Ten Questions and Answers on Filing the Standard Contract for Cross-border Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area
The "Implementation Guidelines on the Standard Contract for Cross-border Personal Information Flow within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)" aim to facilitate cross-border data flow in the Greater Bay Area. This article interprets key compliance points through ten core questions: the applicable entities include organizations registered in the nine Mainland GBA cities and Hong Kong (including branches); Mainland processors still need to obtain individual consent for cross-border data provision, and data is strictly prohibited from flowing outside the GBA; provision to a third party in the same Hong Kong jurisdiction requires strict conditions. Although the Guidelines simplify the personal information protection impact assessment requirements and do not require submission of assessment reports, the assessment obligation is not exempted. The article also clarifies the notification targets for security incidents, special compliance obligations for sensitive personal information, re-filing requirements for processing that exceeds the agreed scope, the partial alleviation of the recipient's obligations alongside a new obligation to give notice of government data access requests, compulsory notification to territorial regulators upon contract termination, and mandatory application of Mainland law. Overall, the Guidelines facilitate cross-border data flow in the GBA but do not substantively change the existing Mainland compliance framework. Enterprises must still strictly implement the Personal Information Protection Law requirements and closely monitor subsequent supporting regulations.
On December 13, 2023, the Cyberspace Administration of China (hereinafter referred to as the “CAC”) published on its official website the “Implementation Guidelines on the Standard Contract for Cross-border Personal Information Flow within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (hereinafter referred to as the “GBA Implementation Guidelines”). The GBA Implementation Guidelines were jointly formulated by the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region. Regarding the filing of the standard contract for cross-border personal information flow from the Mainland to Hong Kong within the Guangdong-Hong Kong-Macao Greater Bay Area (hereinafter referred to as the “GBA”), we have compiled the following ten questions with corresponding answers and discussion.
Question
1. Can a branch registered in the GBA apply the GBA Implementation Guidelines?
Answer
Article 2 of the GBA Implementation Guidelines clearly provides that personal information processors (this article only refers to organizations, hereinafter the same) shall be registered in the nine Mainland GBA cities (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing) or Hong Kong. Given that personal information processors under the Personal Information Protection Law of the People’s Republic of China (hereinafter referred to as the “PIPL”) are not limited to legal persons, we tend to believe that branches registered in the Mainland GBA may apply the GBA Implementation Guidelines.
Question
2. Is consent of the personal information subject still required before cross-border provision?
Answer
Article 4 of the GBA Implementation Guidelines provides that before cross-border provision, the personal information processor shall fulfill the notification obligation “or” obtain consent in accordance with territorial laws and regulations. The term used here is “or,” not “or/and.” Does this mean that for Mainland personal information processors, they only need to fulfill the notification obligation? We believe that Mainland personal information processors still need to obtain the consent of the personal information subject, because Article 39 of the PIPL clearly provides that cross-border provision requires both fulfilling the notification obligation and obtaining separate consent.
Question
3. After Hong Kong Company A receives personal information from the Mainland, can it provide it to its European headquarters or Hong Kong Company B?
Answer
The GBA Implementation Guidelines are formulated to promote cross-border data flow in the GBA and clearly provide that personal information shall not be provided to organizations or individuals outside the GBA. Therefore, the European headquarters company cannot access personal information that the Hong Kong company obtained from the Mainland.
According to Article 3 of Appendix 1, the “Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) Standard Contract for Cross-border Personal Information Flow” (hereinafter referred to as the “GBA Standard Contract”), personal information may be provided to Hong Kong Company B within the same jurisdiction only if the following four conditions are simultaneously met:
- There is a genuine business need;
- The provision is made in accordance with the agreement in Appendix I “Description of Cross-border Personal Information Provision” to the GBA Standard Contract;
- The personal information subject has been informed of Hong Kong Company B’s name, contact information, processing purpose, processing method, types of personal information, retention period, and the methods and procedures for exercising personal information subject rights;
- Where personal information is processed based on consent, consent of the personal information subject shall be obtained.
Question
4. What simplifications are there for the personal information protection impact assessment?
Answer
The GBA Implementation Guidelines do not directly exempt the obligation to conduct a personal information protection impact assessment under Article 55 of the PIPL. However, compared with the February 2023 “Measures for the Standard Contract for Outbound Personal Information Transfer,” the GBA Implementation Guidelines have reduced the content that the assessment must focus on. They delete from the “National Standard Contract” under those Measures such items as “the scale, scope, types, and sensitivity of the outbound personal information,” “the risks of alteration, destruction, leakage, loss, and illegal use after personal information is transferred outbound,” “whether the channels for safeguarding personal information rights are unobstructed,” and “the impact of the personal information protection policies and laws of the country or region where the overseas recipient is located on the performance of the standard contract.”
