Hong Kong, China: Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong–Hong Kong–Macao Greater Bay Area
In this Insight article, Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, explores the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC), including its scope and adoption.
Introduction
The 14th Five-Year Plan of Mainland China emphasized the strategic importance of transforming the Guangdong-Hong Kong-Macao Greater Bay Area (the Greater Bay Area) into a global hub for technological and industrial innovation, and Hong Kong is expected to play a pivotal role as an international center for innovation and technology within this development framework. The Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area also encouraged the introduction of policy measures to facilitate the cross-boundary and regional flow of innovation elements such as talents, capital, information, and technologies. To this end, Mainland China and the Hong Kong Special Administrative Region have been ramping up efforts to establish a robust framework that facilitates cross-boundary flow of personal information within the Greater Bay Area.
On December 13, 2023, the Cyberspace Administration of China (CAC), the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB), and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) jointly promulgated the GBA SC, which represented the first facilitation measure under the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong–Hong Kong–Macao Greater Bay Area (MoU) signed by CAC and ITIB on June 29, 2023, to jointly promote cross-boundary data flows in the Greater Bay Area.
Scope of application of the GBA SC
The GBA SC applies to cross-boundary transfers of personal information between Hong Kong and nine Mainland cities that are within the Greater Bay Area (including Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing of Guangdong Province). Personal information processors and recipients who are registered (for organizations) or located (for individuals) in the Greater Bay Area may carry out cross-boundary transfers of personal information between these nine Mainland cities within the Greater Bay Area (the Mainland cities) and Hong Kong by executing agreements that adopt the GBA SC in compliance with the requirements of the relevant laws and regulations of their respective jurisdictions, including, in particular, Mainland China's Personal Information Protection Law (PIPL) and the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (the PDPO) of Hong Kong.
Compliance with the PDPO
The obligations, including the six Data Protection Principles (DPPs), under the PDPO imposed on data users in Hong Kong are still applicable if they intend to rely on the GBA SC for transferring personal data from Hong Kong to the nine Mainland cities. For example, they should inform the data subjects that their personal data will be transferred to data recipients outside Hong Kong and specify the purposes for which the data is to be used (DPP1). Data users should also assess whether the intended cross-boundary transfer would constitute a new purpose. If so, the data subject's prescribed consent (DPP3) would be required prior to the transfer. A data user engaging a data processor to process personal data outside Hong Kong on its behalf must adopt contractual or other means to, among other things, prevent prolonged retention (DPP2(3)) and unauthorized or accidental access, processing, erasure, loss, or use of the personal data transferred to the data processor (DPP4(2)).
By adopting the GBA SC for cross-boundary transfers of personal data from Hong Kong to the nine Mainland cities within the Greater Bay Area, data users can demonstrate that they have taken reasonable precautions and exercised due diligence to ensure that the relevant data will not be collected, held, processed, or used in Mainland China in any manner that would contravene the provisions of the PDPO if such activities were conducted in Hong Kong. It is recommended that data users in Hong Kong adopt the GBA SC to facilitate these transfers while ensuring compliance with the PDPO in Hong Kong.
The adoption of the GBA SC
The GBA SC contains eight parts and imposes obligations and responsibilities on both personal information processors (including data users) and the intended recipients of the data.
Data users and recipients should also take note of the requirements set out under the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the Implementation Guidelines) issued by the CAC and ITIB on December 13, 2023, regarding the implementation of the GBA SC.
Key definitions
The GBA SC adopts the concept of 'respective jurisdiction' to ensure that personal information processors and recipients can transfer personal information across boundaries in accordance with the relevant legal requirements of their respective jurisdictions. This means that data users in Hong Kong must observe the requirements of the PDPO, while personal information processors in Mainland China must comply with the PIPL and other relevant laws and regulations.
Under the GBA SC, a 'personal information processor' in Mainland China is an organization or individual that autonomously determines the purposes and means of processing personal information. The term also covers a 'data user' in Hong Kong who, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of the data. A 'personal information processor' is the party who transfers personal information across the boundary.
Similarly, while a 'personal information subject' in Mainland China refers to a natural person who can be identified by or is associated with the personal information, the term covers a 'data subject' in Hong Kong. In relation to personal data, this means the individual who is the subject of the data.
The definition of 'personal information,' which is processed by personal information processors in the Mainland cities and by data users in Hong Kong, is determined in accordance with the PIPL and the PDPO, respectively.
Key obligations and responsibilities for personal information processors
Article 2 of the GBA SC specifies the obligations and responsibilities of personal information processors (including data users):
- inform the personal information subjects (including data subjects) of the requisite information, such as the name and contact information of the recipient, the purposes and means of processing the personal information to be transferred across boundaries, the intended transfer to a third party in the same jurisdiction as the recipient (if applicable), etc. (Article 2(2));
- obtain the consent of the personal information subjects prior to the transfer in accordance with the laws and regulations of the jurisdiction concerned (Article 2(3));
- inform the personal information subjects that they will be a third-party beneficiary as agreed by the personal information processor and the recipient under the GBA SC (Article 2(4)); and
- conduct a personal information protection impact assessment on the intended transfer, focusing in particular on the following matters, and retain the report for at least three years (Article 2(8)):
  - the legality, legitimacy, and necessity of the purposes and means, etc., of processing personal information by the personal information processor and the recipient;
  - the impact on and security risks to the rights and interests of personal information subjects; and
  - whether the obligations undertaken by the recipient, as well as its management and technical measures, together with capabilities, etc., to perform such obligations, can ensure the security of personal information transferred across the boundary.
