Welcome to the sixth issue of NetMission’s news and policy digest, where we transform recent tech news and policy into a bite-size reader for you. This edition examines the development of cross-border data transfers between China’s southern megapolis encompassing nine cities of the Guangdong province, as well as Macao and Hong Kong.
The Significance
With close to USD 2 trillion combined GDP across the 11 cities, the Guangdong–Hong Kong–Macao Greater Bay Area (GBA) by itself would rank as the world’s 10th-largest economy in 2022. In a CPA Australia report of the same year on GBA, while 67.2% of its respondents expected their company’s GBA investment to increase in the next five years, many acknowledged the urgency to address differences in regulatory regimes, whereas cross-border data flow is one of the top five areas that needed further support.
In particular, Hong Kong is named the world’s fourth largest data center market in a 2023 report by Cushman & Wakefield, where data center space – currently standing at over 8.6 million sq ft – is expected to further grow by 34% in three years. At the same time, the Hong Kong government has been doubling down on its role as the international gateway to and for mainland China. Yet, reservations and doubts loom over the city’s effectiveness in its role due to the intricacies (and sometimes contradictions) of Internet governance and legal systems across Beijing and various GBA governments. The harmonization of data governance models and regulations in Hong Kong and across the border would set the trajectory of regional development and integration.
The Guangdong–Hong Kong–Macao Greater Bay Area (Ismoon, Wikimedia)
The Latest
On January 2, 2024, the Hong Kong Office of the Government Chief Information Officer (OGCIO) publicized the document accepting applications for the “Early and Pilot Implementation” of measures that would facilitate the cross-border flow of personal information across the GBA. The Expression of Interest (EoI) document, along with the Standard Contract Filing Guidelines, was first circulated among the banking, credit referencing, and healthcare sectors on December 13, 2023, after the Announcement and Implementation Guidelines by the Cyberspace Administration of China (CAC) on the Standard Contract. These are the latest steps to establish a standardized and streamlined data transfer mechanism across the Area.
The mechanism gained greater clarity as it came to light after the signing of the Memorandum of Understanding (MoU) on facilitating GBA data transfers by CAC and Hong Kong’s Innovation, Technology and Industry Bureau (ITIB) on June 29, 2023. On November 1, Beijing’s National Information Security Standardization Technical Committee (TC260) published the draft Standard Practical Guidelines; and the construction of a Shenzhen-Hong Kong Cross-border Data Verification Platform by multiple companies under the direction of government agencies was also announced in the same month.
In conjunction with the above is CAC’s draft Rules on Standardizing and Facilitating Cross-Border Data Flow issued in September 2023. Expounding several key national data transfer requirements and loosening some of the more stringent ones, the unexpected move is surmised to be Beijing’s latest gesture for its ongoing bid to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) and Digital Economic Partnership Agreement (DEPA). Regardless of the intention, the overhaul also conveniently came weeks before the GBA data transfer mechanism was publicized, carrying the immediate benefit of allaying some degree of concerns over data flow across international and GBA borders.
Media reports indicated the Hong Kong government initiated and “started a dialogue with CAC” in mid-2022 advocating data transfer mechanisms to be set up between Hong Kong and Mainland China. Contrasting to this common understanding, the plan was envisaged as early as February 2019 as part of the GBA development guiding principles directed by Beijing, which was then later institutionalized by the Guangdong provincial government.
The Preparation
On July 11, 2021, the Guangdong government issued the “Notice of the Configuration Reform for Market-based Data Factor Allocation” as the nation’s “pioneering” provincial plan based on March 2020 Comments by the State Council and the national 14th Five-Year Plan publicized in March 2021. Cause 20 of the Notice prescribed the facilitation of “orderly data flow” across the Guangdong-Hong Kong-Macao region for the betterment of “industry development, societal governance, and civil service”. Known as portion “X” of its “1+2+3+X” Action Framework, data customs, GBA-centralized data centers, data exchanges and data verification platforms were some of the preparatory work outlined for regional data governance.
On November 24, 2021, the Guangzhou government published its municipal-level Action Plan to lay out a roadmap that meets the directions of the provincial and national plans by empowering “all-rounded data factor markets” and fostering “megapolis governance modernization”. With the ambitions of having major data transfer pilot zones and necessary infrastructure in place by the end of 2022, the need for a cross-border data transfer mechanism between Hong Kong, Macao, and the nine Guangdong cities was clear and imminent. Since then, scattered developments have been reported, including the opening of the Canton Data Exchange in September 2022 and Shenzhen Data Exchange in November 2022, as well as the establishment of a data rights compliance committee and verification mechanism for the Guangdong province.
At the same time, local governments in the Mainland have been sharpening local policies and regulatory instruments in tandem with the national Cybersecurity Law (CSL), Personal Information Protection Law (PIPL), and Data Security Law (DSL). The Shenzhen city government passed the nation’s first local data regulations for its Special Economic Zone in June 2021, while the municipal government of Guangdong started formulating its data regulations in 2023 to drive the construction of the Nansha (Guangdong-Hong Kong-Macao) Data Service Pilot Zone.
Hong Kong, in the meantime, was relatively quiet on its view on cross-border data transfers. Although Section 33 of the Personal Data (Privacy) Ordinance (PDPO) would prohibit personal data transfer outside Hong Kong to places where its stipulated circumstances were not met, the provision has yet to be in operation since its enactment in 1996. Despite “grave concerns” over non-enforcement recently expressed by some lawmakers, the Privacy Commissioner underscored the potential adverse business impact upon implementation and reiterated the need to “enhance practicability and user-friendliness” of Hong Kong’s personal data protection. Subsequently, PCPD issued in May 2022 the Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data, which arguably has become the skeleton for the Standard Contract for Cross-boundary Flow of Personal Information within GBA (alongside the CAC’s 2023 Standard Contract Clauses for Cross-Border Personal Information Exports).
Developments were slightly lagged by the uptakes of COVID cases and wide-spread lockdowns in a large part of 2022, but governments in the Area had been gearing up solitarily during this time, preparing for the facilitation and harmonization of data transfers across GBA.
What’s next
In a briefing given by the Hong Kong OGCIO on December 13, 2023, the Office will review its GBA data transfer pilot and early implementation scheme by mid-2024. The expected scheme expansion afterward would be vital for an “orderly data flow” and set the course for the realization of a “Digital Bay Area”. While the Guangdong provincial government technically has no authority to direct the Hong Kong government to follow its vision, alignments are not hard to pinpoint with a keen eye. On the one hand, the Guangdong government laid out its Digital Bay Area three-year plan in November 2023 with initiatives including a data transfer whitelist and a data special administrative region within Hong Kong and Macao; on the other hand, Hong Kong’s ITIB has signaled plans to expedite data flow from the Mainland to the Lok Ma Chau Loop and other parts of Hong Kong. This is just one of the many examples of how the 11 cities continue deepening collaboration and integration, and more should be expected.
As Internet and data governance in China and the international community continue to evolve, the trajectory of data transfers among and from GBA cities should be carefully examined given its economic significance and strategic positioning of China’s overall development and beyond.
By Kenneth Leung (Reviewed and edited by Jenna Manhau Fung and Vicente Arias González)