PRC streamlines cross-border data transfer rules within GBA

On 13 December 2023, the Cyberspace Administration of China and the Innovation, Technology & Industry Bureau of Hong Kong jointly released the Standard Contract for Personal Information Cross-Border Flow within Greater Bay Area (mainland and Hong Kong) (GBA Standard Contract) together with its implementing guidelines (Guidelines), effective on the same day.

The Standard Contract is one of the three mechanisms to transfer personal information outside of China, which works similarly to the EU Standard Contractual Clauses but with an additional filing procedure. The GBA Standard Contract aims to provide a streamlined version of the "standard" Standard Contract, with lighter contractual obligations and more friendly filing requirements, to ease the compliance burden of cross-border data flow within the GBA.

Here are some more details on the GBA Standard Contract and the Guidelines:

• Territorial scope: to benefit from the GBA Standard Contract, both the data transferor and recipient shall be registered in either Hong Kong or the nine cities of Guangdong Province including Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen or Zhaoqing.

• No volume threshold: GBA Standard Contract applies regardless of the volume of personal information to be transferred outside of China. Data rich businesses which used to trigger security assessment (the stricter approval mechanism) may now be downgraded to the less restrictive standard contract filing mechanism.

• Exclusion: the new scheme won't apply to (i) any transfer or secondary transfer to recipients outside of the above territorial scope; or (ii) any transfer of personal information which has been identified as "important data". They will need to follow the current nationwide data transfer rules.

• More flexible clauses: GBA Standard Contract cuts back some obligations for the data recipient, as well as provides for more flexibility in terms of terminology and dispute resolution clauses.

• Simpler filing documents: the personal information protection impact assessment report is no longer required to be filed, and the scope of the assessment is also reduced.

• Data flow from HK to mainland: GBA Standard Contract can also apply to data flows from HK to the mainland side of the GBA. According to latest guidance from the HK PDPC, parties are encouraged to adopt the GBA Standard Contract if they satisfy the territorial scope.

• Coordination between regulators from both sides: filings can be made with regulators of both mainland and HK, and same for raising complaints and reporting data incidents.

The Hong Kong government has initiated the first pilot scheme inviting participants in banking, credit referencing and healthcare sectors, all of which with high demand for data. We may also watch out for further guidance from Guangdong cyberspace administration on the implementation of the GBA Standard Contract.

More importantly, the GBA Standard Contract is only the first of many facilitation measures to come under the framework of the MoU on Facilitating Cross-boundary Data Flow Within the Greater Bay Area. The GBA Standard Contract and Guidelines imply the recognition of Hong Kong as offering equivalent data protection as available under Chinese law. With that spirit, we can expect that more opening measures will materialise in the near future to further free up cross border data flow within the GBA and supercharge the economic growth in the region.