cross-border personal information processing activities across the GBA.
Scope of application
The GBA Guidance applies to qualified organisations that choose to rely on the GBA certification regime to legitimise their in-scope cross-border transfer activities. A “qualified organisation” refers to a personal information processor registered or located in the GBA, i.e., in cities including Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing of the Guangdong province, and the Hong Kong SAR.
The GBA Guidance is subordinate to the MOU and the applicable laws of the in-scope jurisdictions, including, for mainland China, the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, and for Hong Kong SAR, the Personal Data (Privacy) Ordinance. Notably, Macau SAR is not yet covered. Based on our conversations with one of the key drafters in attendance with us at this week’s TC260 annual meeting, the current omission of Macau SAR is more a matter of time and approval process. It is expected that rules applicable to transfers to or from Macau SAR within the GBA will also be included soon.
Incentive for obtaining a GBA certificate
Given the GBA certification regime is voluntary, we query who will have more incentive to apply for a GBA certification and comply with the requirements set out under the GBA Guidance.
As alluded to in our earlier post, since the cross-border data transfer provisions under Hong Kong’s PDPO remain inoperative, transferring personal data outside of Hong Kong is not yet subject to stringent restrictions. As such, it seems logical to anticipate that Hong Kong-based businesses would have less incentive to uplift compliance via the GBA Guidance.
On the other hand, organisations located in the mainland cities listed above may have more drivers to consider leveraging the GBA certification as a more efficient way to legitimate their data export activities.
Considering the envisaged cost and effort though, GBA certification may not be a solution catering to all businesses’ needs. Indeed, the policy address of Hong Kong’s Chief Executive specifically signalled out only cross‑boundary financial and medical services as beneficiaries of the scheme.
Data transfer requirements
The GBA Guidance proposes various GBA-specific data transfer requirements. These include:
- Contractual terms: A data exporter must sign a legally binding document with the data recipient. This document must stipulate the purpose, method, scope, type, quantity, retention period, and storage location of personal information to be exported, as well as clarify the responsibilities and obligations of both parties to protect the personal information. Similar in substance to the terms required under other of the PIPL’s transfer mechanisms, so far it is not clear whether the mainland Chinese or Hong Kong SAR’s model contractual clauses will be pushed as a norm.
- No transfers outside the GBA: Importantly, the recipient of the personal information must not transfer it to a third party outside the GBA. To ensure compliance, safeguards must be imposed on the data recipient under the binding document, such as it providing an undertaking to the certification body, submitting a filing to competent authorities, conducting an annual self-assessment, or it allowing an audit of its data transfer log. These requirements, if implemented in their current form, will substantially restrict international data flows. For example, in a scenario where offshore recipients include both a Hong Kong-based and US-based affiliate of the data exporter, the personal data transferred under a GBA certificate could not be onward transferred to the US affiliate from Hong Kong (presumably unless further compliance steps are taken).
- Acceptance of broad supervision: As a condition to obtain a GBA certificate, both the data exporter and the recipient must undertake accepting the certification body's continuous supervision of their cross-border personal information processing activities. In doing so, organisations would be obliged to respond to inquiries, cooperate with inspections, comply with measures taken or decisions made, and provide written proof that necessary actions have been taken. Multinational businesses may have concerns over the broad supervision power equipped to the certification body.
- PIPL-aligned notice and consent: As a reiteration of the PIPL’s requirements for transfers within the mainland, information notices following the PIPL's relatively onerous standards must be served on individuals (including notifying the name and contact details of the recipient), and consent must be obtained where required under applicable law. While a mainland China-based data exporter should have followed the PIPL requirements anyway, Hong Kong based exporters would likely prefer not to provide disclosures that are not otherwise required under the PDPO.
What’s next?
The GBA initiative should become a fifth approach to data exports from mainland China, supplementing the existing security assessment, personal information protection certification and standard contract mechanisms, and the recently proposed exemptions that seek to ease data export restrictions.
Albeit a positive signal for financiers, healthcare services providers, tech players and others engaged in the GBA, it will take time for the certification process to be fully operationalised. Businesses must continue to wait for answers to some long-standing questions on cross-border data transfers.
In the meantime, you are encouraged to submit your organisations’ comments on the draft GBA Guidance, the process of which will close on 15 November. If you would like to submit your comments via us, feel free to reach out.