China Issues Personal Information Cross-Border Processing Protection Requirements for the Guangdong-Hong Kong-Macao Greater Bay Area
Published 28 November 2024
Sarah Xuan
The Cybersecurity Standards Practice Guidelines - Personal Information Cross-Border Processing Protection Requirements for the Guangdong-Hong Kong-Macao Greater Bay Area (hereinafter referred to as the Guidelines) were jointly developed by the Secretariat of the National Cybersecurity Standardization Technical Committee (NCSC) and the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong. The Guidelines aim to establish fundamental principles and security requirements for cross-border processing of personal information within the Greater Bay Area (hereinafter referred to as the “GBA”), ensuring the lawful flow and secure protection of personal data across borders.
The Guidelines are based on the Memorandum of Cooperation on Promoting Cross-Border Data Flow in the GBA between the Cyberspace Administration of China and the Hong Kong Innovation and Technology Bureau, as well as applicable local laws and regulations. They provide actionable recommendations for cross-border security certification and mutual recognition, serving as an institutional safeguard for regional data sharing. The following is an introduction to and analysis of the key content of the Guidelines.
I. Scope and Terminology
1. Scope
The Guidelines apply to personal information processors and recipients within the GBA, specifying the principles and requirements they must follow when facilitating cross-border information flow. The primary objective is to achieve compliance through mutual security recognition mechanisms, such as security certification in Mainland China and recognition lists in Hong Kong. Notably, important data or data requiring special legal protections are excluded from their scope.
The Guidelines cover organizations or individuals registered or located within the nine cities of Guangdong Province (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing) and the Hong Kong Special Administrative Region (HKSAR). While this regional framework promotes data integration and collaboration, it also necessitates attention to jurisdictional differences in its implementation.
2. Terminology Definitions
The Guidelines provide detailed explanations of key terminology to ensure clarity for applicable entities. Regarding definitions, the Guidelines specify that Mainland China’s definitions are primarily based on the Personal Information Protection Law of the People’s Republic of China (PIPL), while Hong Kong’s definitions are based on the Personal Data (Privacy) Ordinance (PDPO). Examples include:
1) Personal Information
Refers to any information recorded in electronic or other forms related to an identified or identifiable natural person.
In Mainland China, this is defined under the PIPL as “personal information”. In Hong Kong, this is defined under the PDPO as “personal data”. While the two definitions are generally consistent, Hong Kong’s definition of “personal data” covers a slightly broader scope, emphasizing the possession and processing of data.
2) Personal Information Subject
Refers to the natural person identified or associated with the personal information.
Mainland China follows the PIPL definition of “personal information subject”. In Hong Kong, this is referred to as “data subject” under the PDPO.
3) Personal Information Processor
Refers to an organization or individual that independently determines the purposes and methods of processing personal information.
Mainland China’s definition is derived from the PIPL. In Hong Kong, this is referred to as “data user” under the PDPO, which places greater emphasis on control over data.
4) Recipient
Refers to an organization or individual receiving personal information cross-border.
5) Personal Information Processing
Includes activities such as the collection, storage, use, processing, transmission, provision, disclosure, or deletion of personal information.
In Hong Kong, the PDPO also covers the collection, possession, processing, or use of personal data (including disclosure or transfer).
6) Local Laws and Regulations
Cross-border processing of personal information within the Greater Bay Area must comply with local laws and regulations:
Mainland China applies the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. Hong Kong applies the Personal Data (Privacy) Ordinance.
7) Cross-Border Personal Information Processing
The Guidelines define cross-border personal information processing as the flow of personal information within the GBA (Mainland China and Hong Kong), including:
(a) Unidirectional or bidirectional transmission of personal information between Mainland China and Hong Kong.
(b) Processing of personal information stored by a processor through querying, downloading, or other means by a recipient.
(c) Other scenarios specified under Article 3(2) of the PIPL, such as the processing of Mainland natural persons’ personal information in Hong Kong.
II. Core Principles
The Guidelines explicitly outline six core principles, which serve as both ethical guidelines for personal information processing activities and legal enforcement standards:
1. Legality, Fairness, and Integrity Principle: Prohibits obtaining information through fraudulent means and emphasizes legal accountability.
2. Minimum Necessity Principle: Limits the scope of information processing strictly to what is necessary to achieve the intended purpose.
3. Transparency Principle: Ensures that processing rules are disclosed and comprehensible to data subjects, for example, through privacy policies.
4. Rights Protection Principle: Focuses on the accuracy of data to minimize harm caused by errors or incomplete information.
5. Security Assurance Principle: Requires processors to adopt advanced technologies and management measures to reduce the risk of data breaches or misuse.
6. Accountability Principle: Clearly defines the responsibilities of processors and recipients to ensure compliance and accountability.
These principles reflect a comprehensive and forward-looking approach to data protection. The emphasis on “minimum necessity” and “transparency” is particularly notable for fostering public trust and enhancing the efficiency of data flows.
III. Personal Information Processing Requirements
The Guidelines set out detailed requirements for each stage of personal information processing, covering legal basis, collection, storage, use, delegated processing, and cross-border transfer. Specifically, these include:
1. Legal Basis for Processing Personal Information
The Guidelines specify that personal information processing must comply with local laws and regulations. The requirements for Mainland China and Hong Kong are as follows:
1) In Mainland China, under the Personal Information Protection Law (PIPL), personal information processing must meet at least one of the following conditions:
(a) Obtaining the individual’s consent;
(b) Fulfilling contractual obligations;
(c) Addressing public emergencies;
(d) Reasonable use of publicly available information in the public interest.
2) In Hong Kong, processing must comply with the data protection principles outlined in Schedule 1 of the Personal Data (Privacy) Ordinance (PDPO), including legality, transparency, and data minimization.
