Legal development

Mainland China, Hong Kong and creating a GBA data hub

    The signing of the "Framework Agreement on Deepening Guangdong–Hong Kong–Macao Cooperation in the Development of the Bay Area" (深化粤港澳合作推进大湾区建设框架协议) on 1 July 2017 heralded the public use of the term "Guangdong-Hong Kong-Macao Greater Bay Area" ("GBA"). Since then, there has been regular discussion and speculation regarding the GBA's role in the economies of mainland China and the Special Administrative Regions of Hong Kong ("Hong Kong") and Macau ("Macau").

    The integration of businesses and social activities within the GBA, including partnerships and joint efforts in the banking, medical and education sectors, has made data flow of particular importance. Public literature on this issue dates back to December 2019, when the City University of Hong Kong produced the Proposal for Hong Kong to be a Data Center Hub for the Greater Bay Area and China.

    While those discussions have continued in the background, until recently little has been said publicly by the relevant governments about this aim. This changed on 29 June 2023, when the Cyberspace Administration of China and Hong Kong's Innovation, Technology and Industry Bureau ("ITIB") signed the Memorandum of Understanding to Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macao Greater Bay Area ("MoU").

    In announcing the MoU, the Secretary for the ITIB, Professor Sun Dong, said:

    The National 14th Five-Year Plan indicates clear support for Hong Kong's development into an international innovation and technology hub. Facilitating data flow in the GBA is an important initiative for promoting the integrated and high-quality development of the GBA, lowering the compliance costs of enterprises and driving the development of Hong Kong's digital economy and proactively integrate Hong Kong into national development. The MoU also contributes to the convenient and orderly flow of cross-boundary data from the Mainland to Hong Kong, which is beneficial to building Hong Kong into a global data hub.

    Thoughts regarding the MoU and a "GBA data hub"

    With its legal framework and technology and telecommunications infrastructure, Hong Kong is well-placed to act as a global "data hub", and in particular to foster secure and efficient data transfers between mainland China and Hong Kong. What does this MoU mean for mainland China, Hong Kong and companies who hold and transfer personal data in these jurisdictions?

    Mainland China has, over the past year, adopted a number of measures pursuant to the Personal Information Protection Law ("PIPL") in relation to the transfer of personal information overseas. The most recent of these measures were in relation to the use of standard contractual clauses ("SCC") for cross-border transfer, which came into effect on 1 June 2023. Part of this was the introduction of a security assessment procedure and privacy impact assessments for the use and filing of such SCC.

    The Chinese SCC have both similarities to and differences from the equivalent standard contractual clauses under the General Data Protection Regulation ("GDPR"), and add another set of standard contractual clauses for international organisations to consider. Hong Kong does not have specific requirements in force regarding cross-border transfers of personal information from Hong Kong (as section 33 of the Personal Data (Privacy) Ordinance ("PDPO") is not in force), but the Hong Kong Privacy Commissioner ("Commissioner") has issued recommended (but not mandated) model contractual clauses for such transfers out of Hong Kong.

    Two particularly interesting notes from Professor Sun's speech and related announcements are:

    • The arrangements under the MoU will consider transfers both ways between mainland China and Hong Kong – previous industry understanding was that any GBA data measures would primarily focus on transfers only from Hong Kong to mainland China.
    • For personal information in Hong Kong, the PDPO and other existing regulations will continue to apply.

    Taking the speech and announcements as a whole, it appears that Professor Sun is referencing the creation of a SCC for the GBA (i.e. a "SCC lite") and/or standardised principles in relation to the transfer of personal data within the GBA (e.g. removing certain PIPL requirements when data is transferred from GBA to Hong Kong, or introducing specific data handling standards for Hong Kong?). Whether any forthcoming measures will then apply (partially or wholly) to onward transfer from GBA to wider mainland China remains to be seen.

    Given the array of cross-border transfer provisions (whether standard contractual clauses or model contractual clauses) and principles available – from jurisdiction-specific laws and from organisations such as APEC, ASEAN and the Global CBPR Forum – we believe any creation of the GBA data hub would be best served by adopting one or a mix of these robust templates, particularly given some of these have already been widely adopted in the market by both jurisdictions and large multinational organisations. The MoU's outcome may also offer organisations an avenue to comply with the aforementioned requirements for the SCC under the PIPL.

    Further amendments to the PDPO?

    All of this comes amidst potential further changes to the PDPO in Hong Kong. The Commissioner had indicated (in a briefing to the Legislative Council Panel on Constitutional Affairs in February 2023) that it is working closely with the Hong Kong Government to review the PDPO and propose further amendments to the PDPO, including introducing:

    • Mandatory data breach notifications - to the Commissioner and to impacted individuals, in situations where there is “a real risk of significant harm”. The proposed notification would have to be given within 5 business days from when the data user became aware of the breach.
    • Obligations for data processors in relation to personal data retention and security – noting that data processors are currently not directly regulated under the PDPO (the PDPO is focused on regulating data users).
    • A requirement for data users to maintain a data retention policy (as yet there are no further details regarding whether specific retention periods will be required).
    • Powers for the Commissioner to impose administrative fines (in addition to criminal fines pursuant to existing powers), with such fines potentially being based on annual turnover (similar to what the GDPR and other jurisdictions' privacy laws have introduced).

    While the Commissioner had indicated that such amendments would be finalised in the second quarter of this year, there have been no further public announcements regarding such proposed amendments.

    In the meantime, the Commissioner has recently (in June 2023) released an updated “Guidance on Data Breach Handling and Data Breach Notifications”, setting out recommendations on how to address a data breach under the PDPO – including the formulation of a data breach response plan and a step-by-step approach for containing damage after a data breach. This coincides with the Commissioner's release of an e-Data Breach Notification Form, providing a more convenient means of notification of data breach to the Commissioner. However, neither of these developments are mandatory; we therefore await further developments regarding any proposed amendments of the PDPO to address this (and other) aspects.

    Next steps

    We await further news from the MoU with interest. In the meantime, we will continue to assist multinational organisations with their global data compliance programs, including how the requirements of the PIPL and PDPO fit in within such programs.

    With thanks to Hannah Chiu (Intern) for contributing to this article.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.