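Hong Kong Financial Services Development Council (FSDC): Connecting Data: Establishing Hong Kong as a Cross-Boundary Financial Data Hub, 2022 research report (English version) (49 pages).pdf. Shared by a member and available to read online.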
Connecting Data: Establishing Hong Kong as a Cross-Boundary Financial Data Hub

December 2022
FSDC Paper No. 56

Contents

Executive Summary
Background: Opportunities and Risks
  Data as a strategic asset for financial services industry
  Cross-boundary data flow to support the integration and digital transformation of the GBA
  Hong Kong should position itself to be the financial data hub for the GBA
Global data landscape and policies
  Common mechanisms for cross-border/boundary data flows
  The United States
  The EU
  Mainland China
  Hong Kong
Pain points facing Hong Kong's financial services industry
  Lack of specific legislation to facilitate cross-border/boundary data transfers
  The changing regulatory landscape of data protection
  Operational obstacles
  Compliance cost and challenges
  Talent shortage
Policy recommendations
  To provide clarity on section 33 of PDPO
  To strengthen data governance and policy coordination within the GBA
  To formulate standard contractual clauses for cross-boundary data transfers within the GBA
  To set up a third-party certification agency to conduct impartial conformity assessment on cross-boundary data transfers within the GBA
  To explore the use of new technologies to enable cross-boundary data transfers within the GBA
  To attract and cultivate talents with technological and digital-related skillsets
Conclusion
Appendices
  Appendix 1. Key data regulation developments in Mainland China over the last five years
  Appendix 2. A summary of data landscape and policies in Mainland China and Hong Kong
  Appendix 3. AI ethical standards and requirements in Mainland China and Hong Kong and other international standards

Executive Summary

The financial services industry has become increasingly digitalised, with cross-border transactions continuing to grow significantly and data connectivity being an imminent business need globally. Similarly, within the Greater Bay Area (GBA), cross-boundary flow of data is crucial for the further integration and connectivity of the financial services industry. A coordinated governance framework and standard is
key to facilitate data flow between Hong Kong and the rest of the GBA cities, and to address operational challenges and compliance uncertainties to businesses operating across multiple jurisdictions. Hong Kong, being the international financial centre (IFC) of Asia and already possessing robust information and communications technology infrastructure and innovation capabilities, has what it takes to become the financial data hub of the GBA to facilitate a frictionless flow of data within the region.

To this end, the Financial Services Development Council (FSDC) formed a Working Group consisting of industry experts to conduct a study with the aim of identifying challenges facing Hong Kong's financial services industry in data governance and putting forward recommendations to address them. We believe these recommendations will help establish Hong Kong as the financial data hub of the GBA, and thereby strengthen Hong Kong's status as an international financial centre. Our recommendations include:

• To provide clarity on section 33 of the Personal Data (Privacy) Ordinance
• To strengthen data governance and policy coordination within the GBA by the following means:
  o To establish white- and grey-lists to facilitate cross-boundary data transfers within the GBA
  o To explore the feasibility of cross-boundary data sharing through conducting pilot projects
  o To develop a set of GBA data governance standards
• To formulate standard contractual clauses for cross-boundary data transfers within the GBA
• To set up a third-party certification agency to conduct impartial conformity assessments on cross-boundary data transfers within the GBA
• To explore the use of new technologies to enable cross-boundary data transfers within the GBA
• To attract and cultivate talent with technological and digital-related skillsets

The FSDC recognised that data flow is a complex matter that requires thorough considerations concerning security, economic stability, and operating environment, among others. At the same time, the further integration of the GBA required a freer flow of data beyond the financial services industry. A better exchange of a broader range of data within the GBA (and beyond) will further enhance the integration of the GBA and support the growth of other sectors. While this paper has cast a focus on the freer flow of financial data within the GBA, the scope of the recommendations put forth here can be potentially expanded to cover other types of data and industries at a time that is considered appropriate by stakeholders concerned in the Mainland and Hong Kong.

We believe these recommendations are some of the initial essential actions in helping establish Hong Kong as the financial data hub of the GBA, but also some
of the first steps to further strengthen data connectivity within the region, thereby further deepening the integration of the GBA.

Background: Opportunities and Risks

The adoption of technology in financial services has rendered data as a strategic asset and, in return, data availability and quality can lend further support to the enhancement of the financial services industry. Such a trend is particularly important for cross-boundary businesses, which have benefited significantly through enhanced client experience and market connectivity. Hong Kong, being Asia's leading international financial centre, a unique intermediary between Chinese and international markets, and home to many fintech companies, should take proactive actions to capture opportunities arising therein. It is believed that the city, which has an advanced IT infrastructure, communication network, and trusted legal system, is well positioned to become the financial data hub for the GBA to facilitate easier flow through the access, usage, and exchange of data within the region.

Data as a strategic asset for the financial services industry

According to the World Bank, “the digital economy is equivalent to 15.5% of global GDP, growing two and a half times faster than global GDP over the past 15 years” since 2007.[1] The global transformation to a digital economy has led major economies, including Mainland China, the European Union (EU), and the United States, among others, to attach strategic importance to data.[2] Data is now widely recognised as a key production factor, in addition to classical economic factors of production such as land, labour, and capital. Data is particularly important for the development of a digital economy.

Despite the importance of data, there is no consensus on the definition of data among the academic world and policy makers of different jurisdictions, as data can have multiple meanings depending on the context and jurisdiction. The matter is further complicated when it comes to defining a specific type of data, such as “personal data”, as its scope usually varies significantly among legal jurisdictions. A review of studies shows that attempts to define data usually make a distinction between data and information, with information being commonly defined as refined and processed data,[3] and data generally being defined as a collection of unprocessed points about events, objects, and people.[4] These points can either
be related or unrelated initially, but with aggregation, processing, and analysing, these points will become useful information for making decisions that have an impact on the economy, environment, health, or society in general.[5]

[1] World Bank, Digital Development, https://www.worldbank.org/en/topic/digitaldevelopment/overview (accessed on 16 June 2022)
[2] South China Morning Post (SCMP), US-China tech war: Beijing unveils grand plan to grow digital economy as US moves forward with competition bill (13 January 2022), https:/ on 5 June 2022)
[3] United Nations Conference on Trade and Development (UNCTAD), Digital Economy Report 2021 (March 2022), https://unctad.org/webflyer/digital-economy-report-2021 (accessed on 5 March 2022)
[4] Organisation for Economic Co-operation and Development (OECD), Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use across Societies, https://www.oecd-ilibrary.org/sites/276aaca8-en/1/2/1/index.html?itemId=/content/publication/276aaca8-en&_csp_=a1e9fa54d39998ecc1d83f19b8b0fc34&itemIGO=oecd&itemContentType=book (accessed on 5 March 2022)
[5] United Nations Conference on Trade and Development (UNCTAD), Digital Economy Report 2021 (March 2022), https://unctad.org/webflyer/digital-economy-report-2021 (accessed on 5 March 2022)

Given the indispensable role of data, the usage and flow of data within a country and across borders have increased dramatically over the past few years. According to a study conducted by the United Nations in 2021 about digital economy, global internet traffic in 2022 was predicted to exceed all the internet traffic up to 2016.[6] It was estimated that 79 zettabytes (ZB, 1 ZB = 1 trillion gigabytes) of data were created in 2021 alone,[7] and this number is expected to reach 180 ZB by 2025.[8] Notably, Mainland China is one of the biggest data generators, and is forecasted to generate 48.6 ZB of data by 2025.[9] The large and increasing amount of data is partly driven by the adoption of data-driven technologies in various industries to accelerate growth, capture new opportunities, expand access to other markets, and solve complex issues. Notably, innovative solutions are not only important at the time when an economy is doing well, but also crucial and perhaps even more so during times of crisis, natural disasters, and pandemics. Under these circumstances, digital savvy businesses are observed to fare better and can remain connected to their clients and customers, and hence remain competitive, and with better capability to weather through these challenging times.[10] As such, data can be seen as the lifeblood of businesses.

For the financial services industry in particular, its reliance on data is as much as, if not more than, that of other industries. Financial services are data-driven with a significant amount of data involved. Activities within the financial services industry include processes to create, collect, store, transfer, and process data. The application of data in the financial services industry is omnipresent, including to support product development, improve sales and marketing efforts, better manage customer relationships, enhance risk management, strengthen internal management, and reinforce compliance monitoring.[11]

Take the banking industry of Hong Kong as an example; in 2020, the Hong Kong Monetary Authority (HKMA) established a financial data infrastructure, known as the Commercial Data Interchange (CDI), to facilitate the sharing of commercial data.[12] CDI is a consent-based financial infrastructure that would enable more secure and efficient data flow between banks and sources of commercial data. One benefit of CDI is its use as an alternative tool to facilitate banks in conducting risk assessment of loan applications from small and medium enterprises (SMEs). According to a study conducted by the HKMA in 2021, with the aid of CDI, 550 SME loans totalling over HKD 900 million were approved by the participating banks as of 1 November 2021.[13] With more
efficient data sharing of the banking industry, SMEs have easier access to financing, therefore furthering financial inclusion.

[6] United Nations Conference on Trade and Development (UNCTAD), Digital Economy Report 2021 (March 2022), https://unctad.org/webflyer/digital-economy-report-2021 (accessed on 5 March 2022)
[7], [8] Statista, Big data - Statistics & Facts, https:/ https:/www.red- on 5 June 2022)
[9] CNBC, As information increasingly drives economies, China is set to overtake the US in race for data (13 February 2019), https:/ on 2 June 2022)
[10] World Bank, Digital Development, https://www.worldbank.org/en/topic/digitaldevelopment/overview (accessed on 16 June 2022)
[11] Oxford University, Analytics: The real-world use of big data in financial services, https:/ on 16 June 2022)
[12] HKMA, Commercial Data Interchange, https://www.hkma.gov.hk/eng/key-functions/international-financial-centre/fintech/research-and-applications/commercial-data-interchange/ (accessed on 5 August 2022)
[13] HKSAR Government, Briefing to the Legislative Council Panel on Financial Affair (3 May 2022), https://www.legco.gov.hk/yr2022/english/panels/fa/papers/fa20220503cb1-217-2-e.pdf (accessed on 5 August 2022)

Similar initiatives are being developed in other markets, such as the UK. For instance, the UK's Open Banking, a regulatory initiative that allows authorised third-party financial service providers to securely access consumer banking information,[14] has seen a rapid growth since it was introduced in 2018.[15] As of February 2022, over five million UK consumers and businesses have used open banking-enabled products, which are powered by extensive data and rigorous analysis.[16]

As it develops, the improving availability of data also lends support to global efforts to enhance financial inclusion. For instance, traditional commercial banks are generally more reluctant to grant loans or other forms of financing to SME clients, due in part to the intrinsic difficulty for businesses of smaller scale to meet the loan assessment requirements of banks. In the face of proliferation of business data, such may no longer be the case for SMEs, with alternative data starting to play a part in providing information to support alternative loan assessment methodologies. Data such as real-time supply chain transaction data, inventory and sales proceeds collected from the end consumer, payment history, cash flow, supply chain and number of employees, etc., can offer a 360-view
of businesses, particularly of SMEs. This can be beneficial for bridging the gap by enabling the analysis of behavioural data rather than relying on traditional credibility measures of proof of income/revenue. Such usage of alternatives may encourage banks to provide more funding support to SMEs.

Data also plays a key role for risk management, by supporting the banking sector to monitor financial market activities and helping to detect illegal trading activities, such as money-laundering and fraudulent activities. Similarly, for the insurance sector, data analytics helps the sector to detect fraud as well as produce customer insights.

The power of data is exponentiated when synthesised from different sources, which is visible through dynamic ecosystems being formed between cross-industry entities. Taking RegTech as an example, these technologies are becoming increasingly dependent on high quality and high velocity data, which is often reliant on third parties that have the scale and capability to manage this data on behalf of multiple parties. Technological advancements in the field of artificial intelligence (AI) have also provided more channels for businesses of the financial services industry to meet various business needs by integrating AI into their operations.

The power of data can also be magnified when its access is open and shared across different countries and borders, such as supporting multinational corporations to make better business decisions in various areas and helping countries fight against transnational crimes.

[14] UK Government, Corporate report: Update on Open Banking (5 November 2021), https://www.gov.uk/government/publications/update-governance-of-open-banking/update-on-open-banking (accessed on 16 June 2022)
[15] Open Banking, About the OBIE, https://www.openbanking.org.uk/about-us/ (accessed on 16 June 2022)
[16] UK Government, Corporate report: Update on Open Banking (5 November 2021), https://www.gov.uk/government/publications/update-governance-of-open-banking/update-on-open-banking (accessed on 16 June 2022)

Cross-boundary data flow to support the integration and digital transformation of the GBA

The GBA seeks to create a globally competitive ecosystem through integrating an international financial centre, a leading technology and innovation hub and other vibrant cities within the region with varied and mutually complementary advantages. The “Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area” (the Outline) issued by the State Council in 2019 emphasised the need to leverage the geographical advantages of the GBA to drive regional development, and highlighted a number of focus areas related to financial services industry, including (i) the development of cross-boundary financial services; (ii) the application of technology and innovation in fields including financial technologies and big data; and (iii) the prevention and mitigation of financial risks.[17]

Against this backdrop, enabling the frictionless cross-boundary flow of relevant financial data within the GBA is essential to fully implement these policy objectives. The key to integrated development lies in fostering the flow of people, goods, capital, and information. Having enhanced mechanisms to facilitate data exchange in a more timely, higher quality, and more effective manner is an integral part
of its development. In fact, market participants have longed for an effective flow of data within the GBA in order to accelerate their business expansion and integration within the region. Data-backed innovative technologies such as AI, blockchain, and big data are believed to be the solution to further enhancing the financial industry's capability to provide quality cross-boundary services to clients. Backed by such technologies, applications in digital identification, KYC procedures, risk evaluation and credit assessment, to list a few, can significantly improve customer experience and enable financial institutions to better serve SMEs and other traditionally underserved sectors. Notably, such data-based innovation can also make a difference in reducing cyber risks and fraud cases at a local or regional scale as a large(r) dataset can help banks and other financial institutions to more effectively identify abnormal behaviours and irregular transaction patterns. Furthermore, with seamless data flow, businesses within the GBA can accelerate their digital adoption and continue to leverage AI to enhance business performance,[18] providing them with an additional competitive edge to flourish within the GBA and even internationally.

[17] HKSAR Government, Greater Bay Area, Outline Development Plan (18 February 2019), https://www.bayarea.gov.hk/filemanager/sc/share/pdf/Outline_Development_Plan.pdf (accessed on 16 June 2022)
[18] City University of Hong Kong, Legal research project: Proposal for Hong Kong To Be a Data Centre Hub For The Greater Bay Area and China (January 2019), https://www.cityu.edu.hk/slw/lib/doc/rccl/201901_RCCL_Report-HK_as_Data_Centre_Hub-ES.pdf (accessed on 16 June 2022)

Hong Kong should position itself to be the financial data hub for the GBA

Given the prominent role that data plays in supporting the development of the GBA, establishing a data hub that allows seamless data exchange within the GBA will unleash more potential of the power of data. A data hub refers to the centre of data-related activities. The setup of a successful data hub could be driven by various factors, such as the
increase of business activities that leads to the need for data and/or the production of data. With the data hub being formed, it provides data users with a centre point of access for data, allows data users to integrate and harmonise information from multiple sources, and also facilitates data flow.

In addition to being the leading international financial centre in this part of the world, Hong Kong, given its well-established IT infrastructure and strong research and innovation capabilities, should position itself to be the region's financial data hub to facilitate frictionless data flow. Notably, Hong Kong has a stable and extensive submarine cable communication network,[19] which is part of many submarine cable systems connecting other parts of Asia, Europe, and the US.[20] According to a data centre market study,[21] Hong Kong is ranked top in many of the 13 assessment categories for data centre markets, including market size, strong fibre connectivity, high cloud availability, market friendly tax regime, and rapid growing development pipeline for power. Overall, Hong Kong ranked second in Asia and sixth globally as a data hub, out of the 55 markets studied.

For smoother cross-border/boundary data flow to happen, it is important for the host of data to be well recognised as a trustworthy and secure place for data transmission and utilisation. In this regard, Hong Kong has been well regarded internationally as a reputable and trustworthy city, with a strong governance structure and a vibrant business community. Such a reputation and its institutional setup has laid a strong foundation for Hong Kong to become a regional data hub and global digital financial centre.

Furthermore, the global trend of a data driven economy based on AI/big data development and the proliferation of digital media has increased the scale of data storage and transmission by tens of thousands. Notably, many countries have invested significantly in data infrastructure and have devoted resources to driving the development of digitalisation. Alongside the promotion of the digital economy, these countries have also introduced various data regulations and policies to enhance the legal framework for fostering healthy development of the industry. Therefore, it is important for Hong Kong to keep pace with global developments to remain competitive.

[19] Office of the Communications Authority, Landing of Submarine Cables in Hong Kong, https://www.ofca.gov.hk/en/industry_focus/infrastructures/submarine_cables/index.html (accessed on 2 February 2022)
[20] Submarine Cable Networks, Cable Landing Stations in HK, https:/ on 5 January 2022)
[21] Cushman & Wakefield, 2022 Global Data Center Market Comparison (12 January 2022), https://cushwake.cld.bz/2022-Global-Data-Center-Market-Comparison (accessed on 5 April 2022)

In this regard, it is encouraging to see that the Hong Kong SAR Government has established a Digital Economy Development Committee (DEDC) in June 2022, among other initiatives, to support the development of its digital economy.[22] The DEDC is mandated to focus on various topics including setting strategies, enhancing cooperation with stakeholders, driving the growth of data services as an industry, encouraging the adoption of digitalisation by different industries, and promoting digital government.[23] More specifically, the DEDC has set up a sub-group on Cross-Boundary Data Collaboration, consisting of industry experts and other stakeholders, to identify, among others, possible approaches to facilitate cross-boundary data collaboration.[24] With an aim of supporting the development of the GBA and Mainland China's digital economy, as well as implementing a related wider strategic plan,[25] businesses expect Hong Kong to play a more significant role in data-related initiatives by leveraging its own unique advantages under “One Country, Two Systems”.[26] If Hong Kong is able to facilitate data flow and enhance cross-boundary data availability between
China and the rest of the world, data-oriented businesses will likely benefit from increasing opportunities to carry out more innovative product development and service enhancement.

[22] HKSAR Government, Government announces establishment of Digital Economy Development Committee (22 June 2022), https://www.info.gov.hk/gia/general/202206/22/P2022062200375.htm (accessed on June 25 2022)
[23] HKSAR Government, Government announces establishment of Digital Economy Development Committee (22 June 2022), https://www.info.gov.hk/gia/general/202206/22/P2022062200375.htm (accessed on June 25 2022)
[24] According to conversations with relevant public stakeholders.
[25] For instance, please see media report Wen Wei Po, “蔡冠深:港可為 數字絲路 發揮獨特作用” (5 March 2022), https:/ on 5 April 2022)
[26] 2022 Foundation, Creating the Greater Bay Area of the Future Opportunities for Hong Kong, http:/ on 5 April 2022)

Global data landscape and policies

For data to be shared and used safely and to drive value creation, it is essential that a practical and robust governance framework, covering the entire life cycle from data acquisition, storage, usage, processing, transferring, provision, and to disclosure, is in place. Given the GBA comprises three different legal systems and has different approaches to data governance, it will be useful to examine how data-related activities are regulated across different jurisdictions, particularly regarding cross-boundary data transfer. With that in mind, this section provides an overview of global approaches to cross-border/boundary data governance, with the focus on data policies of the United States, the European Union (EU), and Mainland China, as their approaches are considered representative of the main approaches adopted for data governance in the world.[27] An analysis of Hong Kong's data laws and approaches to international data transfers is also set out in this section.

[27] World Economic Forum, Exploring International Data Flow Governance: Platform for Shaping the Future of Trade and Global Economic Interdependence (December 2019), https://www3.weforum.org/docs/WEF_Trade_Policy_Data_Flows_Report.pdf (accessed on 2 March 2022)
[28] World Economic Forum, Exploring International Data Flow Governance: Platform for Shaping the Future of Trade and Global Economic Interdependence (December 2019), https://www3.weforum.org/docs/WEF_Trade_Policy_Data_Flows_Report.pdf (accessed on 2 March 2022)
[29] Office of the Privacy Commissioner for Personal Data (PCPD), Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)

Common mechanisms for cross-border/boundary data flows

Cross-border data transfer is governed based on several factors, including the policy objectives of the implementing jurisdictions. According to a 2019 white paper about data flow published by the World Economic Forum (WEF),[28] some common objectives that many jurisdictions consider while formulating related strategies are privacy protection, consumer protection, industry protection, economic stability, law enforcement, and national security. Another key factor is the type of data. As some types of data, such as personal data or security-related data, have greater impact on and sensitivity to people, understandably a higher level of discretion is warranted with regard to the transfer of such data. These categories are often subject to more legal restrictions. One of the most restrictive requirements is data localisation, under which data is required to be stored and/or processed in the country/region. In extreme situations, this can mean a complete ban on cross-border data transfers, even for the purpose of processing. In less extreme cases, jurisdictions may impose partial localisation, where data needs to be stored locally but transferring or storing copies of the data abroad is not prohibited.

The impact of data regulations on international data transfer varies, depending on the level of regulatory restrictiveness. That said, given the interconnectedness of businesses, many jurisdictions recognise the importance of international data transfers for businesses. This explains why countries generally allow the exporting of data, provided that data processors comply with specific regulatory requirements. These may include regulatory approval, various binding contracts, consent from data subjects, completion of a data protection-related assessment, among others. The five broad common mechanisms for international data transfers are summarised below.[29]

[30] Namely Iceland, Liechtenstein and Norway.
[31] PCPD, “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (May 2022), https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_model_contractual_clauses.pdf (accessed on 6 June 2022)
[32] European Commission, Standard Contractual Clauses (SCC), https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (accessed on 4 March 2022)
[33] Personal Data Protection Commission of Singapore, ASEAN Data Management Framework and Model Contractual Clauses on Cross Border Data Flows (January 2021), https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows (accessed on 4 March 2022)
[34] Cyberspace Administration of China, 个人信息出境标准合同规定(征求意见稿) (30 June 2022), http:/ on 24 October 2022)
[35] APEC, What is the Cross-Border Privacy Rules System (October 2021), https://www.apec.org/about-us/about-apec/fact-sheets/what-is-the-cross-border-privacy-rules-system (accessed on 6 June 2022)
[36] Asia-Pacific Economic Cooperation (APEC), APEC Privacy Framework (August 2017), https://www.apec.org/publications/2017/08/apec-privacy-framework-(2015) (accessed on 6 June 2022)

• Whitelist: data transfers are regulated on the basis of the data protection standards in the recipient country. Companies are allowed to export data to a receiving country if it is considered to have an adequate level of
data protection as the hosting country, often referred to as an adequate jurisdiction. The most typical example would be the EU, which has recognised some countries as adequate jurisdictions, such as the three non-EU European Economic Area member countries.[30]

• Safeguards: data transfers across borders are allowed if contracts featuring model contractual clauses (also known as standard contractual clauses) pre-approved by regulators are signed between the sending and receiving parties. Many jurisdictions have implemented the mechanism of model contractual clauses for cross-border/boundary transfer. These include, for example, Hong Kong's Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (RMCs),[31] the EU's Standard Contractual Clauses (SCCs)[32] approved by the European Commission and ASEAN's Model Contractual Clause for Cross Border Data Flows (MCCs) developed by the Working Group on Digital Data Governance.[33] On 30 June 2022, Mainland China also issued a consultation paper on Standard Contractual Clauses for cross-border personal information transfer, and the consulting period ended on 22 July 2022.[34]

• Certifications: companies are allowed to transfer and receive data from certain jurisdictions if certain certifications related to data privacy protection are obtained from a professional body recognised by regulators. For example, Asia-Pacific Economic Cooperation (APEC)'s Cross-Border Privacy Rules (CBPR) system is a voluntary and accountability-based system that consists of
a series of internationally recognised data privacy protection standards. A company certified under the CBPR system is allowed to transfer and receive personal data collected in an APEC member economy across borders.[35] One data privacy protection standard included in the CBPR system is the APEC Privacy Framework, which is designed to protect privacy while ensuring personal information is able to flow freely to benefit consumers, businesses, and governments.[36]

[37] The National People's Congress of the People's Republic of China, 中华人民共和国个人信息保护法 (20 August 2021), http:/ 2 December 2021)
[38] PCPD, Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)
[39] UNCTAD, Digital Economy Report 2021 (March 2022), https://unctad.org/webflyer/digital-economy-report-2021 (accessed on 5 March 2022)
[40] UNCTAD, Digital Economy Report 2021 (March 2022), https://unctad.org/webflyer/digital-economy-report-2021 (accessed on 5 March 2022)

The United States

According to a UN study on the digital economy,[39] the United States has adopted a free-market approach towards the digital economy, which enables cross-boundary free flow of data. Such proposition favours a private market-driven approach that stimulates innovation and supports first-mover advantages, and, as a result, technology companies in the United States have arguably achieved a dominant position comparatively. The United States has used trade agreements to enable firms to gain access to foreign markets and ban practices such as data and server localisation requirements. This approach enables data to flow back to the United States when overseas users engage with firms headquartered in the country. The UN study notes that the United States does not impose any specific compliance requirements for cross-boundary transfers of personal data. It has, however, taken a restrictive approach for data related to defence and national security issues, such as requiring any company providing cloud services to its defence department to store its data only in the United States.[40]

• Necessity: most jurisdictions prohibit the international transfer of (personal) data by default, and only permit the transfer of such data for certain purposes, such as for business needs (e.g., a performance of a contract). Notably, necessity is often a prerequisite for an international data transfer.

• Consent: some jurisdictions require data users to obtain consent from data subjects (e.g., natural persons) prior to the transfer of personal data. Nonetheless, the level of consent required may vary across markets. For instance, Mainland China requires express consent from data subjects to proceed for every transfer,[37] whereas in Hong Kong, consent from data subjects is needed only if the transfer is initiated
113、 for a new purpose.38 Furthermore,jurisdictions may adopt more than one mechanism for the transfer of data across boundaries,especially for handling personal data.For example,in Mainland China,data users are required to obtain a consent plus a government approval,a certification,or a contract with t
114、he data recipient,among others,before a transfer of personal data can take place.Comparatively,some rare jurisdictions are bound by less legal requirements for the transfer of personal data.For example,in the Republic of Korea,companies are only required to obtain consent from data subjects prior to
115、 exporting personal data.Whereas for cases that involve cross-border data interchange,apart from the above legal requirements,data users are expected to take into account fundamental data principles as they would be required to for cases of local data transfer,such as data needing to be collected fo
116、r a lawful purpose.10For data privacy,it has opted for a flexible and ad-hoc sectoral approach,and only prescribed standards in specific areas such as child privacy,health information,and financial data privacy.While none of these sectoral regulations restrict cross-boundary data transfer,these sect
117、ors are subject to more restrictive compliance requirements.Take the financial services industry as an example,the United States has imposed a range of personal and financial data regulations to ensure market efficiency,consumer protection,and financial stability alongside the flow of data.41 The UN
118、 study argues that the United States has adopted such a liberal regulatory approach on cross-boundary data flow to maintain and further expand its leadership in the global digital market.Therefore,it has advocated against data protectionism and supports cross-border data governance,such as endorsing
the APEC Privacy Framework and APEC's CBPR system.

The EU

According to the European Data Strategy published by the European Commission (EC) in February 2020, the EU aims to “create a single market for data”, where data within the EU can flow freely with respect to European rules, including privacy and data protection as well as competition law.[42] The EU's data policy is mainly governed by the General Data Protection Regulation (GDPR), which is widely recognised as one of the most comprehensive data protection frameworks in the world. In general, the EU takes a strong regulatory approach towards the digital economy, which is formulated based on the protection of fundamental rights and values of the EU.[43] Regulations on cross border data flow are relatively more stringent with an aim of protecting the privacy of individuals. While the governance with regard to the transfer of personal data outside of the region is challenging, the EU does not explicitly ban the exit of non-personal data.

Under the GDPR, transfer of personal data outside of the EU is only allowed if the recipient countries reciprocally provide a similar level of privacy protection to its citizens as the EU, as designated by the EC. As of 17 March 2022, countries or territories that the EC has endorsed as having an adequate level of privacy protection to its citizens are Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom.[44],[45] Another mechanism to enable international transfer is to adopt appropriate safeguards (such as standard contractual clauses [SCCs] approved by the EC or binding corporate rules [BCRs] for intragroup transfers) and the data subjects should possess enforceable rights and be protected by effective legal remedies. In the absence of an option under the two approaches mentioned before, transfer of personal data is still possible if the action falls under a derogation (exception) specified in the GDPR (e.g., explicit consent of the data subjects, or if necessary, to exercise or defend a legal claim, amongst others).[46]

[41] SSRN, Financial Data Governance: The Datafication of Finance, the Rise of Open Banking and the End of the Data Centralization Paradigm by Douglas W. Arner, et al (23 March 2022), https:/ on 4 April 2022)
[42] European Commission, The European Data Strategy (19 February 2020), https://ec.europa.eu/commission/presscorner/detail/en/fs_20_283 (accessed on 4 April 2022)
[43] UNCTAD, Digital Economy Report 2021 (March 2022), https://unctad.org/webflyer/digital-economy-report-2021 (accessed on 5 March 2022)
[44] The adequacy findings are a product of long bilateral negotiations, with the EU taking into consideration several factors of the negotiating parties, including their data protection framework, legal system, and their economic and political relationship with the EU.
[45] European Commission, Adequacy decisions, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (accessed on 3 February 2022)
[46] In July 2020, the ECJ ruled in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 that the EU-US Privacy Shield mechanism for international transfers was invalid and that, if companies are looking to rely on SCCs to enable a transfer of personal data outside the EEA, entities must carry out an evaluation to determine if the recipient country's laws undermine the ability of the SCCs to provide the GDPR's required level of data protection. As such, supplementary measures may also need to be implemented to ensure the transferred data is adequately protected.
[47] The National People's Congress of the People's Republic of China, 中华人民共和国数据安全法 (10 June 2021), http:/ 2 December 2021)
[48] The National People's Congress of the People's Republic of China, 中华人民共和国个人信息保护法 (20 August 2021), http:/ 2 December 2021)
[49] Cyberspace Administration of China, 中华人民共和国网络安全法 (7 November 2016), http:/ 2 December 2021)
[50] Please refer to the Appendix for a summary of Mainland China's data regulations development.
[51] The National People's Congress of the People's Republic of China, Data Security Law of the People's Republic of China (10 June 2021), http:/ on 5 March 2022)
[52] The National People's Congress of the People's Republic of China, 中华人民共和国数据安全法 (10 June 2021), http:/ 2 December 2021)

Mainland China

In Mainland China, approaches for the flow of cross-border/boundary data are incorporated in several laws. They are mainly regulated by the
Data Security Law (implemented on 1 September 2021),[47] Personal Information Protection Law (implemented on November 1, 2021),[48] and the Cyber Security Law (implemented on 1 June 2017),[49] among others.[50] As suggested by the names of these regulations, Mainland China's data regulations explicitly govern aspects beyond just personal data.

Data Security Law

Mainland China's Data Security Law (DSL) became effective in September 2021, with the purpose of “regulating data processing, ensuring data security, promoting development and utilisation of data, protecting the lawful rights and interests of individuals and organisations, and safeguarding the sovereignty, security, and development interests of the state”.[51] Articles 11 and 31 of the DSL provide the conditions for cross-border/boundary data transfer.[52]

Article 11 is a principal provision, highlighting the country's support for promoting cross-border/boundary data. Article 11 stipulates that the Mainland government will actively carry out international exchanges and cooperation in the fields of data security governance, data development and utilisation, participate in the formulation of international rules and standards related to data security, and facilitate the safe and free flow of cross-border/boundary data.

Article 31 stipulates that the exit security management of important data collected and generated by operators of critical information infrastructure during operations within the territory of Mainland China shall be governed by the provisions of the Cyber Security Law in conjunction with relevant departments of the State Council.

[53] The National People's Congress of the People's Republic of China, 中华人民共和国个人信息保护法 (20 August 2021), http:/ 2 December 2021)
[54] The term “critical infrastructure” is defined to include “public communications services, energy, transport, water conservation, finance, public services, e-government affairs or anything else where data loss, destruction or leakage can result serious damage to state security, national economy and people's livelihood and public interests”. Please see Cyberspace Administration of China, 中华人民共和国网络安全法 (7 November 2016), http:/ 2 December 2021)
[55] UNCTAD, Digital Economy Report 2021 (March 2022), https://unctad.org/webflyer/digital-economy-report-2021 (accessed on 5 March 2022)
[56] Cyberspace Administration of China, 中华人民共和国网络安全法 (7 November 2016), http:/ 2 December 2021)

Personal Information Protection Law

Mainland China imposes data localisation of personal data and restricts the exit of personal data.[53] The Personal Information Protection Law (PIPL) provides special chapters on cross-border/boundary provision of personal information: Article 38 stipulates that personal information processors should only provide personal information outside Mainland China due to business needs; PIPL requires separate consent from subjects for personal data to be transferred out of Mainland China (Articles 39 and 55 of PIPL). Additionally, one of the following conditions should be fulfilled:

i. passing the security assessment organised by the Cyberspace Administration in accordance with Article 40 of PIPL;
ii. obtaining personal information protection certification by a professional organisation pursuant to the provisions of the Cyberspace Administration;
iii. concluding a contract with the overseas entities, according to the standard contract formulated by the Cyberspace Administration, to stipulate the rights and obligations of both parties;
iv. complying with other conditions stipulated by laws, administrative regulations or the Cyberspace Administration.

Where the international treaties and agreements that Mainland China has concluded or participated in have provisions on the conditions to provide personal information outside of the Mainland, cross-border/boundary transfer of personal information can be implemented in accordance with those provisions. Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.

Cyber Security Law

The cross-border/boundary provisions for critical infrastructure data are stipulated in the Cyber Security Law (CSL). According to the CSL, “the personal information and important data collected and generated by operators of critical infrastructure during operations within the territory of Mainland China shall be stored in Mainland China”.[54]

With an aim of ensuring public security and easy access to data for regulatory purposes, Mainland China
imposes data localisation for information of several specific sectors, including health and/or personal information collected by credit investigation organisations, commercial banks, internet map service organisations, online taxi platform companies, and internet bicycle rental operators.[55] When it is necessary to provide data to overseas recipients due to business needs, “a security assessment shall be carried out in accordance with the measures formulated by the Cyberspace Administration in conjunction with relevant departments of the State Council.”[56]

Given the importance of security assessment in data exportation for Mainland China, it is worth mentioning that in July 2022, the Cyberspace Administration issued the “Data Outbound Security Assessment Measure” (the Measure), which specifies rules and procedures for the implementation of the security assessment for cross-border/boundary data transfer as stipulated in the Data Security Law, Personal Information Protection Law, and Cyber Security Law.[57] Subsequently, the “Data Outbound Security Assessment Declaration Guidelines” was published in August,[58] providing more guidance on the application method, process, supporting documents, and other means required for the security assessment. According to the Measure, specific players[59] will have to register for a security assessment prior to transferring data overseas.

In general, at present, the exit of both personal information and important data (i.e., collected by operators of critical information infrastructure or operators of other data processors) must undergo strict security assessment, certification, or standard contract review.

[57] People's Republic of China, Cyberspace Administration of China, “數據出境安全評估辦法” (7 July 2022), http:/ on 15 July 2022)
[58] Cyberspace Administration of China, 國家互聯網信息辦公室發布 數據出境安全評估申報指南(第一版) (31 August 2022), http:/ on 9 September 2022)
[59] These players include data processors transferring important data abroad, operators of critical information infrastructure, data processors handling the personal information of over 1 million users, and data processors who have either accumulatively provided the personal information of over 100,000 users or sensitive information of over 10,000 users abroad since January 2021.
[60] The People's Republic of China, 中共中央国务院印发海南自由贸易港建设总体方案 (1 June 2020), http:/ on 15 February 2022)
[61] People's Government of Shanghai, 上海市人民政府关于印发 上海市全面深化服务贸易创新发展试点实施方案 的通知 (5 November 2020), https:/ on 25 February 2022)
[62] The People's Government of Beijing Municipality, 北京市商务局关于印发 北京市关于打造数字贸易试验区实施方案 的通知 (18 September 2020), http:/ on 16 June 2022)

Cross-border/boundary data flow arrangements in Free Trade Zones and the GBA

Given the strong demand for cross-border/boundary data flow and many legal restrictions on the provision of cross-border/boundary data,
free trade zones in Hainan, Shanghai, and Beijing, namely Hainan Free Trade Port,[60] Shanghai Lingang Area,[61] and Beijing Digital Trade Pilot Zone,[62] rely on their respective policy supports to explore solutions for cross-border/boundary data flow based on their regional industrial development needs.

These policies and measures provide useful references for the GBA. On cross-border/boundary data governance, various attempts are being explored in the free trade zones, aiming to leverage their respective policy advantages to achieve breakthroughs in the following five key aspects:

1. Carrying out pilot projects for cross-border/boundary data transmission security management. For example, Hainan proposes to explore more convenient methods with a view to conducting assessments for the secure exit of personal information.[63]
2. Carrying out a security assessment of cross-border/boundary data flow and building
a public service platform to facilitate the flow.[64]
3. For specific industries, such as the financial sector, allowing eligible foreign financial institutions to report and transfer relevant data overseas due to a group's holding of financial institutions in Mainland China. Relevant data could include those regarding internal management and risk control, according to the cross-border/boundary data classification supervision model proposed by Shanghai.[65]
4. For specific companies, as proposed by Beijing Digital Trade Pilot Zone, actively promoting a small number of pilot companies in the pilot zone to achieve data flow compliance within specific areas abroad.[66]
5. Supporting international collaboration, with China-Japan-Korea, ASEAN, and other regional blocs as a start, expanding to the US and the EU for cross-border data transfer.[67]

On 5 September 2021, Mainland China issued the “Overall Plan for the Construction of the Hengqin Guangdong-Macao Intensive Cooperation Zone” (the Plan), which provides some visions for safe and orderly cross-border/boundary transfer of data.[68] The Plan states that under the national security management framework for cross-border/boundary data transmission, relevant authorities will carry out pilot projects for cross-border/boundary data transmission, study the construction of green channels for a fixed network to access the worldwide internet, and explore the formation of a mechanism that can facilitate data flow while ensuring security. It will also support relevant universities and scientific research institutions in Zhuhai and Macao to achieve the interconnection of cross-border/boundary scientific research data under the condition that personal information and important data are secured.

[63] The People's Republic of China, 中共中央国务院印发海南自由贸易港建设总体方案 (1 June 2020), http:/ on 15 February 2022)
[64] People's Government of Shanghai, 上海市人民政府关于印发 上海市全面深化服务贸易创新发展试点实施方案 的通知 (5 November 2020), https:/ on 25 February 2022)
[65] People's Government of Shanghai, 上海市人民政府关于印发 上海市全面深化服务贸易创新发展试点实施方案 的通知 (5 November 2020), https:/ on 25 February 2022)
[66] The People's Government of Beijing Municipality, 北京市商务局关于印发 北京市关于打造数字贸易试验区实施方案 的通知 (18 September 2020), http:/ on 16 June 2022)
[67] The People's Government of Beijing Municipality, 北京市商务局关于印发 北京市关于打造数字贸易试验区实施方案 的通知 (18 September 2020), http:/ on 16 June 2022)
[68] The People's Republic of China, 中共中央国务院印发 横琴粤澳深度合作区建设总体方案 (5 September 2021), http:/ on 30 May 2022)
[69] PCPD, The Personal Data (Privacy) Ordinance, https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html (accessed on 15 December 2021)
[70] PCPD, Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)
[71] HKSAR Government, Personal Data (Privacy) Ordinance (last updated on 8 October 2021), https://www.elegislation.gov.hk/hk/cap486!en-zh-Hant-HK.pdf?FROMCAPINDEX=Y (accessed on 7 February 2022)

Hong Kong

Hong Kong's main data regulation is the Personal Data (Privacy) Ordinance (PDPO), whose primary concern is personal data and privacy protection. PDPO defines personal data as information which relates to a living individual and can be used to identify that individual. It must also exist in a form in which access to or processing of it is practicable.[69] Notably, Section 33 of PDPO is intended to be the guiding principle for cross-border/boundary transfer of data under Hong Kong's existing legal framework. However, due to concerns from the business community over its potential impact on business operations and compliance difficulties,[70] the section has not been implemented, despite its introduction in 1996.

Cross-border/boundary data transfer arrangements

Section 33 of the PDPO sketches out under what circumstances personal data can be gathered within Hong Kong and the conditions that need to be met before cross-border/boundary data transfer is allowed.

s33(2)(a) Jurisdictions with data privacy protection laws that are same or similar as those in Hong Kong (i.e., PDPO), which have been confirmed by the Privacy Commissioner for Personal Data through the publication by notice in the Gazette;
s33(2)(b) If the user has reasonable grounds to believe that the jurisdiction has any law that is similar to the PDPO in Hong Kong;
s33(2)(c) Data subject has given written consent for the transfer;
s33(2)(d) For the benefit of the persons with the personal data (subject to more detailed stipulations);
s33(2)(e) Other exceptions.

As section 33 of PDPO is not in effect, there is technically no specific law governing the cross-border/boundary transfer of data in Hong Kong. That said, six Data Protection Principles[71] (DPP) are in place to guide the collection and usage of personal data. For the purpose of cross-border/boundary data transfer, such principles include:

DPP 3 prohibits transfer of personal data for new purposes without consent;
DPP 2(3) requires data users to prevent their processors from retaining personal data longer than necessary; and
DPP 4(2) requires data users to ensure the security of personal data transferred to their processors.

These are all applicable to cross-border/boundary data usage. Furthermore, under section 65(2) of the PDPO, data users are liable for the acts of their agents, which can be used to cover the acts of overseas service providers as well. As such, data users who may transfer data collected in Hong Kong to overseas service providers can still be held liable should anything go amiss.

Other than the mechanisms stipulated in the DPP and PDPO, it is also possible to establish contractual obligation on overseas parties regarding how they handle personal data obtained within Hong Kong. The PCPD has issued the Recommended Model Contractual Clauses for the Cross-border Transfer of Personal Data (RMCs), which are free-standing clauses that may be incorporated into business agreements between transferors and data transferees across borders/boundaries.[72] Such clauses aim to help businesses to take into consideration the relevant requirements of data protection set out in the PDPO.

An example on a wider scale will be bilateral agreements between jurisdictions, whereby there may still be jurisdictional applicable rules/commitment to cross-border data transfer. In the bilateral free trade agreement (FTA) between Hong Kong and Australia from 2019, a declaration of commitments to the policy of free flow of data was included in the FTA. Remarkably, approaches in Hong Kong are in line with the approaches of other jurisdictions, such as the EU and Mainland China.

We are also aware that the Government is formulating regulations that define the cyber security obligations of critical infrastructure operators,[73] which may impact the relevant operators. A public consultation exercise is expected to be launched by the end of 2022 and the FSDC will continue to monitor this space.

[72] PCPD, “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (May 2022), https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_model_contractual_clauses.pdf (accessed on 6 June 2022)
[73] HKSAR Government, “Cyber security legislation proposed” (25 May 2022), https://www.news.gov.hk/eng/2022/05/20220525/20220525_125433_066.html

Pain points facing Hong Kong's financial services industry

The financial services industry in the GBA has become increasingly integrated in recent years, with the latest milestone being the launch of the Wealth Management Connect in 2021[74] and the ETF Connect in July 2022.[75] In contrast, connectivity in respect of financial data seems to be lagging, posing operational challenges and compliance uncertainties for businesses operating across the GBA.

Lack of specific legislation to facilitate cross-border/boundary data transfers

There is a lack of specific legislation to facilitate data transfer in Hong Kong. Section 33 of the PDPO prohibits the transfer of personal data to places outside of Hong Kong unless one of the specified conditions is fulfilled.[76] That said, it has not been in force since the PDPO took effect from December 1996. While the Office of the Privacy Commissioner for Personal Data (PCPD) has in the past commissioned consultancy studies on bringing section 33 into force, it remains unclear when the particular statutory provision will be effective.[77] According to a PCPD document, seven issues related to the implementation of section 33 were raised from a study, ranging from definition, implementation, and enforcement to policy interaction with other regulations governing certain highly regulated industries.[78] Concerns from businesses about the impact on their operations, compliance difficulties, and additional time and effort required in relation to these, have led to the implementation of section 33 being deferred.[79] For example, as stated in the aforementioned PDPO document, if a jurisdiction was previously confirmed by the PCPD as having the same or similar data protection laws as those in Hong Kong (i.e., the PDPO), but is later delisted by the Commissioner as one which is no longer considered to have a similar law as the PDPO, the steps that a business should take to ensure their compliance with the law are uncertain.[80]

[74] HKMA, Cross-boundary Wealth Management Connect Scheme in the Guangdong-Hong Kong-Macao Greater Bay Area (9 November 2021), https://www.hkma.gov.hk/eng/key-functions/international-financial-centre/wealth-management-connect/ (accessed on 23 March 2022)
[75] Hong Kong Exchanges and Clearing Limited (HKEX), “HKEX to Include ETFs in Stock Connect on 4 July” (28 June 2028), https:/.hk/News/News-Release/2022/220628news?sc_lang=en (accessed on 30 June 2022)
[76] PCPD, Response to media enquiry on data localisation (15 April 2020), https://www.pcpd.org.hk/english/news_events/media_enquiry/enquiry_20200415.html (accessed 2 April 2022)
[77] PCPD, Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)
[78] PCPD, Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)
[79] PCPD, Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)
[80] PCPD, Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)
[81] The National People's Congress of the People's Republic of China, 中华人民共和国个人信息保护法 (20 August 2021), http:/ on 2 December 2021)
[82] HKSAR Government, Personal Data (Privacy) Ordinance (last updated on 8 October 2021), https://www.elegislation.gov.hk/hk/cap486!en-zh-Hant-HK.pdf?FROMCAPINDEX=Y (accessed on 7 February 2022)
[83] PCPD, Six Data Protection Principles, https://www.pcpd.org.hk/english/data_privacy_law/6_data_protection_principles/files/6DPP.pdf (accessed on 30 May 2022); The National People's Congress of the People's Republic of China, 中华人民共和国个人信息保护法 (20 August 2021), http:/ 2 December 2021)
[84] HKSAR Government, “Cyber security legislation proposed” (25 May 2022), https://www.news.gov.hk/eng/2022/05/20220525/20220525_125433_066.html (accessed on 7 July 2022)

The changing regulatory landscape of data protection

The recently legislated/imposed data laws in Mainland China have distinctive impacts on cross-boundary data governance and may have far-reaching implications for Hong Kong. One of the foundations of Hong Kong's role as an international financial centre of China and part of the GBA is its strong connection with Mainland China in various aspects, including people, business, and other social interactions. In this regard, while protecting the interests of data subjects, the frictionless flow of data between Hong Kong and Mainland China is essential to fostering strong connectivity. Nevertheless, as Hong Kong is considered an “offshore” market of Mainland China with its own legal system under “One Country, Two Systems”, a higher degree of policy coordination will be needed to facilitate more effective cross-boundary data activities.

Having compared the data laws in Mainland China and Hong Kong, both jurisdictions share some common data protection principles. For instance, according to articles 5 to 8 of Mainland China's PIPL, the collection and handling of personal information shall, but not limited to, “follow the
principles of lawfulness, legitimacy, necessity, and integrity”; “follow the principles of openness and transparency”;[81] “have a clear and reasonable purpose”, and “guarantee the quality of personal information”. According to Hong Kong's six Data Protection Principles, Principle 1 requires personal data, but not limited to, shall be collected “for a lawful purpose”, “by means which are lawful and fair in the circumstances of the case”; Principle 2 requires, but not limited to, “all practicable steps shall be taken to ensure that personal data is accurate having regard to the purpose for which the data is or is to be used”.[82]

While there are similarities in data protection principles between the two jurisdictions,[83] their legal requirements to ensure data protection are different. Notably, Mainland China requires operators of critical information infrastructure and entities which process personal information beyond the limits determined by the Cyberspace Administration of China to store data locally, whereas Hong Kong's PDPO does not impose such data localisation requirement on any specific data processors. Indeed, this might change after the Government has enacted the laws in relation to defining obligations of critical infrastructure operators,[84] which may have an impact on relevant operators.

Additionally, the main data laws of Mainland China were introduced within the last five years and guidance on specific aspects is still being formulated. This gives rise to unintended uncertainties, resulting in many organisations adopting a “play it safe” approach and putting in place restrictions beyond the original legislative intent. For example, Mainland China's DSL, which came into effect in 2021, requires a higher level of protection to “critical data” without further clarifying its definition. Subsequently, in January 2022, the draft of “Information security technology Guideline for identification of critical data” published by the State Administration for Market Regulation and Standardisation Administration preliminarily defined “critical data” as the type of data that can cause harm to national security and public interests, if it is modified, destroyed, leaked, or illegally obtained and used.[85]

While the draft of “Information security technology Guideline for identification of critical data” is yet to be finalised, the definition of “critical data” as mentioned above has been adopted by the “Measure”.[86] Many law firms have underlined that guidance on the definition of “critical data” and identifications of similar types of data will require clarity and certainty.[87] According to a news report, due to uncertainties around data protection requirements, particularly related to cross-border/boundary data transfers, some foreign businesses decided to scale back their planned budget for research and development projects in Mainland China, while some other businesses were compelled to downgrade the quality of service provided to clients.[88] It will take
time for the financial services industry, as with other economic sectors, to observe and understand the implementation of the series of updates around data governance in Mainland China, and the relevant implications on cross-boundary data transmission as related to business needs. For the time being, these policy changes, while necessary to ensure data protection, will unavoidably bring about some level of uncertainty to the integration of cross-boundary financial services.

Operational obstacles

Insufficient data integration within the GBA has created many operational obstacles for GBA companies. Businesses face difficulties in fulfilling Know-Your-Customer (“KYC”) compliance, obtaining alternative data sources for credit rating, etc., when promoting financial services across the GBA regions. For example, banks in Hong Kong may not be able to obtain KYC information from banks in Mainland cities, due to
the cross-boundary data privacy protection and conflicting cyber security laws, and vice versa.

85 National Information Security Standardization Technical Committee, 信息安全技術重要數據識別指南 (7 January 2022), https:/ on 7 July 2022)
86 People’s Republic of China, Cyberspace Administration of China, “數據出境安全評估辦法” (7 July 2022), http:/ on 15 July 2022)
87 IFLR, “PRIMER: China’s Data Security Law” (11 November 2021), https:/ on 28 June 2021)
88 SCMP, “China must clarify uncertainty over data security laws, allow more cross-border transfers” (23 November 2021), https:/ on 30 June 2022)

Another example is the validation of letters of guarantees. Currently there is no centralised database where financial institutions, banks and FinTech incumbents can share their customers’ credit reports and collateral.89 Companies will also have difficulty finding a trusted notary across boundaries to validate and value collaterals.

Companies with operations in Mainland China and Hong Kong are struggling to integrate their businesses. For example, under the current arrangement, any Mainland subsidiary of a Hong Kong-based company must meet a set of legal requirements for transferring company data to Hong Kong. Hence, a business might hesitate to
conduct cross-boundary data transfer, thereby hindering business integration.

Encouragingly, there have been developments in the GBA to address challenges of cross-boundary customer onboarding in the banking sector. In November 2021, Guangzhou launched the Greater Bay Area Cross-border Data Mutual Recognition Platform, which allows banks to verify the identities of customers residing in Guangdong and Hong Kong, therefore making the cross-boundary KYC checks more effective.90 That said, more effort will be required to overcome the operational challenges mentioned above.

Compliance cost and challenges

The
lack of an integrated framework governing data transfer within the region means that businesses must consider how to coordinate between all the data laws, understand whether any of them conflict and, if so, how to resolve the conflicts. The cost of meeting legal requirements for cross-boundary transfer of data (such as personal data or operational data) within the region is significant and is felt even more acutely by SMEs, which have limited capital and resources to invest in legal and compliance. The compliance challenges have also deterred banks from onboarding SME clients, as they generally have less collateral or credit-related data to meet the lending requirements of financial institutions. As mentioned before, using alternative data can be a solution to promote financial inclusion, enabling underserved SMEs to have greater access to financial support.

89 Nova, 实现跨境企业征信建设跨境信用机制诺华诚信参与草拟跨境企业信用标准 (December), https:/www.nova- 23 January 2022)
90 The People’s Government of Guangzhou Municipality, 广州南沙建大湾区跨境数据互信互认平台 (6 December 2021), http:/ on 17 December 2021)

Talent shortage

In order to stay at the forefront of the evolution, businesses rely on their workforce to design, execute, and review their data and digitalisation strategies. However, Hong Kong businesses are confronted with talent scarcity. A relatively small talent pool in the information technology industry has long been one of the challenges facing Hong Kong’s technology and data sector. According to the Talent Development Survey 2021 conducted by the Hong Kong Institute of Bankers, 82% of surveyed financial industry practitioners considered technological and data skills as the greatest skill gap for the banking industry. It is no surprise that innovation and technology experts, data scientists and cyber security specialists, and Fintech professionals are three of the 13 professions in the Talent List of Hong Kong that the city seeks to attract.91 In particular, companies have expressed their struggles to find talent that has both data-related competency and business sense. For example, according to a 2021 study of a consulting firm, 40%
of Hong Kong companies surveyed indicated the “lack of talent with integrated knowledge in technology and management” as one of the top three challenges that hinder their technological innovation.92 Given the increasingly sophisticated business needs, companies not only expect data scientists to be technically sound, but also to have a nuanced business sense in analysing huge datasets to help companies navigate critical business decisions. It can be challenging for data talent who are well-versed in computer science and statistics to understand the business landscape, especially the more complicated
overlays of implicit business rules and processes.

Additionally, businesses are also experiencing challenges in acquiring and nurturing home-grown and foreign talent. While the information technology industry is gaining greater attention and wider popularity among university students, there is still a considerable gap between Hong Kong graduates’ skillsets and the demands of workplaces.93 It is therefore important for students to find theories and skills taught in the classroom to be highly relevant and practical in the work environment, especially as technology is continuing to evolve rapidly across various industries. Many companies have also cited the challenging process of retaining and sourcing foreign talent to fill the local demand gap, especially for senior-level talent.94

Talent shortage in Hong Kong across various industry sectors is further highlighted by the ongoing COVID-19 pandemic.95 While the supply of talent has decreased, the demand for data talent has increased dramatically since industry players have been racing against each other to accelerate their digitalisation agenda during this period.

91 HKSAR Government, The 13 Professions on the Talent List, https://www.talentlist.gov.hk/en/talentlist.html (accessed on 15 July 2022)
92 Deloitte, Rekindling Hong Kong’s economic growth through innovation (December 2021), https:/ on 15 July 2022)
93 SCMP, “Hong Kong’s IT sector facing shortage of skilled talent as Covid-19 keeps foreigners away and locals mull migration” (13 March 2021), https:/ on 15 July 2022)
94 Ming Pao, “獵頭公司:主要外籍人才流失 5年內港成不吸引城市” (31 March 2022), https:/ 15 July 2022)
95 SCMP, “Hong Kong’s banking talent shortage worsened by zero-Covid rules must be urgently addressed, industry association says” (21 January 2022), https:/ 15 July 2022)

In order to achieve an effective flow of financial data within the GBA, and to position Hong Kong’s role as the financial data hub of the region, this report proposes some recommendations in the following aspects.

To provide clarity on section 33 of PDPO

As mentioned previously, PDPO is the major legislation in Hong Kong that is related to data governance. While its section 33 governs the transfer of personal data from Hong Kong to other jurisdictions, it has not been implemented since its introduction in 1996 due to concerns from businesses over its operational impact and compliance difficulties.96 The six Data Protection Principles have become one of the key guidelines for handling personal data across borders/boundaries. Nonetheless, these principles focus on personal data protection, with more limited clarity and guidelines on ways to carry out cross-border data transfers than section 33 would offer if it were implemented.97 Hence, a clear legal framework that
spells out mechanisms can facilitate international data transfers. Additionally, it also demonstrates a jurisdiction’s adequacy of data protection.

In this context, Hong Kong, with an aim of taking up the role as a facilitator of safe and secure flow of data across the region, should provide clarity on relevant rules and regulations in the data space. In this respect, the industry has been seeking clarity on the PDPO, particularly regarding section 33. A clear timeline about the implementation of section 33 will be crucial for establishing a legal framework for GBA integration. Understandably, businesses
should be given sufficient time to implement the necessary measures to comply with the data laws. The Government should therefore consider setting up a roadmap in relation to the implementation, with an objective to address the previously mentioned challenges. This includes how businesses can remain compliant with the law if a jurisdiction that was initially approved by the Commissioner for international data transfer was delisted by the Commissioner afterwards.

To foster the development of an orderly and healthy market, it is important that rules and regulations keep pace with technological and commercial realities, with defined requirements and standards clearly laid out. This would lead to appropriate regulations on parties involved in data exchange, thereby ensuring the accuracy, validity, and security of data. Notably, laws of section 33 that govern data transfer were first created decades ago,
before data was being utilised on a mass scale for personal and commercial purposes as it is today. Therefore, a review and potential update of the rules is necessary to ensure they remain fit for purpose prior to the formulation of a timeline and roadmap.

Looking ahead, it is worth considering mandating companies of a certain scale, or companies handling large amounts of personal and/or sensitive data, to designate a data protection officer (DPO) to take on the responsibility of ensuring their organisations comply with all the relevant data laws. Such a practice has become the norm
in many jurisdictions, including the EU.98 At the same time, the PCPD has also advocated the inclusion of a DPO as part of organisations’ data governance in the best practice guide issued under the Privacy Management Programme.99 However, to demonstrate that Hong Kong is well-positioned to be the data hub of the GBA (and beyond), going a step further by adopting the mandatory appointment of a DPO within an organisation is considered a key element, as it reflects good data governance.

Policy recommendations

96 PCPD, Cross Border/Boundary Data Transfer in Hong Kong (March 2019), https://www.pcpd.org.hk/english/news_events/speech/files/CrossBorderBoundaryDataTransferb.pdf (accessed on 6 March 2022)
97 Please refer to “Hong Kong” from the section of “Common mechanisms for cross-border data transfer” for additional information.
98 European Commission, “What are the responsibilities of a Data Protection Officer (DPO)?” https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/data-protection-officers/what-are-responsibilities-data-protection-officer-dpo_en (accessed on 31 August 2022)
99 PCPD, Privacy Management Programme: A Best Practice Guide (August 2018), https://www.pcpd.org.hk/pmp/files/pmp_guide2018.pdf; PCPD, Privacy Management Programme (PMP) Manual; https://www.pcpd.org.hk/misc/files/grg_private_sector.pdf (both were accessed on 24 October 2022)

To strengthen data governance and policy coordination within the GBA

Recognising the complexity of harmonising data regulations for cross-boundary transfer between Hong Kong and GBA cities in Mainland China, it is suggested that the Hong Kong Government should maintain a dialogue with its Mainland counterparts to enhance governance and policy coordination among relevant authorities within the GBA. Notably, Mainland China has
signed two data security frameworks, namely the China-League of Arab States (LAS) Cooperation Initiative on Data Security (China-LAS DSCI) in March 2021,100 and the Data Security Cooperation Initiative of China+Central Asia (C+C5 DSCI) in June 2022,101 with a view to strengthening data cooperation and promoting digital economy among the signing member countries. While these initiatives are not directly related to cross-border/boundary data sharing, it is clear that stronger cooperation in data-related matters is crucial for the digital economy. Hong Kong, being part of China, should aim to develop stronger cooperation with the Mainland in data-related initiatives, particularly governance related to data connectivity.

A mutual understanding of the rules and regulations in each other’s jurisdictions can be fostered through rolling out various forms of pilot projects, as the process would allow fast tracking cross-boundary data exchanges for certain data types among some GBA cities, subject to certain rules and protocols that are agreeable to the relevant parties involved. In the long run, these initiatives can be scaled to the wider GBA area, based on regulatory and enforcement experience accumulated. As such, a more harmonised data governance standard that is applicable to the entire GBA can be developed, to enable more secure and efficient data flow.

It is equally important to strengthen policy coordination within the GBA, for the purpose of enabling data sharing and usage across boundaries. Hence, the Hong Kong Government should consider setting up a joint advisory group/committee with its counterparts and, if appropriate, invite other relevant public sector stakeholders of Mainland China, such as the Cyberspace Administration of China and financial supervisory bodies, to provide support and
resources. Support from the Central Government would certainly help to accelerate the implementation progress.

100 People’s Republic of China, Ministry of Foreign Affairs, “China-League of Arab States Cooperation Initiative on Data Security” (29 March 2021), https:/ on 15 July 2022)
101 People’s Republic of China, Ministry of Foreign Affairs, “Wang Yi Attends the Third China+Central Asia Foreign Ministers’ Meeting” (9 June 2022), https:/ on 15 July 2022)

To establish white- and grey-lists to facilitate cross-boundary data transfers within the GBA

Under the current legal setup, data leaving Mainland China and Hong Kong are subject to various degrees of regulatory approvals and obligations. It is therefore suggested that the Hong Kong Government and its Mainland counterparts relax or exempt the regulatory requirements of certain types of data to promote the financial services industry within the GBA, subject
to rules and protocols with defined accountability for the safety and security of data being transferred. Such an approach can be represented in the form of a white-list and grey-list. A white-list will permit certain categories of data to enter and exit freely; the grey-list is for the categories of
data that are allowed to be transferred only within the GBA, with no further transactions beyond the region. The parameters for the data categories can be specific industries (e.g., data from the financial services industry for the purposes of cross-boundary remittance and payment), specific company sizes (e.g., SMEs), or specific purposes (e.g., regulatory compliance, anti-money laundering/combating terrorist financing, or non-commercial research), and the parameters should be reviewed regularly and have the flexibility for adjustment as needed. In particular, the white-list should be comprehensive and as inclusive as practicable to enable a variety of data to be included as appropriate, which will maximise the range of businesses, customers, and financial activities that can benefit from such an arrangement.

We recognise that it is challenging to identify which data types should be included in each list, because the definition and scope of each type of data must be clearly and precisely defined. Therefore, when deciding the types of data to go under the white-list and grey-list, Hong Kong and relevant Mainland counterparts may draw references from other jurisdictions in terms of the approach to govern the transfer of certain data types. For example, for the white-list category, the Government could explore the feasibility of allowing banks to report and transfer relevant cross-boundary data that is critical to the internal management and risk control of businesses (e.g., suspicious trading transactions,
network analysis). As for the grey-list, the Government and its Mainland counterparts could consider allowing the free flow of financial data related to various Connect Schemes, such as the Cross-boundary Wealth Management Connect Scheme, within the GBA, but still prohibit further transfers outside of the region. Freer flow of such information will help foster the enhancement and growth of various Connect Schemes.

As previously mentioned, section 33 of the PDPO (although not in effect) currently operates a “whitelist”, which is tied with the data laws of the receiving jurisdictions (i.e., the transfer of data is permitted if a receiving jurisdiction has a privacy law similar to the PDPO). The suggested white- and grey-lists will be tied to the categories of data, which would hopefully provide businesses with more flexibility for data transfer and will allow for freer data transfer than a simple jurisdictional white-list (i.e., a simple yes/no situation). However, we also recognise that having an extra two lists might create additional compliance challenges for businesses as they will need to categorise their data, which can be difficult. Nonetheless, we believe this recommendation will be effective in facilitating cross-boundary data transfers, and the additional compliance challenges can possibly be overcome by having well-defined definitions for the two lists, as well as by adopting a two-phased approach to implementation, namely to start with introducing a white-list, then roll out a grey-list after businesses are familiar with such processes.

To explore the feasibility of cross-boundary data sharing through conducting pilot projects

Apart from the recommendation to set up white- and grey-lists, other pilot projects can be explored by imposing less restrictive requirements for an easier flow of financial-related data among specific financial institutions and companies. In the initial stage, these pilot projects can be limited to data flow within selected GBA cities, to ensure the programmes are implemented in a gradual and risk-manageable manner. The Government can, for example, take reference of the
policies of Free Trade Zones, such as Hainan,102 Shanghai,103 Beijing,104 among others, to conduct pilot projects for cross-boundary provision of data related to the financial services industry within the GBA. In this context, the process of security assessment, certification, and standard contract review can be simplified. The scope of data can also include, or gradually add in, data that is less sensitive, SME related, business operations, and non-commercial research metrics. The white- and grey-lists mentioned previously can be considered as one of the approaches to implement such pilot projects.

Many policies are already in place to actively promote the connections between the financial services industry in the GBA, including the cross-boundary use of Renminbi, investment and wealth management, and insurance products. These policies have formed the foundation for cross-boundary financial data policies. Efforts should be made to explore how data sharing can be implemented within cross-boundary financial products and services. For example, for the Wealth Management Connect, authorities should explore the possibility to allow investors in Hong Kong to open a cross-boundary northbound investment account without the need to be physically present at a Mainland branch (i.e., remote client on-boarding). Additionally, the Government should explore ways to enable more efficient data transfer between banks and sources of commercial data, to support SMEs and start-ups in the GBA to expand across the boundaries, fostering economic growth.

Another Free Trade Zone reference is the Shanghai Lin-Gang Special Area, which has proposed allowing eligible foreign financial institutions to report and transfer abroad relevant data involving their holding of financial institutions in Mainland China for group management purposes, especially those data that are crucial for the internal management and risk control of business operations.105

Launching pilot projects in experimental business zones or special economic zones within the GBA should be further explored. For example, the Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone (Qianhai Cooperation Zone) has been set up as an experimental business zone to facilitate cooperation between Mainland China and Hong Kong in financial services, IT services and logistics activities. Thus, the Qianhai Cooperation Zone will be an ideal place for conducting
pilot projects.

102 The People’s Republic of China, 中共中央国务院印发海南自由贸易港建设总体方案 (1 June 2020), http:/ on 15 February 2022)
103 People’s Government of Shanghai, 上海市人民政府关于印发 上海市全面深化服务贸易创新发展试点实施方案 的通知 (5 November 2020), https:/ on 25 February 2022)
104 The People’s Government of Beijing Municipality, 北京市商务局关于印发 北京市关于打造数字贸易试验区实施方案 的通知 (18 September 2020), http:/ on 16 June 2022)
105 People’s Government of Shanghai, 上海市人民政府关于印发 上海市全面深化服务贸易创新发展试点实施方案 的通知 (5 November 2020), https:/ on 25 February 2022)

Hong Kong may also consider leveraging Shenzhen’s greater autonomy in policy setting as a “Special Economic Zone”, or concessionary
policies rolled out for the Qianhai Cooperation Zone, to explore different options with a view to facilitating data flow between Shenzhen and Hong Kong.

It is also suggested that a “data customs” could be established within the GBA with an aim of regulating cross-boundary data transfer and supporting the integration of data for the region. The FSDC recommends finding common denominators of the existing data laws between Mainland China and Hong Kong to formulate a set of rules, regulations, and guidelines for different purposes/circumstances of cross-boundary data transfer; a risk-based data flow model can also be explored. It is believed that an effective integration of different regulatory frameworks and basic systems will strengthen mutual trust in cross-boundary data cooperation and eventually drive the enhancement of regulations across the GBA.

With an aim of taking forward the pilot projects, setting up a task force joined by industry representatives is recommended to steer and facilitate the overall coordination. Some of the key factors the task force may wish to address are the duration, scale, locations, implementation, monitoring and evaluation of pilot projects as well as the timeline and roadmap to extend pilot projects to the wider GBA region.

To develop a set of GBA data governance standards

In the long run, Hong Kong should aim to collaborate with Mainland China to develop a GBA-wide legal and regulatory data framework that reduces friction for transferring data across the three
jurisdictions. Standardised data governance will significantly reduce compliance cost for businesses and allow data to flow freely across industries and boundaries, thereby leading to greater connectivity, efficiency, and productivity within the region.

The Government could consider drawing reference from the ASEAN Data Management Framework (DMF).106 The DMF is a step-by-step guide for businesses to set up a data management system, including data governance structures and safeguards. A good data management system helps businesses to unlock the value of data while ensuring adequate safeguards.

In fact, the
Guangdong Government recognises the need to support data flow within the GBA effectively in order to accelerate the digital transformation of the GBA.107 This is indicated by the Action Plan for the Reform of Market-based Allocation of Data Matters in Guangdong (the Action Plan), published by the Guangdong Government in July 2021. The Action Plan aims to promote the orderly flow of data within the GBA.108 Specifically, it mentions that a common data centre for the GBA will be established to facilitate the orderly circulation and sharing of data among East, West, and North Guangdong and the GBA. In this context, several data application case studies can be formed to benefit industry development, social governance, and services for the people and related areas.

Leveraging these policy supports and the “One Country, Two Systems” principle, Hong Kong should establish a favourable legal and regulatory environment where market participants can tap into the business potentials of cross-boundary data transfer. Hong Kong should engage with relevant counterparts of Mainland China in building a consensus for compliance requirements for exporting data from Mainland China to Hong Kong, such as the security assessment, to fully contemplate the viability, demand, and features of the financial services industry.

106 Personal Data Protection Commission of Singapore, ASEAN Data Management Framework and Model Contractual Clauses on Cross Border Data Flows (January 2021), https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows (accessed on 4 March 2022)
107 The People’s Government of Guangdong Province, 广东省人民政府关于印发广东省数据要素市场化配置改革行动方案的通知 (5 July 2021), http:/ May 2022)
108 The People’s Government of Guangdong Province, 广东省人民政府关于印发广东省数据要素市场化配置改革行动方案的通知 (July), http:/

It is important for Hong Kong to work closely with relevant Mainland authorities to provide a high degree of certainty to businesses,109 including data processors that handle personal information of over one million users. Most ideally, the provision of personal information or data to Hong Kong and Macao for purposes of providing and receiving financial services should be granted the same level of convenience as onshore regions (境內) with reference to the “Data Security Law”, “Personal Information Protection Law”, and “Cyber Security Law” of Mainland China, among others. Notably, Hong Kong was selected as the location for the US Public Company Accounting Oversight Board (PCAOB) to conduct auditing on the finances of a number of US-listed Chinese companies in August 2022; such an arrangement is an example of how financial-related data can be transferred across boundaries.110

If cross-boundary personal information or data is required to be provided to countries or regions other than Hong Kong or Macao, security assessments, certifications, standard contract clauses, or other ring-fencing measures can be put in place in accordance with the requirements of cross-boundary data provision in the jurisdiction of Mainland China to prevent further transfer to overseas destinations to ensure the security and protection of onshore data. In this context, the enactment of section 33 of PDPO that governs cross-border/boundary data transfers is crucial.

Data governance framework with consideration of data ethics

Data protection and ethical data usage are highly relevant; hence, data ethics should be considered while formulating a standardised data governance framework within the GBA, with a view to minimising potential ethical risks and advocating the ethical use of data. Data ethics encompasses a sound
knowledge of data protection law, moral obligations of handling personal identifiable information, and the appropriate use of new technologies.111,112 An ethical practice effectively promotes the responsible and sustainable use of data to benefit society, and ensures that knowledge obtained through data is not being exploited or causing harm to an individual or society.113 Encouragingly, many jurisdictions and regional organisations have published good practices/principles and data ethics frameworks to guide the ethical use of data.

Furthermore, AI technology plays a key role in supporting the development and enhancement of the financial services industry, and integration within the GBA, as mentioned previously. In view of its increasing adoption, AI perhaps has a more significant impact on individuals and society, thus promoting AI governance is deemed necessary by industry practitioners. Notably,
AI governance encompasses many aspects, with responsible AI increasingly becoming a key block of a comprehensive AI governance framework. Responsible AI is a set of principles with ethical and moral concerns considered,114 with a view to fostering a positive impact on the development through guiding them to innovate responsibly and to cultivate a responsible culture.115

109 As mentioned before, these include data processors transferring important data abroad, operators of critical information infrastructure, data processors handling the personal information of over 1 million users, and data processors who have either accumulatively provided the personal information of over 100,000 users or sensitive information of over 10,000 users abroad since January 2021.
110 The New York Times, “U.S. and China Announce Deal to Share Audits of U.S.-Listed Chinese Firms” (26 August 2022), https:/ 11 November 2022)
111 The Government of the UK, Data Ethics Framework: glossary and methodology (16 September 2020), https://www.gov.uk/government/publications/data-ethics-framework/data-ethics-framework-glossary-and-methodology (accessed on 2 September 2022)
112 Harvard Business School, 5 Principles of Data Ethics for Business (16 March 2021), https://online.hbs.edu/blog/post/data-ethics (accessed on 2 September 2022)
113 The Government of the UK, Data Ethics Framework: glossary and methodology (16 September 2020), https://www.gov.uk/government/publications/data-ethics-framework/data-ethics-framework-glossary-and-methodology (accessed on 2 September 2022)
114 International Technology Law Association, “Responsible AI: Policy Framework” (23 May 2019) https://www.itechlaw.org/sites/default/files/ResponsibleAI_PolicyFramework.pdf (accessed on 16 September 2022)
115 Microsoft, Responsible AI, https:/ on 16 September)

Many leading technology
firms involve the use of data and AI concurrently, and hence they build data governance frameworks with principles that promote responsible AI. With that in mind, a common data ethics framework, including AI governance, should be incorporated into the GBA-wide data governance. A common data ethics framework can take reference from Mainland China’s “Guide to the Building of a National Standard Framework for New Generation Artificial Intelligence”116 and the “Next Generation AI Ethical Regulations”,117 Hong Kong’s Data Ethics for Small and Medium Enterprises118 and Guidance on the Ethical Development and Use of Artificial Intelligence,119 the UK’s Data Ethics Framework,120 and OECD’s Good Practice Principles for Data Ethics in the Public Sector,121 while a common AI governance framework can take reference from the Ethical AI framework issued by the Office of the Government Chief Information Officer (OGCIO), Mainland China’s regulatory standards, as well as the international standards.

116 People’s Republic of China, 国家新一代人工智能标准体系建设指南 (7 July 2020), http:/ on 3 February 2022)
117 Ministry of Science and Technology of the People’s Republic of China, 新一代人工智能伦理规范 (26 September 2021), http:/ on 3 February 2022)
118 PCPD, Data Ethics for Small and Medium Enterprises (April 2019), https://www.pcpd.org.hk/english/resources_centre/publications/files/dataethics_en.pdf (accessed on 2 September 2022)
119 PCPD, Guidance on the Ethical Development and Use of Artificial Intelligence (August 2021), https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf (accessed on 24 October 2022)
120 The Government of the UK, Data Ethics Framework (16 September 2020), https://www.gov.uk/government/publications/data-ethics-framework (accessed on 2 September 2022)
121 OECD, Good Practice Principles for Data Ethics in the Public Sector https://www.oecd.org/digital/digital-government/good-practice-principles-for-data-ethics-in-the-public-sector.htm (accessed on 2 September 2022)

To formulate standard contractual clauses for cross-boundary data transfers within the GBA

The GBA covers three jurisdictions, each with different legal systems. While this is the unique set up of the region, regulatory fragmentation should not become the impediment for integrating financial services industries within the region. The Government should actively work with relevant counterparts in Mainland China (and Macao) to formulate a set of standard
322、 contractual clauses that meet the regulatory requirements of the jurisdictions for businesses to overcome the challenges of complying with various data regulations across the region.In order to achieve this,the Government could build on the SCCs issued by Mainland China and the PCPDs RMCs,which can
serve as a starting point for formulating a set of GBA contractual clauses to facilitate cross-boundary data transfer. The Government could also consider drawing reference from the ASEAN's Model Contractual Clause for Cross Border Data Flows (MCCs) to formulate such model contractual clauses. The ASEAN MCCs are a key resource to support companies operating in ASEAN in data-related business operations. [122] The MCCs, similar to the SCCs of Mainland China and the RMCs, are template contractual terms and conditions that can be incorporated in the legally binding agreements between companies when transferring personal data to each other across borders. [123] The template clauses help reduce the negotiation and compliance cost and time for businesses, while also ensuring the protection of personal data when it is transferred abroad. The introduction of similar practices will be helpful as a practical support for businesses to smooth compliance procedures that can help address some of the concerns over the implementation of section 33, as previously discussed.

122. Personal Data Protection Commission of Singapore, ASEAN Data Management Framework and Model Contractual Clauses on Cross Border Data Flows (January 2021), https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows (accessed on 4 March 2022)
123. Personal Data Protection Commission of Singapore, ASEAN Data Management Framework and Model Contractual Clauses on Cross Border Data Flows (January 2021), https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows (accessed on 4 March 2022)

To set up a third-party certification agency to conduct impartial conformity assessment on cross-boundary data transfers within the GBA

Many jurisdictions, including Mainland China and the EU, allow international data transfer if data users have obtained certain certifications issued by professional organisations that are recognised by local authorities or regulators. The Government should consider establishing an independent and professional organisation, or leveraging existing professional organisations if practical, to provide certifications to companies with robust data governance frameworks as trusted data users or processors for cross-boundary transfer within the GBA (and beyond in the future). The organisation should be entrusted to issue certifications by making reference to a set of data governance principles, covering data security principles for the protection of the data being retained or analysed. A set of reliable data governance frameworks can be derived by referencing standards of other major jurisdictions, for instance, the DSL, PIPL, CSL, PDPO, and GDPR, as well as the GBA data governance standards and frameworks proposed in this research paper. Ideally the organisation should also have the capacity to issue certifications related to AI adoption, based on a set of AI standards indicated in the OGCIO Ethical AI framework. Similarly, references can be taken from the data regulations mentioned above. For an organisation to be qualified as a certification agency, it should have sufficient expertise and experience of legal knowledge within the systems of Mainland China and Hong Kong, and should also be recognised by regulators of both sides. Hence, existing professional organisations th