The right to data protection is a fundamental right recognized by the EU Charter of Fundamental Rights (Art 8) and constitutional law of most Member States, as well as ECJ case law. As a leading legislation, the European General Data Protection Regulation (GDPR) concretizes and materializes the right by means of granting a constellation of specific rights to data subjects, and establishes stringent law compliance mechanisms for their realization. Further, the GDPR claims a wide extraterritorial jurisdiction to protect all data subjects on the EU territory – regardless of their nationalities, when their personal data are transferred to third countries outside the EU. Apparently, many controllers and processors processing their data on Chinese territory will be directly influenced and may encounter law breaches with negative consequences that may lead to conflict of law and jurisdiction. This short article will first discuss data protection as a fundamental right under the EU law and how GDPR can protect that right with different instruments. Then, it will analyze in detail GDPR’s exterritorial application to controllers and processors in China and their related data protection roles and duties under various processing circumstances, as well as the different impacts on their data processing operations for law compliance and the potential incurred costs.
Zhao, Bo, Data Protection as a Fundamental Right: The European General Data Protection Regulation and Its Extraterritorial Application in China (June 4, 2019). US-China Law Review, March 2019, volume 16, no 3, 97-113.