Cross-border data management: Cross-border flow of personal information in the Guangdong-Hong Kong-Macao Greater Bay Area (Li Peisheng) – EJ Tech

AuthorShing Leeis a senior founding member of the Data Literacy Association and writes a column for EJTech

Cross-border data management has become an important issue worldwide. As a rapidly developing region, the Guangdong-Hong Kong-Macao Greater Bay Area (mainland and Hong Kong) has attracted widespread attention for its standard contract on cross-border flow of personal information.

The Guangdong-Hong Kong-Macao Greater Bay Area spans mainland China, Hong Kong and Macao, and is a region with booming economy. As a financial and technological center, Hong Kong has an increasing demand for data flow with the mainland. On the basis of compliance and legality, in order to make data truly “live”, we have the following points worth noting:

Standard Contract for Cross-border Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area

The Standard Contract for Cross-border Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area refers to a contract standard formulated to promote the cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area, protect the rights and interests of personal information subjects, and regulate data processing behaviors.

• Purpose: The Standard Contract for Cross-Border Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area aims to ensure the security and compliance of personal information.
• Contract content: The standard contract covers the scope of application of the contract, data protection requirements, data flow procedures, etc. For example:
  • Data flow rules: Clarify the rules for cross-border flow of personal information, including data transmission, storage, processing and other aspects.
  • Privacy protection: stipulates privacy protection measures regarding the collection, use, and disclosure of personal information.
  • Responsibilities and obligations: The responsibilities and obligations of data processors and personal information subjects are clarified.

These contracts are designed to facilitate data flows within the Guangdong-Hong Kong-Macao Greater Bay Area while protecting individual privacy rights.

What industries do standard contracts apply to?

The Guangdong-Hong Kong-Macao Greater Bay Area standard contracts for cross-border flow of personal information are generally applicable to all walks of life, including but not limited to finance, technology, medical care, education, retail, manufacturing and other fields. Whether it is cross-border data transmission, cloud service providers, or other businesses involving personal information, these contract standards can be used as a reference to regulate data flow and protect personal privacy.

Regulations and guidelines

Recently, laws and regulations related to data have been introduced and updated one after another, such as:

• Europe: The European Union’s General Data Protection Regulation (GDPR) provides guidance for cross-border data flows.
• USA: The U.S. Privacy Shield Agreement and the California Consumer Privacy Act (CCPA) involve cross-border data flows.
• Asia: Japan’s Personal Information Protection Act and South Korea’s Personal Information Protection Act are also worthy of attention.

What should we pay attention to in Hong Kong and the Mainland?

As the cross-border flow of personal information between Hong Kong and the Mainland becomes increasingly frequent, in addition to the standard contract implementation guidelines that have been officially announced in December 2023, we also need to understand the implementation of the Data Free Trade Port and the negative list.

Data Free Trade Port:

• Data free trade ports refer to specific areas within the free trade pilot zones (FTZs) that allow cross-border data flows. These areas can formulate their own “negative lists”, which list the data categories that do not need to be reported for data export security assessment. Only data on the negative list needs to complete the corresponding pre-regulatory procedures.

• The establishment of the Data Free Trade Port aims to promote the cross-border flow of data and strengthen the free trade zone’s aggregation power in the field of cross-border flow of information.

New rules on cross-border data flows allow free trade zones to develop negative lists:

• On March 22, 2024, the Cyberspace Administration of China announced the “Regulations on Promoting and Regulating Cross-Border Data Flows”. According to this regulation, the free trade pilot zones (FTZs) have the right to formulate a “negative list”.
• The FTZ can formulate its own negative list based on the national data classification and grading protection system framework. After approval by the provincial cybersecurity and informatization committee, it shall be reported to the national cybersecurity and information technology department and the national data management department for filing.
• For corporate data not included in the negative list, data processors within the free trade zone are exempt from declaring data export security assessments, entering into standard contracts for the export of personal information, and passing personal information protection certification.

We recommend that companies consider the following suggestions when implementing the relevant guidelines to ensure compliance:

1. Data classification and labeling: Ensure your data is classified and labeled according to sensitivity and regulatory requirements. For example, distinguish between personally identifiable information, medical records, and financial data.
2. Data encryption: Use strong encryption algorithms to protect data, especially when transferring data across borders. Ensure that data is encrypted both during transmission and storage.
3. Compliance review: Regularly review regulations and guidelines to ensure that your data management processes meet the latest standards. This includes some standards in the Mainland, GDPR in Europe, CCPA in the United States, etc.
4. Data storage location: Understand the geographic location where your data is stored. Some regulations require that data be stored in a specific region.
5. Data flow contract: If your data needs to flow across borders, please sign a compliant data flow contract with the relevant parties to clearly stipulate the use and protection of the data.

More articles by Li Peisheng:

Support EJ Tech

If you want to submit articles, report information, issue press releases or interview notices,Click here to contact us.