Personal data transfers in the Greater Bay Area of China
19 Mar 2025
Here’s a conundrum. Two locations in the same country apply different laws to personal data transfers. Those locations are closely integrated economically, with policies that are designed to foster closer collaboration and development. Data sharing is a critical element to accomplish those objectives. This is the interesting situation that applies in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA). In this article, Pádraig Walsh from our Data Privacy team looks at the solution applied by the Hong Kong and Mainland China authorities.
The special case of the Greater Bay Area
Hong Kong is an autonomous Special Administrative Region of the People’s Republic of China. Under the principle of ‘one country, two systems’, the Hong Kong legal system is different from that of Mainland China, and is based on common law supplemented by statutes. The laws of Mainland China do not directly apply in Hong Kong.
Hong Kong is one of two special administrative regions in the GBA, the other being Macao. The GBA also includes the nine municipalities of Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing in Guangdong Province (the GBA Cities). The total area is around 56,000 km², which is larger than the United Kingdom. The total population in the GBA is over 71 million. The combined GDP was approx. US$ 1.7 trillion; this would rank 11th in the world ahead of South Korea and Australia, if the region was a country. The GBA is a special case.
Personal data transfers from Hong Kong
The key legislation governing the use of personal data in Hong Kong is the Personal Data (Privacy) Ordinance (PDPO). The PDPO is one of Asia’s longest-standing comprehensive data protection laws, taking effect in December 1996. One of its key provisions was a restriction on cross-border data transfers in section 33, but this provision is still not in operation. This is a matter of policy, rather than neglect. In a statement in response to a media enquiry on data localisation in April 2020, the Office of the Privacy Commissioner for Personal Data (PCPD) commented that “cross-jurisdiction data flow is the life-blood of our data driven economy” and that the regulatory framework on cross-border/boundary[1] data flow would be considered in ways “which best suit the local circumstances in Hong Kong.” In other words, there was no great desire to regulate cross-border/boundary data flow if this would impede data flows.
This is not to state that there are no protections on personal data that is transferred from Hong Kong to elsewhere. Protections under Hong Kong law include:
- There is recognition that disclosure and transfer are a form of use of personal data.
- There is a requirement to give notice to explicitly inform data subjects of the classes of persons to whom the data may be transferred.
- There is a requirement to obtain the prescribed consent of data subjects for change of use of the personal data collected.
- There is a requirement to adopt contractual or other means to prevent personal data transferred to data processors, whether within or outside Hong Kong, from being kept longer than is necessary for processing of the data.
- There is a requirement to adopt contractual or other means to prevent personal data transferred to data processors, whether within or outside Hong Kong, from unauthorised or accidental access, processing, erasure, loss or use of the data being transferred for processing.
- There is also statutory recognition that a data user is responsible and liable for the acts of his agents, which includes data processors outside Hong Kong.
This means that the data subject must be informed on or before the collection of his personal data of an intended transfer of the personal data to a location outside Hong Kong, and that information must include the class of persons to whom the personal data may be transferred. The data subject must provide prior express voluntary consent if there is any change in these particulars, or any new use is proposed. Still, by international standards, this is relatively light regulation and process.
Personal information transfers from Mainland China
Since 2017, Mainland China has enacted several laws that include provisions relating to cross-border data transfers, including the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL).
The PIPL, in particular, has a number of quite stringent requirements and procedures that apply to cross-border data transfers. There is a requirement for the personal information processor to first carry out a personal information protection impact assessment. The personal information processor must inform the data subjects of the names and contact information of the overseas recipients, the purposes and means of processing, the categories of personal information involved, as well as the methods and procedures for individuals to exercise their rights under the PIPL. Also, the personal information processor must obtain the specific unbundled consent of the individual data subjects.
The personal information processor must meet one of the following conditions:
(a) pass a security assessment conducted by the cyberspace administration authorities of Mainland China;
(b) obtain personal information protection certification from professional institutions;
(c) enter into a standard contract issued by the cyberspace administrative authorities of Mainland China; or
(d) fulfil other conditions specified by law.
Personal information processors must take necessary measures to ensure that the processing activities undertaken by the overseas recipient meet the standards required under the PIPL.
There are more onerous obligations for critical information infrastructure operators and personal information processors that process and transfer overseas large volumes of personal information.
So, there is a marked difference in the approach to the transfer of personal data in Mainland China and Hong Kong.
