On December 13th, China’s Cyberspace Administration of China (CAC) and the Hong Kong SAR Government’s Innovation, Technology, and Industry Bureau (ITIB) jointly released a new rule aimed at promoting the free flow of cross-border data within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong). Starting December 13, 2023, companies in the Bay Area can transfer personal information without government approval by signing a standard contract.

It’s the first bilateral cross-border data flow agreement that the Chinese mainland signed with “other regions”（境外地区）. In addition, this might be a relief for companies planning to go public in Hong Kong. According to the rules of the “Cyber Security Review” modified by the CAC in 2022, these companies may need to undergo cyber security review if the IPO impact or with the possibility to impact national security. As data security is a major national security concern here, it may not be considered a national security issue for them to transfer data to Hong Kong on the precondition that they have signed a standard contract recognized by the CAC with recipients in Hong Kong.

Per the new rule named “Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (hereinafter referred to as “Implementation Guidelines”), The personal information processor, through entering into the “Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (hereinafter referred to as “the GBA Standard Contract”), may provide personal information across the boundary and such information shall not be transferred to any organisation or individual outside the GBA.

The “Implementation Guidelines” is a facilitation measure under a memorandum of understanding(MoU) signed by the CAC and Hong Kong ITIB on 29 June 20231. The two sides agreed to establish rules for data transfer within the Great Bay Area (GBA) under the data security framework of the People’s Republic of China (PRC) (Proposed GBA Mechanism) in the MOU. The Proposed GBA Mechanism is considered China's new attempt to establish a more streamlined mechanism for regional cross-border data flows in response to the ambitious plans of the PRC to enhance economic and trade relations between China mainland and Hong Kong.

The GBA Standard Contract was formulated jointly by the ITIB and CAC. Individuals and organizations from both places may enter into a GBA Standard Contract based on a pre-designed template to outline the obligations and responsibilities of both parties in protecting personal information being transferred across the boundary. The GBA Standard Contract applies to the personal information processor and the recipient who are registered (applicable to organisations)/located (applicable to individuals) in Mainland cities within the GBA, that is, Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing, and conduct cross-boundary flow of personal information between these Mainland cities and Hong Kong (i.e., flow of the personal information from the Mainland cities in the GBA to Hong Kong, and vice versa).

The main features of the GBA Standard Contract include the obligations and responsibilities of both parties, the rights of personal information subjects, related remedies, termination of the contract, liability for breach of contract, dispute resolution, and other related matters. The personal information processor and recipient entered into a GBA Standard Contract voluntarily to transfer personal information across the boundary, shall observe relevant administrative measures, make filings, and abide by the protection of personal information to ensure the safe and free flow of personal information across the boundary.

The release of the “Implementation Guidelines” also marks a major step forward in the long-time effort of China mainland and Hong Kong to establish a free flow of cross-border data. Under "One China, Two System," cross-border data flow between China mainland and Hong Kong has complex legal issues. However, according to an article of a respected Chinese expert in data security, the two sides have been collaborating since 2017 to fulfill a free data flow agreement.

In early 2016, the Office of the Government Chief Information Officer of Hong Kong and the Cyber Security Coordination Bureau of the CAC reached a consensus on cyber security cooperation, and subsequently held the China mainland-Hong Kong Cyber Security Forum. The mechanism is said to be proposed by the Hong Kong government.

In January 2017, under the cyber security cooperation mechanism, the two sides jointly established a China mainland-Hong Kong expert group to discuss the promotion of an orderly data flow.

On April 11, 2017, the CAC publicly solicited opinions on the "Measures for the Security Assessment of Outbound Transfer of Personal Information and Important Data". Article 15 stipulates that agreements signed by the Chinese government with “other countries and regions”regarding outbound data transfer shall be implemented in accordance with the provisions of the agreements. The time when this provision was proposed coincided with the China mainland-Hong Kong expert group consultations. It was said that Article 15 is the policy room specifically for the future bilateral data flow agreement with Hong Kong.

In June 2018, the two sides agreed to launch the China Unicom Hong Kong company outbound data transfer security assessment project, which was completed in January 2019.

In April 2021, the Greater Bay Area International Information Technology Association and the National Information Security Standardization Technical Committee held a seminar on data circulation in the Greater Bay Area. Liang Zhenying, the Vice Chairperson of the National Committee of the Chinese People's Political Consultative Conference, and Zhao Zeliang, the then Deputy Director of the CAC, attended. After the meeting, the CAC entrusted Hong Kong to lead in drafting a research report on cross-border data flow.

From then on, the mainland and Hong Kong expert groups worked together to study a data flow mechanism that ensures safety, has simple procedures, and can even have special arrangements. The expert group also discussed how to draft data flow agreements between the mainland and Hong Kong. The expert group 's work come to an end around 2021 without providing a clear explanation. However, the consultation between the CAC and Hong Kong is ongoing, albeit at a slow and irregular pace. In the past months, the Chinese government has taken a lot of measures to support Hong Kong’s economy as well as China’s digital economy as a whole, potentially leading to the conclusion of the agreement.

This agreement is the first one, but it in no way will be the last one.