China’s National Information Security Standardisation Technical Committee (TC260) published draft Practical Guidelines on Cross-border Personal Information Protection Requirements in the Guangdong-Hong Kong-Macau Greater Bay Area (Draft GBA Guidelines)[1] on 1 November 2023.

They propose a certification regime for cross-border data transfers within the GBA (GBA Certification), following a consultation period that ended on 15 November.

Background

The Draft GBA Guidelines are the first implementing regulations relating to the liberalisation of cross-border data transfer activities within the GBA.

Their release follows (a) the signing of a memorandum of understanding (MoU) between the PRC and Hong Kong on 29 June 2023 to address data transfers in the GBA, and (b) the issuance of the draft Provisions on Regulating and Promoting Cross-Border Data Transfers (Draft CBDT Provisions) by the Cyberspace Administration of China (CAC) on 28 September 2023.

While the contents of the MoU were not made public, the Draft CBDT Provisions contained a provision proposing to exempt cross-border data transfers from transfer mechanism requirements set out in Article 38 of the Personal Information Protection Law (PIPL) for a class set out in a “negative list” (See our previous Legal Update on China Proposes Easing of Cross-Border Data Controls).

In this Legal Update, we look at key provisions of the Draft GBA Guidelines and assess how they may impact cross-border data transfers within the GBA.

Application

The Draft GBA Guidelines only apply to data controllers within specified areas of the GBA – namely cities in the Guangdong province (e.g. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing) and Hong Kong.[2]

Curiously, despite the reference to Macau in the title, Macau is conspicuously omitted from this iteration of the Draft GBA Guidelines. We understand the omission is motivated by administrative reasons, and that Macau will be included within future intra-GBA transfer regulations.

GBA-specific Data Transfer Requirements

The Draft GBA Guidelines generally echo the requirements of “local” data privacy regulations, and expressly provide that “personal information processed by the data controllers is [to be] determined in accordance with the personal information protection laws of the jurisdiction”.[3]

However, the majority of the standards imposed on data controllers are clearly influenced by the PIPL (understandably so, given the issuing authority).

Save for certain specific references to “data controllers in Hong Kong”,[4] the requirements apply to both data controllers in the PRC and data users (read: data controllers) in Hong Kong. While data controllers in the PRC would already have to comply with their obligations under the PIPL, the imposition of PIPL standards on data users in Hong Kong may prove overly onerous.

Some examples include:

1. Entering into a Legally Binding Agreement

There are no specific restrictions on cross-border data transfers under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). While it is important for data users to have appropriate protection for cross-border transfers of personal data – since they are ultimately responsible for breaches of the PDPO by data recipients – data exports are permitted so long as data subjects are notified of the purposes of the data exports on or before collection of their data, and processing of the data exports remains consistent with such notification.

However, under the Draft GBA Guidelines, data controllers and data recipients of personal information are required to sign a legally binding data processing agreement (DPA) which specifies the following:[5]

  1. purpose, method and scope of processing;
  2. type, quantity, retention period and storage location of personal information to be transferred; and
  3. responsibilities and obligations of both parties.

Furthermore, processing personal information beyond the scope of the DPA by the data recipient will result in the GBA Certification being declared terminated or invalid.[6] It is unclear whether this refers to the exporter’s certification or the recipient’s certification.

Data recipients are also required to return or delete personal data if the DPA is rendered ineffective, invalid, revoked or terminated.[7]

While the provisions of this DPA appear to be less onerous than the provisions of the Standard Contract (for more detail, please see our previous Legal Update on China’s Standard Contracts for Exporting Personal Information Guidelines Have Been Released!), such a DPA would go beyond the contractual documentation that most Hong Kong data users use for cross-border data transfers.

It is also unclear whether the DPA will have to be in a prescribed format (e.g., SCC-like) or whether it will need to be filed with the GBA Certification bodies.

2. Personal Data Security Requirements

The PDPO only generally requires that data users take “all practicable steps” to “ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use”.[8]

However, the Draft GBA Guidelines impose additional mandatory requirements, including:

a. keeping records of cross-border data transfers for at least three years;[9]

b. establishing an access control policy to ensure personnel can only access or view the minimum necessary information required for their duties;[10]

c. appointing a DPO;[11]

d. encrypting sensitive personal information;[12]

e. executing confidentiality agreements with relevant personnel engaged in personal information processing;[13]

f. establishing internal approval processes for important operations on personal information, e.g. batch operations;[14]

g. developing an incident response plan and regularly conducting tabletop simulations;[15] and

h. committing to accept continuous supervision by certification authorities on cross-border processing activities.[16]

While many of these measures are generally encouraged and considered best practices for data management for data users in Hong Kong, data users who do not already have such measures in place would need to undertake a significant amount of work to implement such practices.

