
European Chinese Law Research Hub


Tag: Data Protection

Navigating Stricter Data Privacy Rules for Cross-Border Data Transfers With China

3. October 2023
A new paper by W. Gregory Voss and Emmanuel Pernot-Leplay

Cross-border data transfers are a sensitive topic in many jurisdictions, even more so where China is concerned. The EU and the U.S. regulate those flows in very different ways, and China has just issued rules showcasing its own specific approach, which mixes privacy and national security together and has become a compliance hurdle for many multinational companies. Our study takes a holistic view of the regulation of personal data flows both into and out of China.

Why and how the USA and the EU regulate data flows to China

In both the EU and the USA, China is often seen as an untrusted destination for data exports because of the risks that such exports would pose to both individual rights and national security. These concerns are addressed by restricting cross-border data transfers to China, but this is done differently in the EU and in the USA.

The USA does not have general data transfer restrictions, but it has taken specific actions, for national security and user privacy reasons, that limit data flows to China. Those are best exemplified by the Grindr and TikTok cases, both decided on national security grounds, for fear of access to the data by the Chinese government and of potential blackmail of U.S. nationals in a position to obtain access to sensitive materials. This is a regulatory risk for Chinese companies, which has sometimes led them to store data in the USA. Because the USA currently lacks an omnibus data privacy law covering data flows, unlike the EU and China, data privacy restrictions cannot serve as the grounds for such procedures, and the USA must therefore resort to national security rules instead. Nonetheless, this solution remains impractical and is used only in high-profile cases. In the future, however, proposed data privacy legislation in the USA may impose requirements on transferring personal data to China, resembling the restrictions in other major regions.

On the other hand, the EU has strong data privacy rules in the GDPR, including on cross-border data transfers, but by virtue of the division of powers between the EU and its Member States, national security issues are left to the prerogative of each Member State. The GDPR sets several conditions and safeguards that must be applied to data transfers for them to be lawful. The main ones are, on the one hand, an adequacy decision and, on the other, the standard contractual clauses issued by the European Commission. The latter provide a legal framework that obligates both the data exporter and the data importer (the entity outside the European Economic Area receiving the data) to protect the personal data in accordance with GDPR principles. An adequacy decision, by contrast, means an entity can freely export data to a country that has received such a decision from the European Commission, which greatly facilitates business operations for companies and economic exchanges between the two jurisdictions. In the case of China, however, such a decision is currently virtually unforeseeable. This is because the European Commission assesses issues such as the rule of law in the destination country when deciding on adequacy, and, given the structural specificities of its political and legal system, China is unlikely to meet this condition. Companies can still export data to China, but the exporting and receiving parties will need to commit to the standard contractual clauses.

China now restricts cross-border data flows to protect both personal data and national interests

Whereas the USA acts on outbound data flows using mainly national security arguments, and the EU focuses on data privacy, China combines both rationales in its own approach.

By way of context, the progression of data protection legislation in China has followed a peculiar trajectory. At first, there were only a few rules targeting specific sectors, with lightweight protections. This resembled the US approach and favoured free use of personal data without many safeguards or rights for individuals. However, faced with an increase in privacy abuses that threatened to cause social unrest, China gradually moved towards a more protective approach and started transplanting certain rules and concepts from the EU, offering Chinese consumers more protection against misuse of their data by the private sector. As one may expect, protection of citizens against data collection by the government remains embryonic, due to the specificities of China's political and legal system.

This progress culminated in the Personal Information Protection Law (PIPL) of 2021, sometimes dubbed China's GDPR, which also showcases China's own approach to the regulation of personal data use, especially regarding cross-border data transfers, through mechanisms implemented in 2023. In a syncretic manner, China has indeed combined data privacy and national security concerns in its mechanism for restricting data flows, which impacts both domestic and international companies.

Under the PIPL, companies seeking to transfer data outside of China have three possibilities: certification, standard contractual clauses (SCCs), and security assessments. These mechanisms aim to ensure that personal data remains protected and that its transfer aligns with the law's requirements. The certification mechanism offers a route for intra-group data transfers (akin to Europe's Binding Corporate Rules (BCRs)), but its adoption may be hindered by complexities and potential costs. The PIPL's SCCs provide a standardized framework for data transfers, mirroring similar processes under the GDPR. However, unlike in the EU, an organization can use these two mechanisms only below a threshold that larger corporations may easily exceed. Above it, and for more sensitive data transfers, a state-led security assessment is required. This assessment evaluates not only data protection levels but also China's national security, economic stability, and political implications. This applies in particular to organizations deemed critical information infrastructure operators, and it is a Chinese specificity that exists in neither the EU nor the USA. Because the vague terminology of the requirements leaves large room for discretionary interpretation, this assessment places multinationals looking to take data out of China in a grey zone, with a potentially high impact on their business operations. It is, however, a risk that China does want to mitigate.

