According to news media reports, the American professor Christopher Balding has presented evidence that the firm Zhenhua Data collects and catalogues substantial amounts of EU citizens’ data. According to these allegations, Zhenhua Data has collected data on at least 2.4 million individuals. The data includes birth dates, addresses, partnership status, political affiliations and information on relatives – thus highly sensitive and personal data.
The Italian Parliamentary Committee for intelligence and security has already instructed its intelligence service to investigate the matter, as 4 500 Italian citizens are among those whose data has been collected by Zhenhua Data.
On 28 September 2020, German Member of the European Parliament (MEP), Moritz Körner of the Renew Europe Group, filed a written parliamentary question to the European Commission. MEP Körner asked the Commission “is it aware of these recent allegations?” and “how does it plan to react to the allegations against Zhenhua Data, especially regarding the data security of EU citizens?”
In his closing, MEP Körner enquired “what conclusions does the Commission draw in general about the growing influence of Chinese firms and the data security of EU citizens?”
On 17 December, Justice Commissioner Didier Reynders responded on behalf of the European Commission.
Commissioner Reynders declared “the Commission is aware of media reports related to the collection, by Zhenhua Data Company, of personal information about a large number of individuals, but it has no additional information concerning whether the Chinese government might be using this database for surveillance”. He reported that “in case the General Data Protection Regulation (GDPR) rules apply to this collection, the company must appoint a representative in the EU which can be addressed in addition to or instead of the company by, in particular, the independent EU data protection authorities (DPAs)” and “the DPA can address corrective measures to or impose administrative fines on the company to the representative”.
He also explained that “the Commission has stressed that, ‘[w]here [foreign] operators fail to meet their obligation to appoint a representative, supervisory authorities should make use of the full enforcement toolbox in Article 58 of the GDPR (e.g., public warnings, temporary or definitive bans on processing in the EU, etc.)’”.
Commissioner Reynders asserted that “with the COVID-19 crisis, China has become more assertive in advancing its political and economic goals”.
Finally, he declared that “the March 2019 Joint Communication ‘EU-China: A Strategic Outlook’ sets out a robust and realistic strategy that defines China simultaneously as a negotiation partner, a cooperation partner, an economic competitor, and a systemic rival”. He added that “China’s increasing level of assertiveness presents new challenges that need to be addressed including in relation to data security”.
Photo Credit : https://pixabay.com/illustrations/gdpr-castle-protection-privacy-3285183/