On 13 December, the Cyberspace Administration of China (CAC) and the Innovation, Technology and Industry Bureau (ITIB) in Hong Kong SAR (HKSAR) jointly published the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (GBA Standard Contract). Under these guidelines, in-scope organisations in the Guangdong-Hong Kong-Macau Greater Bay Area (GBA) can adopt a prescribed template for the GBA Standard Contract to legitimise cross-border personal information processing activities across the GBA.
This new GBA Standard Contract initiative is another facilitation measure under the MOU which was signed in June this year between Mainland China and HKSAR on safeguarding data flows and promoting a digital economy in the GBA. Together with the GBA data transfer certification regime (the draft of which was released last month), the measures will constitute the two main personal information transfer mechanisms specific to the GBA, as additional options to those applying at a national level in Mainland China under the Personal Information Protection Law (PIPL).
Comparison with the China Standard Contract
We look at the key aspects of the GBA Standard Contract in the table below, comparing and contrasting it with the China Standard Contract.
Key requirements which go beyond the HK PDPO
For HKSAR organisations transferring data from HKSAR to the designated cities of the GBA, the GBA Standard Contract represents a novel mechanism solely governing cross-boundary data flows to these urban centres. The mechanism is voluntary, but the HKSAR Privacy Commissioner encourages businesses from the territory to use it when transferring data to these cities. For other cross-boundary data flows, organisations may continue to use the Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data issued by the PCPD.
Organisations based in HKSAR adopting the GBA Standard Contract should note the following key requirements which go beyond the HK Personal Data (Privacy) Ordinance (PDPO). In fact, most of these requirements appear to be a reiteration of the PIPL’s requirements. As we commented on the GBA certification regime, while a Mainland China-based data sender should have observed the PIPL’s requirements in any case, HKSAR-based data senders would likely prefer not to uplift compliance with requirements that are not otherwise set out under the PDPO.
- Impact assessment report: Before entering into the GBA Standard Contract, the data sender must conduct a personal information protection impact assessment (PIPIA), assessing (1) the legality, legitimacy and necessity of the purposes, means, etc. of the personal information processing; (2) the impact on and security risks to the rights and interests of data subjects; and (3) the obligations undertaken by the recipient and whether its governance, technical measures and capabilities, etc., ensure the security of the personal information to be transferred.
- Enhanced data subject rights: While data subjects are entitled under the PDPO to data access and correction rights and the right not to receive direct marketing materials, the GBA Standard Contract additionally grants them rights to supplement and erase their personal information and to request an explanation of the information processing. If there is an unresolved dispute between the data subject and either the sender of personal information or the recipient, the data subject (as a third-party beneficiary of the GBA Standard Contract) may lodge court proceedings in addition to complaining to the relevant authorities.
- Enhanced obligations on the recipient: Under the PDPO, a recipient processing personal information on behalf of a data sender (whether the sender is within or outside the HKSAR) is not directly regulated, though organisations which outsource data processing to recipients must use contractual or other measures to ensure those recipients’ compliance with retention and security requirements. However, recipients are now subject to the following enhanced measures under the GBA Standard Contract, including: (1) notifying the data sender immediately and reporting to the regulatory authorities if personal information processed is lost, damaged, disclosed, or unlawfully used or accessed; (2) allowing the data sender to undertake compliance audits on the processing activities conducted by it; (3) obtaining consent from the data sender when data processing is further entrusted to a third party and supervising that third party’s data processing; and (4) complying with certain conditions before sharing personal information with a third party in the same jurisdiction for processing.
As an administrative step, the data sender and the recipient must file the GBA Standard Contract with the OGCIO within 10 working days from the effective date of the GBA Standard Contract. This timing aligns with that applied to the China Standard Contract.
Incentive for adopting the GBA Standard Contract
Given that the GBA Standard Contract regime is voluntary, the question is who will have a higher incentive to adopt the GBA Standard Contract.
As alluded to in our earlier post, since the cross-border data transfer provisions under HKSAR’s PDPO remain inoperative, transferring personal information out of HKSAR is not yet subject to stringent restrictions. As such, it seems logical to anticipate that HKSAR-based businesses would have less incentive to uplift compliance via the GBA Standard Contract, although the GBA Standard Contract seemingly relaxes certain requirements for recipients compared with the China Standard Contract.
Separately, given that onward transfers are limited to the GBA region, the benefit of signing a GBA Standard Contract seems greatly diminished for international companies based in HKSAR, and potentially for PRC-based companies and other business partners based in the GBA, if they have a significant operational need to transfer data to countries/regions other than the GBA.
What’s next?
The GBA Standard Contract mechanism, together with the GBA data transfer certification regime (once finalised), will supplement the existing data export mechanisms from Mainland China, which consist of security assessment, personal information protection certification and standard contract mechanisms, and the exemptions proposed in late September that seek to ease data export restrictions.
Albeit a positive signal for GBA data flows, the GBA Standard Contract mechanism is not open to all businesses. According to OGCIO’s news release, an “early and pilot implementation” arrangement for the GBA Standard Contract will begin this month, opening as a first phase to the banking, credit referencing and healthcare sectors. Organisations in these selected sectors seemingly have stronger demand for cross-boundary services, despite the relatively limited geographical area in which personal information is permitted to flow under this GBA-only scheme. Tech-driven businesses and service providers in these industries are a particular target for the scheme due to their role in the GBA’s digital economy.
Businesses may consider whether to leverage the GBA Standard Contract mechanism as an alternative solution to facilitate their cross-border data transfer across the Greater Bay Area.
We are here, of course, to help!