China's data localization rules are robust and align with global trends in privacy protection on the one hand, but feature significant specificities on the other, which creates uncertainty for companies while giving the authorities more room to manoeuvre in protecting China's interests. As the EU's GDPR has influenced the data privacy rules of several other jurisdictions, time will tell whether China's own approach to screening data flows will be mimicked by other countries, and whether the intertwining of data privacy with national security will confirm a new trend.

The article “China Data Flows and Power in the Era of Chinese Big Tech” is forthcoming with the Northwestern Journal of International Law & Business, Vol. 44, Issue 2.

W. Gregory Voss is an Associate Professor at TBS Business School (formerly Toulouse Business School). His research focuses primarily on technology law and fundamental rights (e.g., privacy & data protection).

Dr. Emmanuel Pernot-Leplay is a principal data privacy specialist at Schneider Electric. He holds a PhD degree in Comparative Law from Shanghai Jiaotong University and writes on comparative law and policy, in the fields of data privacy, digital policy and their implications for national security.

Posted in General. Tags: Comparative Law, Cross-Border Data Transfer, Data Protection

Rules for Ensuring the Accuracy of Social Credit Data

30. July 2023
A new paper by Hannah Klöber

Born from an intention to establish a financial credit (investigation) system, the Social Credit System (SCS) is a mega-project to improve governance capabilities and legal compliance. However, the modern publicly run SCS resembles an interconnected set of initiatives under the umbrella term of creating "trust" rather than a comprehensive system to monitor and rank all citizens. Currently, the basic components being created at the national level are the information infrastructure and the joint enforcement mechanism. Both rest on the sharing of compliance information on subjects among agencies and its general disclosure, in order to punish and educate on the one hand, and to facilitate assessing any entity's "trustworthiness" on the other. They constitute an emerging state-led data processing mechanism that may strongly impact the lives of individuals, companies, social organizations and other actors throughout China, its centrepiece being the information it holds about its subjects. Acknowledging the wide-reaching consequences that the contents of social credit information about a subject may have, this article (draft) asks: What legal framework do SCS builders create to guarantee the accuracy of personal social credit information?

Why is Personal Data Accuracy Important?

One area where social credit information is currently bringing about consequences for subjects is the joint enforcement mechanism, or "joint disciplining for trust-breaking". The joint enforcement mechanism is mostly set up by State Council policy documents, promoting desired behaviours and discouraging unwanted ones through so-called blacklists and redlists. Listing might lead to punishment or benefits imposed or granted by unrelated actors (as redlists confer benefits, they are much less problematic and thus not discussed in detail). It should be noted that the mechanism's main focus rests on companies, but there is an overlap with individuals, as a company's leading personnel can be blacklisted because of the company's wrongdoing. So far, there is no real central management of these lists. For the purpose of analysing the legal aspects of joint enforcement, four stages must be differentiated: preparatory acts before blacklisting, the blacklisting decision, the publication of the blacklist and the ensuing disciplinary action. They can be based on the same facts and norms but may be executed by different actors and linked together.

To achieve its goal of promoting trust and steering behaviour, the SCS needs large amounts of accurate data. At the same time, data inaccuracy in this behemoth of a reputational shaming machine could potentially harm a large number of people: because open government data is intended to be reused, it is very hard to control once published. For example, if an entity is entered on one of the many blacklists for trust-breaking, it may find its name on display in public spaces as well as on online platforms, screenshots of which may be further shared across social media. The inaccuracy discussed here encompasses only factual errors, that is, instances where data is not correct, complete or timely as a result of inattentiveness during handling. Legal errors, on the other hand, concern the application of the law (for example the excessiveness of a punishment) and are outside the scope of this study.

What Legislation is There?

The looseness of the concept of social credit and the plurality of actors involved make the regulatory situation quite complex. There is no national social credit law (although a draft for soliciting public comments was published in November 2022), but a host of special sectoral and provincial regulations dealing with different social credit initiatives create a jumbled regulatory landscape. Apart from this, national legislation such as the 2021 Personal Information Protection Law (PIPL) and the Regulation on Open Government Information (ROGI, revised in 2019) applies in the context of personal data accuracy. Administrative legislation on procedural issues should be applicable, but the placement of joint enforcement measures under administrative law is still disputed.

What Does it Offer?