Furthermore, Article 8 of the GBA Implementation Guidelines provides that the filing materials submitted by Mainland personal information processors to the Guangdong CAC do not include the personal information impact assessment report required under the “Measures for the Standard Contract for Outbound Personal Information Transfer.” However, combined with the third point of the commitment in Appendix 2 “Commitment Letter (Template)” to the GBA Implementation Guidelines—“The personal information protection impact assessment was completed within 3 months before the filing date, and no significant changes have occurred up to the filing date”—Mainland personal information processors still need to conduct personal information protection impact assessments in accordance with law; only the assessment report is no longer required as a filing submission material.
Question
5. Should Mainland personal information processors notify the Guangdong CAC or the national CAC in the event of a personal information security incident?
Answer
Article 11 of the GBA Implementation Guidelines provides that in the event of a personal information leakage or other security incident, the Mainland personal information processor shall, in accordance with territorial requirements, notify “the Cyberspace Administration of China and the Cyberspace Administration of Guangdong Province.” The notification target here needs to be clarified. If reference is made to the reporting target under the “Measures for the Reporting of Cybersecurity Incidents (Draft for Comments)” published by the national CAC on December 8, 2023, then major or especially major cybersecurity incidents should be reported to the national CAC.
Question
6. Do Mainland personal information processors still need to pay special attention to sensitive personal information?
Answer
The key assessment content in the GBA Implementation Guidelines does not specify the sensitivity of personal information. The triggering circumstances for re-filing do not provide for changes in sensitivity. The obligations of personal information processors do not include notifying the necessity of providing sensitive personal information and the impact on the personal information subject’s rights and interests. Appendix I “Description of Cross-border Personal Information Provision” to the GBA Standard Contract does not require a description of “types of outbound sensitive personal information.” Nevertheless, we tend to believe that Mainland personal information processors should still fulfill corresponding compliance obligations in accordance with Mainland regulations on sensitive personal information, such as the special notification obligation under Article 30 of the PIPL.
Question
7. If the recipient exceeds the agreed processing purpose, processing method, and types of personal information processed, does it need to re-obtain consent?
Answer
In the event of such a change, the “National Standard Contract” provides that where personal information is processed based on individual consent, separate consent of the personal information subject shall be obtained in advance. However, Article 3 of the GBA Standard Contract provides that the recipient shall notify the personal information processor in advance, supplement or re-conclude the standard contract, and go through corresponding filing procedures. Whether the GBA Standard Contract replaces separate consent with re-filing requires further clarification by the Mainland cyberspace authorities.
Question
8. Does the GBA Standard Contract alleviate the obligations or responsibilities of the personal information recipient?
Answer
Article 3 of the “National Standard Contract” requires the overseas recipient to undertake to allow the personal information processor to access necessary data files and documents, and to undertake to provide relevant records of personal information processing activities to regulatory authorities, directly or through the personal information processor, in accordance with relevant laws and regulations. The GBA Standard Contract does not retain these two points, which will facilitate the signing of the standard contract text and reduce communication costs between the parties.
It should be noted that Article 3 of the GBA Standard Contract adds a new obligation: where the government department or judicial authority at the recipient’s location requests the recipient to provide personal information under the standard contract, the recipient has the obligation to immediately notify the personal information processor.
Question
9. Must the Mainland personal information processor notify the territorial regulatory authority after terminating the standard contract?
Answer
The “National Standard Contract” provides that the personal information processor has the right to terminate the standard contract under specific circumstances and notify the regulatory authority “when necessary.” However, Article 6 of the GBA Standard Contract clearly provides that the personal information processor shall notify the territorial regulatory authority. We understand that the territorial regulatory authority here refers to the Guangdong CAC. Article 6 of the GBA Standard Contract also deletes one of the triggering circumstances for the termination right under the “National Standard Contract”: “where compliance by the recipient with this contract would violate the laws of the country or region where it is located.”
Question
10. Can the GBA Standard Contract signed for the flow of personal information from the Mainland to Hong Kong stipulate the application of Hong Kong law?
Answer
Article 8 of the GBA Standard Contract provides that the formation, validity, performance, and disputes of the contract shall be governed by the territorial laws and regulations of the “personal information processor.” Article 1 simultaneously clearly defines that the “personal information processor” referred to in this contract is the cross-border personal information provider. When personal information flows from the Mainland to Hong Kong, the personal information cross-border provider is located in the Mainland. Therefore, Mainland laws and regulations shall apply, and the parties may not agree to apply Hong Kong law.
Conclusion
The issuance of the GBA Implementation Guidelines is conducive to promoting cross-border data flow in the Guangdong-Hong Kong-Macao Greater Bay Area. However, regarding the flow of personal information from the Mainland to Hong Kong, the GBA Implementation Guidelines do not substantively change the existing standard contract filing-related compliance obligations under Mainland laws and regulations such as the Personal Information Protection Law. Mainland personal information cross-border providers should closely monitor the official issuance of the “Provisions on Regulating and Promoting Cross-border Data Flow” currently being consulted and make corresponding preparations in advance.