The GBA Standard Contract Facilitation Measures
In June 2023, the Hong Kong Innovation, Technology and Industry Bureau and the Cyberspace Administration of China entered into a Memorandum of Understanding to facilitate cross-boundary data flow within the GBA. This provided a framework for facilitating the secure and orderly data flow from Mainland China to Hong Kong. This led to the first facilitation measure for cross-boundary data flow, being the GBA Standard Contract and associated compliance arrangements announced in December 2023.
Here are some key features of the GBA Standard Contract:
- It is a voluntary facilitation measure. It is not a legal requirement for the GBA Standard Contract to be used in the relevant data transfers.
- This facilitation measure does not change the laws of either Hong Kong or Mainland China. The processing and export of personal data from Hong Kong will continue to be regulated in accordance with the PDPO. The role of the Digital Policy Office of Hong Kong is to fulfil the administrative requirements of the arrangements, and does not affect the PCPD in performing its supervisory and management roles under the PDPO.
- In the early pilot stage the arrangements were limited to the banking, credit referencing and healthcare sectors. The arrangements have now been extended to all sectors.
- The arrangement applies between personal information processors[2] in Hong Kong and the nine GBA Cities, namely Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing. Macao SAR is excluded.
- If personal information processors in Hong Kong and Mainland China are transferring personal data to each other, then two GBA Standard Contracts are needed – one in which the Hong Kong party is the personal information processor, and the other in which the Mainland Chinese party is the personal information processor.
- Each GBA Standard Contract can cover a range of data exports from the personal information processor with the other counterparty. There is no need for a separate GBA Standard Contract for each data set or for each business line.
- The terms of the GBA Standard Contract cannot be amended, though they can be supplemented with provisions that do not contradict the GBA Standard Contract provisions.
- The arrangement only applies within the GBA. Personal information provided across the boundary should not be transferred to any organisation outside the GBA, including to group companies outside the GBA. This includes access via the internet from locations outside the GBA.
The benefits of adopting the GBA Standard Contract
The GBA Standard Contract is a voluntary measure. There are good reasons why Hong Kong businesses that wish to engage with business partners in the GBA should consider adopting the measures. These include:
1. Restrictions under the PIPL concerning the amount and sensitivity of personal information that may be transferred across borders are removed. The typical thresholds that apply include:
(a) personal information[3] of not more than 1,000,000 persons in aggregate;
(b) cumulative outbound transfers of personal information of not more than 100,000 persons in aggregate since 1 January of the preceding year; and
(c) cumulative outbound transfers of sensitive personal information of not more than 10,000 persons since 1 January of the preceding year.
These thresholds do not apply for parties that adopt the GBA Standard Contract.
2. The scope of the personal information protection impact assessment to be conducted by personal information processors is reduced from six areas to three, as described below.
3. The parties to the GBA Standard Contract are not required to conduct assessments of personal information protection policies and regulations in the data importer’s location.
4. There is no specific requirement regarding sensitive personal information or automated decision-making mechanisms.
5. The PCPD has stated[4] that adopting and implementing the GBA Standard Contract will serve to demonstrate that a Hong Kong personal information processor has taken precautions and exercised due diligence to ensure that the relevant data will not be used in Mainland China in a manner which, if it took place in Hong Kong, would be a contravention of a requirement under the PDPO.
The administrative impulse for the GBA Standard Contract measures was triggered by feedback from Hong Kong businesses on their experiences and the various challenges they faced in their efforts to comply with Mainland China’s requirements under the PIPL. The benefits of the GBA Standard Contract alleviate some of these challenges.
It’s still the case though that the GBA Standard Contract measures require more from the Hong Kong party than is required under Hong Kong law. Specifically:
1. It is not typically required under Hong Kong law to conduct a personal information protection impact assessment on the intended transfer.
2. The procedures in respect of the GBA Standard Contract impose filing obligations on the Hong Kong party, regardless of whether the Hong Kong party is a personal information processor or recipient[5].
3. The onward transfer of personal information received by the Hong Kong party to a person outside the GBA is prohibited.
4. There is no mandatory statutory obligation under Hong Kong law to notify a personal data breach to the PCPD or to data subjects, though it is a recommended best practice. The GBA Standard Contract creates the contractual obligation to make a data breach notification if the personal information processed is or may be tampered with, damaged, disclosed, lost, unlawfully used, provided or consulted or accessed without authorisation.
Ultimately, the adoption of the GBA Standard Contract process will require an assessment of the benefit of the intended commercial arrangements, compared to the cost and effort involved in fulfilling the requirements of the GBA Standard Contract process.
