New Standard Contract Guidelines Streamline Cross-Border Personal Information Transfer in the GBA
China’s cybersecurity authority has released new guidelines for the use of standard contracts to perform cross-border personal information transfer in the Guangdong-Hong Kong-Macao Greater Bay Area. The new guidelines make it easier for companies located in the mainland portion of the Greater Bay Area and Hong Kong to use the simplified standard contract mechanism to perform personal information transfer between the two regions, thus facilitating normal business operations and improving cross-border connectivity.
In December 2023, the Cybersecurity Administration of China (CAC), China’s top cybersecurity authority, released a new set of guidelines for companies in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) to sign a standard contract to engage in cross-border personal information (PI) transfer between the mainland portion of the GBA and Hong Kong.
The GBA (Mainland, Hong Kong) Implementation Guidelines for the Standard Contract for Cross-border Flow of Personal Information (the “GBA guidelines”) are the result of an agreement between the CAC and the Innovation, Technology and Industry Bureau (ITIB) of Hong Kong to facilitate cross-border data flows and establish security rules for PI transfer within the GBA.
The GBA guidelines, which took effect on December 13, 2023, make it significantly easier for companies located in one of the nine mainland cities of the GBA to transfer PI to Hong Kong by expanding the scope of companies permitted to use the standard contract procedure, as well as simplifying filing procedures.
The efforts to streamline cross-border PI transfer align with the central goal of deepening integration between the mainland and offshore areas of the GBA and fostering a more business-friendly environment in the region.
What is a standard contract?
The standard contract is one of three possible mechanisms for companies to export PI collected from subjects in China, as stipulated in China’s Personal Information Protection Law (PIPL). The other two mechanisms are obtaining PI protection certification from a third-party agency and undergoing a cybersecurity review by the CAC.
The standard contract is arguably the simplest route to conducting cross-border PI transfer, as it does not require a security review by either the CAC or a third-party agency.
On June 1, 2023, the finalized standard contract measures for the whole of China came into force, providing clarity for companies seeking to engage in the cross-border transfer of PI. The standard contract measures stipulate what is considered “PI export activity” (required to understand which companies must undergo one of the PI export mechanisms), who is eligible for this mechanism, and the required contents of the standard contract, among other rules.
Under the standard contract mechanism, companies can sign a standard contract with the overseas recipient of the PI, in which both parties agree to certain PI protection obligations stipulated in the measures. Companies going this route will also be required to conduct a personal information protection impact assessment (PIPIA).
Who can enter into a standard contract under the GBA guidelines?
The GBA guidelines stipulate that PI processors (the companies engaging in PI export activity) and the PI recipients in the GBA may conduct cross-border PI transfers between the Chinese mainland and Hong Kong by voluntarily entering into a standard contract in accordance with the GBA guidelines. However, any PI that has been identified as “important data” by the government is excluded from the scope of data that can be transferred under these guidelines.
Only PI processors and recipients that are registered or located in one of the nine mainland cities of the GBA (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing) or Hong Kong can sign a standard contract under the GBA guidelines. Companies situated elsewhere in China transferring PI to Hong Kong, or any company in China looking to transfer PI to an overseas territory other than Hong Kong (including Macao and Taiwan) using the standard contract method, must follow the national standard contract measures. There are currently no regulations in force on cross-border transfer of PI for companies located in Hong Kong.
Procedures for transferring PI under a standard contract in the GBA
Meeting obligations and requirements stipulated in the standard contract
Companies that transfer PI across borders in the GBA through the conclusion of a standard contract must commit to certain obligations and responsibilities specified in the standard contract. This includes meeting the following conditions:
- Notifying or obtaining the consent of the PI subject before exporting the PI; and
- Not providing PI to organizations or individuals outside the GBA.
Note that the cross-border transfer of PI can only be carried out after the contract comes into effect. The standard contract must be concluded following the standard contract template and letter of commitment template provided along with the GBA guidelines. The PI processor can agree on other terms with the recipient, but they must not conflict with the contents of the standard contract template.