Basic Definitions

Generally, social credit is defined as the status of information subjects' compliance with legally prescribed obligations or performance of contractual obligations in their social and economic activities (see e.g. Shanghai Municipal Social Credit Regulations art 2(1), Tianjin Municipal Social Credit Regulations art 2(2)), while social credit information is defined as (objective) data and materials that can be used to identify, analyse and judge the status of information subjects' compliance with the law and contract performance (see e.g. Shanghai Municipal Social Credit Regulations art 2(2), Henan Provincial Social Credit Regulations art 3(3)). What this means in detail remains unclear, though. Two types of social credit information exist: public credit information and non-public (or market) credit information, depending on the generating entity (state or private actor).

Accuracy Obligations for Data Processors

PIPL and ROGI provide some guidance on how to handle and publish government information, but data quality requirements are not sufficient for the complex processes of the SCS. The examined provincial documents either set up principles for the processing of public social credit data or impose data-quality responsibilities on information providers. The latter can also be found in sectoral regulation, but only in a third of the covered documents.

Notification Requirements

Because of the multi-actor structure of joint enforcement, credit subjects face the problem of recognizing that relief is available and of identifying the right addressee for enforcing their rights. One important way to counteract this situation is notification requirements. The PIPL introduced a general notification obligation in 2021, covering among other things the processor's name and contact information and the methods and procedures for individuals to exercise their rights. But proper notification requirements are generally rare among special legislation documents. To best protect credit subjects, notification should occur at all four possible stages of joint enforcement. Notification in the preparatory stage and after the listing decision is, however, seldom provided for. A few provincial documents provide for notification of listing, but only for the so-called seriously untrustworthy lists, which entail stricter restrictions than normal blacklists. Some measures consider the publication of blacklists to be a form of public notification. Notification of punishment is generally not covered by blacklist management documents, as the listing entity is usually not in charge of punishment. A quarter of the sectoral documents and most of the provincial documents do not set up any notification procedures at all.

Review Procedures Prior to Blacklisting

Among the analysed documents, procedures for prior review can be found only in those measures which also stipulate notification before inclusion. None of the norms provide for suspension, however. A clear classification of joint enforcement measures under administrative law would improve the situation, although there is no general administrative procedure law in China.

Access to One’s Personal Credit Information

General access rights are provided by both the PIPL and the ROGI. About half the provincial documents explicitly set up a right to inquire one’s own information. Other regulations appear to take accessibility for granted and only regulate the corresponding procedures for data providers.

Objection Procedures after Blacklisting

If personal information held by the government is found to be incorrect or incomplete, individuals have a general right to request correction under PIPL and ROGI. The content of specific objection procedures among the special legislation is uneven. Two models can be found in the analysed documents: objection to wrong information for a fixed time period after publication of the decision, or a general possibility of objection. In provincial documents, only the latter can be found, while some of the ministerial documents designate no objection possibilities at all. Generally, the stipulated handling time for objections in provincial documents is shorter than in the ministerial regulations, often calling for verification within a few days, rather than weeks. While the State Council calls for the suspension of enforcement during verification procedures, this is rare in implementing documents. On the contrary, some ministries and the SPC explicitly regulate that objection will not cause suspension or impact publication. A compromise, to mark objected information during verification procedures, is employed by almost two-thirds of the provincial documents. The deletion of non-verifiable data is not always required.

Dissemination of Corrected Data throughout the System(s)

The dissemination of corrected data is thinly regulated. Where it is mandated, it often merely requires that other providers of the information are informed. The information subject itself might only be informed of updates and corrections in its social credit information if the change is due to a successful objection the subject has initiated.

A Patchwork

The study finds that special legislation is inconsistent and that national legislation is often too vague to deal with the complicated and diverse processes of the SCS. Further legislation will be needed to standardise procedures. While it is often difficult for data subjects to exercise their rights against first-party collectors, the problem multiplies when rights are raised against third-party reusers of data. Special legislation by different national actors and local legislators is very diverse, and procedural requirements are often vague, fragmented or missing. Some regulations deviate from the protection measures proposed in policy documents. The rules in the examined documents range from almost no regulation to some very promising models in the eastern, economically more developed provinces. The biggest issue remains the lack of solid ex ante control mechanisms, as most relief is only provided after the fact. This is problematic, as the spread of inaccurate data can cause unforeseen consequences, and reputational damage is difficult to repair.

The article The Regulation of Personal Data Accuracy in China’s Public Social Credit System was published in the Hong Kong Law Journal (2023, Vol. 53, No. 1). A free draft is available here.

