The National Information Security Standardization Technical Committee (“TC260”) issued the “Network Security Standard Practice Guide—Guangdong-Hong Kong-Macao Greater Bay Area Cross-Border Personal Information Protection Requirements (Draft for Comment)” (the “Draft Guide”) on 1 November 2023.
The Draft Guide provides protection standards for cross-border data flow in the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”), as the basis for the GBA personal information protection certification (“GBA Certification”).
In this article, we highlight the key provisions of the Draft Guide and set out our observations on the proposed requirements. If you would like a copy of the English translation of the Draft Guide, please contact James Gong at [email protected].
The current cross-border data regime in Mainland China is established pursuant to the Personal Information Protection Law (“PIPL”) (click here to read our interpretation of the PIPL). There are three routes for personal information processors[1] to transfer personal information (“PI”) across borders, namely:
On 28 September 2023, the CAC released the draft “Regulation for Administering and Promoting Cross-border Data Flow”, which proposes substantial changes to the current cross-border data transfer regime, but the draft regulation does not mention data flow in the GBA (click here to read our comments on the draft regulation).
In Hong Kong, Article 33 of the “Personal Data (Privacy) Ordinance” (“PDPO”) expressly prohibits the transfer of personal data to places outside Hong Kong except in circumstances specified in the PDPO[3]. Considering the high demand for free data flow by Hong Kong enterprises, this clause has not been brought into operation, so there is currently no mandatory restriction on the cross-border transfer of personal data from Hong Kong. Still, the Office of the Privacy Commissioner for Personal Data of Hong Kong encourages compliance with Article 33. It issued two non-compulsory guidelines, in 2014 and 2022[4], to prepare for the implementation of Article 33, which include Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data.
Nonetheless, the general security measures and restrictions on data transfer in the PDPO still apply to Hong Kong PI Processors. For example, before sharing personal data with third parties, the data user must inform the data subject of the category of persons who may receive his or her data, and when the purpose of collecting personal data changes, the data user must obtain the explicit consent of the data subject.

The Draft Guide aims to implement the “Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the GBA” (the “Memorandum”) signed between the CAC and the Innovation, Technology and Industry Bureau of Hong Kong (the “ITIB”) on 29 June 2023.
The announcement of the Memorandum states that it aims to establish safety rules for cross-border data flow in the GBA under the national management framework for safeguarding the security of cross-boundary data. The State Council supports this initiative and encourages experimentation with security management mechanisms for cross-border data flows in the GBA, according to the “Opinions on Further Optimizing the Foreign Investment Environment and Increasing the Attraction of Foreign Investment” issued in August 2023.
The signing of the Memorandum aims to foster the secure cross-boundary flow of Mainland data within the GBA. The Hong Kong SAR government is working with Guangdong Province to adopt an early and pilot implementation approach in the GBA, targeting high-demand services such as finance, credit checking and healthcare, to streamline the compliance arrangements for the flow of personal data from the Mainland to Hong Kong. Based on its effectiveness and the experience gained, the authorities will consider expanding it to other sectors in an orderly manner, as stated in the “Chief Executive’s 2023 Policy Address” on 25 October 2023 and in a written reply to the Legislative Council by the Secretary for the ITIB on 15 November 2023.
Based on the Memorandum, on 13 December 2023 the CAC and the ITIB issued the “Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the GBA (Mainland, Hong Kong)” (“GBA SCCs”). Effective from its release date, the GBA SCCs mechanism is the first facilitation measure formulated to foster the cross-boundary flow of PI within the GBA in a safe and orderly manner. Individuals and organizations in the GBA can voluntarily adopt the GBA SCCs where applicable. We will release our commentary on the GBA SCCs mechanism soon.
What is the legal effect of the Draft Guide?
The Draft Guide by TC260 is an unofficial, optional network security guide, not yet in effect. TC260 is not an official legislative body in Mainland China[1]. According to the “Management Measures for Network Security Standard Practice Guides (Interim)”, the Network Security Standard Practice Guide aims to disseminate network security standards and knowledge, providing standardised guides. The Draft Guide serves as a basis for GBA Certification under the Memorandum and a compliance reference for PI Processors, without mandatory enforcement power.
Like PI protection certification guidelines under the PIPL Certification regime, the Draft Guide could be a precursor to future regulations and may evolve into a more effective document by TC260 or a higher authority when appropriate.
Is the GBA Certification the only way for cross-border data transfer in the GBA?
No. As the CAC issued the GBA SCCs based on the Memorandum on 13 December 2023, PI Processors in the GBA (the “GBA PI Processors”) can also choose to sign the GBA SCCs for cross-boundary data flow in the region. Therefore, the GBA Certification mechanism will not be the sole option for the GBA PI Processors.
The Draft Guide applies to the GBA PI Processors conducting cross-border PI processing via the GBA Certification. However, as the Memorandum’s full text is not public, several questions still need clarification:
Does the Draft Guide apply to data flows from both Mainland and Hong Kong?
