Managing EU–China Data Transfers

With the progressive digitalization of economic activities, companies increasingly operate on an international level, managing personal data flows across multiple jurisdictions.
In this article, we focus specifically on data transfers between the European Union (EU) and the People’s Republic of China (PRC) – two legal systems, governed respectively by the General Data Protection Regulation (GDPR) and the Personal Information Protection Law (PIPL) – which, while sharing the common goal of protecting individuals’ personal data, differ significantly in their implementation and enforcement approaches.

Understanding how these two frameworks interact is therefore essential for organizations transferring data between the EU and the PRC.

Converging principles, diverging systems

At first glance, the GDPR and the PIPL seem to share many similarities. Both have extraterritorial reach, applying to processing activities carried out outside their territories when the personal data of EU or Chinese individuals is involved.

However, their approaches differ: the GDPR is based on the data controller’s accountability and supervisory oversight, while the PIPL reflects a model more centered on data governance, consistent with PRC’s regulatory framework on data security and sovereignty.

Cross-border data transfer

Under the GDPR, the transfer of personal data outside the EU is only possible in compliance with the conditions set out in Chapter V of the Regulation. These include:

  • a formal adequacy decision by the European Commission, confirming that the destination country ensures a level of protection essentially equivalent to the EU’s;
  • appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs);
  • or, in exceptional cases, specific derogations, such as explicit consent.

As there is currently no adequacy decision between the EU and the PRC, data transfers between the two generally rely on SCCs, preceded by a Transfer Impact Assessment (TIA). This document evaluates whether local laws – particularly those on government access – could compromise the protection granted to EU personal data.

A pivotal case in this regard is the United States, which over the years has faced several challenges concerning the transfer of personal data.

The Court of Justice of the European Union (CJEU), through the well-known Schrems I and Schrems II judgments, invalidated the previous adequacy decisions due to concerns related to the access of personal data by U.S. public authorities.

In this sense, despite the adoption of the new EU–US Data Privacy Framework, the debate over the actual level of data protection in the United States remains open, confirming the inherent complexity of the cross-border data transfer regime.

The PIPL, on the other hand, takes a different approach. Any company transferring personal information outside China may be required, based on specific parameters and thresholds, to:

  • undergo a security assessment by the Cyberspace Administration of China (CAC);
  • sign a standard contract and file it with the CAC; or
  • obtain certification from an approved entity.

However, certain exemptions or simplified procedures may apply. For example, some intra-group data transfers carried out for HR management or internal administrative purposes may be exempt from the cross-border transfer mechanisms listed above.

Moreover, for certain categories of operators – such as those managing Critical Information Infrastructure (CII) or handling large volumes of data – data localization remains mandatory. This means that personal information must be stored within China, unless specific circumstances apply.

Practical implications for multinational companies

For multinational groups active in both markets, aligning GDPR and PIPL requirements can be challenging.

Companies must coordinate their privacy organizational model, internal procedures, privacy notices, and so on, while also managing contractual chains across jurisdictions and addressing potential government-access risks. They should likewise consider the risk of data breaches, including those that may occur in the context of cross-border data transfers, and ensure that adequate technical and organizational measures are in place to mitigate such events.

This often leads to the creation of dual compliance frameworks, with distinct documentation and obligations in each region.

However, despite their differences, GDPR and PIPL show a growing convergence around transparency, accountability, and security.

Therefore, for multinational companies, achieving compliance in one framework can significantly facilitate alignment with the other. The principles of privacy-by-design, lawful processing, and robust governance are increasingly universal. Even within a complex regulatory framework, a proactive and integrated approach can make a real difference. The support of professionals familiar with both jurisdictions enables companies to operate in a compliant, secure, and competitive manner on an international scale.

Jun Jie Yang, Associate

Jun Jie Yang has developed strong expertise in the areas of TMT, Data Protection, and commercial contracts.
