China Proposes Certification Regime for Data Transfer in Greater Bay Area (GBA) | Key Findings
China’s National Information Security Standardisation Technical Committee Publishes Draft Guidelines on Cross-border Personal Information Protection in the Greater Bay Area
China’s National Information Security Standardisation Technical Committee (TC260) has recently released the draft Practical Guidelines on Cross-border Personal Information Protection Requirements in the Guangdong-Hong Kong-Macau Greater Bay Area (Draft GBA Guidelines). This move comes after the signing of a memorandum of understanding (MoU) between the People’s Republic of China (PRC) and Hong Kong to address data transfers in the Greater Bay Area (GBA).
The Draft GBA Guidelines propose a certification regime for cross-border data transfers within the GBA, following a consultation period that ended on November 15. The guidelines apply to data controllers within specified areas of the GBA, including cities in the Guangdong province and Hong Kong. However, Macau is currently omitted from this iteration of the guidelines due to administrative reasons.
The guidelines echo the requirements of local data privacy regulations, with a focus on personal information protection laws. They impose additional requirements on data controllers, such as entering into a legally binding data processing agreement, implementing personal data security measures, and notifying data subjects of processing purposes and methods.
While the GBA Certification may benefit businesses with interests solely within the GBA, it may pose challenges for Hong Kong-based data controllers seeking to transfer data to the PRC. The guidelines also prohibit onward transfer of data outside the GBA, which may impact companies looking to transfer data to overseas affiliates via Hong Kong.
Overall, the Draft GBA Guidelines aim to address concerns with the PRC’s cross-border data transfer regime, but there are still practical questions and unresolved issues that need clarification. Companies should stay informed about further developments and clarifications regarding the GBA Certification regime to ensure compliance with data protection regulations in the GBA.
:quality(70)/cloudfront-us-east-1.images.arcpublishing.com/archetype/NVUXASCMPFCGY3LWJNLVOUBTNJ.jpg?w=390&resize=390,220&ssl=1 "Enhancing Customer Experience through Secure Cross-Agency Data Sharing")
