GBA Standard Contract: Cross Border Data Transfer Between Hong Kong and the GBA Cities

An overview of the GBA Standard Contract and its impact moving forward.

The Cyberspace Administration of China (“CAC”) and the Innovation, Technology & Industry Bureau of Hong Kong jointly released the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (the “GBA Standard Contract”) together with its implementing guidelines  (the “Guidelines”) in December 2023. 

This GBA Standard Contract streamlines cross-border data transfer rules between the nine cities in the Greater Bay Area in China (“GBA”) and Hong Kong.

Personal information processors and recipients must also be registered in one of the nine Mainland China cities within the GBA.

Important details of the GBA Standard Contract are listed below:

1. Data flow: The adoption of the GBA Standard Contract is voluntary. The GBA Standard Contract applies to both directions of cross-border flow of personal data between Mainland GBA cities and Hong Kong. Hong Kong entities are encouraged to adopt the GBA Standard Contract if the territorial scope is satisfied.

2. Amendments to the GBA Standard Contract: The GBA Standard Contract must be adopted strictly according to the annexes to the Guidelines. Additional terms and conditions can be included if they are consistent with the main terms.

A supplemental agreement or a new standard contract is necessary if the processing of personal information exceeds the agreed purposes, means of processing and the personal information categories.

3. Types of information that can be transferred: All types of personal information can be transferred across borders between the Mainland GBA cities and Hong Kong, except for ”important data” that has been notified by relevant Chinese authorities, regions or has been publicly released as important data. While there is no definition for “important data”, in practice, this suggests free flow of personal information unless otherwise notified or publicly released by the authorities.
 
4. Data volume threshold: The Guidelines are silent on the volume of personal information that can be transferred between the Mainland GBA cities and Hong Kong.

This is different from China’s Measures for Security Assessment for Data Outbound Transfers position, where mandatory security assessment obligations may be triggered if a large volume of personal information is involved. This seems to suggest GBA personal information processors will not be subject to these requirements when using the GBA Standard Contract.

5. Onward transfer of personal information to outside the GBA: Any onward transfers outside the GBA is not allowed and requires compliance with the Standard Contract for the Outbound Transfer of Personal Information issued by the CAC ("PRC nationwide SC”).

6. Personal information protection impact assessment requirement:

• The personal information processor is required to carry out a personal information protection impact assessment (“PIPIA”), but in a simplified manner, which covers: 
• the legality, legitimacy, and necessity of the purposes and means of processing by the personal information processor and recipient,
• the impact on and security risks to the rights and interests of personal information subjects,
• whether any obligations undertaken by the recipient, as well as its management and technical measures and capabilities to perform the obligations can ensure the security of personal information transferred across the border.

A new PIPIA must be conducted if there are any changes to the personal information in terms of the scope, purpose, categories, means, or the use and means of processing, as well as the retention period.

7. Filing requirement: The GBA Standard Contract is subject to filing requirements, but again, more simplified than that of the PRC nationwide SC regime. Supplemental filings will be required if there are any subsequent changes to the GBA Standard Contract’s terms and conditions. The parties are not required to file the PIPIA report.

8. Governing law: The GBA Standard Contract can be construed according to either Hong Kong laws or the Mainland laws, depending on where the personal information processor is situated.

Moving forward

The first phase use of the GBA Standard Contract has already started under a pilot arrangement amongst banking, credit referencing, and healthcare sectors, and it will later extend to other sectors.

Companies located in Mainland GBA cities can adopt either the PRC nationwide SC or the more relaxed GBA Standard Contract for cross-border transfers. Meanwhile, for Hong Kong companies, the GBA Standard Contract can serve as an effective contractual measure in safeguarding privacy of data subjects when conducting cross-border data transfers in the GBA although the personal data laws prohibiting cross-border data transfers outside of Hong Kong has yet to become effective.