
Navigating Cross-Boundary Data Transfers in the Guangdong-Hong Kong-Macao Greater Bay Area: What Enterprises Need to Know

Introduction

The Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”) is one of the world’s most consequential economic integration projects. Anchored by the Pearl River Delta, the GBA brings together eleven cities across three distinct legal jurisdictions — the nine Chinese Mainland Guangdong provincial cities of Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing, together with the Special Administrative Regions of Hong Kong and Macao — under a single regional development framework. The GBA is envisaged under the China State Council’s 2019 Outline Development Plan as China’s premier platform for an international technology and innovation centre with global influence.

The free flow of data across jurisdictional boundaries is essential to realising the GBA’s potential. This article examines the legal frameworks governing cross-boundary data transfers between Hong Kong and the Mainland GBA cities, and some of the key compliance obligations that enterprises operating in the region need to understand.


Part I: Hong Kong — Ongoing obligations amid a dormant provision

Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) has contained a cross-border data transfer restriction provision (“Section 33”) since its enactment in 1995, but that provision has, to this date, never been brought into force. Section 33, if brought into force, would generally prohibit transfers of personal data outside Hong Kong unless one of several conditions is satisfied — including that the destination jurisdiction provides a comparable level of protection, that the data subject has given separate and voluntary consent, or that the data user has taken all reasonable precautions and exercised due diligence to ensure the data will be protected to PDPO standards (typically achieved through contractual safeguards).

The latest position of the relevant Hong Kong government bureau has been that there are concerns about the potential financial strain on small businesses were Section 33 to be implemented. The general position of the Office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”), by contrast, has been one of encouraging voluntary compliance in anticipation of eventual commencement — issuing successive guidance notes and developing model contractual clauses for enterprises’ adoption (see further below).

Absent Section 33, cross-border data transfers from Hong Kong remain subject to the six Data Protection Principles (“DPPs”) set out in Schedule 1 to the PDPO, which apply to all personal data processing regardless of whether the data leaves Hong Kong. The most directly relevant are:

  • DPP1 (Purpose and Collection): Personal data must be collected for a lawful purpose directly related to the data user’s function or activity, and must not be collected by means that are excessive relative to that purpose. Where data is being transferred internationally as part of a broader processing chain, the original collection must legitimately anticipate this use.
  • DPP3 (Use Limitation): Personal data must not be used for a new purpose without the prescribed consent of the data subject. Cross-border transfer for a purpose different from — or not directly related to — the purpose for which the data was collected will constitute a breach of DPP3 unless consent has been obtained. This is an in-force obligation and a common source of breach.
  • DPP4 (Data Security): Data users must take all practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use. Critically, DPP4 applies to overseas processors: if a Hong Kong data user transfers data to a third-party processor in the Mainland or elsewhere, and that processor suffers a breach, the Hong Kong data user may still be found to have breached DPP4 if it failed to implement adequate contractual and technical safeguards over that processor.
  • Section 65(2) of the PDPO — Liability for acts of agents: A data user in Hong Kong remains liable for contraventions of the PDPO committed by a data processor acting on its behalf, where the data user has not taken adequate precautions. This provision applies regardless of where the processor is located, including in the Chinese Mainland.

PCPD Guidance: Voluntary but consequential

In May 2022, the PCPD issued Guidance on Recommended Model Contractual Clauses for Cross-Border Transfer of Personal Data (“RMC Guidance”), providing two sets of model contractual clauses (“RMCs”):

  • Data User to Data User (DU-DU): For transfers where the receiving entity will use the data for its own purposes.
  • Data User to Data Processor (DU-DP): For transfers to entities processing data solely on behalf of the transferring data user.

The RMC Guidance is expressly non-binding. However, enterprises should not underestimate its practical weight. The PCPD has stated that compliance with the RMC Guidance – particularly incorporation of the RMCs or equivalent provisions – will be taken into account when investigating any suspected breach of the PDPO. In other words, an enterprise that has implemented the RMCs is in a materially stronger position if data transferred overseas is misused or subjected to a breach. One that has not done so faces heightened exposure.

It should further be noted that most of the obligations embedded in the RMCs already reflect in-force PDPO requirements — particularly under DPP3 and DPP4. The RMCs are not merely aspirational; a substantial portion of what they require is already mandatory under the PDPO as it stands today.

