A new paper by W. Gregory Voss and Emmanuel Pernot-Leplay
Cross-border data transfers are a sensitive topic in many jurisdictions, even more so when China is concerned. The EU and the U.S. regulate those flows in very different ways, and China has just issued rules showcasing its own specific approach, mixing privacy and national security together, which have become a compliance hurdle for many multinational companies. Our study takes a holistic look at the regulation of personal data flows both into and out of China.
Why and how the USA and the EU regulate data flows to China
In both the EU and the USA, China is often seen as an untrusted destination for data exports because of the risks that would exist for both individual rights protection and national security. These concerns are addressed by restricting the cross-border data transfers to China, but it’s done differently in the EU and the USA.
The USA does not have general data transfer restrictions, but it has taken specific actions for national security and user privacy reasons that limit data flows to China. Those are best exemplified by the Grindr and TikTok cases, both on national security protection grounds, for fear of access to the data by the Chinese government and potential blackmail of U.S. nationals who are in a position to obtain access to sensitive materials. This is a regulatory risk for Chinese companies, which has sometimes resulted in them storing data in the USA. Because the USA currently lacks an omnibus data privacy law covering data flows, unlike the EU and China, data privacy restrictions cannot serve as the grounds for such procedures, and therefore the USA must resort to national security rules instead. Nonetheless, this solution remains impractical and is used only for high-profile cases. In the future, however, proposed data privacy legislation in the USA may impose requirements on transferring personal data to China, resembling restrictions in other major regions.
On the other hand, the EU has strong data privacy rules in the GDPR, including on cross-border data transfers, but by virtue of the division of powers between the EU and its component Member States, national security issues are left to the prerogative of each Member State. The GDPR sets several conditions and safeguards that must be applied to data transfers for them to be legal. The main ones are the adequacy decision on the one hand, and standard contractual clauses from the European Commission on the other. The latter provide a legal framework that obligates both the data exporter and the data importer (the entity outside the European Economic Area receiving the data) to protect the personal data in accordance with GDPR principles. An adequacy decision, however, means an entity can freely export data to the country that has received this adequacy decision from the European Commission, which greatly facilitates business operations for companies and economic exchanges between the two jurisdictions. But, in the case of China, such a decision is currently virtually unforeseeable. This is because the European Commission assesses issues such as the rule of law in the destination country when deciding adequacy. Because of the structural specificities of its political and legal system, China is unlikely to meet this first condition. Companies can still export data to China, but the exporting and receiving parties will need to commit to the standard contractual clauses.
China now restricts cross-border data flows to protect both personal data and national interests
Whereas the USA acts on outbound data flows using mainly national security arguments, and the EU focuses on data privacy, China combines both rationales in its own approach.
For context, it is worth underscoring that data protection legislation in China has followed a peculiar trajectory. At first, there were only a few rules targeting specific sectors, with lightweight protections. This resembled the US approach and favoured a free use of personal data without many safeguards and rights for individuals. However, faced with an increase in privacy abuses threatening to cause social unrest, China gradually moved towards a more protective approach and started the legal transplantation of certain rules and concepts from the EU, offering more protection to Chinese consumers against misuse of their data by the private sector. As one may expect, protection of citizens against data collection by the government remains embryonic, due to the specificities of China’s political and legal system.
This progress culminated in the Personal Information Protection Law (PIPL) of 2021, sometimes dubbed China’s GDPR, which also showcases China’s own approach to the regulation of personal data use, especially on cross-border data transfers through mechanisms implemented in 2023. In a syncretic manner, China has indeed combined data privacy and national security concerns into its mechanism to restrict data flows, impacting both domestic and international companies.
Under the PIPL, companies seeking to transfer data outside of China have the following options: certification, standard contractual clauses (SCCs), and security assessments. These mechanisms aim to ensure that personal data remains protected and that its transfer aligns with the law’s requirements. The certification mechanism offers a route for intra-group data transfers (akin to Europe’s Binding Corporate Rules (BCRs)). However, its adoption may be hindered by complexities and potential costs. The PIPL’s SCCs provide a standardized framework for data transfers, mirroring similar processes under the GDPR. However, unlike in the EU, an organization can use those two mechanisms only below a threshold that may easily be crossed by larger corporations. Above it, and for more sensitive data transfers, a state-led security assessment is required. This assessment evaluates not only data protection levels but also considers China’s national security, economic stability, and political implications. This is especially the case for organizations deemed critical information infrastructure operators, and is a Chinese specificity that does not exist in either the EU or the USA. Because of the large room for discretionary interpretation, favoured by the vague terminology used in the requirements, this assessment puts multinationals looking to take data out of China in a grey zone, with a potentially high impact on their business operations. However, it is a risk that China does want to mitigate.
China’s data localization rules are robust and align with global trends in privacy protection on the one hand, but feature significant specificities on the other, which leads to uncertainty for companies but provides more maneuvering room to authorities looking to protect China’s interests. As the EU’s GDPR has influenced several other jurisdictions’ data privacy rules, time will tell whether China’s own approach to data flow screening will be mimicked by other countries, and whether the intertwining of data privacy with national security will confirm a new trend.
The article “China Data Flows and Power in the Era of Chinese Big Tech” is forthcoming with the Northwestern Journal of International Law & Business, Vol. 44, Issue 2.
W. Gregory Voss is an Associate Professor at TBS Business School (formerly Toulouse Business School). His research focuses primarily on technology law and fundamental rights (e.g., privacy & data protection).
Dr. Emmanuel Pernot-Leplay is a principal data privacy specialist at Schneider Electric. He holds a PhD degree in Comparative Law from Shanghai Jiaotong University and writes on comparative law and policy, in the fields of data privacy, digital policy and their implications for national security.