Save the Best for Last – All You need to Know about the Standard Contract for GBA Data Transfers (Part I)
Written By
On 13 December 2023, the Cyberspace Administration of China (the “CAC”) and the Innovation, Technology and Industry Bureau (the “ITIB”) of the Hong Kong Government jointly released the “Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (“GBA SCC Guidelines”).
The GBA SCC Guidelines mark China’s first measure to create an integrated approach for the cross-border flow of personal data transfers within the ten cities in the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”).
In this article, we highlight key provisions and share our observations on the proposed requirements. If you require any further assistance, please contact James Gong at [email protected] or Wilfred Ng at [email protected].
This is the Part I of this Article, and we will release the Part II after the New Year.
BACKGROUND
Currently, the cross-border data transfer regime in Mainland China is mainly established by the Personal Information Protection Law (“PIPL”) (click here to read our interpretation of the PIPL). Personal information processors[1] have three routes for the export of personal information (“PI”): (1) passing a governmental security assessment, (2) attaining a PI protection certification from an institution accredited by the CAC (“PIPL Certification”), or (3) entering into standard contractual clauses (“PIPL SCCs”) with PI importers.
Previously, the CAC’s release of the draft regulation for “Administering and Promoting Cross-border Data Flow” on 28 September 2023 proposed substantial changes to the current cross-border data transfer regime (Click here to read our comments on the draft regulation), with no specific coverage for GBA data flows. The GBA SCC Guidelines fill this gap by providing an alternative route for cross-border data transfers within the GBA.
Section 33 of Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”) prohibits the transfer of personal data to places outside Hong Kong, except in circumstances specified in the PDPO. Notably, section 33 has yet to come into effect and no current legislative timetable has been announced for its implementation. There are no mandatory restrictions on the cross-border transfer of personal data from Hong Kong. Against this backdrop, the Office of the Privacy Commissioner for Personal Data of Hong Kong (the “PCPD”) issued two guidelines in 2014 and 2022 on the Recommended Model Contractual Clauses (“RMCs”) for cross-border transfer of personal data. Whilst not mandatory for adoption, the PCPD recommends data users in Hong Kong to adopt the RMCs as part of their data governance obligation. Also, to demonstrate their due diligence efforts to ensure the jurisdiction of the data recipient provides the equivalent safeguards as given under the PDPO (i.e. one of the circumstances permitting cross-border transfer in Section 33).
On 29 June 2023, the CAC and ITIB signed the “Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area” (“the Memorandum”). The signing of the Memorandum underscores the authorities’ intentions to establish a secure mechanism for cross-border data flow in the GBA, under the national management framework for safeguarding the security of cross-border data transfers. The “Opinions on Further Optimizing the Foreign Investment Environment and Increasing the Attraction of Foreign Investment” issued by the State Council in August 2023 also explicitly acknowledged this initiative, encouraging the exploration of convenient security management mechanisms for cross-border data flows in the GBA.
On 1 November 2023, the National Information Security Standardization Technical Committee (“TC260”) issued the “Network Security Standard Practice Guide—Guangdong-Hong Kong-Macao Greater Bay Area Cross-Border Personal Information Protection Requirements (Draft for Comment)” (the “Draft Guide”), which is intended to serve as the implementation measures to the Memorandum, providing specific operational rules of the certification mechanism ("GBA certification") for cross-border flow of data between the Mainland and Hong Kong (Click here to read our comments on the Draft Guide).
On 8 December 2023, the Hong Kong ITIB and OGCIO released the “Policy Statement on Facilitating Data Flow and Safeguarding Data Security in Hong Kong”. It indicated that the Constitutional and Mainland Affairs Bureau would consider possible amendments to the PDPO to align with the latest international developments in privacy protection, strengthen personal data protection, and address the challenges posed by cyber technologies.
At the Central Economic Work Conference on 12 December 2023, President Xi Jinping emphasized the need to expand opening up to the international community at a high-level, the serious consideration of cross-border data flow issues, as well as the need to continue to build a first-class internationalized business environment that is market-oriented and rule of law-oriented. The following morning, the GBA SCC Guidelines were officially released, enabling individuals and organizations in the GBA to voluntarily enter into a standard contract (the “GBA SCCs”) as per Appendix I to the GBA SCC Guidelines to facilitate their free data flow within the GBA.
KEY PROVISIONS AND OBSERVATIONS
I. Legal Effect and Application
What is the legal effect of the GBA SCCs mechanism?
The GBA SCC Guidelines came into effect on December 13, 2023. According to the related information[3] and press release[4] issued by the Hong Kong SAR Government on the same day:
i. The adoption of GBA SCCs is on a voluntary basis.
ii. The GBA SCCs mechanism does not affect the regulation of the processing and export of PI in the Mainland and Hong Kong according to local laws and regulations of the respective jurisdictions.[5]
The adoption of GBA SCCs is on a voluntary basis, which means:
- Mainland PI Processors in the GBA can still export data outside the GBA pursuant to the existing three options for cross-border flow of PI under the PIPL. On the other hand, if the data only needs to be circulated within the GBA (i.e. no onward transfer outside the GBA), PI Processors can rely on the GBA SCCs or the GBA Certification mechanism (We will keep a watching brief on the relevant filing guidelines and any consultation hotline to be released by the Guangdong CAC – watch this space).
- For data users in Hong Kong, there is no change to any restriction of personal data to be transferred outside the jurisdiction. Existing data flow from Hong Kong to Mainland China will not be subject to a compulsory legal requirement for entering into the GBA SCCs.[6]
When will the GBA SCCs mechanism apply?
The OGCIO of the HKSAR Government has stated[7] that the GBA SCCs mechanism applies to both directions of cross-border flow of PI between Mainland cities in the GBA and Hong Kong.
The following conditions must be met:
i. Both the PI Processor and recipient must be located in the GBA: The PI Processors[8] and the recipients must be registered (in the case of organisations) or located (in the case of individuals) in Mainland cities within the GBA, i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing of Guangdong Province, or the Hong Kong; and
ii. The transfer should not involve the export of important data: Notably, the GBA SCCs mechanism does not apply if the export of important data is involved. PI may be classified or promulgated as important data by relevant departments or regions.
iii. There should be no onward transfer of PI outside the GBA: the GBA SCCs mechanism does not apply if there is a need for onward transfers of PI to organisations or individuals outside of the GBA.
Specifically, it is not allowed to provide[9] PI to organisations or individuals outside of the GBA under the GBA SCCs mechanism, but GBA SCCs do not explicitly prohibit transfer to the entrusted sub-processor outside the GBA[10]. However, the Guangdong CAC currently rejects any implication that entrusted sub-processing can be conducted outside the GBA. We will keep a watching brief on the relevant filing guidelines and any consultation hotline to be released by the Guangdong CAC – watch this space.
The above conditions do not concern the quantity of PI being exported. This suggests that the GBA SCCs have less stringent requirements for implementation compared to the PIPL SCCs[11], a point confirmed by the Hong Kong SAR Government.[12] This may mean that for Mainland PI Processors in the GBA:
- Despite reaching the threshold of governmental security assessment, if the above conditions can be met, Mainland PI Processors can still choose to export PI pursuant to the GBA SCCs mechanism.
- Conversely, if the exemption conditions in the draft regulation for Administering and Promoting Cross-border Data Flow for data export compliance mechanisms (such as PIPL SCCs) are met, Mainland PI Processors do not have an obligation to export data pursuant to the GBA SCCs mechanism.
If not, for PI Processors who meet the exemption conditions, the cross-border compliance requirements in the GBA are higher than those in other Mainland areas, which contradicts the goal of promoting data flow in the GBA. We will keep a watching brief on the relevant legislative developments to further confirm such implications - watch this space.
Stay tuned for Part II after the New Year, where we’ll dive deeper into the provisions of the GBA SCC Guidelines and share with you our views and observations.
—
