Unravelling the GBA Standard Contract: Cross border data transfer between Hong Kong and the GBA cities in Mainland China
Market Insight, 23 February 2024
Asia Pacific
Data Protection & Privacy
The Cyberspace Administration of China (“CAC”) and the Innovation, Technology & Industry Bureau of Hong Kong (“ITIB”) jointly released the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (the “GBA SC”) together with its implementing guidelines [1] (the “Guidelines”) on 10 December 2023. The GBA SC enables the transfer of personal information between the nine cities in the Greater Bay Area in China (“GBA”) and the Hong Kong Special Administrative Region (“Hong Kong”), and is a useful mechanism for companies to ensure the free flow of personal information.
To transfer personal information across borders using the GBA SC, the following conditions must be met:
- the personal information subject/data subject[2] must have been informed or have consented to the transfer; and
- there can be no further transfer to outside the GBA.
Personal information processors[3] and recipients must also be registered in one of the Mainland China cities within the GBA.
We set out below the 10 key things you need to know about the GBA SC:
- When do companies need to start using the GBA SC:
The GBA SC takes effect from 10 December 2023. Where the GBA SC is relied upon as the compliance mechanism for outbound data transfers, a cross-border transfer of personal information can only be carried out once the signed GBA SC has taken effect.
- Can we alter the terms under the GBA SC:
Under Article 6 of the Guidelines, the GBA SC must be adopted in strict accordance with the annexes to the Guidelines. The parties to the GBA SC may include additional terms and conditions provided that the terms do not conflict with the main terms in the GBA SC.
A supplemental agreement or a new standard contract is necessary if the processing of personal information exceeds the agreed purposes of processing, means of processing and the categories of personal information processed.
- Territorial scope:
The parties can enter into the GBA SC to conduct cross-border flow of personal information between the nine cities in the GBA (namely Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing in Guangdong Province) and Hong Kong.
- Types of personal information:
All types of personal information can be transferred across borders between the Mainland and Hong Kong in the GBA, except for ‘important data’ that has been notified as such by the relevant Chinese authorities or regions, or publicly released as important data. The Guidelines do not define what constitutes ‘important data’[4]; in practice, this suggests that personal information can flow freely unless otherwise notified or publicly released by the authorities.
- Any limit on the volume of data to be transferred:
The Guidelines are silent on the volume of personal information that can be transferred between the nine GBA cities and Hong Kong.
This is different from the position under the Measures for Security Assessment for Data Outbound Transfers in China, where conditions for mandatory security assessments may be triggered if there are transfers of large volumes of personal information.
This seems to suggest that personal information processors in the GBA will not be subject to these requirements when using the GBA SC.
- Any onward transfer restrictions on personal information:
Onward transfer of personal information to outside the GBA is not allowed.
For general onward transfers to third parties in Mainland cities within the GBA and Hong Kong, the requirements are more relaxed when compared to the Standard Contract for the Outbound Transfer of Personal Information issued by the CAC (“PRC nationwide SC”).
Personal information may be transferred to third parties in the Mainland cities within the GBA or Hong Kong by the recipient if:
(a) there is a business need for the transfer;
(b) the personal information subject has been informed of such onward transfer with relevant details provided;
(c) consent has been obtained from the personal information subject in accordance with the laws and regulations of the jurisdiction of personal information processor;
(d) personal information is provided to the third party in accordance with the terms set out in the GBA SC “Description of cross-boundary transfer of personal information”.
Restrictions from the PRC nationwide SC have been removed in the GBA SC, such as the requirement to enter into a data processing agreement with the recipient of the onward transfer under terms and conditions that are no less stringent than the data protection standard in the PRC nationwide SC, and to provide that agreement to the personal information subject upon request. However, some requirements are retained in the GBA SC; for example, the data importer is required to inform the personal information subject of the name and contact information of the third party, the purpose of handling and the retention period of their personal information.
- Personal information protection impact assessment requirement:
The personal information processor is required to carry out a personal information protection impact assessment (“PIPIA”). The assessment considers the following:
- the legality, legitimacy and necessity of the purposes and means of processing personal information by the personal information processor and recipient;
- the impact on and security risks to the rights and interests of personal information subjects;
- whether the obligations undertaken by the recipient, as well as its management and technical measures and capabilities to perform the obligations can ensure the security of personal information transferred across the boundary.
