Unravelling the GBA Standard Contract: Cross border data transfer between Hong Kong and the GBA cities in Mainland China

1. When do companies need to start using the GBA SC: 
   
   The GBA SC takes effect from 10 December 2023. Any cross-border transfer of personal information can only be carried out when the signed GBA SC takes effect if the GBA SC is to be relied upon as a compliance mechanism for data outbound transfers.
    
2. Can we alter the terms under the GBA SC:
   
   Under Article 6 of the Guidelines, the GBA SC must be adopted in strict accordance with the annexes to the Guidelines. The parties to the GBA SC may include additional terms and conditions provided that the terms do not conflict with the main terms in the GBA SC.
   
   A supplemental agreement or a new standard contract is necessary if the processing of personal information exceeds the agreed purposes of processing, means of processing and the categories of personal information processed.
    
3. Territorial scope:
   
   The parties can enter into the GBA SC to conduct cross-border flow of personal information between the nine cities in the GBA (namely Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing in Guangdong Province) and Hong Kong.
    

4. Types of personal information:
   
   All types of personal information can be transferred across borders between the Mainland and Hong Kong in the GBA, except for ‘important data’ that has been notified by relevant Chinese authorities, regions or being publicly released as important data. The Guidelines did not define what constitutes ‘important data’[4], in practice, this suggests that personal information can flow freely unless otherwise notified or publicly released by the authorities.
    

5. Any limit on the volume of data to be transferred:
   
   The Guidelines is silent on the volume of personal information that can be transferred between the nine GBA cities and Hong Kong.
   
   This is different from the position under the Measures for Security Assessment for Data Outbound Transfers in China, where conditions for mandatory security assessments may be triggered if there are transfers of large volumes of personal information.
   
   This seems to suggest that personal information processors in the GBA will not be subject to these requirements when using the GBA SC.
    

6. Any onward transfer restrictions on personal information:
   
   Onward transfer of personal information to outside the GBA is not allowed.
   
   For general onward transfers to third parties in Mainland cities within the GBA and Hong Kong, the requirements are more relaxed when compared to the Standard Contract for the Outbound Transfer of Personal Information issued by the CAC ("PRC nationwide SC”).
   
   Personal information may be transferred to third parties in the Mainland cities within the GBA or Hong Kong by the recipient if:

   (a)  there is a business need for the transfer;
   (b)  the personal information subject has been informed of such onward transfer with relevant details provided;
   (c)  consent has been obtained from the personal information subject in accordance with the laws and regulations of the jurisdiction of personal information processor;
   (d)  personal information is provided to the third party in accordance with the terms set out in the GBA SC “Description of cross-boundary transfer of personal information”.
   
   Restrictions from the PRC nationwide SC, such as requiring a data processing agreement with the recipient of the onward transfer under terms and conditions that are no less stringent than the data protection standard in the PRC nationwide SC, and providing that agreement to the personal information subject upon request, has been removed in the GBA SC. However, there are still some requirements that are kept in the GBA SC on, for example the data importer being required to inform the personal information subject of the name and contact information of the third party, purpose of handling and retention period of their personal information.
    
7. Personal information protection impact assessment requirement:
   
   The personal information processor is required to carry out a personal information protection impact assessment (“PIPIA”). The following is what is considered in the assessment:
   
   -  the legality, legitimacy and necessity of the purposes and means of processing personal information by the personal information processor and recipient;
   -  the impact on and security risks to the rights and interests of personal information subjects;
   -  whether the obligations undertaken by the recipient, as well as its management and technical measures and capabilities to perform the obligations can ensure the security of personal information transferred across the boundary.
   
   The personal information processor must conduct another PIPIA afresh if there are any changes to the personal information in terms of the scope, purpose, categories, means, or the recipient’s use and means of personal information processing, or the retention period is extended. 
    
8. Filing requirement:
   
   The GBA SC is subject to filing requirement, however, compared to the PRC nationwide SC regime, the filing procedure is much more simplified. 
   
   The personal information processor and recipient of personal information shall within ten (10) business days (from the effective date of the GBA SC) file the GBA SC with the Internet Information Office of Guangdong Province (广东省互联网信息办公室) or the Office of the Government Chief Information Officer of Hong Kong, the following documents:
   (a)  the signed GBA SC;
   (b)  the letter of commitment; and
   (c)  a copy of the legally designated representative’s identity documents.
   
   Supplemental filings will be required if there are any subsequent changes to the terms and conditions (including but not limited to the purpose, scope, type of personal information to be transferred, or extending the retention period of personal information) of the GBA SC.
   
   The Guidelines do not require the parties to file the PIPIA report.
    
9. What is the governing law if there is a dispute and what about arbitration:

   
   The GBA SC will be construed in accordance with the relevant laws and regulations of the jurisdiction of the personal information processor and can be governed by either the laws of Hong Kong or the Mainland.
   
   The GBA SC provides that disputes can be resolved by legal proceedings in Mainland or Hong Kong courts, and by arbitral proceedings in either the China International Economic and Trade Arbitration Commission, China Maritime Arbitration Commission, Guangzhou Arbitration Commission, Guangdong-Hong Kong-Macao Greater Bay Area International Arbitration Centre and the Hong Kong International Arbitration Centre.
    

10. What happens if the parties failed to perform the obligations under the GBA SC or if there is a data breach incident:

    
    Any organisation or individual can lodge a complaint or report to the regulatory authorities[5] if they discover parties have failed to perform the obligations under the GBA SC or the Guidelines. The regulatory authorities can also request parties to make rectification if there are relatively high security risks in cross-boundary personal information processing activities or security incidents have already occurred.
    
    Further, if there is any security incident or leakage of personal information, the personal information processor or recipient shall take remedial measures immediately and notify the regulatory authorities.
     

[1] Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)