On November 1, 2023, the National Information Security Standardization Technical Committee (全国信息安全标准化技术委员会) (“TC260”, a policy-making body under the Cyberspace Administration of China (“CAC”)) launched a public consultation on draft Practice Guidelines for Cybersecurity Standards - Requirements for Cross-Boundary Personal Information Protection within the Guangdong-Hong Kong-Macau Greater Bay Area (“GBA”) (网络安全标准实践指南—粤港澳大湾区跨境个人信息保护要求（征求意见稿）) (the “Draft Guideline”) (see here (Chinese only)).
The Draft Guideline represents an important first step towards a much-anticipated relaxation of restrictions on flows of personal data across the GBA, as envisaged in the Memorandum of Understanding to Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macau Greater Bay Area agreed by the CAC and Hong Kong’s Innovation, Technology and Industry Bureau (the “GBA MOU”) (please see our previous post here). Specifically, the Draft Guideline aims to establish standards against which certification of cross-border transfers under the GBA MOU would be administered.
Cross-Boundary Transfers of Personal Information under the PIPL and PDPO
Under the Personal Information Protection Law (“PIPL”) and the Measures for Security Assessment for Cross-border Data Transfer, personal information handlers transferring personal information from Mainland China are required to obtain data subjects’ separate consent and satisfy at least one of the following regulatory formalities: (i) passing the CAC security assessment, (ii) obtaining a third-party certification, or (iii) entering into standard contractual clauses (“SCCs”) with the offshore data recipient and filing the SCCs together with a report on a personal information protection impact assessment (“PIPIA”). These requirements apply to all transfers of personal information from Mainland China, including cross-boundary transfers to the Hong Kong Special Administrative Region (“Hong Kong”) and the Macau Special Administrative Region (“Macau”). Recent draft measures by the CAC propose to relax these requirements in relation to some transfers, but these measures have not yet been finalized (please see our previous post here).
Organizations have found the CAC’s restrictions on international transfers of personal data difficult to navigate in practice. The announcement of the GBA MOU was met with enthusiasm for a more practical approach to cross-border regulation, at least in relation to cross-boundary transfers of data from Guangdong province to Hong Kong and Macau.
Hong Kong’s Personal Data (Privacy) Ordinance (the “PDPO”) regulates the processing of personal data in Hong Kong. Notably, there is no additional compliance requirement in respect of cross-boundary transfers of personal data from Hong Kong to mainland China or Macau, although organizations collecting personal data in Hong Kong are required to ensure that PDPO requirements continue to be met in respect of personal data transferred to other jurisdictions.
Standards under the Draft Guideline
The Draft Guideline outlines the standards under which third-party certification of cross-boundary transfers of personal information from Mainland China to Hong Kong will be assessed (transfers to and from Macau are not yet addressed). In substance, the Draft Guideline sets out a number of basic principles and requirements drawn from China’s PIPL and Hong Kong’s PDPO. The Draft Guideline is clear that the applicable territorial laws continue to apply irrespective of the certification. Here it is important to note that the PIPL is a recent law drawing heavily from the GDPR, the current “gold standard” for data protection internationally. The PDPO, passed in 1995 and with few substantive amendments since, represents a much lower standard of data protection. This mismatch of requirements means that the standards applicable under the Draft Guideline are necessarily skewed towards compliance with the more onerous Mainland requirements. Consequently, if Hong Kong organizations, which currently face no restrictions on cross-boundary transfers, seek certification, they will likely need to raise their data protection standards above and beyond what they currently have in place.
To elaborate, based on the Draft Guideline, personal information handlers on both sides of the boundary will be certified against a set of general obligations drawn largely from the PIPL, including:
- obtaining data subjects’ consent to the transfer, unless one of the PIPL’s other lawful bases for transfer applies (with notification being sufficient in relation to transfers from Hong Kong);
- notifying data subjects of the identity and contact information of the offshore recipient, the purpose of the transfer, the manner in which data subjects may exercise their rights under the law and other details;
- developing and implementing a cross-border security management system and operating procedures, adopting encryption, de-identification and other techniques as appropriate to prevent data being tampered with or lost;
- keeping and continuously updating a catalogue of the personal information involved in cross-boundary transfers;
- keeping a logbook of the cross-boundary transfers of personal information for at least 3 years;
- undertaking to be subject to continuous supervision by the certification institution on cross-boundary transfers of personal information, including responding to inquiries, cooperating with inspection requests, complying with measures taken or decisions made, and providing written proof that necessary actions have been taken;
- controlling remote access so that personnel who are authorized to access personal information remotely are only entitled to the minimum personal information and data processing privileges, as necessary for the performance of their duties;
- adopting measures such as contractual agreements, undertakings to certification bodies, filing with the competent authorities, regular auditing of the recipient and annual self-assessments of security risks to cross-boundary data transfer, to prevent the recipient from transferring data to a third party outside of the GBA.
The Draft Guideline introduces a number of controls specific to the use of personal data for marketing purposes, in particular:
- obtaining data subject consent and disclosing the types of personal data that will be used for marketing purposes; and
- providing a convenient means for data subjects to stop the use of their personal data for such purposes.
The standards set out in the Draft Guideline require parties to a cross-boundary transfer to enter into and file a legally binding agreement setting out the purpose, manner and scope of the transfer, the type of data being transferred, and the retention period and storage location of the data being transferred. Critically, the agreement must specify that the recipient of the data will not transfer the data out of the GBA, meaning that the certification envisaged will not enable Hong Kong to serve as a broader transit point for outbound China data transfers.
Comparing the Certification Standards Against Current CAC Controls
The foregoing summary foreshadows a relatively heavy burden for certification of cross-boundary data transfers in the GBA, particularly as many of the requirements are very generally stated and would benefit from a more detailed statement of controls so that applicants for certification have a clear view of what is expected of them.
That being said, those who have been closely following developments with respect to the CAC’s regulation of international transfers of personal data will note that the certification contemplated by the Draft Guideline is actually narrower in scope when compared to the extensive review expected by the CAC under its security assessment or the PIPIA filing. In particular, the Draft Guideline does not delve so deeply into the cyber security topics that dominate the CAC’s security assessment, noting that Hong Kong does not yet have a counterpart to China’s Cyber Security Law or Data Security Law.
From a Hong Kong perspective, a key point of note is that outbound transfers to the mainland are currently unregulated, meaning that the standards envisaged by the Draft Guideline would represent a significant uplift in data protection controls. It remains to be seen if there is any upside for a Hong Kong organization to seek certification on this basis.