On June 29, 2023, the Cyberspace Administration of China ("CAC") and the Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region ("Hong Kong") Government ("HKITIB") signed the Memorandum of Understanding to Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macau Greater Bay Area ("GBA") ("MOU").
While the details of the MOU are yet to be published, the Secretary for HKITIB noted in his speech on June 30, 2023 (see here) that the CAC and the HKITIB will introduce a set of implementing rules under the MOU aimed at reducing the significant challenges of managing cross-boundary transfers of personal data from mainland China to Hong Kong. Whether this means a streamlined application of the CAC’s security assessment procedure [please see our client briefing here], the introduction of specific data handling standards for Hong Kong or some other measure remains to be seen.
The MOU will only address Guangdong-Hong Kong transfers, with the aim of supporting efforts to develop the GBA as a tech-finance hub. It is noteworthy that while Mainland China has developed a complex regulatory regime for international transfers of personal data, there has been very little progress on long-promised legislative reforms to Hong Kong’s Personal Data (Privacy) Ordinance (the "PDPO"). Section 33 of the PDPO, which would regulate transfers of personal data, has not yet come into force.
The output from the MOU will be closely watched, not the least because the approach taken may offer a pathway to relieve the significant challenges multinational organizations have been facing these past months seeking to comply with the CAC’s security assessment procedure and more recently the personal information privacy impact assessment report requirements introduced as part of the standard contractual clauses filing applicable to data transfers falling below the thresholds for security assessment [please see our client briefing here].
Authored by Mark Parsons, Tommy Liu, Flora Feng and Kiki Dong.