Given that these requirements are already the norm for data controllers in the PRC, the GBA Certification would appear to simplify cross-border data traffic from the PRC to Hong Kong, but may complicate traffic in the other directions – namely from Hong Kong, or even Macau, to the PRC.

3. PIPL-aligned Notification Requirements

The Draft GBA Guidelines impose stringent notification requirements on data controllers that would require data subjects to be notified of the following in respect of the recipient:

a. the name or contact information;

b. processing purposes;

c. processing methods; and

d. types of personal information.

Similar to point (3) above, these notification requirements go beyond current requirements under the PDPO – and would require data users to rethink how they notify data subjects if they were to utilise the GBA Certification.

This would make the GBA Certification a less attractive tool for data users seeking to transfer personal data into the PRC.

In fact, given that the Draft CBDT Provisions have proposed exemption of “personal information that is not collected or generated within mainland China” from the PIPL cross-border data transfer mechanism, it appears that the GBA Certification may only be relevant for data users in Hong Kong who collect data of subjects resident in the PRC.[17]

4. Onward Transfer Outside GBA is Prohibited

Lastly, and perhaps most significantly, data controllers are required to take measures – such as entering into an agreement, providing an undertaking to the GBA Certification body, and conducting an audit of data recipient practices – to prevent data recipients from transferring data to a third party outside the GBA.[18]

Notably, this requirement, if implemented in its current form, may disappoint companies that had hoped to use the GBA Certification to transfer personal information out of the PRC to their overseas affiliates via Hong Kong.

Observations

In the absence of further details of the GBA Certification, the extent to which the proposed framework addresses concerns with the PRC’s onerous cross-border data transfer regime remains unclear.

Based on preliminary indications furnished by the Draft GBA Guidelines, the promise shown by the MoU may be less than expected, given the onerous additional requirements to be imposed on Hong Kong data users, coupled with the breadth of the existing derogations already proposed under the Draft CBDT Provisions.

On the other hand, the GBA Certification may benefit businesses with interests solely within the GBA (read: PRC businesses with affiliates in Hong Kong), since the proposed framework under the Draft GBA Guidelines does seem to help reduce compliance costs.

For example, the Personal Information Protection Impact Assessment (PIA)/data transfer impact assessment (DTIA) – which is one of the key compliance obligations under the Standard Contract mechanism – is not expressly required under the proposed GBA Certification framework.

Given that requirements under the Draft GBA Guidelines generally reflect PIPL requirements, compliance should be easier for PRC-based data exporters to achieve.

On the other hand, difficulties may arise when Hong Kong-based data controllers who wish to transfer data from Hong Kong to the PRC are required to fulfil additional obligations that are not presently required under the PDPO.

Companies wishing to transfer data from the PRC to Hong Kong (as opposed to Hong Kong companies) may therefore have more reasons to consider leveraging the GBA Certification regime, to reduce compliance costs and facilitate their data exports.

However, there are still outstanding practical questions on the proposed GBA Certification regime that remain unanswered.

For example, the Draft GBA Guidelines are silent on the relevant GBA Certification bodies, the detailed GBA Certification procedures, and the validity period of GBA Certification.

Furthermore, it is unclear which entity or entities will be responsible for enforcing the GBA Certification rules, and how this will impact Hong Kong companies that technically fall outside the jurisdiction of PRC data laws. Will it bring Hong Kong companies within the purview of PRC regulations?

Takeaways

The blistering pace at which various PRC government bodies have been issuing policies strongly suggests intensified efforts to address some of the concerns raised regarding difficulty complying with the PRC’s cross-border data transfer regime.

As highlighted above, while the Draft GBA Guidelines shed some light on the proposed GBA arrangement under the MoU, there are still unresolved practical difficulties that remain, given the vastly different data protection regimes in Hong Kong and the PRC.

Companies should keep an eye out for further clarifications of the Draft GBA Guidelines and the Draft CBDT Provisions that will hopefully actually ease data export controls in the GBA.

The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this Legal Update.