In a strategic move to promote secure and orderly cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area, the Cyberspace Administration of China (CAC) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administration Region (Hong Kong SAR Government) jointly crafted the Implementation Guidelines for the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland China, Hong Kong) Personal Information Cross-Border Flow Standard Contract (Guidelines).
Issued on 13 December 2023, the Guidelines came into force immediately.
The Greater Bay Area Standard Contract for Personal Information Cross-Border Flow (i.e. the GBA Standard Contract) outlined in these Guidelines serves as an effective measure to facilitate the transfer of personal information between entities.
As per the Guidelines, data handlers and recipients registered (for entities) or located (for individuals) within the Greater Bay Area, specifically in Guangdong Province cities Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing, and the Hong Kong Special Administrative Region, can sign the GBA Standard Contract to share personal information across borders. Information, however, that is classified as important data by relevant departments or regions is excluded from this measure.
In adherence to the Guidelines, when engaging in cross-border transfer of personal information through the GBA Standard Contract, data handlers shall fulfil the obligations outlined in the contract, including:
- Informing data subjects or obtaining consent in accordance with the laws and regulations of the data handler’s jurisdiction before providing personal information across borders.
- Not providing personal information to organisations or individuals outside the Greater Bay Area.
Before implementing a cross-border transfer of personal information, data handlers are required to conduct a protection-impact assessment, focusing on legality, legitimacy, necessity, the impact on the rights of data subjects, security risks, and the recipient's capabilities to ensure security.
Within ten working days from the GBA Standard Contract’s effective date, data handlers and recipients must file the signed contract with the Guangdong Province CAC or the Office of the Government Chief Information Officer of the Hong Kong SAR Government, depending on the jurisdiction.
Comparison with nationwide standard contract approach
Compared to the nationwide standard contract approach stipulated under the Measures on Personal Information Outbound Transfer Standard Contract, the requirements for transfer through GBA Standard Contract under these Guidelines offer significant distinctions.
Under the nationwide approach, restrictions exist on the quantity of personal information transferred via the standard contract, requiring a security assessment if the volume exceeds a certain threshold. Additionally, a comprehensive protection impact assessment, aligned with CAC’s template outline, must be submitted for the filing.
In contrast, the Guidelines differ in several key aspects. There are no quantity limitations within the applicable scope. The Guidelines do not mandate that data handlers whose cross-border personal information transfer exceeds the threshold number for the security assessment are prohibited from transferring personal information through the GBA Standard Contract. Filing documentation does not necessitate submitting a data protection impact assessment prepared by the enterprise, which streamlines the process for data handlers in the Greater Bay Area. Importantly, the Guidelines are exclusive to the Greater Bay Area, reinforcing a commitment to regulate data flow within this specific region, and distinguishing this process from the broader nationwide standard contract approach.
The full text of the Guidelines can be found here (Chinese text only).
For more information on these Guidelines and data protection regulations in China, contact your CMS client partner or these CMS experts.