Streamlining Data Exchange: Easing Cross-Border Regulations in the Greater Bay Area

Dec 30, 2023

The Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) has made progress in regulating cross-border data transfers within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA). By introducing new guidelines and mechanisms, the PCPD has provided individuals and organizations in the GBA with ways to manage data flow while following data protection rules.

China’s PCPD has launched the GBA SCC Guidelines to establish a unified approach to cross-border personal data transfers within the GBA’s ten cities. These guidelines offer an alternative route for transfers, allowing individuals and organizations to voluntarily enter into a standard contract called GBA SCCs. This mechanism applies to personal information (PI) flow between Mainland cities in the GBA and Hong Kong.

To comply with the GBA SCCs mechanism, certain conditions must be met. Firstly, both the PI processor and recipient must be within the GBA, emphasizing the importance of keeping data within the area. Additionally, there should be no onward transfer of personal information outside the GBA for the GBA SCCs mechanism to apply, protecting the privacy and security of personal data within the region.

However, it’s worth noting that the GBA SCCs mechanism doesn’t explicitly prohibit the transfer of personal information to entrusted sub-processors located outside the GBA. This matter needs clarification, as the Guangdong Cyberspace Administration rejects the idea of entrusted sub-processing outside the GBA.

One advantage of adopting GBA SCCs is the flexibility it offers organizations in protecting personal data according to their needs. Compared to the stricter requirements of the Personal Information Protection Law SCCs, the GBA SCCs have fewer implementation requirements, making compliance easier for entities operating within the GBA.

In line with the GBA SCC Guidelines, the Hong Kong Information Technology and Innovation Bureau (ITIB) and the Office of the Government Chief Information Officer (OGCIO) have released the “Policy Statement on Facilitating Data Flow and Safeguarding Data Security in Hong Kong.” This policy statement shows their commitment to data protection within the GBA.

To enhance cooperation between Mainland China and Hong Kong in promoting secure and efficient cross-border data transfers, the Cyberspace Administration of China (CAC) and ITIB have signed the Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the GBA. This agreement reflects the shared vision of both parties to create a data-friendly environment within the GBA.

It’s important to note that the GBA SCC Guidelines and the GBA SCCs mechanism don’t change any restrictions on personal data transfers from Hong Kong to Mainland China. The Personal Data (Privacy) Ordinance (PDPO) in Hong Kong still prohibits transferring personal data outside Hong Kong unless specified in the PDPO.

To ensure a smooth implementation of the GBA SCCs mechanism, the OGCIO in Hong Kong is closely collaborating with the Guangdong Cyberspace Administration. Together, they are establishing an early and pilot implementation arrangement called the Pilot Implementation within the GBA.

Although the GBA SCCs mechanism provides an alternative for cross-border data transfers, Mainland PI Processors in the GBA still have the option to export personal information outside the GBA using existing options under the PIPL. This flexibility allows businesses to explore different avenues while complying with data protection regulations.

The National Information Security Standardization Technical Committee (TC260) has also played a role in regulating cross-border data transfers within the GBA. Their issuance of the “Network Security Standard Practice Guide-Guangdong-Hong Kong-Macao Greater Bay Area Cross-Border Personal Information Protection Requirements” further emphasizes the commitment to data security and protection within the GBA.

In summary, the introduction of the GBA SCCs mechanism and the GBA SCC Guidelines is a step forward in simplifying cross-border data transfers within the GBA. With a focus on complying with data protection regulations, the flexibility and voluntary nature of these mechanisms provide businesses with the necessary tools to manage cross-border data transfers while protecting the privacy and security of personal information.