It’s a glaring danger. Chinese law requires companies to hand over all data upon the Communist government’s request. Yet Chinese companies continue to collect European and American personal data.
After years of overlooking this risk, both Europe and the US are waking up. European privacy regulators are investigating data collection by Chinese companies and have levied a €530 million fine against TikTok, while new US rules restrict Chinese companies from buying Americans’ bulk health, location, biometric, and government data.
Whether shutting off the flow of personal data – anything that identifies you, from a selfie to a shopping history – will prove effective remains doubtful. Europe’s courts still need to rule on the legality of transferring data to China. The new US rules neither block onward transfers to China nor blunt Beijing’s demands.
European data protection law allows personal data to leave the continent only when the destination has a European-style privacy law protecting it. The European Commission certifies that parity with an adequacy decision, a formal seal already awarded to a narrow club that includes Israel, Japan, New Zealand, Switzerland, and, after much courtroom back‑and‑forth, the United States, for companies participating in the EU-US Data Privacy Framework.
Washington keeps winning and losing that label because its intelligence laws still allow sweeping access to foreign data. China has never even applied for the stamp, so companies fall back on Standard Contractual Clauses and other legal Band‑Aids that look flimsy next to Beijing’s far‑reaching security legislation.
New American legislation forces divestitures when Chinese companies gain sensitive data – leverage that still hangs over TikTok. President Joseph Biden signed an executive order aimed at stopping China and other hostile governments from buying Americans’ bulk health, location, biometric, and government data. The Justice Department turned that order into a binding rule, and the new restrictions took effect in April.
Back in Europe, Max Schrems, the Austrian privacy activist who shot to fame by toppling two transatlantic data pacts, has turned his sights to China. This year, his None of Your Business filed complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, arguing that none keep EU personal data out of Chinese government reach, breaching Europe’s “essentially equivalent” protection abroad. The cases seek to freeze the flows and levy fines of up to four percent of global revenue.
TikTok has already felt the regulatory heat. In May, the Irish Data Protection Commission fined the company €530 million for allowing staff in China to access European personal data and for failing to inform users where their data travelled. The decision gave the platform six months to comply or face a full ban on transferring data.
European authorities have long been aware of the danger of data transfers to China. A 2015 European Parliament analysis concluded that China still lacked “the basics of international data protection.” The European Data Protection Board warned in 2021 that Standard Contractual Clauses alone cannot bridge China’s strict surveillance laws.
But officials rejected an embargo as self-defeating: cutting the pipe would “stifle commercial and other relationships” while doing little to shield Europeans’ information. The favorite workaround is building or leasing data centers inside Europe or the US. Costs are high and technical exceptions abound. TikTok, for instance, is rushing to build out Project Clover, a €12-billion scheme to warehouse encrypted European data in Norway, Ireland, and Finland. Its first site is in Hamar, Norway.
In the US, TikTok proposed Project Texas, a multi-billion-dollar plan to store all US user data on American soil with Oracle’s infrastructure. Despite these assurances, Congress passed a law, upheld by the Supreme Court, requiring TikTok to be sold to US investors or be shut down. President Donald Trump has postponed the divest-or-shutter deadline three times and says a consortium of “very wealthy” US investors is ready to buy TikTok.
Neither brick-and-mortar storage in Europe nor a US spin-off neutralizes Beijing’s reach. TikTok’s Project Clover and Project Texas encrypted servers in Norway, Ireland, and Finland still rely on engineers in China to police content and tune the algorithm, effectively re-opening a legal backdoor for Chinese authorities.
Beijing, for its part, is tightening outbound data controls. China’s Cyberspace Administration obliges any exporter of “important data” to pass a national security review that probes the transfer’s purpose, volume, recipient, and safeguards. Beijing flags detailed mapping, genomic, health, and credit files for extra scrutiny. Data exporters must keep detailed logs, undergo periodic audits, and demonstrate robust technical and contractual safeguards.
Europe and China have established a Cross-Border Data Flow Communication Mechanism, but the forum is limited to non-personal, industrial data, leaving the thornier privacy questions — and Beijing’s sweeping state-access powers — untouched. Should European court challenges against China data transfers prevail, the shock will be felt on European screens. Popular apps may shed features, crawl, or vanish, while firms scramble to duplicate servers inside Europe and wade through thick Transfer Impact Assessments.
The dilemma over personal data transfers to China marks another fracture in the global internet. Privacy, industrial policy, and geopolitical rivalry now tug cross‑border data in opposing directions, and legal Band‑Aids cannot hold forever. Unless Beijing narrows its surveillance laws, Brussels relaxes its privacy standards, or the US declares a truce in its tech conflict with China — all improbable — companies will navigate a patchwork of localization, encryption, and regulatory risk.
Dr. Anda Bologa is a senior researcher in the Tech Policy Program at the Center for European Policy Analysis (CEPA).
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.