Author: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To

With 2023 having come to an end, the fast-paced changes to the China data protection regime throughout the year are continuing well into Q1 2024.

As well as a near finalisation of the different routes to legitimise cross-border data transfers, the Cyberspace Administration of China (“CAC”) has begun to direct its efforts into harmonising its data compliance requirements across regions, as well as other aspects of data compliance.

Most notably, these include:

  1. GBA Transfers – Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (“Implementation Guidelines”)

Following from the various cross-border data transfer mechanisms published by the CAC earlier in the year, the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administration Region (“HKITIB”) jointly issued the Implementation Guidelines, containing the Standard Contract for Cross-boundary Flow of Personal Information within the Greater Bay Area (GBA Standard Contract), on 13 December 2023, to apply with immediate effect.

The GBA Standard Contract seems to be a less stringent version of the China Standard Contractual Clauses (“China SCCs”) route to legitimising cross-border data transfers to Hong Kong, given its limited scope of applicability.

See here for more information on the full China SCCs route.

  • Scope of applicability. Under the Implementation Guidelines, personal information controllers and recipients registered or located within the Greater Bay Area (“GBA”) can sign the GBA Standard Contract to transfer personal information (but excluding important data) within the region.
  • Key obligations and responsibilities. To rely on the GBA Standard Contract to legitimise cross-border data transfers, data controllers must fulfil the following obligations outlined in the GBA Standard Contract:

    • Providing notice and obtaining separate consent from data subjects in accordance with the laws and regulations prior to the transfer;
    • Not transfer any personal information outside the Greater Bay Area; and
    • Conducting a personal information protection impact assessment. However, note that there will be no need to file this simpler assessment with the authorities (a less stringent requirement compared with the formal China SCCs route).
  • Filing procedure. Data controllers must still make a filing containing the signed GBA Standard Contract, together with other specified documents, with the Guangdong Province CAC or the Office of the Hong Kong Government Chief Information Officer within ten working days from the contract’s effective date.
  • Onward transfers are permitted only within the GBA. The GBA Standard Contract must not be abused as a means of leveraging Hong Kong as a safe habour to transfer onwards to jurisdictions outside the GBA, without following the appropriate means of legitimising those cross-border data transfers.

Regardless of the above, the Implementation Guidelines still represent an important first step towards a much-anticipated relaxation of restrictions on personal information flows across the GBA, as seen in the Memorandum of Understanding to Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macau Greater Bay Area signed in June 2023.

  1. Breach Notification – Draft Administrative Measures for the Reporting of Cybersecurity Incidents (“Draft Measures”)

On 8 December, the CAC – as a response to China’s concern with large-scale data security incidents within its borders – issued Draft Measures aiming to safeguard national cybersecurity via the standardisation of reporting cybersecurity incidents. The Draft Measures closed for public consultation on 7 January 2024.

If passed in its current form, network operators will be mandated to report any network security incident that may cause significant harm to relevant government bodies.

The incident reporting is categorised into different levels, based on the type of network operators.

The Draft Measures provide procedures in making notifications. Most notably, it introduces stringent notification timescales. Those cybersecurity incidents classified as “major”, “significant” or “particularly significant” should be reported within one hour of discovery – with information not then available to be supplemented within 24 hours.

  1. Cross-border Data Transfers – CAC Certification route

Following the finalisation of two out of three of the cross-border data transfer mechanisms (CAC Assessment and China SCCs), the CAC now turns to the final route – CAC Certification.

Despite uncertainties around the CAC Certification, developments came to light from 25 December onwards, where the first certifications were granted for notable household names – such as Alipay, JD Technology and the University of Macau.

Most notably, it was reported that in considering the approval of the University of Macau’s certification, various internal governance processes were taken into account. These included but are not limited to: data spatialization, data classification and grading, identity authentication, data subject consent management, personal information impact assessments, data transfer risk assessments etc. – all of which provide a well-rounded governance of the entire lifecycle of data processing.

That said, there is little public information regarding  the basis on which these certifications were approved – in particular, whether the certifications only concern in-country processing of China personal information, or what specific business contexts were involved.

We expect to see more certification approvals during 2024.

See here for a recap on the CAC certification requirements.

Looking ahead – 2024

The China data protection regime is expected to witness more significant changes in the coming year.

Draft measures on important data, as well as compliance audits in the pipeline are indicative of the regulators shifting their focus onto wider data compliance requirements – after the frenzy on cross-border data transfers.  

Given the shift in regulator’s priorities from an external-facing to internal-facing focus of data compliance, it is especially important in the coming months for businesses with a presence in China to focus on formulating a China data compliance programme and remediating any gaps in compliance – now with a focus on internal procedures and governance.