The personal information processor must conduct a fresh PIPIA if there are any changes to the personal information in terms of scope, purpose, categories or means, or to the recipient’s use and means of personal information processing, or if the retention period is extended.
- Filing requirement:
The GBA SC is subject to a filing requirement; however, compared to the PRC nationwide SC regime, the filing procedure is much simpler.
Within ten (10) business days from the effective date of the GBA SC, the personal information processor and the recipient of personal information shall file the following documents with the Internet Information Office of Guangdong Province (广东省互联网信息办公室) or the Office of the Government Chief Information Officer of Hong Kong:
(a) the signed GBA SC;
(b) the letter of commitment; and
(c) a copy of the legally designated representative’s identity documents.
Supplemental filings will be required if there are any subsequent changes to the terms and conditions (including but not limited to the purpose, scope, type of personal information to be transferred, or extending the retention period of personal information) of the GBA SC.
The Guidelines do not require the parties to file the PIPIA report.
- What is the governing law if there is a dispute and what about arbitration:
The GBA SC will be construed in accordance with the relevant laws and regulations of the jurisdiction of the personal information processor and can be governed by either the laws of Hong Kong or the Mainland.
The GBA SC provides that disputes can be resolved by legal proceedings in Mainland or Hong Kong courts, or by arbitral proceedings before any of the China International Economic and Trade Arbitration Commission, the China Maritime Arbitration Commission, the Guangzhou Arbitration Commission, the Guangdong-Hong Kong-Macao Greater Bay Area International Arbitration Centre and the Hong Kong International Arbitration Centre.
- What happens if the parties fail to perform the obligations under the GBA SC or if there is a data breach incident:
Any organisation or individual can lodge a complaint or report to the regulatory authorities[5] if they discover parties have failed to perform the obligations under the GBA SC or the Guidelines. The regulatory authorities can also request parties to make rectification if there are relatively high security risks in cross-boundary personal information processing activities or security incidents have already occurred.
Further, if there is any security incident or leakage of personal information, the personal information processor or recipient shall take remedial measures immediately and notify the regulatory authorities.
Moving forward
The first phase of use of the GBA SC has already started with an “early and pilot implementation” arrangement in December 2023. There have been open invitations for participation among certain sectors, notably the banking, credit referencing and healthcare sectors; the arrangement will later extend to other sectors.
Corporations that wish to use the GBA SC should be aware of the above 10 key points. Companies located in Mainland cities in the GBA could still use the PRC nationwide SC for cross-border transfers, but the GBA SC’s requirements are comparatively more relaxed.
In regard to cross-border data transfers in Hong Kong, section 33 of the Personal Data (Privacy) Ordinance (Cap.486), which has yet to come into effect, prohibits the transfer of personal information outside of Hong Kong except in the limited circumstances specified. Therefore, this is not a mandatory obligation. The GBA SC would be a good reference point, and parties can build on the GBA SC in a practical way to protect data subjects when transferring personal information between the Mainland cities within the GBA and Hong Kong, as well as to facilitate cross-border data transfer for their business needs.
[2] “Personal information subject”, for the Mainland, refers to a natural person identified by or associated with the personal information; for Hong Kong, it also covers a “data subject”, which, in relation to personal data, means the individual who is the subject of the data.
[3] “Personal information processor (个人信息处理者)”, for the Mainland, refers to an organisation or individual that determines the purposes and means of personal information processing; for Hong Kong, it also covers a “data user” who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
[4] Under the Measures for the Security Assessment of Data Outbound Transfer, ‘important data (重要数据)’ is defined as data that, once tampered with, damaged, leaked or illegally acquired or used, may jeopardize national security, the operation of the economy, social stability, public health and security, and so forth.
[5] The regulatory authorities are the CAC and the Cyberspace Administration of Guangdong Province for the Mainland, and the ITIB, the Office of the Government Chief Information Officer of the HKSAR Government and the Office of Privacy Commissioner for Personal Data, Hong Kong for Hong Kong.