Interface with the Protection of Critical Infrastructures (Computer Systems) Ordinance

The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the “PCIO”) was enacted on 19 March 2025 and came into force on 1 January 2026. It represents Hong Kong’s first piece of legislation specifically targeting cybersecurity in respect of critical infrastructures. Although the PCIO is not a data privacy statute per se, it intersects in important ways with the PDPO, and is therefore of particular relevance to enterprises operating in the Greater Bay Area that engage in cross-boundary processing of personal data.

The PCIO regulates designated operators of critical infrastructures (“CIOs”) across eight specified sectors, including energy, information technology, banking and financial services, transportation (covering aviation, land and maritime transport), healthcare, and telecommunications and broadcasting. It imposes statutory obligations requiring CIOs to adopt appropriate measures to safeguard their computer systems, with a view to reducing the risk of disruption or damage to essential services caused by cyberattacks, thereby maintaining the normal functioning of society and protecting public interests. In particular, the PCIO requires CIOs to establish and maintain comprehensive cybersecurity management systems, implement a computer-system security management plan, conduct regular risk assessments and audits, report incidents, and set up a structured incident preparedness and response regime.

Although the PCIO primarily focuses on the technical security of critical computer systems, its framework also strengthens the broader data protection landscape. These requirements enhance the protection of personal data stored, processed, or transmitted within critical infrastructures, and align closely with the PDPO’s data protection principles — particularly the obligation on data users to take all practicable steps to safeguard personal data against unauthorised or accidental access, loss, or misuse. By introducing mandatory organisational and technical safeguards, the PCIO supports CIOs in discharging these obligations with greater rigour.

What Hong Kong enterprises should do now

Enterprises transferring personal data from Hong Kong to the Chinese Mainland should consider the following as a baseline compliance programme:

  1. Data mapping: Identify all categories of personal data leaving Hong Kong, the legal basis for collection, the purposes for which data is being transferred, and the identity and location of recipients.
  2. Purpose alignment (DPP3): For each transfer, assess whether the purpose is the same as, or directly related to, the purpose for which the data was collected. Where it is not, either obtain fresh consent or restructure the data flow.
  3. Processor contracts (DPP4 / s.65(2)): Enter into written data processing agreements with all Mainland processors, incorporating data security standards, sub-processing restrictions, breach notification obligations, audit rights, and data retention requirements. The DU-DP RMCs provide a useful starting template.
  4. Data User to Data User transfers: Where the Mainland recipient uses the data for its own purposes, DU-DU contractual protections are needed, covering purpose limitations, data subject rights, security, and accountability.
  5. Privacy notices: Ensure collection notices adequately describe the possibility of cross-border transfers and the safeguards in place. Inadequate privacy notices are a routine finding in PCPD investigations.
  6. Preparing for Section 33: Implementing the RMCs now is good practice regardless of timing, and will reduce the compliance burden if and when Section 33 is eventually commenced.

Part II: Chinese Mainland — A comprehensive statutory framework with multiple transfer mechanisms

The Chinese Mainland’s data governance framework for personal information is built on three interlocking statutes:

  • Cybersecurity Law 《网络安全法》(effective 1 June 2017): Establishes baseline requirements for network operators. Critical information infrastructure (“CII”) operators are subject to data localisation requirements, whereby personal information and important data gathered or produced during operations within the Chinese Mainland must be stored within the Chinese Mainland, and may only be transferred overseas after passing a security assessment. CII operators span sectors including telecommunications, energy, transport, finance, and public services.
  • Data Security Law 《数据安全法》 (“DSL”) (effective 1 September 2021): Introduces a tiered classification system for all data (not just personal data), based on its importance to national security, public interest, and economic development. “Important data” attracts heightened restrictions. The DSL has extraterritorial reach, applying to data processing activities outside the Chinese Mainland that harm China’s national security, public interest, or the lawful rights of Chinese citizens.
  • Personal Information Protection Law 《个人信息保护法》 (“PIPL”) (effective 1 November 2021): China’s comprehensive personal data statute, broadly analogous in structure — though not in substance — to the European Union’s GDPR. The PIPL governs the collection, processing, and transfer of “personal information” (broadly defined), imposes strict conditions on cross-border transfers, and applies extraterritorially to processing outside the Chinese Mainland that serves persons within the Chinese Mainland or analyses their behaviour. The implementation of the PIPL is further supported by specific implementing regulations governing the procedures and requirements for cross-border transfers, principally: the Measures for Security Assessment of Outbound Data Transfers 《数据出境安全评估办法》 (effective 1 September 2022); the Measures for the Standard Contract for Outbound Transfer of Personal Information 《个人信息出境标准合同办法》 (effective 1 June 2023); the Provisions on Promoting and Regulating the Cross-Border Flow of Data 《促进和规范数据跨境流动规定》 (effective 22 March 2024, the “2024 Provisions”); the Measures for the Administration of Personal Information Protection Compliance Audits 《个人信息保护合规审计管理办法》 (effective 1 May 2025); and the Measures for Certification of Cross-Border Personal Information Transfer 《个人信息出境认证办法》(effective 1 January 2026).