Hannah Klöber is a Research Assistant at University of Cologne, where she is currently working on her PhD with the Chair for Chinese Legal Culture. Her dissertation deals with the Proportionality Principle in Chinese administrative law, examining it from a comparative perspective, exploring its application by and use for Chinese actors, thereby gaining deeper insight into its function, potential and limitations. She holds a BA and MA in Chinese Regional Studies, Law from Cologne University. She can be contacted at hkloeber[at]smail.uni-koeln.de

Posted in General. Tags: Data Accuracy, Data Protection, Social Credit System

The financial credit information system and China’s evolving data protection law

1. March 2021
A new paper by Lu Yu and Björn Ahl
[Image caption: The headquarters of the People's Bank of China in Beijing, supervising entity of the financial credit information system]

How is data protected in the evolving Social Credit System? Both social credit law and Chinese data protection law are diverse and fragmented, making the search for an answer to this question a complicated endeavour. Lu Yu and Björn Ahl dive into what is arguably the most sophisticated arm of the Social Credit System, the financial credit information system (FCIS), in their new article "China's evolving data protection law and the financial credit information system: court practice and suggestions for legislative reform" (free draft here).

The FCIS is not only one of the most mature parts of the overall SCS; because it regulates data collection by private entities, it also features stricter and clearer data protection rules than those Social Credit subsystems that include data collection by state organs. Most importantly, Chinese data protection law requires data subjects' consent to the collection and further transfer of personal data. The authors find the consent requirement to be incompatible with the functions and purposes of the FCIS, since data subjects have no real choice: consent is tied to obtaining the financial service in question. Hence, future rounds of reform should establish exceptions to the consent requirement.

In the article, the authors investigate the limits that Chinese data protection law imposes on the FCIS. The FCIS receives both financial credit data from financial institutions and public data from public authorities. Yu and Ahl analyse the legal framework and how data protection rules are applied in court practice, including the preconditions for and levels of protection afforded to data subjects' rights and the legal consequences of any violations of those rights. Although the courts have adopted differing approaches to the interpretation of data protection law, the authors find that they have established a consistent practice of protecting data subjects against the transfer of incorrect negative data. Chinese data protection law provides neither an effective legal basis for nor limits on the collection and transfer of public data by public authorities. The Information Security Technology – Personal Information Security Specification (2020, hereafter: Specification) provides comprehensive protection for the personal data processed by all organisations, including public authorities, but it is only a recommended standard that lacks binding authority. Although the 2012 Regulations on the Administration of the Credit Investigation Industry grant data subjects a number of rights, the courts have difficulty applying the data protection rules in practice. In sum, there is a need in both the private and the public sector for nationally applicable, binding and more sophisticated data protection rules.

→ What is the FCIS? Different public authorities organise and maintain their own credit systems. The FCIS is one system at the national level that is supervised by the People's Bank of China and functions as a public credit registry. It draws on financial credit data; on the discredited judgment debtor list system operated by the SPC, which concerns individuals or entities refusing or failing to comply with an effective court judgment; and on the information system operated by the China Securities Regulatory Commission in relation to capital market activities. Founded in 2006, the FCIS is a predecessor of the Social Credit System: pursuant to the Interim Measures for the Administration of the Basic Data of Individual Credit Information, the FCIS collects and stores individual credit data to provide inquiry services to commercial banks and individuals. It further offers information to be used for the formulation of monetary policy, financial supervision and other purposes provided for by law. Hence, the purpose of the FCIS is twofold: to inform financial institutions in order to reduce credit risks, and to provide information to regulators to support policy making. At the end of 2018, the FCIS held personal data concerning 980 million natural persons.

Progress was recently made with the introduction of personal data protection to the new Civil Code, and a comprehensive data protection law is currently on the legislative agenda. Because the Specification has already established a sound model by providing very detailed data protection rules, the future comprehensive data protection law should address the processing of data by public authorities and further refine the already established data protection principles in the Cybersecurity Law and Specification. Improvements in data protection, in particular the regulation of data sharing between public authorities, could serve to balance social governance and individual rights and contribute to enhancing the legitimacy of the overall SCS.

Lu Yu is a research assistant at the chair of Chinese Legal Culture of Cologne University. She is about to submit her dissertation on European and Chinese data protection law to the Georg-August-Universität Göttingen where she has conducted research since October 2017, after working as a legal counsel with Rödl & Partner in Guangzhou. Reach out to her at yuluna5(at)gmail.com.

