Data transfer to Russia and China in times of crisis

Peter Hense und Bettina Blawert//

In light of the “changed security policy situation” following Russia’s invasion of Ukraine, the Norwegian data protection regulator recently encouraged any company that exports personal data to Russia and Ukraine to review its practices to ensure that they are still actually legal.¹

This is a prime example of just how topical and potentially explosive the issue of transferring personal data to third countries really is. Especially in this day and age, when the economic value of personal data is growing and its protection is increasingly threatened by autocracy and even war, it is worth taking a closer look at data protection regulations around the world. This article will focus on data transfers to Russia and China, asking the question: have we all become transparent citizens, at least in those countries?

1. Schrems I, II and beyond

Since the Schrems rulings of the European Court of Justice (ECJ), companies and national data protection authorities alike have been required to assess data transfers carefully and shut them down whenever the regulations of the country where the data is being sent do not guarantee protection equivalent to the GDPR/CREU. This trend has had a major impact on data transfers to the US, but also to Russia and China.

2. Data transfer to Russia – and why these are a problem

2.1 Russia´s own data protection regulations²

Russian data protection law is a complex affair – not least because the country is currently waging a war of aggression against Ukraine and, by extension, the rest of the civilized world. The Russian federal law on personal data, 152-FZ (2006), underwent extremely relevant changes in September 2015 (N 242-FZ). These regulations give Russian authorities a wide range of excuses to gain access to personal data. Grounds for such access – even to special categories of personal data such as race, sexual life, and political and religious beliefs – include the purposes of defence, security, counterterrorism, transport security, combating corruption, operational investigative activities, enforcement proceedings, and the penal legislation of the Russian Federation.³ This means that an individual’s right to data protection and privacy can be restricted whenever the state claims national security interests are at stake. In addition, Russia often flagrantly violates the ECHR, especially when it comes to freedom of expression.⁴

Digitalization has also paved the way for new forms of state surveillance, censorship and information control. According to the EDPB’s final report, the Russian state uses existing data protection rights as an instrument to control the internet and protect government interests.⁵ Compared to the EU, there is a clear imbalance between the fundamental rights of data subjects and the protective interests of the state itself.⁶

2.2 Why does this threat concern us? The Russia-Ukraine war as an example⁷

The protection offered by Russia’s data protection regulations is not equal to that of the GDPR. This is something we should all care about, both in terms of data protection law and on a personal, practical level.

The dangers of an inadequate level of data protection can be considered from a socio-political and a legal point of view. In light of the Russian invasion of Ukraine, governments shouldn’t forget that personal data is of increasing economic value. While sanctions were swift – with bans on imports and exports of material goods already in force and Russia essentially cut off from the global payments system – another potential sanction could take the form of stopping the flow of personal data. In the early hours of 24 February 2022, Russian forces invaded Ukrainian territory. The military operation is said to have been accompanied by availability attacks on websites and sabotage attacks on selected Ukrainian institutions. The DDoS (distributed denial of service) attacks were allegedly limited to the websites of Ukrainian banks and ministries as well as the parliament.⁸ At the same time, data deletion programs, known as wipers, are said to have been discovered on Ukrainian computers. Banks and service providers of the Ukrainian government with offices in Lithuania and Latvia are also reported to have been affected. In some cases, the malware was allegedly distributed via Windows Group Policy.⁹ The perpetrators must therefore have already had the corresponding administrator authorizations and access to central servers, such as a directory service. Since the invasion, NATO partners have increasingly reported aggressive scanning activities in their networks. Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and National IT Crisis Response Centre (Nationales IT-Krisenreaktionszentrum, IT-KRZ) have issued a special situation report on the current developments in the Ukraine crisis with the rating “3 / Orange”. The IT threat situation, especially in critical infrastructures, is classified as business-critical; a massive impairment of regular operations cannot be ruled out. However, no changed threat is currently assumed for German companies.¹⁰

Furthermore, the BSI is currently warning against the use of virus protection software from the Russian manufacturer Kaspersky. The BSI recommends replacing applications from the Kaspersky virus protection software portfolio with alternative products.¹¹

The BSI states in this regard: “The actions of military and/or intelligence forces in Russia as well as the threats made by the Russian side against the EU, NATO and the Federal Republic of Germany in the course of the current armed conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer could carry out offensive operations itself, be forced to attack target systems against its will, or itself be spied on as a victim of a cyber operation without its knowledge or be misused as a tool for attacks against its own customers.”¹²

All in all, this means that personal data could be at risk due to cyber-attacks.

3. Data transfers to China – life in a “transparent society”?

3.1 Data protection regulations in China¹³

The Data Security Law (DSL, 2021) is China’s first ever comprehensive data security regulation. Another first is its Personal Information Protection Law (PIPL, 2021). As the names suggest, their common aims are data security and the protection of personal information, but they also regulate cross-border data transfers. The laws are new pillars of China’s data security rules, with many provisions similar to those of the GDPR. Whenever a company operates in China, it must be certified according to its laws and establish a solid governance structure. PIPL covers the processing of personal data within China’s borders. However, it does not apply to processing activities that occur in Hong Kong, Taiwan and Xiamen (Art. 3 PIPL).

3.2 The problem

Although the People’s Republic of China has established a data protection regime, there are essentially no real restrictions preventing state access to personal data.

The new data protection law at least gives Chinese citizens as consumers new ways to protect themselves from data collection by providers, especially major corporations. In this respect, China’s data protection law is certainly comparable with the European GDPR. Even so, this new legislation by no means spells the end of the “transparent citizen” in China.

As regards the personal data of foreigners, the EDPS points out that the Chinese legal system also lacks sufficient safeguards comparable to those of the EU.¹⁴ For example, to the extent that China’s Cybersecurity Law provides for measures only “in accordance with the law”, Chinese law itself does not contain any restrictions on government access to data.¹⁵ Overall, the Chinese legal system legitimizes far-reaching and unrestricted access by state authorities to personal data.¹⁶ Furthermore, the principle of proportionality is not respected, since there is no mention of independent supervision and there are only limited safeguards for data subjects’ rights.¹⁷

The law is aimed at (or arguably against) the business world, in particular large internet companies and their misuse of data. However, it does not change anything about state-legitimized surveillance, such as that carried out by countless cameras in public places. And it certainly does not mean turning away from China’s planned Social Credit System. Though delayed in its implementation, this system will introduce data-based rewards or sanctions for the country’s own citizens.

3.3 Supply chain and vendor liability

Data transfers to insecure third countries are not always apparent at first glance. Many companies use service providers and services which in turn use vendors in the countries concerned, causing problematic data transfers for which the controller, at the end of the chain, is ultimately responsible under the GDPR. Only last year, the app Clubhouse came under fire because, in addition to significant violations of data protection law and non-compliance with the GDPR,¹⁸ it was even possible to eavesdrop on users. Clubhouse uses features from the Chinese start-up Agora.io, with which user conversations can be specifically recorded.

And the best way to transfer data to Russia or China? Just don’t do it

The unencrypted transfer of personal data to Russia and China is highly problematic from both a GDPR and human rights perspective. Neither state has adequate levels of data protection or safeguards for fundamental rights, and in both, state authorities have wide-ranging access to personal data processed domestically.

Peter Hense, Founder & Partner of SPIRIT LEGAL Fuhrmann Hense Partnerschaft von Rechtsanwälten

Bettina Blawert, SPIRIT LEGAL Fuhrmann Hense Partnerschaft von Rechtsanwälten