In addition, sitting below the three primary statutes, the State Council promulgated the Network Data Security Management Regulation 《网络数据安全管理条例》 (effective 1 January 2025) on 30 September 2024, providing comprehensive regulation of network data security management at the administrative regulation level. In the context of cross-border data transfers, the Network Data Security Management Regulation plays the following roles: first, it consolidates and confirms at administrative regulation level the three transfer mechanisms established under the Cyberspace Administration of China (“CAC”) departmental rules (see further below), lending the framework greater legal authority; second, it provides an operational general definition of “important data,” assisting enterprises in identifying which data assets trigger the mandatory security assessment requirement; third, it introduces additional exemptions beyond those in the 2024 Provisions; fourth, it requires overseas data processors to establish a designated organisation or appoint a representative within the Chinese Mainland, strengthening oversight of data processing activities conducted from abroad; and fifth, it reaffirms that data processors who have obtained security assessment approval must conduct their data export activities strictly within the purposes, methods, scope, types, and scale as determined in the assessment, and may not exceed the approved parameters.

Cross-border transfer mechanisms under PIPL and its relevant implementing regulations

A personal information processor (“PI Processor”) subject to PIPL that wishes to transfer personal information beyond the Chinese Mainland should generally satisfy one of three alternative mechanisms:

  • Mechanism 1 — Mandatory data export security assessment, required for: (a) CII operators providing personal information or important data overseas; (b) data processors other than CII operators providing important data overseas, and those that have cumulatively provided personal information of 1 million or more individuals (excluding sensitive personal information) or sensitive personal information of 10,000 or more individuals overseas since 1 January of the current year; or (c) other circumstances stipulated by the CAC as requiring application for a data export security assessment.
  • Mechanism 2 — Standard Contractual Clauses (“China SCCs”): PI Processors other than CII operators that have cumulatively provided personal information of 100,000 or more but fewer than 1 million individuals (excluding sensitive personal information), or sensitive personal information of fewer than 10,000 individuals, beyond the Chinese Mainland since 1 January of the current year, may enter into the CAC’s standard contract template (promulgated June 2023) with the non-Chinese Mainland recipient. The China SCCs require a prior Personal Information Protection Impact Assessment (“PIPIA”), which must be retained for three years. The executed SCCs must be filed with the competent local CAC within 10 working days of execution. This is the most commonly used mechanism for commercial enterprises below the large-scale thresholds.
  • Mechanism 3 — Personal Information Protection Certification: PI Processors may obtain certification from a CAC-designated certification body confirming that their cross-border processing activities meet applicable standards. This mechanism is particularly suited to intra-group transfers within multinational enterprises. The certification body evaluates the PI Processor’s compliance programme holistically rather than on a transfer-by-transfer basis.

Exemptions and facilitation measures under the 2024 Provisions

The 2024 Provisions further introduced important exemptions from the transfer mechanisms and additional facilitation measures:

  • Exemptions from all three mechanisms (excluding important data) apply where: (i) the data processor is not a CII operator and has cumulatively provided personal information of fewer than 100,000 individuals (excluding sensitive personal information) overseas since 1 January of the current year; (ii) it is genuinely necessary to provide personal information overseas for the conclusion or performance of a contract to which an individual is a party, such as cross-border shopping, cross-border courier services, cross-border remittances, cross-border payments, cross-border account opening, flight and hotel bookings, visa processing, and examination services; (iii) it is genuinely necessary to provide employees’ personal information overseas for the implementation of cross-border human resources management in accordance with lawfully formulated internal labour rules and collective agreements concluded in accordance with law; or (iv) it is genuinely necessary to provide personal information overseas in emergency situations to protect the life, health, and property of a natural person.
  • Free trade zones (“FTZs”) facilitation: FTZs may develop their own negative lists identifying categories of data subject to transfer restrictions; data falling outside the negative list may be exempt from the standard security assessment, SCC filing, and certification requirements that would otherwise apply.

