
Navigating Cross-Border Data Compliance: A Practical Guide for Chinese Tech Companies Expanding into the EU
A practical compliance guide for Chinese tech companies expanding into the EU — covering GDPR, the AI Act, ePrivacy, and cross-border data transfers, with actionable steps for B2B procurement readiness.
Key Takeaways
- The EU AI Act came into force in August 2024, and its effect has extraterritorial scope (Art. 2). Chinese AI service providers may fall within the scope of the AI Act where the AI systems or outputs are used within the EU, with obligations depending on their role and the risk category of the system.
- Cross-border data transfers may require parallel compliance under both Chinese and EU data protection rules: China's PIPL outbound transfer requirements, including Art. 38, should be assessed, and where EU personal data is transferred to China and SCCs are relied upon, the SCCs should be accompanied by a transfer impact assessment under GDPR Art. 46.
- For B2B outbound enterprises, a compliance package is often expected to be prepared, including the DPA, RoPA, Privacy Policy, and Technical and Organizational Measures (TOMs), to respond to EU customer onboarding and vendor due diligence.
- The ePrivacy Directive (Art. 5(3)) requires the user's prior informed consent before SDKs and cookies store or access information on the user's device, and where consent is requested, refusing or withdrawing consent should not be made more difficult than giving it.
I. Main Legal Framework for EU Data Compliance
Chinese tech companies expanding to the EU face a highly developed and comparatively demanding digital regulatory environment. Compliance today is not limited to the GDPR (General Data Protection Regulation) alone; it involves a multi-layered regulatory framework in which several regulations apply at the same time.
(I) GDPR: The Fundamental Rules for Personal Data Processing
The GDPR is the cornerstone of EU data protection. According to Art. 3 GDPR (Territorial Scope), the GDPR applies to an enterprise located in China as long as it offers goods or services to individuals in the EU or monitors their behavior within the EU. It often functions as the baseline framework for privacy notices, user-facing terms, data processing architecture and internal governance.
(II) AI Act: A New Compliance Focus for AI Products Entering the European Market
Regulation (EU) 2024/1689 (AI Act) officially entered into force in August 2024. According to Art. 2 AI Act, the Provider of an AI system is covered regardless of its location, as long as the system is placed on the EU market or put into service in the EU. Chinese enterprises need to pay attention to the prohibited AI practices and AI literacy obligations applying from 2 February 2025; General-Purpose AI (GPAI) obligations apply from 2 August 2025, while further rules apply from 2 August 2026.
(III) ePrivacy: Rules for Cookies, SDKs, User Tracking, and Electronic Marketing
The ePrivacy Directive (2002/58/EC), which complements the GDPR, focuses on the privacy of electronic communications. According to Art. 5(3) ePrivacy Directive, any storing of or access to information on a terminal device (such as using cookies or embedding a third-party SDK) requires the user's informed consent. This is particularly relevant for mobile apps and SaaS tools.
(IV) Contextual Application of the Data Act, NIS2, DSA, and Other Rules
For cloud services, critical infrastructure, or large platforms, attention must also be paid to the supply chain security obligations introduced by NIS2 (such as reporting major incidents within 24 hours) and to the Data Act requirements on cloud switching, data portability and interoperability, where applicable. Together, these regulations constitute the complete regulatory landscape that Chinese tech companies expanding overseas must face.
II. GDPR: Compliance Obligations Surrounding Personal Data Processing
In the EU market, GDPR compliance is often a baseline expectation in EU customer onboarding and a relevant factor for corporate trust.
(I) Identifying Personal Data, Processing Purpose and Legal Basis
Enterprises should clearly define the legal basis for each processing activity according to Art. 6 GDPR. For Chinese B2B SaaS companies, this usually relies on "necessity for the performance of a contract" or "legitimate interests," while for B2C business, "consent" is particularly relevant.
(II) Establishing Foundational Documents such as the Privacy Policy, DPA, and RoPA
Compliance should be demonstrated and properly documented. Enterprises must formulate transparent privacy policies according to Art. 13 and Art. 14 GDPR; when outsourced processing is involved, a Data Processing Agreement (DPA) containing the mandatory clauses of Art. 28 must be signed; furthermore, the Records of Processing Activities (RoPA, Art. 30) are the primary document for responding to requests from supervisory authorities. Special reminder: Chinese enterprises that have not established a branch in the EU may need to designate an EU Authorized Representative in accordance with Art. 27 GDPR.
(III) Addressing Cross-Border Data Transfer and Remote Access Issues
The transfer of data from the EU/EEA to China is subject to the requirements of Chapter V GDPR. In practice, the commonly adopted mechanism is the "Standard Contractual Clauses" (SCCs) under Art. 46 GDPR, which must be supplemented by a Transfer Impact Assessment (TIA) analyzing whether Chinese law (such as Art. 40 Personal Information Protection Law (PIPL) concerning restrictions on the retrieval of important data) would weaken the level of protection afforded by the GDPR.