The Draft Guide appears to aim at regulating data flow in both directions between Mainland and Hong Kong. This aligns with the Draft Guide’s logic, for example:
However, as per the “Chief Executive’s 2023 Policy Address” and the Hong Kong Government’s Secretary for the ITIB’s reply to the Legislative Council on 15 November 2023, the Memorandum was signed to enable the secure cross-border flow of Mainland data within the GBA. It does not address the flow of Hong Kong data into the Mainland.
The Hong Kong PDPO’s data export provisions have not been brought into operation, so there are no compulsory limits on transferring Hong Kong data outside Hong Kong, only adherence to global protection standards and practices. If the Draft Guide regulates the flow of Hong Kong data into the Mainland, it could increase the compliance burden of Hong Kong PI Processors. We discuss the added compliance obligations for Hong Kong PI Processors in the “Specific Provisions” section below.
Moreover, to apply the Draft Guide’s requirements to bidirectional data flow between the Mainland and Hong Kong, the Mainland and Hong Kong authorities would need, at a minimum, to enact higher-level laws, set up GBA Certification institutions and establish procedural rules.
Who is a GBA PI Processor under the Draft Guide?
The Draft Guide defines GBA PI Processors as those registered (for organizations) or located (for individuals) in Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen or Zhaoqing in Guangdong Province, or in Hong Kong.
Interestingly, the Draft Guide does not include PI Processors in Macau or mention Macau law, despite its summary stating that it applies to cross-border PI processing in the GBA. This might be because the Memorandum was signed only between Mainland China and Hong Kong. To prevent confusion, we suggest that the official version of the Draft Guide clarify its applicability to Macau and include relevant Macau content where applicable.
Furthermore, the term “PI Processors” in Hong Kong might refer to the “data users” as per the PDPO, given the Draft Guide’s potential regulation of Hong Kong data flow to the Mainland. This should also be clarified in the official version of the Draft Guide.
The Draft Guide outlines principles and specific requirements for cross-border PI protection in the GBA, covering the life cycle of data processing, the protection of PI rights and PI security. It draws from the PIPL and the PDPO, but aims to offer stricter and more detailed requirements.
Basic Principles
Besides the common principles of the PIPL and the PDPO, the Draft Guide adds special principles for inter-regional rule linkage. For example, PI Processors should adhere to local laws according to the principle of territoriality; cross-border PI processing should comply with legally binding documents' provisions and commitments.
Specific Protection Requirements
The Draft Guide mostly reflects the PIPL requirements, except when it specifies that local laws should be followed. It also includes direct marketing rules based on the Mainland laws, e.g., the “Advertising Law” and the “Measures for the Supervision and Administration of Online Transactions”.
This approach intends to harmonise the level of data protection across the GBA. However, it lacks approval from higher-level laws and could hinder the transfer of Hong Kong data to the Mainland. Specifically:
The PDPO does not align with all obligations of the PIPL and the Draft Guide concerning data collection, disclosure, processing, transfer and the protection of personal rights. Legal concepts in the PDPO also differ from those of the Mainland[1]. Hence, Hong Kong PI Processors may face challenges in understanding and implementing the Draft Guide’s requirements, which the TC260 is not authorised to impose on them.
PI Processors in Hong Kong should be able to voluntarily adopt only those parts of the Draft Guide that do not conflict with local laws, with local laws prevailing in the event of any conflict. This approach would allow those who voluntarily participate in the GBA Certification mechanism to protect PI to the standards of Chinese law, while minimizing conflicts with local laws and regulations.
Given the Mainland’s stricter data export restrictions compared with Hong Kong, using PIPL-based GBA Certification for Hong Kong data entering the Mainland could hinder data flow.
Moreover, the Draft Guide stipulates more detailed requirements on PI security for PI Processors than the currently effective requirements under the PIPL and the PIPL Certification regime, including:
Specifically, it states that onward data transfers should remain within the GBA. The PI Processor shall take measures such as contractual agreement, commitments to certification authorities, filing with competent authorities, regular audits of recipient logs and annual self-assessments of data export security risks to prevent the recipient from transferring the received PI to a third party outside the GBA.
Both the Draft Guide and the GBA SCCs limit the recipient’s ability to transfer PI outside the GBA. This might be intended to prevent Hong Kong from being used by exporters to circumvent the Mainland data export regime. It also implies that the GBA Certification mechanism might be simpler than the current PIPL Certification regime.
In this regard, we recommend that the Draft Guide should clarify the principle of voluntariness and allow Hong Kong PI Processors to voluntarily choose whether to transfer PI to the Mainland through the GBA Certification mechanism.
We propose the following amendments:
Takeaways for GBA PI Processors
For Mainland GBA PI Processors:
For Hong Kong PI Processors: