By Peter Schaar, European Academy for Freedom of Information and Data Protection, former Federal Commissioner for Data Protection and Freedom of Information.
On November 1, 2021, China’s data protection law will come into force. Will this dispel all concerns about China’s handling of personal data? Can European companies trust that their data will be processed confidentially and in accordance with the rule of law?
The fact that legal regulations oblige Chinese companies to treat personal data confidentially is initially good news, especially since the
Chinese law is largely based on the European Union’s General Data Protection Regulation.
However, the provisions are limited to the commercial handling of data from private individuals. The law does not apply to government surveillance measures or to the extensive powers of state agencies and the party apparatus to access data of companies operating in China. It also does not affect the Social Credit System, in which a variety of information sources are drawn upon to comprehensively evaluate all citizens. In addition, the new Chinese data protection law does not remedy the deficits in the rule of law to which citizens and companies are exposed in the face of government measures.
It can be observed that the state and the party are increasing their access to digital companies in order to instrumentalize them for their political objectives. While “privacy by design” is being discussed in Europe, China is apparently following the motto “surveillance by design“. Manufacturers of digital devices are obligated to build in backdoors which allow government agencies secret access. Social media and other digital publications are subject to censorship. All Internet traffic to foreign countries goes through state-controlled gateways in a digital wall. The new Chinese data protection law does not change any of this.
Moreover, the debate continues as to whether China is (or could be) abusing its considerable market position to tap confidential information or manipulate critical infrastructure in Europe and other parts of the world.
Against this backdrop, European companies are well advised to carefully weigh the risks and opportunities of their digital engagement in and with China and to take precautions to minimize those risks. It is in their own interest to ensure the confidentiality and integrity of the personal and other sensitive data they process, including in terms of protection against prying eyes from the Chinese state and party apparatus.
Regardless, it is important for Europe to continue its dialogue with the Chinese government to create the legal, technical, and economic conditions for effective protection of personal data. It is not only in the relationship with China that the following applies: a high level of data protection facilitates digital cooperation. Universal fundamental and human rights – including data protection – remain a prerequisite for successful economic development.