Key obligations and responsibilities for recipients
Article 3 of the GBA SC lists out the obligations and responsibilities for recipients to follow, including:
- The recipient shall not provide the personal information received in accordance with the GBA SC to organizations or individuals outside the Greater Bay Area (Article 3(7)).
- The recipient may only provide personal information to a third party in the same jurisdiction of the Mainland cities within the Greater Bay Area or in Hong Kong if all of the following conditions are met (Article 3(8)):
  - there is a business need for the transfer;
  - the personal information subject has been informed of the requisite information of the third party, the methods and procedures for exercising their rights as a personal information subject, etc.;
  - consent has been obtained in accordance with the applicable laws and regulations of the jurisdiction of the personal information processor (applicable if the processing of personal information is based on an individual's consent); and
  - the personal information is provided to a third party in the same jurisdiction in accordance with the terms set out in the 'Description of cross-boundary transfer of personal information' in Appendix I to the GBA SC.
- If the recipient receives a request from a government department or judicial body of the jurisdiction where it is located to provide the personal information received under the GBA SC, it should immediately notify the personal information processor (Article 3(13)).
Relaxation of requirements
As a facilitation measure to foster the cross-boundary flow of personal information within the Greater Bay Area, the GBA SC has relaxed some of the requirements set out in Mainland China's Measures on the Standard Contract for Cross-border Transfers of Personal Information [1]. For instance:
- the restriction concerning the amount and sensitivity of the personal information that may be transferred across borders was removed under the GBA SC;
- parties to the GBA SC are not required to conduct relevant assessments of the personal information protection policies and regulations in the region where the recipient is located;
- the scope of the personal information protection impact assessment to be conducted by personal information processors under the GBA SC is greatly reduced; and
- there is no specific requirement regarding sensitive personal information or automated decision-making mechanisms under the GBA SC.
Additional requirements
To align with the relevant laws and regulations of Mainland China, the GBA SC imposes additional contractual requirements upon the personal information processors and recipients relative to the requirements under the PDPO. For instance:
- the personal information processor shall conduct a personal information protection impact assessment on the intended transfer (Article 2(8) of the GBA SC);
- the parties shall adhere to the filing procedures of the GBA SC (Article 8(3) of the Implementation Guidelines); and
- the recipient shall not provide the personal information received in accordance with the GBA SC to organizations or individuals outside the Greater Bay Area (Article 3(7) of the GBA SC).
Other notable measures
The personal information processor and the recipient should file their GBA SCs with the relevant authorities in their respective jurisdictions within 10 working days of the effective date(s) of the GBA SC. They should also be responsible for the authenticity of the materials filed. In Hong Kong, such filings should be made with the Office of the Government Chief Information Officer; the corresponding authority in the Mainland cities within the Greater Bay Area is the Guangdong Provincial Cyberspace Administration.
While personal information processors may agree on other terms with the recipient, the terms of the GBA SC shall prevail should there be any conflicts or inconsistencies between the GBA SC and any other legal documents executed by the parties.
Conclusion
The introduction of the GBA SC streamlines compliance requirements for conducting cross-boundary flows of personal information within the Greater Bay Area. It is important to note that the implementation of the GBA SC does not affect the operation of the PDPO or the role of my Office in safeguarding personal data privacy and overseeing compliance with the PDPO within Hong Kong. The GBA SC regime serves as an additional framework for facilitating cross-boundary transfers of personal information. Data users in Hong Kong are advised to read the Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) issued by the PCPD to better acquaint themselves with the requirements of the GBA SC.
It is also worth noting that the Regulations on Facilitating and Regulating Cross-Border Data Flow released by the CAC on March 22, 2024 have introduced, inter alia, further exemptions from the restrictions imposed under the PIPL and other relevant laws and regulations of Mainland China if the transfers of personal information from Mainland China fulfill specified conditions such as the implementation of contractual obligations or when the personal information involved relates to less than 100,000 individuals. Despite that, the GBA SC still retains its attractiveness for transfers of personal information within the Greater Bay Area as the restrictions concerning the amounts and sensitivity of personal information are not applicable in the context of the GBA SC. Further, the personal information protection impact assessments that personal information processors are required to conduct under the GBA SC have also been simplified in terms of the scope of assessment.
The strategic importance of leveraging data to propel Hong Kong's economic growth cannot be overstated. The GBA SC is a significant breakthrough under the 'One Country, Two Systems' guiding principle to foster the development and success of Hong Kong and the Greater Bay Area and is in line with the Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area.
Ada Chung Lai-ling, Privacy Commissioner for Personal Data, Hong Kong, China
Member of the Hong Kong Expert Group on Cross-Boundary Data Collaboration
[1] The Measures on the Standard Contract for Cross-border Transfers of Personal Information came into operation in Mainland China on June 1, 2023. Personal information processors that satisfy the relevant conditions may rely on the execution of the standard contract to transfer personal information out of Mainland China.