The introduction of the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (comprising a set of standard contractual clauses, GBA SCC), together with its Implementation Guidelines marks a significant milestone in facilitating cross-border data flows between major cities in Guangdong province and Hong Kong, key cities in the Greater Bay Area (GBA). It provides an alternative to the existing requirements under the Personal Information Protection Law of the PRC to use one of three methods for transferring personal data outside of mainland China, namely by use of China standard contractual clauses (China SCC), obtaining certification from professional institutions and, if certain types of data are to be transferred or data quantity thresholds are met, submitting to a government-led security assessment review.

In June 2023, the Office of the Privacy Commissioner for Personal Data issued an updated Guidance on Data Breach Handling and Data Breach Notifications (“Guidance”). The Guidance updates a non-binding, end-to-end framework for data users to tackle data breaches, including recommended elements that go into a data breach response plan, questions that need to be addressed in the course of investigating a data breach incident, how to make a data breach notification and tips for preventing recurrence of data breaches.

In recent months, generative artificial intelligence has taken the world by storm.  Following plans to offer generative AI products announced by Chinese companies, the Cyberspace Administration of China released on 11 April 2023 the Measures for the Management of Generative Artificial Intelligence Services for public consultation. Following the consultation period, the interim measures were published on 13 July and take effect on 15 August.