To facilitate cross-border data flows within the Greater Bay Area, on December 13, 2023 China issued the Guidelines on the Standard Contract for Outbound Transfer of Personal Information Within the Greater Bay Area, including Hong Kong.
Onward transfer of personal information outside the Greater Bay Area is not allowed under the Guidelines.
China’s Personal Information Protection Law (“PIPL”) has been in effect for over two years. China has established three cross-border data transfer mechanisms under the PIPL: passing a security assessment conducted by the Cyberspace Administration of China (“CAC”); obtaining personal information (“PI”) protection certification from an authorized third party; and forming a contract with the foreign party receiving the PI in accordance with the standard contractual clauses (“SCCs”) established by the CAC.
In an effort to facilitate cross-border data transfer within the Greater Bay Area (“GBA”) (without needing to implement one of the three mechanisms mentioned above), on June 29, 2023, the CAC and the Hong Kong Innovation, Technology and Industry Bureau entered into a Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area” (“the Memorandum”) to jointly promote cross-border data flow within the GBA, comprised of nine Mainland cities (see below), Hong Kong and Macao. Against this background, the CAC and the Hong Kong Innovation, Technology and Industry Bureau issued the Guidelines on the Standard Contract for Outbound Transfer of Personal Information Within the GBA (Mainland, Hong Kong) (“Guidelines”) and GBA SCCs on December 13, 2023.
The Guidelines apply to PI handlers and recipients who are registered or located in the Mainland cities within the GBA (including Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing), and conduct cross-border PI transfer from the above Mainland cities to Hong Kong and vice versa. Notably, the Guidelines do not extend to Macau, to PI that has been classified as “important data” by the relevant authorities, or to onward PI transfers outside the GBA.
As noted above, the CAC had previously released (on February 24, 2023) the Measures on Standard Contract for Cross-Border Transfer of Personal Information (“SCC Measures”) for transferring PI outside China. (Note: For more details on the SCC Measures, see XL Law’s Insights article from March 9, 2023 summarizing the Measures). Important differences between the SCC Measures and the Guidelines include the following:
The SCC Measures require the PI handler to submit the cross-border transfer PI impact assessment report to the CAC prior to transfer. Although the Guidelines still require the PI handler to conduct a PI impact assessment, the filing procedures are simplified, and the PI handler does not need to submit the PI impact assessment report to Chinese authorities.
The contents of the PI impact assessment are also simplified. Under the SCC Measures, the PI handler prepares the PI impact assessment report by considering multiple factors, including: 1) the legality, legitimacy, and necessity of the purpose, scope, and method of handling; 2) the size, scope, type, and sensitivity of PI, and the possible risks posed to the rights and interests in PI arising from the transfer; 3) the obligations that the overseas recipient undertakes to assume, and whether the overseas recipient's management and technical measures and capabilities to fulfill such obligations can ensure the security of the PI to be transferred abroad; 4) the risk that the PI may be tampered with, destroyed, divulged, lost, or illegally used, after its outbound transfer; and whether there are smooth channels for individuals to protect their rights and interests in the PI; and 5) the impact of PI protection policies and regulations in the country or region where the overseas recipient is located on the performance of the standard contract. Requirements under the Guidelines are notably simpler, with “scope of handling” removed from the first requirement, “size, scope, type, and sensitivity of PI” removed from the second requirement, and the fourth and fifth requirements removed entirely.
The Guidelines lighten the recipient’s obligations. The SCC Measure requires the recipient to provide the PI handler access to review the necessary data, documents, and files, and to provide the relevant records and documents to the authorities directly or through the PI handler, as required by the relevant laws and regulations. The Guidelines eliminate these requirements.
Implications for U.S. Higher Education Institutions
U.S. higher education institutions may rely on the Guidelines to ease data transfer restrictions within the GBA. However, because onward transfer of PI outside the GBA is not allowed under the Guidelines, institutions cannot use the Guidelines to transfer PI from Mainland China to other countries via the GBA. The cross-border transfer of PI from Mainland China to other countries is still subject to one of the three mechanisms mentioned above, and the cross-border transfer of PI from Hong Kong to other countries is regulated by the Hong Kong Personal Data (Privacy) Ordinance. Depending on the location of an U.S. institution’s overseas educational activities, therefore, the Guidelines may be of limited use in terms of facilitating the cross-border transfer of PI.