This article is part of our special report Re-connecting Europe.
Last year, China launched its bid to shape global data governance, eager to create its own approach alongside those created by the United States and the EU. Since then, it has been working on a comprehensive data protection framework that could be a game-changer for potential Western investors.
In September, China launched its Global Initiative on Data Security. A month later, Beijing presented the draft Personal Information Protection Law (PIPL), a set of privacy rules experts say are inspired by the General Data Protection Regulation (GDPR), the landmark EU privacy law.
The second draft of the Personal Information Protection Law (PIPL) was published at the end of April for public consultation.
Alicia Garcia Herrero, chief economist Asia Pacific at Natixis and Senior Research Fellow at BRUEGEL, told EURACTIV there are significant similarities between PIPL and GDPR.
However, she also pointed out that “there are important differences, such as the provision related to national security. This means that European companies will still need a China PIPL compliance strategy in their operations in China”.
Article 27 of the PIPL in fact provides the legal basis for collecting images and data for reasons of public security, without the person concerned being informed. This provision might lead to abuses if there is no independent control over the work of the public authorities.
Asked about the Comprehensive Agreement on Investment (CAI), Herrero said ‘no agreement has been reached on cross-border services. This means that the issue of data localisation remains and that European investors will find it difficult to compete with local cloud giants with no guarantees on data transfer and storage.’
The CAI is a proposed investment deal the European leaders agreed in principle.
Pending approval by the European Parliament, the ratification of the agreement has been officially suspended following an exchange of sanctions between the European Union and China over the human rights violations in the Xinjiang province.
Beijing retaliated by sanctioning, among others, prominent Members of the European Parliament. The quarrel over Bejing’s treatment of the Uyghur minority is part of broader tensions between the West and China.
The United States, in particular, has been engaged in a technological competition with the Asian giant, which has escalated into a trade war and economic sanctions. For Herrero, “as the world’s only economy that can balance the power between the US and China, the EU should pursue strategic autonomy and remain neutral between the two.’
International data transfers remain a major cause of concern for international trade, especially since the Schrems II ruling invalidated for the second time the EU-US framework data transfer agreement, the Privacy Shield.
Similarly, “although China’s draft PIPL shares a few similarities with the EU’s GDPR framework, it doesn’t mean that the EU could easily find a global agreement on data governance as China’s version still differs from both the US’ the EU’s framework and in fact represents a third way,” Herrero said.
One of the points Western policymakers reproach to Chinese tech companies is that they are too close to the government.
However, last month the Chinese authorities issued a record fine on e-commerce giant Alibaba, while the PIPL would for the first time regulate data protection. Several observers interpreted these moves as attempts to regain control over companies that are now perceived as too powerful.
Similarly, Herrero added, “the activism highlights the increased security concerns as the digital economy expands. The draft law is an important step in the government’s efforts to consolidate its data governance and to strike a balance between data protection and technological improvement”.
At the same time, the PIPL also imposes restrictions on public authorities, which is a fundamental aspect since the Chinese state is the largest data processor in the country.
Herrero also noted that “any personal identification equipment in public areas must serve the purpose to safeguard public security and shall not be provided to others without consent by individuals or regulations”.
[Edited by Zoran Radosavljevic]