China
Essential Guide to Cross-Border Personal Data Transfers in the GBA: A Compliance and Security Roadmap
The TC260 has launched a guide to standardize cross-border personal data transfers between the Chinese Mainland and Hong Kong within the Greater Bay Area, enhancing security standards and facilitating data flows while addressing protection challenges amid varied regional regulations.
The Technical Committee for Information Security Technology (TC260) has released a new guide to standardize cross-border personal data transfers between the Chinese Mainland and Hong Kong within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA). This guide introduces enhanced security standards and mutual recognition mechanisms, aiming to facilitate smoother data flows while ensuring robust protection of personal information.
On November 21, the Technical Committee for the Standardization of Information Security Technology (TC260) released a new Cybersecurity Standards Practice Guide (hereinafter, the “Guide”) outlining requirements for cross-border personal information processing and protection within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA).
The Guide provides a framework for businesses and organizations transferring personal data between the Chinese Mainland and Hong Kong, focusing on security standards and mutual recognition mechanisms. It offers a pathway for voluntary certification and inclusion in the “Greater Bay Area Cross-Border Personal Data Transfer Recognition List,” managed by Hong Kong’s Privacy Commissioner.
Cross-border data transfers (CBDT) have become a key focus in the GBA as the region works to enhance economic integration while addressing data protection challenges. Since December 2023, facilitation measures have been in place to streamline personal data transfers between nine Mainland GBA cities—Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing—and Hong Kong.
These measures aim to harmonize the varying regulatory frameworks within the region, particularly between the Chinese Mainland and Hong Kong.
Hong Kong, however, lacks specific rules governing the transfer of personal data outside its jurisdiction, raising questions about the extent to which businesses in Hong Kong would engage with these GBA measures. By contrast, the Chinese Mainland’s Personal Information Protection Law (PIPL) imposes stringent restrictions on cross-border data transfers. The GBA measures marked a significant step forward by relaxing some of these restrictions for transfers from Guangdong to Hong Kong, reflecting efforts to balance security with business practicality.
A major regulatory development followed on March 22, 2024, when the Cyberspace Administration of China (CAC) issued the New CBDT Rules.
| This article was first published by China Briefing , which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in in China, Hong Kong, Vietnam, Singapore, and India . Readers may write to info@dezshira.com for more support. |
Read the rest of the original article.



