European institutions concerned by Chinese data protection rules

As German universities and research organisations wrap their heads around China’s new data protection laws, an expert has said their experiences with European GDPR rules stand them in good stead.

Since November 2021, anyone who processes the data of Chinese citizens is subject to the country’s personal information protection law (PIPL). In the years since, Beijing has introduced and clarified ways to legally transfer such data outside the country, with the latest path opening in June 2023.

It’s a complex area, but European universities have something of an advantage navigating the rules, thanks to their familiarity with the GDPR, a European Union equivalent that the PIPL’s drafters looked at “quite extensively”, Rebecca Arcesati, an analyst at the Mercator Institute for China Studies, a thinktank, told Times Higher Education.

“I suspect that organisations that already are accustomed to a fairly cumbersome data protection environment and regulation could have an advantage, because they may already have some compliance mechanisms in place and know what questions to ask,” she said.

In January, the University of Amsterdam’s medical centre became the first foreign entity to have a transfer approved under the new regime, for a collaborative research project with Beijing Friendship Hospital and Capital Medical University.

While collaboration continues, political and regulatory pressure at both ends is making joint research harder. European research offices in China face ongoing uncertainty about their legal status, for example, and what information they must share with local authorities.

A spokeswoman for the German Research Foundation, the country’s main public funder, said German organisations with footprints in China were “strongly affected” by the red tape and “quite concerned” about the emerging data handling rules.

THE understands that the Max Planck Society, which runs 85 cutting-edge research institutes, is in the process of contracting a law firm to provide advice to its researchers on PIPL compliance, which provides four paths to export Chinese citizens’ data.

One covers transfers under international data agreements, which China is yet to sign with anyone, while June’s “standard contact” method hews closely to the GDPR, with both sharing an emphasis on data subjects’ consent and protections in force at the data’s destination.

Just querying databases stored on servers in China was not a workaround, said Ms Arcesati, with access potentially amounting to export under the law. “Organisations really need to be very careful with all these requirements,” she added.

If processors handle the personal data of more than 1 million Chinese citizens, cumulatively export the personal information of 100,000 citizens, or hold “sensitive” personal information on 10,000 citizens, they need to get a security review from the Cyberspace Administration of China (CAC), she said, a “complex and fairly cumbersome mechanism”.

While the joys of data handling are familiar to many European researchers, doing so under the watch of an authoritarian government brings extra ethical considerations. Seemingly innocuous data collected as part of a research project could be turned to party-political ends, for example.

In parallel, existing datasets may not have been collected with subjects’ consent, particularly in the Tibet and Xinjiang autonomous regions.

“European institutions in China are still dealing with a profoundly different system,” said Ms Arcesati, adding that the Chinese Communist Party “enjoys preferential access” to all personal data.

While approvals do happen, the CAC has proved itself happy to clamp down on academic links, such as a recent ¥50 million (£5.5 million) fine levelled at the country’s largest academic database for illegally handling personal information.

ben.upton@timeshighereducation.com