On 23 September 2020, Dutch Member of the European Parliament (MEP) Bart Groothuis of the Renew Europe Group posed a written parliamentary question to the European Commission:
“On 13 September 2020, ABC Australia published an article about Zhenhua Data, a Chinese technology company that has been creating a database of detailed personal information of 2.4 million people around the world. According to the article, the company has been violating privacy not only by using open-source data, but also data from confidential sources. The purpose of this database remains vague, with the company allegedly having ties to the Chinese military, intelligence and the Chinese Communist Party. EU citizens’ data should be available for use, but in full respect of EU values and rules, and only with the consent of the citizens themselves. It is therefore important to get clarity on whether EU citizens (and institutions) are affected, and if so, how.
1. Which EU citizens (including EU institutional staff) were included in Zhenhua Data’s database, and could it state how many in total were included and for what reason?
2. Is Zhenhua Data physically located in Europe in the form of a ‘collection centre’, has it violated any EU data, privacy or security laws or regulations, and if so, which ones?
3. If it has violated EU laws or regulations, what kind of repercussions will follow and how will the Commission address this issue with the Chinese authorities?”
On 21 January 2021, Justice Commissioner Didier Reynders responded on behalf of the European Commission, stating: “The Commission is aware of media reports related to the collection, by Zhenhua Data Company, of personal information about a large number of individuals, but has no additional information as to whether the Chinese government might be using this database for surveillance.
In case General Data Protection Regulation (GDPR) rules apply, the company must in principle appoint a representative in the EU to act on its behalf with respect to its GDPR obligations, cooperate with the supervisory authorities and ensure the exercise of data subjects’ rights.
This includes the possibility for supervisory authorities to address corrective measures or administrative fines imposed on the company to the representative.
The Commission stressed in the GDPR evaluation report of 24 June 2020 that ‘[w]here [such foreign] operators fail to meet their obligation to appoint a representative, supervisory authorities should make use of the full enforcement toolbox in Article 58 of the GDPR (e.g. public warnings, temporary or definitive bans on processing in the EU, enforcement against joint controllers established in the EU).’
While Member States’ national authorities are responsible for monitoring GDPR application, the Commission insists on the importance of appropriately handling European citizens’ data in line with the GDPR.”