A key finding of the recent ad hoc civil liberties mission to China suggests that the country does not secure an adequate level of data protection due to the lack of specific legislation addressing the processing of personal data[1].
A group of members of the European Parliament (MEPs) from the European People’s Party have therefore requested the European Commission to clarify the existing guarantees for data transfers into China.
The question posed to the Commission on June 17th 2016 states that personal data flows from the EU to China have become a “pressing reality”. China has, indeed, adopted an aggressive commercial policy in order to attract the installation of data centers within its frontiers. As a matter of fact, Chinas has constructed an “International Offshore Cloud Computing Zone” in Chongqing and opened up the “Shanghai Free Trade Zone to foreign investors”.
The involved MEPs question also the Commission’s monitoring of the consequences of the so-called “big data dam” that China is allegedly building. A new law on counter-terrorism took effect on January 1st, for example, which would require internet and telecom companies to provide the authorities with technical support and, in certain cases, with the encryption keys to data, including decryption of user’s sensitive data, in order to investigate and fight terrorism[2]. China’s government has also proposed other laws regarding data mobility, relating, for example, to health and credit data[3].
In this scenario, the questions posed by the MEPs read: “While international cloud transfers to China cannot evidently be regulated under an EU ‘adequacy’ finding, how can the Commission guarantee that transfers of EU citizens’ data to China are compatible with EU requirements on privacy and data protection? What are the alternatives that the EU should examine in order to ensure safe transfers and guarantee that EU citizens’ data are fully protected in China? Has the commission opened discussions on exactly what (these developments) mean for EU citizens’ personal information? Has the commission monitored the consequences for EU businesses of the proposed Chinese rules relating to the so-called ‘big data dam’ and the potential restrictions on the free flow of data across borders?”
The Commission was due to answer these questions on Wednesday June 22nd. The hearing was postponed, however, due to “more pressing matters” and will be held “when they can find time”[4].
[1] EUROPEAN PARLIAMENT, Parliamentary Questions, June 17 2016, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2F%2FEP%2F%2FTEXT%2BOQ%2BO-2016-000091%2B0%2BDOC%2BXML%2BV0%2F%2FEN&language=EN
[2] EINHORN, Bruce, A Cybersecurity Law in China Squeezes Foreign Tech Companies, Bloomberg Businessweek, January 21st 2016, http://www.bloomberg.com/news/articles/2016-01-21/a-cybersecurity-law-in-china-squeezes-foreign-tech-companies
[3] CLOVER, Charles and HORNBY Lucy, Business alarmed at Chinese plans to curb data transfer”, Financial Times, April 14th 2015, http://www.ft.com/cms/s/0/e11024f4-e281-11e4-aa1d-00144feab7de.html#axzz4CrzfIjfs
[4] BAKER, Jennifer, EU Data flows to China is next fight on privacy warriors hit list, ARSTechnica UK, June 23rd 2016, http://arstechnica.co.uk/tech-policy/2016/06/eu-data-flows-china-privacy/