Law & Taxation

Cross-border transfer of personal information between Hong Kong and nine Mainland cities to become less onerous with new contract

On 13 December 2023, the Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of Hong Kong (the “ITIB”) jointly promulgated, with immediate effect, the “Implementation Guidelines on the Standard Contract for Cross-border Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (the “Guidelines”). The Guidelines aim to facilitate the exchange of personal information between Hong Kong and nine cities in South-East China (i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing) by introducing a standard contract (the “GBA Standard Contract”).  Individuals and organisations in those cities and Hong Kong have the option to enter into the GBA Standard Contract so that they can transfer personal information within the GBA on less onerous terms than those under the standard clauses for personal information transfers that are mandatory in the People’s Republic of China (the “PRC Standard Contract”). In this article, a reference to the Greater Bay Area (the “GBA”), which is a term that normally includes the nine above-mentioned Mainland cities, Hong Kong and Macau, is a reference to the GBA excluding Macau.

Voluntary nature of the GBA Standard Contract

Parties exchanging personal information in the GBA have the option, but not an obligation, to enter into a GBA Standard Contract.  Hong Kong parties to a GBA Standard Contract are not exempted from, and should comply with, the provisions of Hong Kong’s data privacy protection law – the Personal Data (Privacy) Ordinance, Cap. 486 (the “PDPO”).  In addition, Hong Kong parties should be aware that unlike the PDPO, which does not prohibit transfer of personal information outside Hong Kong, the GBA Standard Contract does not allow transfer outside the GBA of personal information received under a GBA Standard Contract.

Conditions of the GBA Standard Contract

A precondition for use of the GBA Standard Contract is that both the personal information processor (the “PI Processor”) and recipient (the “PI Recipient”) are registered (in the case of organizations) or located (in the case of individuals) in the GBA.

Parties entering into the GBA Standard Contract must comply with the following main requirements:

1. No personal information may be transferred, whether directly or by way of onward transfer, outside the GBA. Companies in the GBA which share IT systems with affiliates outside the GBA should ensure that personal information exchanged under a GBA Standard Contract cannot be accessed from outside the GBA.  
2. Prior to the cross-border transfer of personal information, the PI Processor must inform the person whose personal information is to be transferred or obtain the consent of such person to the transfer as required by the laws of the PI Processor’s jurisdiction. 
3. Prior to the cross-border transfer of personal information, the PI Processor must conduct a personal information protection impact assessment on, amongst others, the legality, legitimacy and necessity of the purposes and means of the personal information processing, the impact on and security risks to the rights and interests of the person whose personal information is transferred and whether measures are in place to ensure the security of the transferred personal information. 
4. If during the processing of personal information by the PI Processor or the PI Recipient there is a personal information security breach, the PI Processor or the PI Recipient (as applicable) must immediately notify the Cyberspace Administration of Guangdong Province or the ITIB, as applicable, and take remedial measures. 

The PI Processor and the PI Recipient must file the GBA Standard Contract within 10 working days from its effective date with the Cyberspace Administration of Guangdong Province (if based in China) and the Office of the Government Chief Information Officer (if based in Hong Kong).  

Advantages of the GBA Standard Contract 

The GBA Standard Contract allows personal information to be exchanged with fewer restrictions when compared to the PRC Standard Contract. The following are two examples of this:   

1. The GBA Standard Contract does not impose the PRC Standard Contract’s restrictions on the volume of personal information that can be transferred across the border (except if such personal information is considered “critical data”). 
2. Under the GBA Standard Contract, when a PI Recipient transfers the personal information it has received to a subsequent recipient it does not need to do so on terms and conditions that are at least as stringent as the PRC laws applicable to the transfer of personal information. 

Conclusion 

The GBA Standard Contract is expected to facilitate the cross-border flow of personal information within the GBA by allowing parties to elect a transfer regime that is less stringent when compared to the one available under the PRC Standard Contract. Companies in Hong Kong which exchange information with companies in the GBA and wish to adopt the GBA Standard Contract should take adequate measures to prevent the flow of information outside the GBA and ensure their continued compliance with the PDPO. 

Nicolas Vanderchmitt | Erik Leyssens | Camilla Venanzi