Facilitating cross-border data flow in the GBA

The Guangdong-Hong Kong-Macau Greater Bay Area (GBA) initiative creates a highly integrated economic and business hub by connecting nine cities in Guangdong province with the Hong Kong and Macau Special Administrative Regions.

Introduction of the Standard Contract for the Cross-boundary Flow of Personal Information within the GBA (GBA SCC) marks a new milestone for cross-border data transfer. While adoption of the GBA SCC is voluntary, it provides an alternative route facilitating cross-border data flow.

Background

1. Mainland China’s Personal Information Protection Law (PIPL). The PIPL (effective from 2021) stipulates three main methods for transferring personal data abroad (subject to exemptions):

Companies not classified as critical information infrastructure operators processing personal information below a specified quantity threshold can use Standard Contractual Clauses (China SCCs) issued by the Cyberspace Administration of China (CAC) to transfer personal information abroad. A personal information protection impact assessment (PIPIA) must be conducted and filed with the local CAC authority before using the China SCC.

Companies can obtain personal information protection certification from authorised certification institutions, verifying that their data processing complies with relevant standards.

Companies that: (1) are classified as critical information infrastructure operators; (2) have processed personal information exceeding a specified quantity threshold; and (3) the transfer of certain types of data outside mainland China must undergo a mandatory government-led security assessment review.

2. Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). Hong Kong’s primary data protection legislation, the PDPO (effective from 1996), does not explicitly restrict cross-border data transfers.

Companies intending to transfer data outside Hong Kong should generally observe the Data Protection Principle 3 under the PDPO, which requires data users to inform data subjects about the purpose of data collection and classes of transferees, and obtain prescribed consent from them if the transfer is for a new purpose.

The Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) also issued two guidelines, in 2014 and 2022, on Recommended Model Contractual Clauses. These guidelines assist data processors and users in complying with the PDPO for cross-border transfers of personal data.

GBA SCC data transfer

• • Territorial scope – The GBA SCC applies to cross-border transfers of personal information among the nine cities and two special administrative regions within the GBA: Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing, Hong Kong and Macau.
  • Types of data – All types of personal information can be transferred under the GBA SCC, except for “important data” designated as such by GBA authorities.
  • No onward transfers outside the GBA – The GBA SCC is not applicable in situations requiring onward transfers of personal information outside the GBA.
  • PIPIA – The PIPIA is an assessment of the legality, necessity and security risks of the data transfer, which must be completed by the personal information processor three months before the date of filing the GBA SCC with relevant authorities.
  • Filing requirement – The signed GBA SCC, a letter of undertaking, the authorised representative’s identity document and other supporting documents must be filed with the relevant authorities within 10 working days.
  • Governing law & dispute resolution – The GBA SCC can be governed by either mainland China or Hong Kong law. Disputes can be resolved through courts or arbitration in mainland China or Hong Kong.
  • Compliance & enforcement – Regulatory authorities can request rectification if there are security risks or incidents. Parties can file complaints either at the CAC, Guangdong’s CAC, the Innovation, Technology and Industry Bureau in Hong Kong, the Office of the Government Chief Information Officer in Hong Kong, or the PCPD if any obligations under the GBA SCC are not met.

Implication takeaways

• • Increased compliance requirements for Hong Kong entities – Under the PDPO, there is no requirement for government filings for any cross-border data transfer, unlike the requirements in mainland China under the PIPL. With the introduction of the GBA SCC mechanism, data processors and data recipients in both regions are required to file the GBA SCC with their respective authorities within 10 working days of the contract’s effective date. Further, Hong Kong-based entities are now required to conduct a PIPIA before engaging in cross-border data transfers within the GBA, adding a new compliance requirement for Hong Kong-based businesses.
  • Reduced compliance burden for mainland China entities – Compared to the China SCC under the PIPL, the GBA SCC imposes less stringent requirements. For instance, there is no volume threshold that would trigger a security assessment for data exporters in the GBA, and the scope of the PIPIA is narrower.
  • Strengthened Hong Kong status as data hub – The GBA SCC mechanism provides a legal framework for the transfer of personal data within the GBA that aims to facilitate data flow within the region.

Availability of the GBA SCC also makes Hong Kong an attractive location for companies seeking to establish regional data centres or hubs to support their operations across the GBA, which could strengthen Hong Kong’s position as a data hub within the GBA.

Authors: Sam Wu and Beverly Fu at YYC Legal LLP