GBA Standard Contract to Promote Cross-Border Data Flow

Background

On 13 December 2023, the Innovation, Technology and Industry Bureau (ITIB) and the Cyberspace Administration of China (CAC) issued the “Standard Contract for the Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area Mainland, Hong Kong” (“the GBA Standard Contract”). This is the first facilitation measure under the framework of the “Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Greater Bay Area” which was signed on 29 June 2023.

The ITIB and CAC further released the “Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” on the same day.

Paul Chan, the Financial Secretary of Hong Kong, further published this in his Hong Kong 2024-25 Budget speech (Paragraph 96) on 28 February 2024 by stating that the Hong Kong government has initiated the early pilot implementation scheme of the GBA Standard Contract. They are inviting participants from the banking, credit referencing, and healthcare sectors for the first implementation stage. The Hong Kong government underscored its intention to gradually broaden the scope of facilitation measures. This will enable diverse business sectors in both regions to utilise cross-boundary data more seamlessly.

Purpose

The GBA Standard Contract aims to facilitate and streamline the arrangement on cross-border flow of personal information between the nine Mainland cities in GBA (i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing in Guangdong province, the “GBA Mainland Cities”) and Hong Kong.

The GBA Standard Contract

From the current cross-border transfer rules at the national level, the Standard Contract (“SCC”) is one of the three mechanisms to export personal information outside of Mainland China. The GBA Standard Contract will exclusively apply to data flows between the GBA Mainland Cities and Hong Kong.

There are no changes for data users in Hong Kong regarding restrictions on transferring personal information outside the jurisdiction. The GBA Standard Contract does not affect the implementation of the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong. Meanwhile, if a data user in Hong Kong intends to conduct cross-boundary personal data transfers to GBA Mainland Cities, the Office of the Privacy Commissioner for Personal Data encourages the parties to adopt the GBA Standard Contract for such transfers, as it also fulfills the regulations under PDPO.

The GBA Standard Contract can be adopted on a voluntary basis. Since 1 January 2024, organisations or individuals that are interested to participate in the early and pilot implementation arrangement should submit an “Express of Interest form” to the Office of the Government Chief Information Officer (OGCIO). The OGCIO will conduct an initial review on the received forms and acknowledge the organisations or individuals’ intentions to participate in the early and pilot implementation scheme.

The concerned organisations or individuals can then enter into the GBA Standard Contract with their counterparties in the GBA Mainland Cities. Both the data processor and recipient must conduct the required filing procedures of the GBA Standard Contract with their respective competent authorities, i.e. CAC of Guangdong province or OGCIO. Notably, the data processors and the recipients must be registered (for organisations)/located (for individuals) in the GBA or Hong Kong.

The GBA Standard Contract will not apply to:

1. any transfer or secondary transfer to recipients outside of the above territorial scope; and
2. any transfer of “important data”. 

Comparison between the SCC and the GBA standard contract

The GBA Standard Contract imposes less stringent requirements for implementation compared to the SCC, thereby easing the data exporter’s obligations. We outline the following key relaxation measures provided by the GBA Standard Contract.

1. For data exporters in the GBA Mainland Cities, there is no volume threshold that may trigger the security assessment under the SCC - a much welcome approach for data rich businesses in these GBA cities.
2. The GBA Standard Contract narrows down the scope of the Personal Information Protection Impact Assessment (PIPIA) by excluding certain key aspects required by the SCC, such as the assessment of the impact of local policies and regulations.
3. Filing of PIPIA is not required under the GBA Standard Contract. 
4. In the context of onward transfers to third parties within the same jurisdiction, some restrictions from the SCC have been removed in the GBA Standard Contract. For example, data exporters are not required to enter into a separate agreement with the third party or provide a copy of the written agreement to the data subjects upon request.

The National Level’s Regime – the CAC's draft provisions

On 28 September 2023, the CAC issued the “Provisions on Regulating and Promoting Cross-Border Data Flows (Draft for Public Consultation) (规范和促进数据跨境流动规定（征求意见稿））” (“the Draft Provisions”). The GBA Standard Contract can be seen as a supplement to the national-level Draft Provisions to relax cross-border data transfer restrictions. The finalization of the Draft Provisions will certainly improve the clarity of the applicability of the GBA Standard Contract.

As an illustration, the Draft Provisions sought to clarify the statutory definition of “important data”, specifically, the data processors may comfortably assume that they are not exporting important data, unless the data transferred has been labelled as “important data” by the regulator or local authorities and notified the same to the exporter, or falls within the scope of “important data” that has been publicly announced (e.g. some industry rules and standards may set out certain types of “important data”). Conversely, data processors may adopt the GBA Standard Contract if the data exported are not announced or classified as “important data”.

The proposed relaxation of the cross-border data transfer rules at the national level demonstrates the willingness of Mainland China regulators to create a more favourable legal landscape to promote cross-border data flow.

What’s next?

Businesses should keep an eye on the development of the Draft Provisions, in addition to the finalization of the draft “Practical Guidelines on Cross-border Personal Information Protection Requirements in GBA” issued by the China’s National Information Security Standardisation Technical Committee (TC260) for public consultation on 1 November 2023. The proposed exemptions under these regimes may further enhance the incentive to adopt the GBA Standard Contract for organisations based in Hong Kong or GBA Mainland Cities.