Europe eyes privacy clampdown on China

A global standoff over Huawei and Chinese surveillance is prompting Europe to question whether its data is safe in China.

The European Union is waking up to a new surveillance threat, except this time the bad guy is China, not the United States.

Amid a global standoff between Washington and Beijing, the European Commission is re-evaluating its policies toward China on everything from technology transfers to unfair competition and dependency on foreign tech companies like Huawei.

A crucial part of that review now concerns privacy, amid worries that Europeans’ data is not secure from snooping when it’s handled by Chinese companies, say Commission officials.

EU officials, including its chief watchdog, underscore that current guarantees for Europeans’ data in China are not sufficient. Beijing — due to its surveillance regime — would not be eligible for a blanket legal arrangement covering all data exchanges with the EU, known as an "adequacy agreement," the same officials said.

“The debate around Huawei reinforces the need for reassurances to the public,” Giovanni Buttarelli, the European data protection supervisor, the top watchdog in the region, told POLITICO.

If the EU starts demanding stricter privacy guarantees from Beijing, Chinese tech giants like e-retailer Alibaba would be the first to feel the heat. Alibaba and companies like Tencent and Huawei already do big business in the EU. Any clampdown on how they access and transfer EU consumers’ data could hurt their development in the bloc — and that of the many smaller Chinese players looking to scale up in Europe.

Meanwhile, Silicon Valley is openly encouraging the EU to get tough on Chinese privacy.

After ex-NSA contractor Edward Snowden revealed wholesale U.S. snooping in 2013, American tech giants weathered an ongoing wave of tech regulation as well as the collapse of the Safe Harbor transatlantic data flows deal. Now, they say it’s China’s turn to face scrutiny from the EU.

"In Europe, the backlash against Big Tech is focused almost exclusively on the U.S. tech giants," Nick Clegg, a former U.K. deputy prime minister who is now Facebook's top lobbyist, told POLITICO in an interview last week.

"But we don’t hear so much about China, which combines astonishing ingenuity with the ability to process data on a vast scale without the legal and regulatory constraints on privacy and data protection that we require on both sides of the Atlantic."

Chinese companies in catch-22

Clegg's speech to European policymakers hit a nerve.

In the wake of Snowden's revelations, the EU revised its mechanisms for companies to send data from Europe to the U.S., triggering a wave of new regulation on privacy.

A legal challenge by Austrian privacy activist Max Schrems brought down key EU-U.S. data transfer deal Safe Harbor in 2015, and EU and U.S. officials scrambled to put together its successor Privacy Shield — which is still under annual review and challenged before the European Court of Justice.

The EU and U.S. have also had to update arrangements on sharing law enforcement data, airline passenger data and lots of other personal information.

The two sides are still working out how their respective police authorities can access the data of suspects through, respectively, the U.S. CLOUD Act and the EU's draft laws on electronic evidence. The Commission is asking EU capitals for a mandate to start the discussions this week.

However, Europe has yet to apply the same scrutiny to data flows between Europe and China.

While Chinese companies operating in Europe comply with the General Data Protection Regulation (GDPR), the EU's sweeping privacy law, they must also abide by intelligence laws back home in China that might contradict the GDPR.

"The problems in the private sector [with Chinese companies], you can solve," said Schrems, pointing to contractual agreements between companies that would allow Europeans to appeal when rights are violated. "A whole different world, and one we can't fix, is when there is government surveillance law in another country."

At the core of the EU's concerns about Huawei and data flows is China's National Intelligence Law of 2017, which requires companies to assist intelligence services and, according to European officials, lacks safeguards, transparency and democratic oversight.

Commission officials stress that the intelligence and law enforcement regime in China does not pass the EU's standard for privacy protections, and that EU citizens would not have legal certainty when seeking redress before Chinese courts for privacy violations.

That means the EU would not sign an "adequacy decision" with China, ruling out Europe's preferred mechanism to challenge excessive surveillance, the official said. In other words, China is unlikely to benefit from an overarching legal agreement like Privacy Shield, the current arrangement with the United States on data flows.

Asked about the legal protections against Chinese mass surveillance, the European Commission did not provide answers to questions at the time of writing.

Currently, Chinese companies in Europe have to use mechanisms like "binding corporate rules" or "standard contractual clauses" in order to provide privacy guarantees when they transfer data outside of the EU — including to China.

However, both instruments are under review by the Commission, and the latter is also under pressure at the EU's highest court.

The situation leaves Chinese companies facing a legal dilemma: When asked by national intelligence services to hand over data, they would have to do so to comply with Chinese law. But doing so would bring them into conflict with European law.

In an attempt to assuage western fears about surveillance, Huawei's CEO has stated that he would not comply with a request from the Chinese government to hand over data, stating that he would "definitely refuse" such a request. Chinese officials also insist that companies like Huawei are private and not subject to oversight by the government.

But legal experts say Huawei and other Chinese companies would not have a choice. A paper by the law firm Kallan, shared with POLITICO, argues that "companies and individuals who are subject to [China's National Intelligence Law] have an obligation to support, assist and cooperate with Chinese intelligence agencies. Such obligation can result in conflicts with core principles of the GDPR" including principles of fairness, purpose limitation and confidentiality.

The issue is likely to rise to the top of Europe's policy agenda in coming months, as the Commission figures out its approach to China on technology and strategic sectors. EU and Chinese officials are expected to meet in March to discuss data protection, the Commission said earlier, and Brussels has a big summit with Beijing planned for April.

"Every intelligence service should spy, by default. Otherwise it wouldn't be effective ... The question is to whom they report and what is predictable and proportionate," said Buttarelli, the EU's privacy watchdog.

He said that, in negotiating surveillance regimes with U.S. companies, "we're speaking about companies established in democratic countries. So what about the new world?"

This article is from POLITICO Pro: POLITICO’s premium policy service.