
The Next Steps for European Economic Security

Lessons Learned from Chinese Economic Coercion 

 

This study provides a comparative analysis of Chinese data regulations and their European counterparts, with particular attention to the implications of Chinese cybersecurity and privacy laws for cross-border data transfer restrictions, data protection requirements, and the associated compliance challenges faced by EU firms operating in the People’s Republic of China (PRC). While Chinese cybersecurity and privacy laws are comprehensive and increasingly sophisticated, their scope, implementation, and enforcement differ significantly from the EU’s data protection framework, particularly the General Data Protection Regulation (GDPR). These divergences present European businesses—especially small and medium-sized enterprises (SMEs)—with complex compliance burdens and heightened risks. 

 

Background 

 

Over the past decade, the geopolitical and geoeconomic rivalry between the United States and China has escalated, producing heightened tensions in global trade and investment flows. This rivalry has translated into increased scrutiny of multinational corporations, particularly US firms, but also, indirectly, of European companies operating in or trading with China. Since 2016, a series of new PRC laws have come into force, including the Cybersecurity Law (CSL), the Data Security Law (DSL), the Personal Information Protection Law (PIPL), the National Security Law (NSL), and the National Intelligence Law (NIL). Together, these create a complex regulatory environment that governs the handling, transfer, and security of data. The situation is further complicated by the “one country, two systems” framework, under which Hong Kong and Macao operate their own privacy regimes. Although these jurisdictions draw inspiration from international standards and in some respects from the GDPR, the differences between the mainland, Hong Kong, and Macao add another layer of complexity for EU firms operating across these regions.

 

Although these laws have not been used to target EU companies coercively, their ambiguous provisions, lack of detailed implementing rules, and significant local discretion in enforcement create considerable uncertainty. Larger EU firms may be able to devote resources to compliance teams, but for SMEs, these requirements often present disproportionate financial and administrative burdens. At the same time, Chinese authorities have begun to introduce reforms intended to reduce unnecessary obstacles for both foreign and domestic firms, which suggests responsiveness to business concerns.

 

Key findings

 

Our analysis indicates that Chinese data protection and cybersecurity regulations are burdensome and more demanding in practice for foreign firms than for domestic companies. While EU businesses have not to date experienced systematic targeting under these laws, the combination of regulatory ambiguity and uneven local enforcement practices poses significant challenges. In some provinces, local authorities interpret requirements more stringently than in others, leading to a fragmented compliance environment. This variability can significantly complicate operations for EU firms that must transfer data across Chinese borders or between subsidiaries located in different provinces.

 

It is important to note that, unlike in the case of US companies, there is no evidence that the PRC has weaponised these laws in a coercive manner against EU firms. Indeed, in recent years, several reforms introduced by Chinese authorities—such as the clarification of security assessment procedures for cross-border data transfers—suggest an effort to alleviate some of the compliance burden. Interviews with stakeholders, including representatives of the EU and Member State Chambers of Commerce in China, indicate that these reforms have in many cases been more beneficial to foreign firms than to domestic companies, given the greater reliance of foreign businesses on cross-border data flows. Nevertheless, risks remain. The laws in question could be applied in a coercive manner in the future should EU-China relations deteriorate, particularly in the context of escalating US-China tensions.

 

 

Read/download the full publication or the related At a glance note online.

 

 

Source: ITRE Committee