Key provisions of the GBA Standard Contract[6]
The core of the substantive provisions of the GBA Standard Contract[7] deals with the obligations of personal information processors and recipients of personal information, and the rights of data subjects.
Obligations of personal information processors
The key obligations of personal information processors include:
1. Notice: Data subjects should be informed of
(a) the name and contact information of the recipient;
(b) the purposes for processing the personal information to be transferred, and the means of such processing;
(c) the categories of personal information involved;
(d) the retention period(s) to be applied;
(e) the particulars of any transfer to a third party within the GBA Cities or Hong Kong; and
(f) the methods and procedures data subjects can follow for exercising their rights.
Data subjects should be informed that they will be a third party beneficiary under the GBA Standard Contract, and can enjoy the rights of a third party beneficiary in accordance with its terms.
2. Consent: Prior to the transfer of personal information to the recipient, the personal information processor must obtain the consent of data subjects. This requirement applies in accordance with the laws of the jurisdiction concerned. So, in Hong Kong, consent is only needed if the cross-boundary transfer of personal information to the recipient is for a new purpose. If so, then the prescribed consent of the data subject must be obtained.
3. Impact assessment: The personal information processor must conduct a personal information protection impact assessment on the intended transfer of personal information to the recipient. The impact assessment must cover:
(a) the legality, legitimacy and necessity of the purposes and means of processing;
(b) the impact on and security risks to the rights and interests of data subjects; and
(c) whether the measures, management, capabilities and systems of the recipient can ensure the security of the transferred personal information.
The impact assessment must be conducted prior to the transfer of personal information to the recipient under the GBA Standard Contract. The impact assessment report must be retained for at least three years. The impact assessment must be repeated if the conditions of processing materially change, such as material changes to the purpose, scope, categories, means, or retention period.
Obligations of recipients
The key obligations of the recipients of personal information transferred under the GBA Standard Contract include:
1. Processing parameters: The recipient must process the personal information in accordance with the terms set out in the completed Appendix 1 to the GBA Standard Contract: Description of Cross-boundary Transfer of Personal Information (GBA Standard Contract Appendix).
2. Data breach obligations: If the personal information processed is or may be tampered with, damaged, disclosed, lost, unlawfully used, provided or consulted or accessed without authorisation, then the recipient must:
(a) adopt appropriate remedial measures in a timely manner to mitigate the adverse impact on the data subject;
(b) notify the personal information processor immediately, and report to the regulatory authorities of the jurisdiction concerned;
(c) if the data subject must be notified under applicable laws, then the notice should contain: the categories of personal information involved, the reasons and possible harm, the remedial measures adopted, the measures that the data subject may take to mitigate the harm, and the contact information of the person or team in charge;
(d) record and retain details of all relevant circumstances, including all remedial measures adopted.
Interestingly, there is no mandatory statutory obligation under Hong Kong law to notify a personal data breach to the PCPD or to data subjects, though it is a recommended best practice.[8] The GBA Standard Contract may create the contractual obligation to make a data breach notification.[9]
3. Territorial limitation: The recipient is prohibited from providing personal information received under the GBA Standard Contract to organisations or individuals outside Hong Kong or the GBA Cities.
4. Onward transfer limitation: Even for transfers within Hong Kong and the GBA Cities, the recipient may only provide personal information to a third party if:
(a) there is a business need for the transfer;
(b) unless the applicable law does not require notification, the data subject has been informed of the third party’s name and contact information, purposes of processing, means of processing, categories of personal information, retention periods, and methods and procedures data subjects can follow for exercising their rights;
(c) consent has been obtained from the data subject in accordance with the requirements of the applicable law of the jurisdiction of the personal information processor, if the processing of personal information is based on the consent of the individual; and
(d) the personal information is provided in accordance with the terms set out in the GBA Standard Contract Appendix.
5. Notice of judicial or administrative access: The recipient must immediately notify the personal information processor if the recipient receives a request from a government department or judicial body of the jurisdiction where it is located to provide personal information received under the GBA Standard Contract.
Rights of data subjects
In general, the rights of the data subject under the laws of the jurisdiction of the personal information processor are preserved. Under Hong Kong law, the key data subject rights are data access and data correction requests.
The personal information processor is required to fulfil any exercise of those rights by the data subject, and to request the recipient to do so. Interestingly, the data subject may directly notify and request the recipient to fulfil the exercise of his data subject rights, and the recipient must fulfil the request within a reasonable period[10].
The data subject is also expressly given third party rights to benefit from, rely on and enforce certain provisions of the GBA Standard Contract.
