In recent years, cross-border transactions and digitalisation have grown, especially with closer integration among cities within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA), and frequent data flows between Hong Kong and other cities within the GBA are to be expected. This trend also creates a need to protect personal data during such cross-boundary flows.
On 29 June 2023, the Cyberspace Administration of China (“CAC”) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (“ITIB”) executed the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong–Hong Kong–Macao Greater Bay Area (“MoU”). As a facilitation measure under the MoU, the CAC, the ITIB, and the Office of the Privacy Commissioner for Personal Data in Hong Kong (“PCPD”) formulated the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the “GBA Standard Contract”) to facilitate the flow of personal information within the GBA. In December 2023, the ITIB and the CAC launched an early and pilot implementation arrangement for the GBA Standard Contract. It was opened to participation by the banking, credit referencing and healthcare sectors, and its coverage will gradually be extended to various business sectors.
This article gives a brief overview of the current laws relating to the cross-boundary transfer of personal data in Hong Kong and the PRC, as well as an overview of the GBA Standard Contract.
Laws governing the transfer of personal data outside the jurisdiction concerned
Hong Kong
The primary legislation in Hong Kong governing the protection of personal data is the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), which also sets out six Data Protection Principles (“DPPs”).
In the context of transferring personal data outside Hong Kong, section 33 of the PDPO prohibits the transfer of personal data to places outside Hong Kong unless one of a number of conditions is met. However, as at the date of this article, section 33 of the PDPO is not yet enacted. Nevertheless, the DPPs, which are currently in force, require a data user who wishes to transfer personal data outside Hong Kong to (i) inform the data subject that his/her personal data will be transferred to data recipients outside Hong Kong and the purpose for which the data is to be used[1], and (ii) obtain the data subject’s prescribed consent if it is for a new purpose[2]. When a data user hires a processor to handle personal data outside of Hong Kong, the data user must ensure that the data is not kept longer than necessary[3] and is protected from unauthorized access, processing, loss, or misuse[4].
PRC
The Personal Information Protection Law (“PIPL”) is the main legislation dedicated to the protection of personal information in the PRC. Under the PIPL, personal information processors[5] must obtain separate consent from individuals before transferring personal information out of the country. They must also conduct personal information protection impact assessments under Articles 39 and 55 of the PIPL. In addition, unless an exemption applies[6], they must meet one of the four conditions specified in Article 38 of the PIPL: (i) pass a security assessment by the national cyberspace administration authorities, (ii) obtain certification of personal information protection from professional institutions, (iii) enter into standard contracts issued by the national cyberspace administration authorities, or (iv) fulfill other conditions specified by PRC laws and regulations.
The GBA Standard Contract
Scope of application
Adoption of the GBA Standard Contract is voluntary. It applies to flows of personal information between personal information processors and recipients which are registered (in the case of organisations) or who are located (in the case of individuals) in the Mainland cities within the GBA (i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing of Guangdong Province) and Hong Kong; Macau is not included in the scope. Personal information processors and recipients in the GBA may conduct cross-boundary flows of personal information between Mainland cities within the GBA and Hong Kong by entering into the GBA Standard Contract.
Content of the GBA Standard Contract
The GBA Standard Contract consists of eight articles, which set out the respective obligations and responsibilities of the personal information processors and recipients, the rights of the data subjects, and the consequences of any breach.
The main obligations and responsibilities of personal information processors and recipients under the GBA Standard Contract are set out as follows:
Personal information processors
- Subject to the requirement of notice under the relevant laws and regulations of the jurisdiction concerned, personal information subjects should be informed of the name and contact information of the recipient, purposes of processing, means of such processing, categories of personal information, retention period(s), the transfer to a third party in the same jurisdiction as the recipient, and the methods and procedures for personal information subjects to exercise their rights, etc.[7]
- Prior to the transfer of personal information, the consent of personal information subjects should be obtained in accordance with the laws and regulations of the jurisdiction concerned.[8]
- Personal information subjects should be informed that they will be a third-party beneficiary under the GBA Standard Contract if they do not explicitly reject this term within 30 days, such that they shall enjoy the rights of a third-party beneficiary under the GBA Standard Contract.[9]
- Conduct a personal information protection impact assessment on the intended transfer of personal information to the recipient.[10]
- Process, retain and safeguard the personal information received in accordance with the GBA Standard Contract.[11]
Personal information recipients
- The recipient shall not provide personal information received to any third party outside the GBA.[12]
- Provision of personal information to a third party in the same jurisdiction of the Mainland cities within the GBA or Hong Kong as the recipient is allowed if all of the following conditions are met, including:[13]
  - There is a business need for the transfer;
  - Subject to the requirement of notice under the relevant laws and regulations of the jurisdiction concerned, notice has been given to the personal information subject similar to the one given by the processors to the subject mentioned above;
  - Consent is obtained from the personal information subject and processor, respectively; and
  - The personal information is provided to a third party in the same jurisdiction following the terms set out in Appendix I of the GBA Standard Contract.
- If a government or judicial body makes a request to the recipient to provide the personal information obtained under the GBA Standard Contract, the recipient should notify the personal information processor promptly.[14]
Procedure on adopting the GBA Standard Contract
Prior to entering into the GBA Standard Contract, the personal information processor shall conduct a personal information protection impact assessment and complete it within 3 months before the filing date.
The personal information processor and the recipient should file their GBA Standard Contract with the Cyberspace Administration of Guangdong Province or the Office of Government Chief Information Officer of the HKSAR Government within 10 working days of its effective date, and should be responsible for the authenticity of the materials submitted.
Conclusion
The GBA Standard Contract is a voluntary agreement for data users and recipients to enter into. Data users in Hong Kong may choose not to enter into the GBA Standard Contract, since they can freely transfer information outside Hong Kong as long as they have obtained informed consent from the data subject under the current PDPO. On the other hand, for recipients in Hong Kong who wish to receive personal information from data users in Mainland cities within the GBA, the GBA Standard Contract streamlines the compliance arrangements and thus facilitates cross-boundary collaboration in the GBA.
Should you require any assistance or advice in relation to the above, we are happy to provide you with a consultation.
[1] DPP1
[2] DPP3
[3] DPP2(3)
[4] DPP4(2)
[5] “Personal information/data processors” has a similar meaning to “data user” under the PDPO. Hence, in this article, these two terms are interchangeable.
[6] Under the Regulations on Facilitating and Regulating Cross-Border Data Flow published by the CAC on 22 March 2024, there are certain exemptions where data processors may be exempted from conducting security assessments, entering into standard contracts, or obtaining personal information protection certification.
[7] Article 2(2) of the GBA Standard Contract
[8] Article 2(3) of the GBA Standard Contract
[9] Article 2(4) of the GBA Standard Contract
[10] Article 2(8) of the GBA Standard Contract
[11] Article 3(1) to (6) of the GBA Standard Contract
[12] Article 3(7) of the GBA Standard Contract
[13] Article 3(8) of the GBA Standard Contract
[14] Article 3(13) of the GBA Standard Contract