China: Opened consultation on Cybersecurity Standard Practice Guidelines for protection of cross-border personal Information in Guangdong, Hong Kong and Macao Greater Bay Area

On 1 November 2023, the National Information Security Standardization Technical Committee (TC 260) opened a consultation on draft Cybersecurity Standard Practice Guidelines for the protection of cross-border personal Information in Guangdong, Hong Kong, and Macao Greater Bay Area until 15 November 2023. The draft guidelines were issued in accordance with the Memorandum of Cooperation on Facilitating Cross-Border Data Flow in the Guangdong-Hong Kong-Macao Greater Bay Area (MoU). The guideline provides a framework for the handling of cross-border personal information in the Guangdong-Hong Kong-Macao Greater Bay Area, outlining principles, protection requirements, and standardisation practices. The processing of personal data includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, and other handling activities of personal information. In regard to cross-border data transfer, the draft guideline specifies that data controllers have to establish a system for security management and operational procedures, implement security measures such as encryption and de-identification, maintain records for a minimum of 3 years and identify the type of data for transmission. The data controllers, before or during the cross-border data transfer, have to obtain the data subject's consent, offer information on the recipient's identity and contact information, enter into legally binding agreements with the recipients and implement measures such as contractual agreements and recipient log audits to ensure the data is not transmitted outside the Greater Bay Area.