The introduction of the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (comprising a set of standard contractual clauses, GBA SCC), together with its Implementation Guidelines, marks a significant milestone in facilitating cross-border data flows between major cities in Guangdong province and Hong Kong, key cities in the Greater Bay Area (GBA). It provides an alternative to the existing requirements under the Personal Information Protection Law of the PRC to use one of three methods for transferring personal data outside of mainland China, namely by use of China standard contractual clauses (China SCC), obtaining certification from professional institutions and, if certain types of data are to be transferred or data quantity thresholds are met, submitting to a government-led security assessment review.

In an interview with Asian Private Banker, Dominic Edmondson discusses how banks and financial institutions should assess which framework to use.

Unlike the China SCC, there is no restriction on the volume of data that can be transferred under the GBA SCC. Moreover, the GBA SCC does not require the party transferring data out of mainland China to file a Personal Information Protection Impact Assessment (PIPIA) report with the relevant authorities.

According to Dominic, the requirements for a Hong Kong-based data recipient of a GBA SCC would be more relaxed than those under the China SCC. This means that for private banks and asset managers, for example, operating in mainland China, there may be advantages in using the GBA SCC, provided that they are transferring data specifically to Hong Kong. However, the recipient of the data in Hong Kong must not further transfer such data out of Hong Kong. It is also important to note that Macao SAR is not in scope for the purposes of the GBA SCC.

Read the interview (subscription access required)

 

 
