Listen to the audio version of the article
Recent data published by Alibaba Italia shows that since its opening in 2015, around 500 Italian companies have sold more than a thousand brands in China on its B2C platforms. Each sale corresponds to the collection of personal data of Chinese buyers. The number increases even more if we think about how many employees Italian companies employ in China and how much of their personal data is sent to the human resources office in Italy. The situation is very different when it comes to data exchange between Europe and the United States where a new regulatory framework has come into force a few months ago.
In light of complicated regulations and geopolitical tensions, how should Italian companies behave when collecting and transferring data with China and the United States?
The rules between Europe and the United States
With reference to the transfer of data from the EU to the USA, on 10 July 2023 the European Commission adopted the adequacy decision on the EU-US Data Privacy Framework which replaces the Privacy Shield invalidated in 2020 in its Schrems II decision. The adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to companies participating in the Framework. European organizations are able to transfer personal data to participating companies in the US, without having to put in place additional data protection safeguards. US companies can certify their participation in the Framework by committing to a detailed set of privacy obligations.
In China there has been a new procedure since June
Looking at the Chinese system instead, the first aspect to consider is that the collection and transfer of data in China is heavily regulated to protect individuals, however the state can request access to data if it deems it strategic for national security.
From June 1, 2023, the obligation for companies based in China to follow a procedure for the transfer (export) of personal data abroad has been in force. Export not only refers to the physical movement or transfer of personal data from China, but also to foreign companies accessing personal data stored in China.