On 13 December 2023, the Cyberspace Administration of China (the “CAC”) and the Innovation, Technology and Industry Bureau (the “ITIB”) of the Hong Kong Government jointly released the “Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (“GBA SCC Guidelines”).
The GBA SCC Guidelines mark China’s first measure to create an integrated approach for the cross-border flow of personal data transfers within the ten cities in the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”).
In this article, we highlight key provisions and share our observations on the proposed requirements. If you require any further assistance, please contact James Gong at [email protected] or Wilfred Ng at [email protected].
This is the Part II of the Article. Click here to read the Part I of this Article.
(See Part I of this Article)
(see Part I of this Article)
Compliance Obligations
1. Fully informing the PI subject and obtaining a legal basis (such as consent): This should be carried out in accordance with the relevant local laws and regulations of the PI Processor’s jurisdiction. If the local laws and regulations do not require notification, then their provisions should be followed.
2. Conducting a Personal Information Protection Impact Assessment (“PIPIA”)
Before carrying out cross-border transfers of PI under the GBA SCCs, PI Processors (including data users in Hong Kong) must conduct a PIPIA. The GBA SCC Guidelines do not currently stipulate that the PIPIA conducted for the purpose of entering into GBA SCCs needs to be submitted to local authorities. This remains a procedural distinction from the practice under PIPL SCCs, where the PIPIA conducted has to be submitted to the CAC together with the signed PIPL SCCs.
For data users in Hong Kong, carrying out a PIPIA is not required under the PDPO. The PCPD only recommends a non-compulsory Privacy Impact Assessment (“PIA”) before launching new businesses or projects that may have a significant impact on personal data privacy. However, it should be noted that the “Policy Statement on Facilitating Data Flow and Safeguarding Data Security in Hong Kong” mentioned that the Constitutional and Mainland Affairs Bureau will consider possible amendments to the PDPO to align legislation with the latest international developments in privacy protection. Thus, the PDPO may incorporate international practices and mandate PIA as a compliance requirement in certain situations.
The assessment of the impact of the PI protection policies and regulations of the recipient’s country or region on the performance of the standard contract is not required under the GBA SCC Guidelines which is an obligation stipulated under the PIPL SCCs. This means the GBA SCCs mechanism does not require the evaluation of the legal environment of PI protection in the recipient jurisdiction, an exercise entailed in a customary transfer impact assessment in international data transfer mechanisms.
3. Signing the GBA SCCs with the recipient according to the template
The GBA SCCs must strictly adhere to Appendix I of the GBA SCC Guidelines. While the PI Processor can negotiate additional terms with the recipient, these terms must not contradict the GBA SCCs. In case of any discrepancies between the GBA SCCs and other legal agreements, the GBA SCCs takes precedence. For specific business arrangements, separate commercial contracts can be established.
The GBA SCCs template is currently designed for one-way data transfers. Hence, if a cross-border data exchange involves transfers from Mainland China to Hong Kong and vice versa, it would necessitate the signing of two distinct GBA SCCs to accommodate each direction of transfer.
Key differences between the GBA SCCs and PIPL SCCs include:
As per Article 6 of the GBA SCC Guidelines, cross-border PI transfers may only occur once the GBA SCCs are effective. Additionally, a filing with the local regulatory authority is required within ten working days from the GBA SCCs’ effective date, and a filing reference number must be obtained before any cross-border PI transfer, as confirmed with the Guangdong CAC.
4. Filing the GBA SCCs with the local regulatory authority
Under GBA SCCs, both PI Processors and recipients shall file with their local authorities, unlike PIPL SCCs where only Mainland PI Processors are required to file. This measure may be to monitor recipients’ implementation based on the GBA SCCs, especially in relation to data onward transfers within the GBA.
The Guangdong CAC has indicated that one party filing under GBA SCCs may suffice, but this requires Hong Kong authorities’ confirmation. Notably, the OGCIO issued the Filing Guidelines on the Standard Contract for the Cross-boundary Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)[3] (“Hong Kong Filing Guidelines”), which are silent on this issue but have referred to two separate sets of filing procedures for both Hong Kong-based PI Processors and recipients. Whether this in practice means a Hong Kong recipient is expected to conduct a local filing in addition to the CAC filing already made by a PI Processor based in Mainland China remains to be seen.
For Hong Kong data users and recipients, using the GBA SCCs mechanism means increased filing responsibilities. However, the PCPD’s RMCs[4] which are more concise and flexible than GBA SCCs, do not require filing with the regulatory authority.