Process for adoption of the GBA Standard Contract
The steps for completing the GBA Standard Contract filing process are:
1. The personal information protection impact assessment must be conducted and completed within three months of the filing date. The parties will need to undertake that the impact assessment has been completed within this period, and no material change has occurred between its completion and the submission to the filing authorities. There is no requirement to actually submit and file the impact assessment report itself.
2. The parties then enter into the GBA Standard Contract. There are Chinese and bilingual versions of the GBA Standard Contract. If the Hong Kong party is the recipient under the GBA Standard Contract, then the Hong Kong party must submit the Simplified Chinese version for filing. If each of the parties will be sharing personal information as personal information processors, then two GBA Standard Contracts will be needed – one for each party acting as personal information processor.
3. The filing process must be completed within 10 working days of the effective date of the GBA Standard Contract. The parties should plan to have the relevant documents prepared in conjunction with signing and entering into the GBA Standard Contract.
4. The filing process must be completed in both locations – with the Digital Policy Office in Hong Kong and the Cyberspace Administration of Guangdong Province in Mainland China.
5. The documents for submission are relatively straightforward[11]. They include an original signed copy of the filing submission form, an undertaking and the GBA Standard Contract. Other identification and authorisation documents should also be submitted.
6. The undertaking contains a certification of accuracy and authenticity of the filing documents, a statement of compliance with the filing obligations for the GBA Standard Contract, and a representation in respect of the personal information protection impact assessment. The filing form contains a declaration in respect of the restrictions for onward transfer of the personal information, and a declaration of compliance with applicable laws.
7. The Digital Policy Office will then issue a file reference number or acknowledgement to the Hong Kong party, which indicates that the filing process is complete in Hong Kong.
The nature of the process is a filing process only. There is no substantive review or approval process, save to check that the parties fulfil the qualifying requirements for the GBA Standard Contract and the relevant filing documents have been properly provided.
Concluding thoughts
Two parts of the same country in immediate proximity have two separate legal jurisdictions, but ever closer economic integration. This unusual consequence of the ‘one country, two systems’ principle between Hong Kong and Mainland China called for special attention. The GBA Standard Contract is a special voluntary facilitation measure that addresses the data sharing needs arising from this special geographical situation.
The objective of the GBA Standard Contract measure is to achieve closer economic integration by facilitating data sharing. There are real benefits for personal information processors in the GBA Cities. The GBA Standard Contract is a standardised contract that has received regulatory blessing in Hong Kong and Mainland China. Previous restrictions on the volume of personal information that can be transferred by a personal information processor in the GBA Cities have been lifted. The filing process for the GBA Standard Contract is relatively straightforward, and is a filing process only (not a substantive approval process).
Nonetheless, there may be more obligations on Hong Kong personal information processors than might otherwise apply under Hong Kong law. If the commercial benefits are attractive, the additional obligations on Hong Kong parties under the GBA Standard Contract are relatively modest, and similar to or less than might arise in many international locations.
Ultimately, the GBA Standard Contract facilitation measures enhance the ability of Hong Kong and GBA businesses to work together, while maintaining personal data security and privacy.
Pádraig Walsh
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 06 March 2025.
[1] As Hong Kong and Mainland China are one country, it is customary to refer to the boundary between the locations, rather than a border.
[2] Personal information processor is the term used in both the PIPL and the GBA Standard Contract for the person who controls or determines the use and processing of the personal data. This term is, in general, the same as a data user under the PDPO, or a data controller under the GDPR. We will use the term personal information processor for the rest of this article.
[3] Personal information is the term used in the GBA Standard Contract for personal data. We will use the term personal information accordingly in the rest of this article.
[4] See PCPD Guidance Note, Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong – Hong Kong – Macao Greater Bay Area (December 2023).
[5] Recipient is the term used in the GBA Standard Contract for a data processor receiving personal data from the personal information processor / data user. We will use the term recipient accordingly in the rest of this article.
[6] We have also included some obligations that arise under the Implementation Guidelines published with, and integrated into, the GBA Standard Contract.
[7] Full text of the GBA Standard Contract is available on this link.
[8] There are breach notification obligations for financial services regulators for regulated Hong Kong businesses in certain parts of the financial services sector in Hong Kong.
[9] Articles 3(6)(2), GBA Standard Contract. Article 11, Implementation Guidelines.
[10] Article 4(2) and (3), GBA Standard Contract.
[11] The DPO has published helpful Filing Guidelines, which are available on this link.