By Centre for Chinese and Comparative Law (RCCL) of School of Law, City University of Hong Kong

MISSION

This report is a product of the titled project conducted by the Centre for Chinese and Comparative Law (RCCL) of School of Law, City University of Hong Kong, sponsored by Microsoft Hong Kong Limited. The report has examined the legal issues related to cross-border data transfer and has assessed a proposal exploring Hong Kong to be a data center hub for the Greater Bay Area (GBA) as a pilot, and eventually for the entire China in the long run. In the end, some key recommendations have been made in relation to the relevant legal considerations to enable cross-border data flow within GBA.

Specifically, the report consists of two parts: analysis of current legal framework, and recommendations. Discussions in each part are presented according to the following order: mainland China, Hong Kong, and Macao.

The purpose of the project is threefold. Firstly, it reviews the legal framework of data protection and cybersecurity in mainland China, Hong Kong and Macao. Data transfer involves various areas of law, including inter alia, cyber law, data privacy law, criminal law, national security law. It is for this reason that a relatively comprehensive review of these relevant areas of law in the three legal jurisdictions has been carried out. Secondly, it aims to identify the key areas/restrictions on free data flow among the three jurisdictions and to therefore figure out the possible solutions. Thirdly, based on the above, this project attempts to explore a proposal whether Hong Kong is suitable to serve as a data depository and processing center in the region and for China. The research team considers recommending a special pilot of free data flow within GBA, and related requirements and criteria for gradual approach depending on the nature of data (e.g. non-critical information/non-personal data, pure commercial data, R&D data, personal data, sensitive/national security data) as its main methodology. The feasibility of the recommendations from legal and policy perspectives has been analyzed.

Key Findings and Recommendations

Key findings:

- China - Without any exaggeration, data flow is at the core of digital economy. Under the premise of protecting controllable security of important data, maximization of free flow of data is useful in advancing the development of digital economy. The Cyber Security Law of the People’s Republic of China has basically set out the fundamental rules regarding cross-border data flow in mainland China. Yet the enactment of the detailed implementation regulations and relevant statutes is well underway. Key terms and new concepts, such as “Critical Information Infrastructure” and “important data” found in Cyber Security Law need to be clarified and defined to facilitate further discussion on cross-border data flow.

- Hong Kong - Hong Kong’s data protection law focuses on the protection of privacy and security of personal data. To date, there is no legal/regulatory restriction on cross-border transfer of data to and from Hong Kong. Section 33 of the Personal Data (Privacy) Ordinance governs the transfer of personal data from Hong Kong to the overseas jurisdictions, but the section is not yet in force, despite being a provision of the Ordinance since 1996. Section 33 provides one may transfer data out of Hong Kong if certain criteria are met: for example, if the receiving jurisdiction provides similar protections to personal data as in Hong Kong, if data subject’s consent has been obtained, or if certain due diligence exercise has been carried out to ensure data will be handled properly in the receiving jurisdiction. In a nutshell, the current legal regime in Hong Kong does not restrict Hong Kong from being a global data hub to receive, store and share data. Hong Kong has the potential to be a data center hub.

- Macao - The question of whether personal data can be transferred to a jurisdiction outside Macao is dependent on 1) the level of compliance with the Personal Data Protection Act and 2) the level of adequate protection in the data receiving jurisdiction. When there is no adequate level of protection in the receiving jurisdiction, transfer of data out of Macao may still be allowed if certain criteria are met. For example, if data subject’s consent has been obtained and a notification for the transfer is filed with the Office for Personal Data Protection, if the transfer is necessary (e.g. to perform a contract) or related to public interest (e.g. public security), or in other scenario where approval is granted by the Office for Personal Data Protection to transfer data out of Macao.

- This project examines the feasibility of a pilot project employing Hong Kong to be a data hub within GBA. There are practical needs for cross-border data flow from China to the rest of the world. If the pilot is successful, Hong Kong may serve as a data center hub to connect China with the rest of the world: 1) At a personal level, there are over 800 million of Internet users in China and there are cross-border data transfer activities on a day-to-day basis; (2) there are needs to transfer data within GBA at the government level, for example for public health reasons; (3) at business level, cross-border data transfer is necessary, for example: (a) for collaboration purposes: by private entities in their business activities, especially for multinational corporations to transfer internal data within different affiliates within the organization; (b) for research purposes: there is a need for international cooperation in research projects and it will involve data sharing; (c) for regulatory compliance purpose: such as anti-money laundering or know-your-client compliance checks for banks; and (d) for litigation purpose: such as in overseas lawsuit that involves evidence originated from mainland China.

