The implementation of the GBA Standard Contract Guideline and the GBA Standard Contract marks substantial progress in arrangements to promote and regulate cross-boundary data flow within the Guangdong-Hong Kong-Macao Greater Bay Area ("GBA"), as envisaged under the Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area agreed by CAC and HK ITIB in June 2023.

The GBA Contract arrangements represent a welcome reduction in the significant compliance burden for cross-boundary transfers of personal data from Guangdong province to Hong Kong, both in relation to the CAC security assessment applicable to larger transfers of personal data and to cross-border data transfers falling below the data volume thresholds for the CAC security assessment (see here and here for our previous coverage), to which the CAC’s Standard Contractual Clauses ("SCCs") apply.   

Acknowledging that a step forward has been taken in easing the compliance burden for GBA data transfers, we also note that the GBA Contract arrangements have several key limitations.  The arrangements only apply to transfers of personal data between Guangdong province and Hong Kong, meaning that organizations will not be able to use the GBA arrangements to transfer personal data from their China operations to Hong Kong on a comprehensive basis or support transfers from or to the Macau Special Administrative Region.  Critically, data transferred to Hong Kong under these arrangements must remain within the GBA.

In this briefing, we review the key features of the GBA Standard Contract Guideline and GBA Standard Contract, highlighting practical points and the main differences between the GBA arrangements and the Measures on the Standard Contract for the Cross-border Transfer of Personal Information ("SCCs Measures") and SCCs.

Scope of Application of the GBA Standard Contract

The data exporter under the GBA Standard Contract is assumed to be a “data controller” (i.e., a “personal information handler” under China’s Personal Information Protection Law (“PIPL”) or a “data user” under Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”)).  Data importers may either be “data controllers” receiving personal data to process for their own purposes or “data processors” processing the data on behalf of the data exporter as part of a cross-boundary service arrangement.  The data exporter and importer must both execute and file the GBA Standard Contract with their respective competent authorities within ten business days of the GBA Standard Contract becoming effective.  The GBA Standard Contract may only be used for cross-boundary transfers where:

• the transfer does not include “important data”  (“Important data” is currently defined as data that, if distorted, damaged, leaked or illegally obtained or used, may endanger China’s national security, economic operation, social stability, public health, and security, etc., as defined under the Security Assessment Measures. It is expected to be classified in detail by industry regulators under the Data Security Law.);

• data subject consent has been obtained and/or notification made in accordance with the relevant applicable local law; and

• there will be no onward transfer of the data outside the GBA.

The GBA Standard Contract is only available to data exporters who are “data controllers” in covered GBA cities in Guangdong province or Hong Kong transferring personal data on a “controller-controller” or “controller-processor” basis. The modular approach taken by the European Commission with its standard contractual clauses has not been applied.  A few points of clarification, including points that have arisen in implementing the CAC SCCs remain:

• Is the branch of a Hong Kong company registered in Guangdong province, which is not an independent legal entity in China eligible to use the GBA Standard Contract?

• Are companies registered in the GBA deploying their servers outside GBA eligible to use the GBA Standard Contract?

• Is the GBA Standard Contract only available to Guangdong-based “data controllers” who solely control the processing of personal data in China, or is there scope for a Guangdong based co-controller to use these arrangements to transfer data also controlled by its mainland China affiliates to Hong Kong?   

Data Protection Impact Assessment

Organizations making use of the GBA Standard contract are required to undertake a data protection impact assessment ("DPIA") requiring analysis of the following:

1. the legality, legitimacy and necessity of the purposes and means of processing of the personal data by both the data exporter and the data importer;

2. the impact of the transfer on the rights and interests of data subject; and

3. whether the obligations undertaken by the data recipient and the data recipient’s  management and technical measures and capability to perform these obligations can ensure the security of the personal data once it has crossed the boundary. 

What challenges have been alleviated under the GBA Standard Contract Guideline and the GBA Standard Contract, as compared with the CAC’s export review procedures?

The GBA Standard Contract Guideline provides a streamlined approach for data exporters in covered GBA cities in Guangdong province relative to the existing CAC data export regime, noting in particular:  

• Unlike the CAC data export regime, the GBA Standard Contract Guideline does not specify any volume thresholds for approval of cross-border data flows by the CAC.

