Legal Frameworks for Corporate Data Transfers between China and Europe

Summary

This report analyses the fragmented legal landscape governing cross-border data transfers between China and the EU, where national security concerns, data sovereignty claims, and economic interests increasingly collide. As global data flows outpace regulatory coherence, gaps remain in reconciling localisation requirements with free-flow obligations, defining extraterritorial jurisdiction, and ensuring mutual recognition of privacy safeguards. Building on the 2024 conference, the report compares EU and Chinese approaches and sets the stage for a simulated case study examining practical compliance challenges.

China’s framework adopts a risk-based model combining security assessments, contract filing, certification, FTZ negative lists, and exemptions, whereas the EU system relies on EU General Data Protection Regulation (GDPR) adequacy decisions, safeguards, derogations, and emerging rules for non-personal data under the EU Data Governance Act (DGA) and the EU Data Act (DA). International law influences both regimes, particularly regarding sovereignty, privacy, and trade obligations. While each side seeks to balance economic openness with security, divergent standards create operational uncertainty for companies navigating both legal spaces. The report ultimately underscores the need for deeper EU–China coordination to support predictable, secure, and mutually trusted cross-border data governance.
 

Background

This report has been produced in the context of a larger research and dialogue project, in terms of which the China Institutes of Contemporary International Relations, EU Cyber Direct, the Geneva Centre for Security Policy, and Xiamen University and Suzhou Academy of Xi’an Jiaotong University convene a joint Sino-European Expert Working Group on the Application of International Law in Cyberspace (EWG-IL). The working group provides a platform for exchange among European and Chinese legal experts to examine the application of international law in cyberspace and examine related problems from a theoretically legal perspective. The main goal of the work in research groups is to provide more thorough analysis of the selected topics and identify points of divergence and convergence between Europe and China with the aim of creating a more evidence-based and trusted environment for policy discussions in Track 1.5. and Track 1 processes.