In a push for greater transparency, European companies are requesting that China provide deeper explanations of key terminology in regulations governing international data transfers.

PrivSec Global

The plea was part of a statement released by a European business lobby group this week, in which firms were told they might see millions of euros go to waste should they decide to hold non-sensitive information in China.

The European Chamber of Commerce in China has asked authorities to give precise descriptions “important information” and “personal information” as stipulated in their guidelines. Additionally, the group urged the swift finalisation of proposed relaxations to specific aspects of regulations announced two months ago.

Over the past six years, European firms have grappled with the absence of a clear definition for ‘Critical Data’ since the introduction of the Cybersecurity Law in 2017, according to Stefan Bernhart, a vice president of the chamber.  

As revealed by a report based on the impact of China’s data regulations, European companies operating in China are faced with substantial operational and compliance risks, if greater specificity across numerous laws is not forthcoming.

Concerns have heightened among foreign investors in China over the past year due to corporate raids, primarily targeting consultancies and due diligence firms. Questions regarding compliance with the law present significant challenges, potentially dissuading smaller firms from investing in China.

The chamber’s report mirrors recent remarks from a European Commission official who, in September, expressed anxiety felt by European businesses about the lack of clarity in China’s data laws. 

In the same month, overseas business chambers and legal figures gave a positive response to China’s announcement over the possibility of waiving data export security assessments for cross-border manufacturing, international commerce, and other activities.

While the Chinese government’s draft revisions were seen as a good signal, European companies keenly anticipate their translation into action by the end of November. Employee personal information stands as the most common variety of data being sent across foreign borders by European firms, the survey found. Suppliers’ and customers’ personal details are also being transferred regularly.

For a third of companies, failing the cross-border transfer security assessment could cost ‘several million euros,’ while over 10 percent of businesses polled estimate a cost in ‘hundreds of millions of euros.’

Know the risks

Ambiguities in China’s data transfer rules underscore the risks businesses face when sending data across borders and holding sensitive information in overseas territories.

The issues take centre stage at PrivSec Global this month, where experts will debate international data transfers and what organisations need to do to avoid falling foul of regional regulatory frameworks.



Don’t miss these exclusive related PrivSec Global sessions:

→ India introduces new Digital Personal Data Protection Bill

  • Day 1: Wednesday 29th November 2023
  • 09:00 - 09:45am GMT

Highly relevant for India’s rich and vibrant community of privacy pros and highly relevant for the global privacy community whose organisations process data “in connection with any activity related to offering or goods or services” in India, the DPDP Bill, 2023, is the fifth iteration of India’s much-awaited data protection law, with previous versions released in 2018, 2019, 2021, and 2022.

→ Navigating International Data Transfers: Ensuring Privacy Compliance in a Global Data Ecosystem

  • Day 2: Thursday 30th November 2023
  • 14:30 - 15:00pm GMT

As data flows seamlessly across borders, ensuring privacy compliance in international data transfers has become a critical challenge. This session will provide insights into the legal, regulatory, and technical aspects of transferring data across borders while maintaining data protection standards.  

Explore the latest frameworks and mechanisms for legally and securely transferring data, including the implications of the GDPR, Schrems II, and other global privacy regulations.


Discover more at PrivSec Global

As regulation gets stricter – and data and tech become more crucial – it’s increasingly clear that the skills required in each of these areas are not only connected, but inseparable.

Exclusively at PrivSec Global on 29 & 30 November 2023, industry leaders, academics and subject-matter experts unite to explore these skills and the central role they play within privacy, security and GRC.

Click here to registe