One of the most frequently discussed aspects of the GDPR is its global scope – if a data controller is established in the EU or if it markets its goods or services in the EU, then the Regulation generally applies. For the most part, practical and scholarly analysis has focused on how that will affect businesses in the United States. Given the drama surrounding the end of the Safe Harbor and the (likely) drama surrounding Privacy Shield, there’s no shortage of interesting things to say on EU-US data issues.
But it seems that far less attention has been paid to the GDPR’s effect on Chinese companies – which is baffling, given the size, scope, and reach of Chinese enterprise and investment in Europe. In 2016, Chinese outbound direct investment in the EU hit nearly $200bn, with no signs of slowing. For context, in 2010, China’s ODI in Europe was a mere $6bn.
This is great news for Chinese businesses, of course. Whether their data security practices and compliance have kept pace is an entirely different question.
“Wait!” you might say, “I’ve read that there are exceptions to the GDPR’s applicability.” That’s certainly true, but it’s much less true than you may have been led to believe. If you’re established in an EU Member State and you’re processing EU citizen data, the Regulation applies, full stop. Same thing if you’re outside the EU but you still process data in the EU or you market your goods or services in the EU. Put simply, you can’t avoid the GDPR if you’re working in Europe, no matter where your company is based.
Along those same lines, the GDPR applies to your operations outside Europe if personal data is transferred out of the EU. The GDPR explicitly states that no personal data on an EU citizen can leave the EU unless the European Commission has issued a declaration of “adequacy” about the receiving country or other “appropriate safeguards” are in place. There has been no adequacy decision regarding China, and one is not likely to be forthcoming any time soon. So Chinese companies can only rely on safeguards, such as Binding Corporate Rules (“BCRs”) or “standard clauses,” which contain language pre-approved by the Commission.
The problem is that Standard Clauses are under review by the Court of Justice of the EU (referred there by the Irish High Court, which is an extremely active bench when it comes to data security). My best guess is that they don’t survive scrutiny, much like Privacy Shield is at risk. BCRs, although quite helpful for now, face the same challenge, and still require formal approval from the European Commission. To date, not a single company from China has an approved set of BCRs.
What are Chinese companies to do? Compliance with GDPR is burdensome, but compliance with both GDPR and China’s Cybersecurity Law (enacted last year and already vigorously enforced) may be doubly complicated. Imagine a company in Shanghai with a branch in Lisbon that collects data from Chinese and Portuguese citizens. GDPR requires data portability, but the Cybersecurity Law mandates data localization for many forms of data obtained in China. The dual data streams are therefore subject to conflicting (or at least not complementary) legal requirements, and would likely need separate internal management, storage, transfer, and destruction policies. Of course, there are potential exceptions (such as whether the Chinese and Portuguese entities are the same “establishment,” for instance), but the point remains that navigating both the EU’s and China’s data security requirements will require a great deal of vigilance.
For now, there are a few helpful first steps for Chinese companies to take. First, identify your data inflows and determine whether they include personal data on European citizens. Then ascertain whether your company qualifies as a “controller” or “processor,” so that you will know if the GDPR applies. Then, seek out advice on how to structure your operations and revise policies to ensure that you don’t inadvertently violate GDPR, the Cybersecurity Law, or both.
Finally, don’t assume that a smaller business can avoid GDPR’s requirements. It won’t only be Alibaba or Tencent that are subject to the Regulation, and there is every reason to believe that Data Protection Authorities will pursue small and medium-sized entities from day one. The costs of compliance may be real, but the risks of noncompliance are much higher. If they take a data-smart approach to the GDPR, Chinese companies can continue their astonishing growth in Europe.