On November 1, 2023, the National Information Security Standardization Technical Committee (全国信息安全标准化技术委员会) (“TC260”, a policy-making body under the Cyberspace Administration of China (“CAC”)) launched a public consultation on draft Practice Guidelines for Cybersecurity Standards - Requirements for Cross-Boundary Personal Information Protection within the Guangdong-Hong Kong-Macau Greater Bay Area (“GBA”) (网络安全标准实践指南—粤港澳大湾区跨境个人信息保护要求(征求意见稿)) (the “Draft Guideline”) (see here (Chinese only)).
The Draft Guideline represents an important first step towards a much-anticipated relaxation of restrictions on flows of personal data across the GBA, as envisaged in the Memorandum of Understanding to Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macau Greater Bay Area agreed by the CAC and Hong Kong’s Innovation, Technology and Industry Bureau (the “GBA MOU”) (please see our previous post here). Specifically, the Draft Guideline aims to establish standards against which certification of cross-border transfers under the GBA MOU would be administered.
Under the Personal Information Protection Law (“PIPL”) and the Measures for Security Assessment for Cross-border Data Transfer, personal information handlers transferring personal information from Mainland China are required to obtain data subjects’ separate consent and satisfy at least one of the following regulatory formalities: (i) passing the CAC security assessment, (ii) obtaining a third-party certification, or (iii) entering into standard contractual clauses (“SCCs”) with the offshore data recipient and filing the SCCs together with a report on personal information protection impact assessment (“PIPIA”). The above requirements apply to all transfers of personal information from mainland China, including cross-boundary transfer to the Hong Kong Special Administrative Region (“Hong Kong”) and the Macau Special Administrative Region ("Macau"). Recent draft measures by the CAC propose to relax these requirements in relation to some transfers, but these measures have not yet been finalized (please see our previous post here).
Organizations have found the CAC’s restrictions on international transfers of personal data difficult to navigate in practice. The announcement of the GBA MOU was met with enthusiasm for a more practical approach to cross-border regulation, at least in relation to cross-boundary transfers of data from Guangdong province to Hong Kong and Macau.
Hong Kong’s Personal Data (Privacy) Ordinance (the “PDPO”) regulates the processing of personal data in Hong Kong. Notably, there is no additional compliance requirement in respect of cross-boundary transfers of personal data from Hong Kong to mainland China or Macau, although organizations collecting personal data in Hong Kong are required to ensure that PDPO requirements continue to be met in respect of personal data transferred to other jurisdictions.
The Draft Guideline outlines the standards under which third-party certification of cross-boundary transfers of personal information from Mainland China to Hong Kong will be assessed (transfers to and from Macau are not yet addressed). In substance, the Draft Guideline sets out a number of basic principles and requirements drawn from China’s PIPL and Hong Kong’s PDPO. The Draft Guideline is clear that the applicable territorial laws continue to apply irrespective of the certification. Here it is important to note that the PIPL is a recent law drawing heavily from the GDPR, the current “gold standard” for data protection internationally. The PDPO, passed in 1995 and with few substantive amendments since, represents a much lower standard of data protection. This mismatch of requirements means that the standards applicable under the Draft Guideline are necessarily skewed towards compliance with the more onerous mainland requirements. In practice, if Hong Kong organizations, which currently face no restrictions on cross-boundary transfers, seek certification, they will likely need to raise their data protection standards above and beyond what they currently have in place.
To elaborate, based on the Draft Guideline, personal information handlers on both sides of the boundary will be certified against a set of general obligations drawn largely from the PIPL, including:
The Draft Guideline introduces a number of controls specific to the use of personal data for marketing purposes, in particular:
The standards set out in the Draft Guideline require parties to a cross-boundary transfer to enter into and file a legally binding agreement setting out the purpose, manner and scope of the transfer, the type of data being transferred, and the retention period and storage location of the data being transferred. Critically, the agreement must specify that the recipient of the data will not transfer the data out of the GBA, meaning that the certification envisaged will not enable Hong Kong to serve as a broader transit point for outbound China data transfers.
The foregoing summary foreshadows a relatively heavy burden for certification of cross-boundary data transfers in the GBA, particularly as many of the requirements are very generally stated and would benefit from a more detailed statement of controls so that applicants for certification have a clear view of what is expected of them.
That being said, those who have been closely following developments with respect to the CAC’s regulation of international transfers of personal data will note that the certification contemplated by the Draft Guideline is actually narrower in scope when compared to the extensive review expected by the CAC under its security assessment or the PIPIA filing. In particular, the Draft Guideline does not delve so deeply into the cyber security topics that dominate the CAC’s security assessment, noting that Hong Kong does not yet have a counterpart to China’s Cyber Security Law or Data Security Law.
From a Hong Kong perspective, a key point of note is that outbound transfers to the mainland are currently unregulated, meaning that the standards envisaged by the Draft Guideline would represent a significant uplift in data protection controls. It remains to be seen if there is any upside for a Hong Kong organization to seek certification on this basis.
Hogan Lovells has been closely monitoring the regulatory development in cross-boundary data transfers, working with clients to develop practical solutions to managing cross-boundary business. Please reach out to any of the listed Hogan Lovells contacts should you have any specific questions.
Authored by Mark Parsons, Sherry Gong, Tommy Liu, and Flora Feng.