Conducting a PIPIA
Companies must also conduct a PIPIA before transferring the PI across borders. The PIPIA must focus on the following points:
- The legality, legitimacy, and necessity of the purposes and methods of processing the PI by the PI processor and the recipient;
- The impact on the rights and interests of the PI subjects and associated security risks; and
- Whether the obligations promised by the recipient, as well as the management and technical measures and capabilities to perform these obligations, can ensure the security of the exported PI.
Registering the standard contract
The PI processors and recipients must register the standard contract with the Internet Information Office of Guangdong Province or the Office of the Government Chief Information Officer (OGCIO) of Hong Kong within 10 working days from the effective date of the standard contract. The following materials must be submitted:
- Photocopy of the legal representative’s identity document;
- A letter of commitment; and
- The standard contract.
Changes to the circumstances of the PI transfer
PI processors should re-conduct a PIPIA, supplement or re-enter into a standard contract with the overseas recipient, and perform all corresponding filing procedures if any of the following changes occur:
- The purpose of the PI transfer;
- The scope or type of PI to be transferred;
- The method of PI transfer;
- The purpose or method of processing PI by the recipient;
- An extension of the period for which the recipient holds the PI; or
- Any other circumstances that affect or may affect the rights and interests of PI subjects.
Ongoing supervision of contract parties
The PI processors and recipients that enter into standard contracts to conduct PI transfers are subject to supervision and management by local regulatory agencies, as stipulated in the standard contract.
Duties in this regard include:
- Bearing the burden of proof in responding to inquiries from regulatory agencies and fulfilling the obligations and responsibilities of the contract;
- Accepting the supervision and management of the regulatory agency, including obeying the decisions made by the regulatory agency and providing proof that necessary actions have been taken; and
- Notifying the regulatory agency when the PI processor terminates the standard contract.
PI processors and recipients are also required to take immediate remedial measures and notify the CAC, Internet Information Office of Guangdong, the ITIB, the OGCIO, or the Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong (depending on the party’s jurisdiction) if they encounter a leak or other security incident when processing the PI.
How are the GBA guidelines different from regulations in the rest of China?
The GBA guidelines adhere closely to the standard contract measures for companies located in the rest of China. However, the GBA guidelines are simplified in a few key ways.
Removal of PI volume thresholds
The most important difference is that companies transferring PI between the mainland portion of the GBA and Hong Kong appear not to be subject to the same thresholds for PI volume that are stipulated in the standard contract measures.
In the standard contract measures, only companies that meet all of the following criteria are eligible to enter into a standard contract:
- They are not a critical information infrastructure operator (CIIO).
- They process the PI of fewer than one million people.
- Since January 1 of the previous year, they have exported the PI of fewer than 100,000 people out of China.
- Since January 1 of the previous year, they have exported the “sensitive” PI of fewer than 10,000 people out of China.
None of the above criteria are mentioned in the GBA guidelines, which suggests that companies that process higher volumes of PI are still permitted to use the standard contract mechanism. As this mechanism is significantly simpler than the mechanism required for companies processing higher volumes of data (a security review by the CAC), this will make it significantly easier for larger companies in the GBA to engage with subsidiaries and partners in Hong Kong. (Note that the GBA guidelines do exclude “important data” from the scope of PI that can be transferred using the standard contract mechanism.)
Simpler filing procedures
Another difference is that the filing procedures for the standard contract in the GBA are simpler than for the rest of the country. To file a standard contract to transfer PI from one of the nine mainland GBA cities to Hong Kong, companies only need to provide three documents, as listed above. Companies located elsewhere in the Chinese mainland wishing to export PI to Hong Kong, or companies located anywhere in the Chinese mainland exporting PI overseas, will be required to provide seven documents, including a copy of the PIPIA and Power of Attorney.
Shorter processing period
The processing period for the filing is also shorter in the GBA guidelines, at 10 days after the date of filing, as opposed to 15 days under the standard contract measures.
In its announcement of the new guidelines, the ITIB confirmed these tweaks to the standard contract measures in the GBA, stating that the new guidelines “lift the restriction on the volume of cross-boundary flow of personal data that a personal information processor can transfer under the Mainland’s framework on safe management of cross-boundary data flow, and simplify the relevant assessment contents in applicable personal information protection impact assessment”.
About Us
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.