Infringement by Chinese intelligence agencies of European data protection rules

On 17 September 2020, the media reported that Chinese intelligence agencies are gathering information from European citizens via social media. A database of these intelligence services — the Overseas Key Information Database (OKIDB) — is reported to contain data on at least 2.4 million foreigners, including for example 686 Belgians and 700 Dutch nationals. It is said to mainly concern people involved in national decision-making, and even their children, but also, for example, people who have some link with the Beaulieu textile group (source: De Standaard, 17 September 2020).

On 17 September 2020, Belgian Member of the European Parliament (MEP) Geert Bourgeois, of the European Conservatives and Reformists Group, addressed a parliamentary question to the European Commission. MEP Bourgeois asked the Commission “how does it intend to address such breaches of the privacy of European citizens and prevent them from occurring?” and “does it consider that the GDPR currently provides sufficient protection in practice and, if not, what steps does it intend to take to ensure better protection?”

MEP Bourgeois enquired “how then does it intend to address data protection challenges at a global level?”

On 04 December 2020, Commissioner Didier Reynders, responsible for justice, responded on behalf of the European Commission.

Commissioner Reynders confirmed that “the Commission is aware of media reports related to the collection, by Zhenhua Data Company, of personal information about a large number of individuals. It has no information on whether the Chinese government might be using this database for surveillance”.

Commissioner Reynders stated that “in case the General Data Protection Regulation (GDPR) rules apply to this collection, something which is not for the Commission to assess but for the independent EU data protection authorities (DPAs), the company must appoint a representative in the EU which can be addressed in addition to or instead of the company by, in particular, the DPAs” and “the DPAs are generally responsible for monitoring the application of the GDPR”.

“Pursuant to Article 58.2 of the GDPR, DPAs can notably address ‘corrective’ measures to or impose administrative fines on the company’s representative, decide ‘a ban on processing’ or ‘order the suspension of data flows to a recipient in a third country’”, added Commissioner Reynders.

The Justice Commissioner explained that “as described in its recent Communication ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition — two years of application of the General Data Protection Regulation’, the Commission is actively engaging in a number of multilateral fora (e.g. the United Nations and the Organisation for Economic Cooperation and Development) to promote shared values and build convergence in the area of privacy and data protection at the regional and global level”.

Finally, Commissioner Reynders concluded that “the Commission will intensify this work to foster a global culture of respect for privacy”.

Photo Credit : https://www.cps.bureauveritas.com/media/3861
