EU and China to tackle challenges in cross-border transfer of non-personal data

The initiative, known officially as the Cross-border Data Flow Communication Mechanism, is a result of a political agreement reached in 2023 between senior leaders from both sides. It was launched following concerns raised by EU businesses in China regarding cross-border flows of non-personal data.

Representatives from the EU and China recently held the inaugural formal meeting of the new mechanism, which is said by the EU to be “the first cooperation structure of its kind between the two sides”.

China introduced its Data Security Law in 2021, around the same time when its new Personal Information Protection Law came into effect. The data security legislation sets up a framework that classifies data collected and stored in China based on its potential impact on Chinese national security and regulates its storage and transfer according to the data’s classification level. In 2022, China adopted the Measures of Security Assessment for Data Export. Under the new regime, data classified as “important” to national security that has been collected and generated in China must be stored locally in China and the export of such data is subject to security assessment. 

According to a statement by the European Commission, European businesses in China have faced increasing uncertainty and difficulties when exporting data from China in recent years due to the new legislation. “They have been specifically concerned about the systematic application of security approvals to exports of all ‘important data'. This concern has been further exacerbated by uncertainty as to what constitutes ‘important data' as the concept has so far been only vaguely defined and applied in a far-reaching manner,” said the Commission.

Under China’s data security law, “core data” is broadly defined as any data concerning Chinese national and economic security, Chinese citizens’ welfare and significant public interests. This type of data is given the highest level of protection and regulation. “Important data” is the second-most sensitive level of data, but its scope has not been defined.

“Cross-border data transfer restrictions are also a major contributing factor to a declining confidence of European investors in China,” it added.

The Commission said that data flows are essential to trade and for businesses to thrive, and a significant part of the EU-China foreign direct investment stock depends on companies' ability to manage their data across borders. It highlighted finance and insurance, pharmaceutical, automotive and information and communication technology (ICT) as some of the sectors where data is most relevant.

Further meetings and engagement under the mechanism are expected to be held at expert and technical levels, in a bid to find ways to make it easier for cross-border flows of non-personal data. 

In the EU, the newly enacted EU Data Act also provides rules on transferring non-personal data outside of the union. For example, the act limits the ability of cloud providers to comply with court rulings in other jurisdictions where those courts order them to provide foreign authorise with access to the non-personal data they hold in the EU.

Amsterdam-based data law expert Andre Walter of Pinsent Masons said: "When it comes to international data transfers of non-personal data, the Data Act focuses on data processing services, such as cloud providers, data centres and the like. There is still a gap in relation to connected IoT products, such as connected cars or Industry 4.0 applications. From this perspective, I very much welcome the bilateral initiative between China and the EU to address the challenges of cross-border transfer of non-personal data."