(IV) Safeguarding Data Subject Rights
Chinese enterprises must establish a response mechanism to ensure users can exercise the rights stipulated in Art. 15-22 GDPR, including the Right of Access, the Right to Erasure (Right to be Forgotten), and the Right to Data Portability. A response is generally required without undue delay and in any event within one month, subject to possible extension where permitted.
(V) Regulating Employee Data and Vendor Data Processing
Internal governance should also be addressed. Processing EU employee data requires consideration of local labor law. Concurrently, vendors and sub-processors should be assessed through appropriate due diligence to support accountability across the supply chain.
(VI) Preparing Security Measure Documentation and Client Due Diligence Materials
Large EU enterprises conduct vendor risk assessments when procuring Chinese technology services. Enterprises must, in accordance with Art. 32 GDPR, be able to demonstrate Technical and Organizational Measures (TOMs) such as encryption, anonymization, and multi-factor authentication.
III. AI Act: Building Risk Governance Capabilities Around AI Products
The AI Act adopts a "risk-based approach," setting differentiated obligations for AI systems with different risk levels.
(I) Determining the Risk Level of the AI Product
Enterprises must first check against Art. 5 AI Act to determine whether any prohibited practices are involved (such as unauthorized real-time biometric identification). Subsequently, they must check against Annex III to determine whether the product is a high-risk AI system (such as AI used for human resources, credit scoring, or critical infrastructure).
(II) Determining the Enterprise's Role in the AI Supply Chain
Chinese enterprises acting as Providers often carry the most extensive obligations, especially for high-risk AI systems or GPAI models; if they integrate third-party models into their own products, they may be deemed a Deployer. According to Art. 3(2) AI Act, the definition of a Provider is country-agnostic, focusing only on whether the product enters the EU market.
(III) Identifying Special Obligations for High-Risk AI, GPAI, and Generative AI
Providers of GPAI models (such as large language models) placed on the EU market are subject to the transparency obligations of Art. 53 AI Act, including compiling technical documentation, complying with EU copyright law, and disclosing a summary of training data. For AI systems generating synthetic audio, image, video or text content, the outputs should also be marked in a machine-readable format and be detectable as artificially generated or manipulated according to Art. 50 AI Act.
(IV) Preparing AI Compliance Documentation, Model Training Declarations, and Internal Responsibility Allocation
Enterprises may consider establishing an internal AI Governance Committee and documenting the relevant stages of the AI system lifecycle. For high-risk systems, a Quality Management System may need to be established and a conformity assessment conducted to obtain the CE marking or complete registration where applicable.
IV. How Chinese Tech Companies Should Start
In response to the complex regulatory requirements mentioned above, Chinese enterprises should adopt a strategy of risk prioritization and phased implementation.
(I) Sorting Out Business Models and Data Flows
This is usually the practical starting point for compliance work. Enterprises should clarify: Where is data collected? Does it involve cross-border transfers? Who can remotely access the servers? It is recommended to maintain a dynamic Data Flow Diagram as the fundamental basis for preparing TIAs, the RoPA and client-facing explanations.
(II) Determining Applicable Rules and Key Risks
Distinguish compliance priorities based on product attributes. Mobile products focus on ePrivacy (the SDK consent mechanism); SaaS products often require particular attention to the GDPR (data hosting and the DPA); AI products require AI Act scoping and risk classification. Concurrently, attention must be paid to the interaction between China's PIPL and EU rules, especially the outbound security assessment requirements.
(III) Establishing a Compliance Package for Procurement and Client Due Diligence
To shorten the sales cycle, enterprises should consider preparing a client-facing compliance documentation package or Trust Center containing, where available, ISO 27001/27701 certification, executed SCCs or an SCC template, the TIA report, DPO contact information and detailed TOMs documentation.
(IV) Embedding Compliance into Product, Sales, and Customer Success Processes
Practice "Privacy by Design" (Art. 25 GDPR). Product teams should integrate privacy settings and data-minimisation choices where relevant; sales and customer success teams should be equipped with approved compliance messaging and explain the applicable transfer mechanism and safeguards in a consistent and legally reviewed manner.
V. Conclusion
For Chinese tech companies expanding to the EU, compliance should not be treated as a cost item, but as a factor supporting trust, procurement readiness and market access, and enabling participation in enterprise-level competition. Under the combined constraints of the GDPR, the AI Act, and the PIPL, only by establishing a risk-based, documented and locally informed compliance framework can enterprises manage regulatory and geopolitical risks more effectively.
About the author
Junzhe Dai
Junzhe Dai is a PhD candidate at the Faculty of Law, Humboldt University of Berlin. His research focuses on data market regulation, data protection law, and AI governance, with particular interest in the GDPR, the AI Act, the Data Act, and comparative analyses of EU and Chinese digital regulatory frameworks.