Consent and sensitive personal information specific consent

The PIPL imposes separate and specific consent requirements for the cross-border transfer of personal information: data subjects must be informed of the overseas recipient’s identity and contact details, the purposes and methods of processing, the categories of personal information involved, and the data subject’s rights, and must provide separate consent to the cross-border transfer (as distinct from any consent obtained for the underlying processing).

For sensitive personal information (which under PIPL includes health and medical data, biometric data, financial account data, location tracking data, and information about minors), the consent bar is higher still: express and specific consent is required, and the purposes must meet the standard of being “truly necessary”.


Part III: The GBA-Specific Mechanism — The GBA Standard Contract

Background

Given that the GBA initiative is a national strategy, it follows naturally that favourable policies and dedicated regulatory frameworks would be devised to facilitate cross-boundary activities conducive to the development of the GBA. A significant regulatory development for data governance is the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) 粤港澳大湾区(内地、香港)个人信息跨境流动标准合同 (the “GBA Standard Contract”), jointly issued by the CAC and the Hong Kong Innovation, Technology and Industry Bureau on 13 December 2023, together with accompanying Implementation Guidelines. The GBA Standard Contract became effective immediately upon its issuance.

What the GBA Standard Contract is and what it does

The GBA Standard Contract creates a dedicated, streamlined transfer mechanism for personal information flows between the nine GBA Chinese Mainland cities and Hong Kong. As a pre-approved contract template, the GBA Standard Contract provides Chinese Mainland PI Processors with a compliance pathway that, in certain scenarios, substitutes for the China SCCs, enabling the provision of personal information to Hong Kong without requiring a CAC security assessment — provided the transfer does not trigger the mandatory security assessment thresholds — and with a comparatively simplified overall compliance burden. At the same time, its eligibility conditions are not subject to quantitative volume thresholds, affording greater flexibility in application compared to the China SCCs. The GBA Standard Contract also streamlines the PIPIA requirements, reducing the assessment items from six to three. Its key features are as follows:

  • Scope: The GBA Standard Contract applies to cross-boundary transfers of personal information between GBA Chinese Mainland cities and Hong Kong in both directions — from the GBA Chinese Mainland cities to Hong Kong, and vice versa. Parties must be registered (if organisations) or located (if individuals) in the GBA Chinese Mainland or Hong Kong.
  • Relationship to PIPL mechanisms: For Chinese Mainland PI Processors, the GBA Standard Contract operates as an alternative to the standard China SCCs for transfers between the nine GBA Chinese Mainland cities and Hong Kong. It does not substitute the security assessment requirement for CII operators or large-scale processors who fall within the mandatory security assessment thresholds.
  • Voluntary adoption: The GBA Standard Contract is voluntary and does not replace existing statutory mechanisms. However, in practice it represents the most practical and administratively supported mechanism for structured GBA cross-boundary transfers, and its use provides a degree of regulatory certainty that bespoke or ad hoc contractual arrangements may not achieve.
  • PIPIA requirement: Prior to entering into a GBA Standard Contract, the Chinese Mainland PI Processor is required to conduct a PIPIA. Unlike under the standard China SCC regime, the PIPIA report is not required to be submitted to the competent authorities as part of the filing process; it is instead prepared and retained internally by the enterprise for subsequent regulatory inspection. Furthermore, compared to the PIPIA required under the China SCCs, the PIPIA under the GBA Standard Contract is simplified in scope. There is no requirement to assess: the risks of personal information being tampered with, damaged, or otherwise compromised after transfer outside the Chinese Mainland; the impact of the personal information protection laws and regulations of the recipient’s jurisdiction on the performance of the standard contract; or other matters that may affect the security of the personal information transferred outside the Chinese Mainland. Hong Kong-side data users are not required to conduct a PIPIA under the PDPO, though the PCPD recommends a non-mandatory privacy impact assessment as good practice.
  • Contractual protections for data subjects: The GBA Standard Contract incorporates mandatory provisions protecting the rights of data subjects on both sides of the boundary, including the right to access, correct, and delete their personal information, and the right to bring claims directly against either the PI Processor or the recipient for breaches of the contract. These provisions cannot be contracted out of or modified by the parties.
  • Supplementary commercial terms permitted: While the core terms of the GBA Standard Contract template are non-negotiable, parties may supplement the contract with additional commercial terms addressing their specific business arrangements, provided those terms do not contradict or diminish the protections set out in the GBA Standard Contract. In the event of any conflict, the GBA Standard Contract prevails.

