EU data laws puts China research collaborations at risk

Universities in Europe sharing research data with institutions in China could be in breach of new European Union laws on data protection, legal experts said in a warning that could have an impact on Europe-China research collaborations, particularly in the medical field and some areas of artificial intelligence.

The new EU General Data Protection Regulation (GDPR) which came into force in May sets up strict rules for the use of personal data including in all areas of academic and scientific research, and encompasses the transfer of data outside the EU, including China.

“The road is somewhat bumpy when it comes to sharing personal data in research collaborations with China,” said Henk Kummeling, chancellor (rector magnificus) of Utrecht University in the Netherlands and a professor of law, economics and governance.

Cooperation in the academic field with China “offers unique opportunities but also risks when it comes to handling of data, specially personal research data,” he told a seminar on Europe-China Cooperation held in Oxford in the United Kingdom on 1 October.

Stijn van Deursen, a researcher at Utrecht University, said the GDPR applies to personal data use in research and covers the processing of data, including its distribution and deletion, with EU rules making the researcher and the university responsible for the control of data and any breaches of the GDPR.

“The main aim [of the GDPR] is to ensure the protection of the EU regime travels with the data, wherever the data goes,” so protections are preserved even if the data is shared or used outside the EU with third countries, he said.

Binding agreements with third countries

With regard to third countries outside the EU, the rules for protection must be laid down in binding agreements and they must be rules “that cannot be affected by state power”, Van Deursen said.

Some countries such as Australia have already indicated they will conform to the EU’s GDPR regime and Japan has announced it will also bring its own laws in line with the GDPR.

But Kummeling pointed to a possible “culture clash” with China. The EU enshrines individual rights, for example in its laws and on the constitutional level, but in China “it’s somewhere there in legislation but not there in the constitution, and as far as it is in [China’s] constitution, a tiny part, it’s not legally binding”, he said.

According to the new law, consent for the use of personal data must be obtained and the consent “must be explicit and given freely”. Data may only be transferred if it is not “repetitive” and “concerns only a limited number of data subjects”.

“Personal data is any kind of data that can directly or indirectly be traced back to an individual, a natural living person – a very broad definition which also covers data covered in a research context,” Van Deursen said, adding that the EU regulation is particularly strict on sensitive personal information that may reveal religious or sexual preferences.

Problem of independent supervision

“Looking through this lens at China we see some problems which might hamper research cooperation,” Van Deursen said. “There is no coherent framework [in China] regarding the protection of personal data,” such as would be required by the EU. More particularly, some Chinese public bodies are excluded from the scope of China’s own regulations.

“China also has no independent supervisory authority, which would be problematic from the EU perspective, and less enforceable data rights for subjects compared to the EU, such as the right to correction, and no right to be forgotten,” Van Deursen said.

“The rule of law seems to be less well-established in China,” he noted. “Many agreements concluded between universities and researchers may be affected by all kinds of governmental forces, which, of course, decreases the chances of setting up safeguards in order to ensure data protection,” he told the seminar.

Within China, under regulations made public in April, all data must be submitted to Chinese government data centres, which, “from a perspective of data protection is also a very worrying development,” Van Deursen said. EU rules say data use must be overseen by an “independent authority in the home country”.

China’s personal information protection law is currently pending before China’s National People’s Congress, which Chinese researchers believe will meet the GDPR requirements.

“We are not quite sure about that,” said Kummeling, pointing to the strict GDPR requirements, “but what we are sure about is that this piece of new legislation in China will not enter into force before the year 2023, so in the meantime you can be sure as hell there will be problems of the assessment of transfer of personal data within the EU legal framework and also the exchange of research.”

Existing rules on personal data in China allow for implied or silent consent to the use of data that would be inadequate from the EU perspective.

“Research institutions are not fully aware of what the implications will be of the GDPR,” Van Deursen acknowledged. But “the most important step is to decide what is personal data and what is not”.

Where research involves personal data, “then it is very problematic to share with China. You should stop sharing data with China or with any other countries that do not match up to EU standards.”