PI Processors and recipients shall file with the Guangdong CAC or the OGCIO in the Hong Kong according to their respective jurisdictions and submit the required filing documents.
The Hong Kong Filing Guidelines are only applicable to contracting parties in Hong Kong, including data users or recipients.
The Guangdong CAC is expected to issue filing guidelines in the near future, which will be applicable to PI Processors and recipients in the nine Mainland cities of the GBA.
Hong Kong OGCIO has provided a separate application form for filing, and the Guangdong CAC may also develop corresponding filing application forms, requiring PI Processors to provide their contact information.
Pending confirmation from upcoming the Guangdong CAC filing guidelines, it appears that the above filing documents do not require a PIPIA report, suggesting more flexibility in the PIPIA of the GBA SCCs in form and content compared to the PIPIA under the PIPL SCCs. Despite this, authorities may still review the PIPIA report during cross-border transfers and request rectification depending on the situation.
The filing process may include the submission of documents, the checking of documents, notification of filing results, the provision of supplementary information and carrying out the re-filing procedures.
1. PI Processors in the GBA should promptly re-conduct a PIPIA, enter into a supplemental agreement or a new GBA SCCs, and conduct the corresponding filing procedures, should the following occur:
2. PI Processors and recipients in the GBA shall be supervised and managed by the regulatory authorities of the jurisdiction concerned.
The OGCIO’s responsibilities for GBA SCC Guidelines implementation include:
PI Processors and recipients in the GBA shall accept supervision and management by the regulatory authorities of the jurisdiction concerned during the implementation of the GBA SCCs, specifically including:
Regulatory authorities may request rectification from PI Processors or recipients if high security risks or incidents are identified in the cross-border processing of PI. Cases requiring involvement of other law enforcement will be referred in accordance with the law.
The roles of Mainland and Hong Kong’s data protection authorities in enhancing data protection, handling complaints, investigating, and addressing unlawful data processing remain unaffected by these rules.
If a Hong Kong recipient violates the GBA SCC Guidelines by transferring PI outside the GBA, the OGCIO will follow up on reports or complaints. They may require rectification, with the recipient expected to cooperate, comply, and provide proof of actions taken. If there is any behaviour in violation of the PDPO, the PCPD will follow up and handle the case according to the PDPO.
Implementation Measures
The OGCIO of Hong Kong intended to launch a Pilot Implementation of the GBA SCCs in December 2023, with the first phase openly inviting participants from banking, credit referencing and healthcare sectors. The Hong Kong government will review the Pilot Implementation in due course and expand the facilitation measures to other sectors.
Individuals or enterprises who are interested in participating in the Pilot Implementation must submit their Expression of Interest Form before December 31, 2023.
According to the Expression of Interest Form, any PI Processor or recipient can apply to participate, regardless of industry, and applicants are not limited to banks, credit referencing, and healthcare sectors. In addition, individual PI Processors or recipients can also participate in the Pilot Implementation.
The clear policy intention of the GBA SCC Guidelines to facilitate the transfer of PI from Mainland China to Hong Kong should be understood in the context of any potential impact on the compliance costs. Examples discussed above include the need to conduct the PIPIA for Hong Kong data users and the need for both Mainland China and Hong Kong-based parties to file with their respective local authorities.
It is important to note that Mainland China-based PI Processors can still export data via the existing mechanism pursuant to the PIPL. If data flow does not need to extend beyond the GBA, they can opt for GBA SCCs or GBA Certification mechanisms as needed. They should monitor Guangdong CAC’s upcoming filing guidelines and regulatory development on potential exemptions of the data export compliance obligations.
For Hong Kong data users transferring data to Mainland China, the need to rely on the GBA SCCs will inevitably be a case-by-case assessment. This is likely to depend on the organisation’s existing compliance logic for international data transfers, particularly if intra-group data transfer impact assessment and transfer agreements can be leveraged upon, which will be a natural option for mitigating against any additional potential compliance cost. Relevant stakeholders are advised to monitor any upcoming PDPO revisions and participate in the Pilot Implementation to provide feedback.
[1] According to the GBA SCCs, PI Processors, for the Mainland China, refers to an organisation or individual that autonomously determines the purposes and means of PI processing; for the HKSAR, it also covers a “data user” which, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
[2] The PIPL SCCs also requires PI Processors to assess the risks in more detail, including the quantity, scope, type, and sensitivity of PI to be transferred overseas, and the risk that the outbound cross-border transfer may pose to PI rights and interests; the risk of the PI being tampered with, sabotaged, disclosed, lost, or illegally used after the it is transferred overseas, and whether there is a smooth channel for protecting the rights and interests in the PI.