Streamlining data flow in the GBA

Cyberspace administration enhances cross-border data exchange

Analysis

To enhance digital economic development and facilitate cross-border data exchange, the Macao Special Administrative Region (SAR) government has signed a “Memorandum of Cooperation” with the Cyberspace Administration of China (CAC). Finalized earlier this month, this agreement aims to promote personal information exchanges and strengthen cooperation within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA).

The introduction of the “Standard Contract for Cross-Boundary Flow of Personal Information Within the GBA” signifies a major step forward in facilitating data transfer between Mainland China and Hong Kong. Launched by the CAC and the Innovation, Technology, and Industry Bureau (ITIB) of the Hong Kong SAR government, this initiative is designed to streamline cross-boundary data flow while ensuring robust data protection measures.

The signing of the “Memorandum of Understanding on Facilitating Cross-Boundary Data Flow” in Beijing on June 29, 2023, marked a significant policy breakthrough aimed at leveraging data flow for digital economic development while safeguarding personal privacy and data security.

The GBA Standard Contract is integral to this initiative, allowing enterprises in Macau and nine mainland cities—Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing—to engage in cross-border data transactions more efficiently. By utilizing standard contracts and streamlined filing procedures with local authorities, organizations can navigate the complexities of data transfer while ensuring compliance with existing legal frameworks.

The Standard Contract allows personal information processors and recipients within the GBA to conduct cross-border data transfers between Mainland cities and Hong Kong. By entering into this contract, organizations can improve operational efficiency while complying with regulatory requirements.

Personal information processors have several key obligations they must adhere to. First, they are required to inform individuals or obtain their consent before any cross-boundary transfers of personal information. Additionally, transfers of personal information outside the Guangdong-Hong Kong-Macao Greater Bay Area are strictly prohibited, according to the CAC. Furthermore, processors must conduct a personal information protection impact assessment prior to any data transfers to ensure compliance with relevant regulations.

Recipients of personal information also bear specific responsibilities. They are prohibited from sharing any received personal information with organizations or individuals outside the GBA. In cases where a government department or judicial body requests access to this information, recipients must promptly notify the personal information processor.

When there are changes regarding the purpose, scope, categories, means, or retention period of personal information, several procedures must be followed. The personal information processor is required to conduct a new impact assessment, establish a supplemental agreement or a new Standard Contract, and complete the corresponding filing procedures.

In the event of a personal information breach, both processors and recipients are obligated to take immediate remedial actions. They must also notify either the Cyberspace Administration of China (CAC) or the Innovation, Technology, and Industry Bureau (ITIB), depending on their respective jurisdictions.

Both processors and recipients must complete the necessary filing procedures for the Standard Contract within 10 working days from its effective date, as mandated by jurisdictional regulations. This requirement ensures that all parties remain compliant with the established legal framework governing data protection in the region.

The implementation of the Standard Contract represents a pivotal advancement in enhancing cross-boundary data flow within the GBA. By establishing clear guidelines and responsibilities for personal information processors and recipients, this initiative not only facilitates seamless data exchange but also reinforces data protection standards. This framework is expected to foster greater connectivity and collaboration between Mainland China and Hong Kong, driving innovation and growth in the digital landscape.

Chairman Ma Chi Ngai of the Science and Technology Development Fund (FDCT) emphasized that Macau’s higher education institutions can play a crucial role in this initiative. He believes that leveraging scientific research will enable Macau to effectively coordinate data circulation and set standards for data protection across the region.

The GBA Standard Contract simplifies existing regulations by exempting personal information processors from stringent cross-border flow restrictions. It also reduces compliance costs associated with personal data protection impact assessments. Under these new guidelines, businesses can focus on innovation and growth without being hindered by excessive regulatory hurdles.

Companies operating within the GBA can opt to enter into the GBA Standard Contract, which must be registered with either the Cyberspace Administration of Guangdong Province or the Macau Personal Data Protection Bureau (DSPDP) to activate cross-border personal information flows.

Positioning itself as a facilitator in cross-border data governance, Macau faces challenges due to its smaller economic scale compared to Guangdong and Hong Kong. However, Ma remains optimistic about the city’s ability to contribute meaningfully to data rule-making through its academic institutions. By Nadia Shaw, MDT

Categories GBA Views