2. Collection of Personal Information
For the collection of personal information, the Guidelines require processors to:
1) Clearly inform data subjects of the purpose, method, and scope of processing before collection.
2) Develop and disclose rules for personal information processing in clear, understandable language.
3) Obtain guardian consent for the collection of information from minors (under 14 in Mainland China and under 18 in Hong Kong).
The Guidelines emphasize a “notice-and-consent” mechanism, prioritizing transparency and safeguarding the rights of data subjects. However, differences in the protection standards for minors in Mainland China and Hong Kong may impose additional compliance challenges for cross-border operations.
3. Storage, Use, and Processing of Personal Information
The Guidelines impose clear restrictions on the storage and use of personal information:
1) Minimum Retention Period Principle: Data retention must be limited to the shortest period necessary to achieve the processing purpose.
2) Consent for Changes: Any changes in the purpose or method of processing require renewed consent from the data subject.
3) Automated Decision-Making: For activities such as targeted marketing or notifications, processors must provide an option for human intervention and allow users to opt out.
By addressing the use of automated decision-making, the Guidelines demonstrate a commitment to fairness. However, they do not specify clear timelines for data retention, leaving room for further clarification.
4. Delegated Processing, Sharing, and Disclosure
The Guidelines outline the following requirements for sharing and delegated processing of data:
1) Delegated processing must be governed by a contract specifying protection measures, processing duration, and deletion requirements, with the processor supervising the delegate’s activities.
2) Prior to sharing data with third parties, the processor must inform the individual of the processing purpose and recipient details and obtain their consent.
3) Public disclosure of personal information requires anonymization techniques to reduce sensitivity.
The stringent contractual and technical requirements effectively mitigate external risks but present higher compliance burdens for businesses.
5. Cross-Border Personal Information Processing
Cross-border data flow is a core focus of the Guidelines, with specific requirements including:
1) General Requirements:
(a) Processors must establish security management systems before transferring data and adopt encryption and other technical measures.
(b) Records of cross-border processing activities must be maintained for at least three years.
2) Cross-Border Provision of Personal Information:
(a) Processors must enter into binding agreements with recipients, clarifying responsibilities and ensuring compliance with the Guidelines.
(b) Processors must supervise the recipient’s activities.
3) Cross-Border Receipt of Personal Information:
(a) Recipients must ensure that the data is used solely for the intended purpose and deleted upon expiration of the retention period.
(b) Any security incidents must be promptly reported to the processor and relevant regulatory authorities.
By combining technical safeguards with clear legal accountability, the Guidelines aim to ensure the controllability and security of cross-border data flows. However, these requirements may also increase compliance costs for businesses.
IV. Personal Information Rights Protection and Security Requirements
To safeguard the rights of personal information subjects, the Guidelines clearly outline relevant rights and responsibilities, including the following:
1. Rights of Personal Information Subjects
The Guidelines require personal information processors and recipients to ensure the following rights for personal information subjects:
1) Access and Copies: Individuals have the right to access and obtain copies of their personal information being processed.
2) Correction and Supplementation: If the information is inaccurate or incomplete, individuals may request corrections or additions.
3) Explanation of Rules: Individuals may request an explanation of the rules governing the processing of their information, except in special circumstances.
4) Right to Deletion: When the processing purpose has been fulfilled, or if the processing is illegal, individuals have the right to request the deletion of their information.
2. Measures to Protect Rights
The Guidelines stipulate that processors must provide convenient channels for individuals to exercise their rights and respond to such requests within a specified time frame. If technical limitations make deletion impossible, further processing should cease except for storage and necessary protective measures.
In addition, if cross-border processing poses a risk to national interests or personal rights, such processing must be halted immediately, and the relevant parties must be notified.
V. Personal Information Security Requirements
To prevent data breaches and misuse, the Guidelines require processors and recipients to implement multiple measures, including:
1. Designating personnel responsible for data protection;
2. Establishing security management systems and providing regular training for employees;
3. Employing encryption, de-identification, and other technologies to protect sensitive data;
4. Imposing reasonable restrictions on access permissions and requiring employees in relevant roles to sign confidentiality agreements;
5. Developing incident response plans to quickly address risks such as data breaches or alterations and to notify regulatory authorities and affected individuals promptly.
These measures ensure the security and controllability of personal information while providing clear guidance for compliance. By emphasizing both technological safeguards and operational management, the Guidelines aim to establish a robust framework for the protection of personal data in diverse scenarios.
[Comment]
The Cybersecurity Standards Practice Guidelines – Personal Information Cross-Border Processing Protection Requirements for the Guangdong-Hong Kong-Macao Greater Bay Area is not only a regional data protection directive but also a forward-looking governance practice. From clarifying its scope and terminology to outlining core principles and detailing processing, rights protection, and security requirements, the Guidelines establish a scientific, comprehensive, and actionable framework for cross-border personal information protection.
By focusing on legality, transparency, and technological security, the Guidelines provide a compliance pathway for efficient data flows within the Greater Bay Area (GBA), while laying a foundation for the free movement of data resources to support regional economic collaboration. It is worth noting, however, that the implementation of these Guidelines will require businesses to enhance their technical and management capabilities to meet heightened compliance standards.
Looking ahead, as the demand for data flows within the GBA continues to grow, the Guidelines will play an increasingly strategic role. This includes promoting the development of privacy-preserving technologies and cross-border security management tools, thereby fostering both business efficiency and data security. Furthermore, the Guidelines may gradually expand and refine their framework for cross-border data governance, extending practical experience to other regions.
Overall, the Guidelines not only ensure the lawful and compliant flow of personal information within the GBA but also inject strong momentum into data-driven economic growth.