Learn more about our comprehensive legal services.
Advising our clients on different opportunities and challenges of the industry.
Developing a unique culture, which blends traditional client care with modern technology and working practices since 1851.
Stay up to date on the latest news and legal insights.
News & Insights
Authored by: Edwarde Webre and Jackie Chen
On 29 June, 2023, the Cyberspace Administration of China (“CAC”) and the Hong Kong Innovation, Technology and Industry Bureau (“ITIB”) signed a Memorandum of Understanding on Facilitating Cross-Border Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area (“Memorandum”). We set out below an overview of the key facilitation measures that have been subsequently issued on the basis of the Memorandum.
The GBA Standard Contract
On 10 December, 2023, the CAC and ITIB jointly released the Implementation Guidelines on the Standard Contract for the Cross-Border Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (“Guidelines”). These Guidelines introduce the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (“GBA Standard Contract”), which applies to the transfer of personal information between the nine Mainland cities in the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”) and Hong Kong. While the GBA Standard Contract is modelled on the nationwide Standard Contract for Cross-Border Personal Information Transfers (“Standard Contract”), it introduces reduced compliance obligations for the receiving party.
Key changes to the compliance requirements under the Guidelines include the following:
Furthermore, the Hong Kong parties to the GBA Standard Contract must file the GBA Standard Contract with the Hong Kong Digital Policy Office.
Mutual Recognition of Data Security
The Cybersecurity Standards Practice Guide—Requirements for Cross-Border Processing and Protection of Personal Information in the Greater Bay Area (Mainland, Hong Kong) (“Practice Guide”), published on 21 November, 2024, introduces a “Mutual Recognition of Security” framework for the cross-border transfer of personal information between the nine Mainland cities and Hong Kong in the GBA. Under this approach, cross-border data transfers can be facilitated by voluntarily applying for a GBA personal information cross-border security certification (for Mainland personal information processors or recipients) or by voluntarily joining the “Mainland-Hong Kong Cross-Border Data Transfer Recognition List” established by the PCPD (for Hong Kong personal information processors or recipients). It is worth noting that the Practice Guide merely outlines theses mechanisms and does not provide detailed implementing regulations at this stage.
The regulatory framework for cross-border data transfers in the GBA remains in its early stages of development. It is anticipated that the relevant authorities in Mainland China and Hong Kong will issue further regulations or guidelines under frameworks such as the Memorandum to enhance the facilitation of cross-border data flows within the GBA.
We are closely monitoring these developments and will provide timely updates as new information becomes available. Should you have any questions or require assistance with cross-border data transfers in the GBA, please feel free to contact us.
Subscribe to Publications
Sign up for our regular updates covering the latest legal developments, regulations and case law.