It should be noted that the existing consent requirements and the heightened consent obligations for sensitive personal information are not exempted under the GBA Standard Contract mechanism. The GBA Standard Contract allocates obligations between the PI Processors and the Recipient through its contractual framework, but does not relieve PI Processors of the consent requirements imposed by the PIPL.

Filing requirements — A dual obligation

One of the GBA Standard Contract’s distinctive features is its dual-filing requirement. Unlike the China SCCs regime, which requires only the data exporter to file with the competent local CAC, the GBA Standard Contract framework requires both the data user / PI Processor and the recipient to file with their respective supervisory authorities within 10 working days of the GBA Standard Contract’s effective date:

  • Chinese Mainland-based PI Processors / recipients: File with the Guangdong CAC (or the relevant municipal CAC).
  • Hong Kong-based data users / recipients: File with the Digital Policy Office.

The GBA Certification — A potential second track

In parallel with the GBA Standard Contract, the Chinese Mainland’s National Information Security Standardization Technical Committee issued the “Network Security Standard Practice Guide — Cross-Border Personal Information Protection Requirements in the Guangdong-Hong Kong-Macao Greater Bay Area (Draft for Comment)” on 1 November 2023, providing the technical basis for a GBA personal information protection certification mechanism (“GBA Certification”) as an alternative facilitation mechanism for intra-GBA data flows. The proposed model adopts a certification-based approach, involving a holistic assessment of an organisation’s data processing and transfer practices by an accredited body, and is particularly suited to organisations with high-volume, ongoing cross-boundary transfers for whom entering into individual contracts for each transfer relationship would be operationally impractical.

However, as at the date of this article, the GBA Certification framework has not yet been formally implemented. Regulatory developments since 2025 have instead focused on finalising the nationwide personal information protection certification regime under the PIPL, while the GBA-specific certification mechanism remains at a draft stage and further operational guidance is awaited.

What the GBA Standard Contract Mechanism does not do

Several important limitations should be noted:

  • Data transferred under the GBA Standard Contract cannot be onward-transferred beyond the GBA (e.g. to a Singapore data centre or a UK headquarters) without separately complying with applicable PIPL cross-border transfer requirements.
  • The GBA Standard Contract does not override the PDPO. Hong Kong data users remain subject to all applicable obligations under the PDPO — including the DPPs, breach notification expectations and guidance, and data processor oversight obligations — even when using the GBA Standard Contract.
  • The GBA Standard Contract applies only to personal information and does not address “important data” under Chinese Mainland laws, which may require separate regulatory treatment, including CAC security assessment where applicable.

Concluding remarks

The regulatory landscape governing cross-boundary data flows in the GBA is complex, with rising enforcement expectations, increasing scrutiny, and a clear policy direction toward tighter oversight alongside structured facilitation. The GBA Standard Contract is a significant breakthrough as the first integrated regional framework, but it is a tool rather than a complete solution, requiring careful legal analysis, robust documentation, and disciplined implementation.

Effective compliance demands a structured, end-to-end approach. This typically begins with a readiness assessment to map data flows and identify legal bases and gaps, followed by the design of compliant frameworks covering privacy notices, governance policies, transfer mechanisms, and breach response. Implementation then extends to eligibility analysis, contract execution, dual-side filing, and management of onward transfer restrictions.

Ultimately, organisations that invest early in a forward-looking compliance architecture — rather than reacting to enforcement — are better positioned to move data efficiently, respond confidently to regulatory scrutiny, strengthen their commercial reputation, and build trust with customers and counterparties.

The author is both a qualified Hong Kong solicitor and Guangdong-Hong Kong-Macao Greater Bay Area lawyer.

Disclaimer: This article is for general informational purposes and reference only. The contents do not constitute legal advice and should not be relied upon as such. The legal position described above is accurate as at the date of this article and is subject to change. Readers should seek independent legal advice from qualified practitioners in the relevant jurisdictions before taking any action or making any decision in reliance on the contents of this article. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.
