In June 2023, Hong Kong and mainland China signed the Memorandum of Cooperation on Cross-border Data Flow in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) to mark the twenty-sixth anniversary of Hong Kong’s return to China. As the first facilitation measure under the Memorandum, the Cyberspace Administration of China (CAC) and the Innovation, Technology and Industry Bureau of Hong Kong (ITIB) jointly issued new guidelines on the implementation of standard contracts (GBA Guidelines) on 10 December 2023, with immediate effect, to launch a pilot programme, streamlining the arrangements on cross-border data transfers within the GBA.
Under China’s Personal Information Protection Law and other laws and regulations, the cross-border data transfer of personal information is subject to security assessment, a nationwide standard contractual clauses (SCC) regime and/or certification, as the case may be. Compared with the nationwide SCC regime, the GBA Guidelines introduce significant and noteworthy relaxations. Business organisations in the GBA can adopt a more lenient SCC mechanism for transferring personal information between the mainland GBA area and Hong Kong. This client alert summarises the key requirements and highlights under the GBA Guidelines and discusses the major implications for business organisations.
Scope of application
Compared with the nationwide SCC regime, the GBA Guidelines widen the scope of the SCC’s application:
- Under the nationwide SCC mechanism, in case of the cross-border transfer of the ordinary personal information of over 100,000 people or the sensitive personal information of over 10,000 people, companies are not allowed to adopt the SCC regime and instead have to go through a CAC-led security assessment, which is much more complex and time-consuming. Even under the draft Provisions on Regulating and Promoting Transborder Data Flow issued by the CAC on 28 September 2023, the transfer of personal information of more than 1 million people is subject to CAC security assessment. However, under the GBA SCC regime, companies can adopt the SCC for cross-border data transfers without being subject to the restriction on data volume, except for data identified as “important data”.
- To address the uncertainty on “important data”, the GBA Guidelines provide that companies can deem their data as non-important data unless otherwise notified by the regulators.
- It is important to note that the GBA Guidelines cover inbound and outbound data flow between nine cities in the mainland GBA area (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing) and Hong Kong.
Pre-conditions for GBA SCC
In order for companies in the GBA to adopt the GBA SCC regime, the parties must satisfy the requirements set forth in the GBA SCC, including the following two primary conditions:
- The data transferor under the GBA SCC, which could be either a Hong Kong entity or an organisation registered in the mainland GBA area, must have notified the data subjects or secured consent from the data subjects in accordance with the local data laws. Where the data transferor is a Hong Kong entity, it has to comply with the data privacy laws in Hong Kong. If it is a domestic entity, the data laws of mainland China must be followed.
- The data transfer must be within the boundaries of the GBA. Data transfers out of the GBA territory are not allowed under the GBA Guidelines, regardless of whether they are direct or onward transfers. If the data recipient intends to further transfer the data received to other entities in the GBA, the entities’ names must be disclosed in Appendix 1 of the GBA SCC.
For those companies in the GBA sharing IT systems with their affiliates outside of the GBA, personal information could be shared via such shared IT systems in certain cases. Relevant measures must be taken to ensure the data transferred under the GBA SCC regime is isolated and not accessible by affiliates outside of the GBA. Otherwise, it could present non-compliance risks and hence have a negative impact on the cross-border data transfer and business continuity.
GBA SCC vs. nationwide SCC
A GBA version of the SCC is attached to the GBA Guidelines. Compared with the nationwide SCC, the terms and conditions of the GBA SCC are more streamlined. For instance, the nationwide SCC requires the data recipient to enter into a data processing agreement with the recipient of the onward transfer under terms and conditions that are no less stringent than the data protection standard in China. In addition, in the nationwide SCC, the parties shall warrant and represent that they have exercised their duty of reasonable care at the time of conclusion of the SCC, and have not discovered any data protection laws of the overseas recipient’s jurisdiction that affect the overseas recipient’s performance of the SCC following proper assessment. These are no longer required under the GBA SCC.
Moreover, the governing law under the nationwide SCC must be Chinese law. Under the GBA SCC, Hong Kong law may apply where the data is transferred from Hong Kong to the mainland GBA area. On the other hand, while disputes may be resolved by way of litigation or arbitration, where the parties opt for arbitration the GBA SCC only allows them to submit the dispute to one of the five arbitral institutions located in mainland China and Hong Kong for arbitral proceedings. Other arbitral institutions from the member jurisdictions of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards are no longer an option in the GBA SCC.
In spite of the above, the GBA SCC shares some arrangements with the nationwide SCC. For example, the main body of the two SCCs is not amendable, but the parties under both SCCs are allowed to include additional terms and conditions in Appendix II provided that they do not conflict with the main body. Moreover, supplemental filings will be required under both SCC regimes in case of any changes to the scope or category of the transferred personal information, and/or when the data recipient changes its purpose and/or method of processing the personal information.
Filing procedure
Under the nationwide SCC regime, the data transferor must submit the executed Chinese version of the SCC, the personal information protection impact assessment (PIPIA) report and other supporting documents to the local provincial CAC for filing. Filing is not merely procedural; it serves as a de facto approval because the outcome of the review is either a “pass” or “failure”. Once the “failure” notification is issued, the data transferor will be asked to provide supplementary materials within 10 working days.
The GBA SCC is also subject to a filing procedure, but the required documentation has been greatly simplified. Only the executed SCC, an undertaking letter and a copy of the legal representative’s ID/passport need to be submitted for filing. The PIPIA report is no longer required, although the GBA Guidelines still require the data transferor to conduct a simplified PIPIA. The regulator in charge of the filing procedure is the provincial CAC in Guangdong (if the data transfer is from the mainland GBA area to Hong Kong) or ITIB (if the data transfer is from Hong Kong to the mainland GBA area). It remains uncertain whether the filing of the GBA SCC is merely procedural or can be denied. We believe the situation will be clearer after the GBA Guidelines are implemented in practice.
Compliance suggestions
In the fast-moving digital era, it is very common for cross-border data transfers to take place, both inward and outward. The GBA Guidelines will greatly facilitate the inward and outward flow of data between the mainland and Hong Kong, promote digital economic innovation in the GBA and support Hong Kong’s better integration into the overall development of China. This is definitely a significant regional development in the data community, offering more options for MNCs with a business presence in the GBA to strategise their data practices. For risk mitigation purposes, MNCs in China are advised to take the following compliance suggestions into consideration:
- The data transferor and data recipient should conduct proper data mapping and identify the data flow, the location of data recipients and the type and volume of personal data to be transferred out of China, so as to assess whether the company is able to take advantage of the GBA SCC regime to streamline the cross-border data transfer.
- The deployment of IT infrastructure must be carefully reviewed and designed if the data transferors in the GBA share IT systems with affiliates outside of the GBA. The sharing of IT systems could result in the sharing of personal information in most cases. As the GBA Guidelines have become effective, relevant technical measures must be taken so that the data transferred under the GBA SCC regime will not be accessed by affiliates outside of the GBA.
- The compliance steps are not one-time undertakings. To ensure continued compliance, companies should monitor and track the life-cycle performance of the GBA SCC, keep up to date with legislative developments, secure professional support and take the required measures in case of any changes to the GBA SCC.
- The GBA SCC regime is an administrative measure and does not affect the supervisory and regulatory roles of the data regulators in mainland China and Hong Kong. It remains important to ensure full compliance with the regulations and guidelines in the relevant jurisdictions.
In-depth 2023-289