Reed Smith In-depth

Key takeaways

  • Streamlined SCC regime for data transfers between Hong Kong and China GBA cities, effective from December 2023
  • Significant business implications for organisations
  • The strategy and compliance steps needed to leverage this important development

In June 2023, Hong Kong and mainland China signed the Memorandum of Cooperation on Cross-border Data Flow in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) to mark the twenty-sixth anniversary of Hong Kong’s return to China. As the first facilitation measure under the Memorandum, the Cyberspace Administration of China (CAC) and the Innovation, Technology and Industry Bureau of Hong Kong (ITIB) jointly issued new guidelines on the implementation of standard contracts (GBA Guidelines) on 10 December 2023, with immediate effect, to launch a pilot programme, streamlining the arrangements on cross-border data transfers within the GBA.

Under China’s Personal Information Protection Law and other laws and regulations, the cross-border data transfer of personal information is subject to security assessment, a nationwide standard contractual clauses (SCC) regime and/or certification, as the case may be. Compared with the nationwide SCC regime, the GBA Guidelines introduce significant and noteworthy relaxations. Business organisations in the GBA can adopt a more lenient SCC mechanism for transferring personal information between the mainland GBA area and Hong Kong. This client alert summarises the key requirements and highlights under the GBA Guidelines and discusses the major implications for business organisations.

Scope of application

Compared with the nationwide SCC regime, the GBA Guidelines widen the scope of the SCC’s application:

  • Under the nationwide SCC mechanism, in case of the cross-border transfer of the ordinary personal information of over 100,000 people or the sensitive personal information of over 10,000 people, companies are not allowed to adopt the SCC regime and instead have to go through a CAC-led security assessment, which is much more complex and time-consuming. Even under the draft Provisions on Regulating and Promoting Transborder Data Flow issued by the CAC on 28 September 2023, the transfer of personal information of more than 1 million people is subject to CAC security assessment. However, under the GBA SCC regime, companies can adopt SCC for cross-border data transfers without being subject to the restriction on data volume, except for those data which is identified as ‘important data’.
  • To address the uncertainty on “important data”, the GBA Guidelines provide that companies can deem their data as non-important data unless otherwise notified by the regulators.
  • It is important to note that the GBA Guidelines cover inbound and outbound data flow between nine cities in the mainland GBA area (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing) and Hong Kong.