Introduction of a standard contract for the cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (consisting of a series of standard contract clauses) GBA SCC), along with its implementation guidelines, marks an important milestone in facilitating cross-border data flows between major cities in Guangdong province and Hong Kong, a major city in the Greater Bay Area (GBA). This replaces the existing requirement under China’s Privacy Law to use one of three methods for transferring personal data outside mainland China, namely using China’s Standard Contractual Clauses. Offers (China SCC), obtain certification from a professional body, and submit to government-initiated security assessment review if certain types of data are transferred or data volume thresholds are met.
In an interview with Asian Private Banker, Dominic Edmondson talks about how banks and financial institutions should evaluate which framework to use.
Unlike China’s SCC, GBA SCC does not limit the amount of data you can transfer. Additionally, the GBA SCC does not require parties transferring data from mainland China to submit a Personal Information Protection Impact Assessment (PIPIA) report to the relevant authorities.
According to Dominic, the requirements for data recipients in the Hong Kong-based GBA SCC will be more relaxed than those under China’s SCC. This means that private banks and asset managers operating in mainland China, for example, may benefit from using the GBA SCC, especially when transferring data to Hong Kong. However, recipients of data within Hong Kong must not further transfer such data outside Hong Kong. It is also important to note that Macau SAR is not subject to the GBA SCC.
Read the interview (subscription required)