Björn Ahl is Professor and Chair of Chinese Legal Culture at Cologne University. Before joining the University of Cologne in 2012, he was Visiting Professor of Chinese Law, Comparative Public Law and International Law in the China-EU School of Law at the China University of Political Science and Law in Beijing. Prior to that he held a position as Assistant Professor of Law at the City University of Hong Kong. He has also worked as Associate Director and Lecturer in the Sino-German Institute of Legal Studies of Nanjing University and as a Researcher at the Max Planck Institute for Comparative Public Law and International Law in Heidelberg. Find him on LinkedIn.

Posted in General. Tags: Data Protection, Financial Credit, PBoC, Social Credit System

How Comprehensive is Chinese Data Protection Law?

1. February 2021
A new paper by Anja Geller

When I told people that I was writing an article about Chinese data protection law, the most common reaction was the question "does that even exist?" The surprised and doubtful undertone motivated me to find a convincing answer. On my way, I encountered some obstacles. There is a plethora of regulations with different scopes, legislative bodies and legal effects. Even for specialised Chinese lawyers, it can be difficult to figure out which norms apply in a given case. In the end, I chose to restrict my analysis to the 13 most important Chinese regulations with a nationwide scope of application.

Lacking a unified law, these norms have to be seen in combination to determine the comprehensiveness of Chinese data protection law. As the European General Data Protection Regulation (GDPR) is one of the most comprehensive and modern data protection regimes, I used it as a framework. When viewing the Chinese norms against this backdrop, it quickly becomes clear that the non-binding norms and draft provisions in particular are the most progressive and strict ones. They show that the Chinese legislators are moving towards the European system rather than the US one, or taking a third way.

However, as is common in such cases of legal orientation, "Chinese characteristics" remain. For example, strong divergences exist in the area of administrative penalties. Instead of a focus on severe monetary penalties similar to the GDPR, there are many different sanctions. Starting with warnings and orders to correct, infringers may face suspension or closure of their business, revocation of their business licences or even a definitive ban from the profession. Furthermore, measures of "naming and shaming", such as the publication of these sanctions in the "Social Credit Register" and other public announcements, may be ordered. Whereas the European equivalent, the medieval pillory, has long disappeared, such punishments have a long and living tradition in China. The emerging "Social Credit System" in particular relies on such punishments and is presented as a crucial tool for making citizens and companies comply with the law.

Another “Chinese characteristic” is the “real-name registration” requirement, which has already existed in many other fields for quite some time. Providers of network access and other digital services have to require users to provide true identity information before allowing access. Although this may help law enforcement in digital environments, there are well-founded fears concerning its negative implications on privacy and the freedom of speech.

Nevertheless, there are also many positive developments from a European data protection perspective. The Chinese legislators have been very active in recent times, and many new regulations and drafts appear on an annual basis. In fact, on 21 October 2020, one month after the online publication of my article, perhaps the most significant draft was published: the "Law of the People's Republic of China on the Protection of Personal Information (Draft)" (中华人民共和国个人信息保护法(草案)). In the article, I covered an already very promising draft of the same name, which was proposed by several delegates of the National People's Congress (NPC) in 2017. The 2020 draft, on the other hand, was published by the Standing Committee of the NPC as a whole, which gives it much more weight. Both drafts intend to become the first national "laws" whose primary goal is to protect the right to personal information. All other regulations that share this as a central objective are on a lower level in the hierarchy of norms.

A quick comparison of their lengths and their number of articles, 70 compared to 44, suggests that the 2020 draft is even more comprehensive. Among the most striking innovations is the broad extraterritorial applicability of the 2020 draft, which is relatively similar to that of the GDPR. One could say that reciprocity prevails here. As the introduction of the European rules has led to much discussion and controversy, it will be interesting to see what the international response will be as this draft becomes more widely known. Since a more detailed treatment of this new draft would go beyond the scope of this blog post, I refer to the comparisons here, here and here (all in Chinese), and to a comprehensive analysis here (in English). When and in which form this draft will be enacted is still unclear. Nonetheless, it shows yet again that the Chinese lawmakers are actively working to create an increasingly comprehensive data protection regime.

Therefore, to the question whether or not a Chinese data protection law exists, the short answer is: yes.

The paper “How Comprehensive Is Chinese Data Protection Law? A Systematisation of Chinese Data Protection Law from a European Perspective” appeared in GRUR International 2020, 1191-1203. It is available via open access here.

Anja Geller is a PhD candidate at the Ludwig-Maximilians-Universität and a junior research fellow at the Max Planck Institute for Innovation and Competition, Munich, Germany. Contact her via Anja.Geller@ip.mpg.de or via Linkedin.

Posted in General. Tags: Comparative Law, Data Protection, GDPR, Social Credit System