- Further, it is strategic to have the pilot in GBA, because 1) GBA is an important platform for mainland China to further engage the outside world. Realization of cross-border free flow of data within GBA can make the development of the area more vibrant and enhance deep integration in the development of GBA. 2) The uniqueness of the “One Country, Two Systems” structure provides advantageous conditions for exploring cross-border free flow of data within GBA. In tandem with the National Strategy published in President Xi Jinping’s report delivered at the 19th National Congress of the Communist Party of China [1], it is expected that certain special legal arrangements will be provided to promote the deeper integration among the three jurisdictions. 3) It does not seem attainable to expect the primary legislation at the national level, Chinese Cyber Security Law, enacted as recent as in 2017, to be amended to lift the ban completely. It will be appropriate to explore a pilot within GBA first.

- In summary, it is submitted that in view of the reasons above, GBA provides a feasible pilot project allowing Hong Kong to be the data center hub facilitating cross-border data transfer to and from China. The pilot can start with less sensitive/critical data, such as open data, “harmless” data, and data not otherwise subject to legal or regulatory restrictions. It can also cover data of small-mid size businesses (as they will unlikely fall within the scope of “Critical Information Infrastructure”), common e-commerce, data for specific purposes such as for enterprises/multinational corporations intergroup communication, regulatory compliance, and non-commercial research.

Recommendations for a GBA pilot:

- To establish a special task force group to coordinate data transfer issues within GBA;

• At institutional level, cross-jurisdiction coordination is needed to launch the pilot project participated by different parties from the three jurisdictions. All the three jurisdictions have different legal and institutional mechanisms to manage data privacy and data flow. Therefore, it is recommended that a special task force group be established to coordinate and mobilize the legal institutions and relevant government agencies in Guangdong, Hong Kong and Macao. The purpose is to enhance the communication among the three jurisdictions and to facilitate the rule-making and enforcement with regard to the free flow of data.

- To harmonize the policies, regimes, and technical aspects related to data transfer within GBA;

• Guangdong, Hong Kong and Macao have different social, economic and legal systems. Given the differences in the policies, legal regimes, and technical aspects related to data transfer, it is recommended that a harmonization of substantive rules at technical levels for the three involved jurisdictions is necessitated. To be specific, it is further recommended that the actual operators, end-users and all the stakeholders voluntarily participate in the proposed protection system.

- To establish a “white list” or a “negative list” for data flow;

• A “white list” is a mechanism which permits certain categories of data enter and exit in certain circumstances, while the “negative list” is able to ascertain the scope of data that are not allowed to be freely transferred. The establishment of a “white list” or a “negative list” could enhance the certainty and efficiency of free data flow in the GBA. The lists need to identify specific industries or categories (e.g. financial services, healthcare, small-mid size businesses), and identify specific purposes (e.g. for e-commerce, enterprises/multinational corporations intergroup communication, regulatory compliance, non-commercial research), which are amendable and adjusted according to the changes in the systems and technologies and other factors of the three places.

- To take reference to other existing arrangements on cross-border data transfer;

• Hong Kong has been actively participated in several international agreements about cross-border data transfer with several international organizations (e.g. WTO) and other countries, which allows Hong Kong to make arrangements with foreign states for cooperation in legal and judicial matters. Furthermore, the intraregional arrangements include the CEPAs between Hong Kong and Macao, and Hong Kong and the Mainland has been significantly enhanced through the liberalization of the trade in goods and services, in particular, in data services and E-commerce, which have significant reference value to the perfection and application of the cross-border data flow system within the GBA. Observing and learning from these existing mechanisms that focus on a specific sector, e.g. exchanges between two places regarding cross-boundary data flow in the e-commerce sector will be of great value to a GBA pilot in the future.

- To apply Hong Kong/Macao laws in the transfer of permissible data to Hong Kong/Macao;

• While the “border” between mainland and Hong Kong/Macao is different from “national border”, borders do exist due to the differences in the political systems and legal systems under the “One Country Two Systems”. Whether data flow between mainland and Hong Kong/Macao belongs to “cross-border”, and whether such kind of activity should be included in the scope of regulation of the cross-border data flow system need to be clarified. The data transferred from the Mainland to Hong Kong/Macao should be subject to local laws of Hong Kong/Macao.

- To adopt a step by step approach — addressing highly sensitive “important data”;

• Important data is the specific target of regulation of mainland China’s cross-border data flow system e.g. national defence, utility plants. Maintaining data security at the national level should be the basis of the proposal for the pilot project on cross-border free flow of data in the GBA. Under the premise of protecting controllable security of important data, maximization of free flow of data is useful in advancing the development of digital economy. Therefore, it is advised to promote the GBA pilot in a realistic and constructive manner.

[1] Xi Jinping, ‘Secure a Decisive Victory in Building a Moderately Prosperous Society in All Respects and Strive for the Great Success of Socialism with Chinese Characteristics for a New Era — Delivered at the 19th National Congress of the Communist Party of China’, China Daily, 18 October 2017, <http://www.chinadaily.com.cn/interface/flipboard/1142846/2017-11-06/cd_34188086.html> Accessed 23 January. 2019 4

Please click to read full report.