• The DPIA required under the GBA transfer arrangements is not nearly so complex or voluminous as the CAC’s security assessment procedure or the personal information privacy impact assessment required to be completed and filed in conjunction with the use of the SCCs. 

• The DPIA report is not required to be filed with the executed GBA Standard Contract.

• Disputes under the GBA Standard Contract may be submitted to arbitration at the Hong Kong International Arbitration Centre, the Greater Bay Area International Arbitration Center or be submitted to a competent court in Hong Kong. 

2What is the filing procedure?

Unlike the SCCs Measures, which only require the data exporter to file the executed SCC with the competent local CAC, the GBA Standard Contract Guideline mandates that both the data exporter and data recipient must file the executed GBA Standard Contract concurrently and respectively with their supervisory authorities (i.e., the Guangdong CAC or the OGCIO) within 10 working days from the effective date thereof.

Following receipt of a completed filing, the relevant authority is expected to notify the filing party of the result within 10 working days.

The filing process under the GBA Standard Contract Guideline includes the following steps:

Step 1: Submission of application documents

• GBA Mainland China data exporters and recipients are required to first submit the full set of required materials in electronic form to the municipal CAC of Guangdong province for preliminary examination, and upon the Guangdong CAC's approval, they can further send hard copies of the documents to the Guangdong CAC.

• Hong Kong data exporters and recipients shall submit the required materials by post to the OGCIO.

Step 2: Document check and notification of filing results

• Filing by the data exporter: The Guangdong CAC/OGCIO will review and respond to each application within 10 working days, with the outcome being either a “pass” or a “fail.” If a failing grade is awarded, the data exporter will be notified of the reasons for the failure and be asked to provide supplementary materials within 10 working days.
• Filing by the data recipient: Upon receipt and confirmation of the completeness of documents filed, the Guangdong CAC/OGCIO will issue an acknowledgment to the recipient within 10 working days.

What do the GBA arrangements mean for Hong Kong data exporters?

There has been much focus on prospects that the GBA data transfer arrangements will ease restrictions on data transfers from mainland China, which have been subject to increasing regulation in recent years under the Cybersecurity Law, Data Security Law and the PIPL. 

Hong Kong’s PDPO, on the other hand, continues to impose no specific restriction on transfers of personal data to mainland China (or to anywhere else).  The PDPO does, however, require data exporters to ensure that data processors (wherever they may be located) apply appropriate security measures to the data and erase the data once the data processing arrangements finish.  The Privacy Commissioner for Personal Data (“PCPD”) had previously published its Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (see here), which serve as a best practice reference point (our client briefing is here), but there are no specific requirements.

Although there is no specific compliance requirement under the PDPO, the PCPD has published its Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong – Hong Kong – Macao Greater Bay Area (Mainland, Hong Kong) (see here), which encourages Hong Kong businesses to make use of the GBA Standard Contract where transferring personal data to recipients based in Guangdong province.  It is clear, however, that executing the GBA Standard Contract would place a Hong Kong data user under a number of contractual obligations which it would not otherwise be subject to as a consequence of the PDPO, including:

• to provide, as a default, that data subjects have third party rights to enforce the GBA Standard Contract;

• to complete a DPIA; and

• to report any security incident involving the transferred data to the PCPD (noting that the PDPO is an outlier internationally in that it does not yet have a mandatory data breach notification obligation).

Similarly and as already noted, Guangdong-based recipients of Hong Kong personal data would be required to hold and process the data in the GBA.  There is currently no restriction in this regard under the PDPO or PIPL.

What's next?

OGCIO has initiated a pilot implementation of the GBA Standard Contract for Hong Kong data exporters and data recipients operating in the banking, credit referencing and healthcare sectors. Data exporters and data recipients, who submitted the expression of interest by December 31, 2023 will be eligible to conduct the data transfer within GBA through the GBA Standard Contract from early 2024.

It is clear that organizations wishing to transfer personal information from mainland China within the GBA to Hong Kong will benefit from the streamlined process envisaged by the GBA Standard Contract Guideline and the GBA Standard Contract. However, the arrangements do not establish Hong Kong as a complete “safe harbour” for transfers of Chinese personal data in general.  It may be that the GBA arrangements are a first step towards a broader understanding that would bolster Hong Kong’s position as a critical part of the GBA.