The European Data Protection Board (EDPB) recently published the minutes of the 54th Plenary Meeting held in September 2021, which shed light on how the EDPB may address the issue of data transfers from Europe to third countries (including China). In the past, direct collection of personal data from European consumers were not considered as data “transfer” under the General Data Protection Regulation (GDPR). However, the EDPB new minutes indicates that companies that have no physical presence in Europe (therefore including Chinese companies) but need to collect data from European consumers are indeed subject to the GDPR by virtue of Art. 3(2)“Territorial Scope”, and therefore shall abide by Chapter V of data transfer mechanisms and related requirements. The minutes suggests that the EDPB is likely to adopt guidelines requiring Chapter V data transfer mechanisms to be put in place in this direct data collection scenario.
It remains to be seen how the soon-to-be issued guidelines will regulate direct data collection. However, Chinese companies offering products or services to European consumers shall bear in mind that, if the GDPR Chapter V becomes applicable to them, it raises higher data compliance requirements. Administrative fines up to 20,000,000 EUR or upon to 4% of the total worldwide annal turnover (whichever is higher) will be imposed on companies for infringement of Chapter V of the GDPR.
