On Dec 13, 2023, a fresh announcement was released by Cyberspace Administration of China (CAC) and Innovation, Technology and Industry Bureau of the Government of the Hong Kong SAR (ITIBHK) together regarding the Implementation Guidelines on the Standard Contract for Cross-Border Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong), aiming to detail and clarify the cooperation measures for the Memorandum of Cooperation to Facilitate Data Cross-Border Flow within Greater Bay Area between CAC and ITIBHK in June.

This new Guideline intends to provide unified standards and regulations for the cross-border flow of personal information within the Greater Bay Area, and help reduce the cost for the data flow and promote the coordination and cooperation of personal information protection in the area. As a regional pilot program of great benefit and breakthrough, it further lowers the compliance burden of the enterprises in Greater Bay Area upon the Provisions on Regulating and Facilitating Cross-border Data Flow (Draft for Comment) in September. Some highlights for the Guidelines are:

1.    Applicability and restrictions. The Standard Contract for Greater Bay Area is applicable to the personal information processors and the recipients registered (applicable to organizations)/located (applicable to individuals) in nine cities of Mainland Guangdong within the Greater Bay Area or the Hong Kong SAR. As long as the enterprise is domiciled in the region or city as stipulated, the Guideline could apply. Some restrictions on the applicability of the Standard Contract for Greater Bay Area are: (1) personal information that has been classified or promulgated by the relevant authorities or regions as critical data is excluded from the Guideline; (2) the personal information processor shall not transfer to any organization or individual outside the Greater Bay Area.

2.    Exemptions for volume restriction of data flow. The Guideline further exempts the volume restrictions and threshold on cross-border flow of personal information within the Greater Bay Area. Specifically, to trigger the mainland Standard Contract, the data processor shall meet the following criteria: (1) not being a critical information infrastructure operator; (2) handling personal information of fewer than one million individuals; (3) having provided personal information of fewer than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year; and (4) having provided sensitive personal information of fewer than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year. Comparatively, as for the Standard Contract for Greater Bay Area, with no explicit threshold for the volume restrictions, the Guideline only requires the personal information processor’s obligation for notification and/or obtaining consent prior to the cross-border data transfer in compliance with the jurisdictional laws and regulations. This potentially means that for the scenario of cross-border data transfer over 100,000 individuals within Greater Bay Area, the Guideline could apply, and no need for the security assessment for cross-border data transfer within the area any more, which bears much lower compliance burden for the data processor.

3.    Simplified requirements for personal information protection impact assessment. The requirements and scope for a personal information protection impact assessment are loosened further as well, as stipulated by the Guideline. Comparing with the mainland Standard Contract, the Greater Bay Area version simplifies the assessment scope, deleting some specific requirements such as the scale, volume, scope, type, and sensitiveness of the out-bound data, and the impact for the agreement execution from the receipt’s jurisdictional laws, regulations, and policies for personal data protection, In addition, the personal information protection impact assessment report will not be required to submit, with only a undertaking letter required for recordal at local authority. These all could further help reduce the complex of the compliance effort and burden of the data processors.

The release of the Guideline strengthens the signal that the policy is navigating more open and flexible for cross-border data transfer. This measure could benefit the enterprises registered in the Greater Bay Area and effectively contribute to the reduction of compliance burden and costs pursuant to the cross-border flow of personal information for the enterprises and transactions within the area.