19 May 2026

Legal Regulations Governing EU Companies' Use Of Chinese-Made AI Services (Part 2: Personal Information Protection)

Shaohe Law Firm


Founded in 2007, Shaohe Law Firm has become one of the most trusted legal service providers for foreign entities in China, especially for European entities. We cover a wide range of practice areas with an emphasis on complex disputes, corporate/M&A, employment law, data compliance, intellectual property protection and tax law.

Chen Jiawei, Shaohe Law Firm

With the emergence of ChatGPT and the popularization of deep thinking by DeepSeek, generative AI services have gradually become indispensable practical tools for enterprises. More and more companies are choosing to (within limits) embrace AI, allowing employees to use it, and even purchasing AI services and creating work accounts for employees, hoping to incorporate employees' use of AI into the enterprise's risk management framework.

What specific legal regulations might European multinational corporations, especially their Chinese subsidiaries, be subject to if they plan to or have already allowed employees to use locally developed generative AI services in China, such as DeepSeek, Kimi, and Doubao, in the workplace? This article will examine the relevant laws in China and the European Union from the perspectives of AI regulation and personal information protection, and attempt to answer common questions from such companies in this scenario: Which Chinese/EU regulations do I need to pay attention to, and to what extent do I need to fulfill compliance obligations?

Regarding regulations related to artificial intelligence, please read: What Chinese and European laws govern European companies using Chinese AI services? (Part 1)

1. Personal information protection regulations

Both China and the European Union (and other European countries) have laws related to personal information protection, regulating the processing of personal information. Personal information is a broad concept, encompassing almost everything that can, alone or in combination with other information, identify a specific natural person or be related to that specific natural person. Specifically, regarding the scenarios where employees of the aforementioned companies use Chinese AI services to process personal information in their daily work (which may include uploading files containing personal information, or other AI inputs or outputs containing personal information), companies need to pay attention to whether they are governed by relevant Chinese and European laws on personal information protection and bear the responsibilities of personal information processors.

1. China's Personal Information Protection Law ("Personal Information Protection Law")

The territorial jurisdiction of China's Personal Information Protection Law[1] is determined based on the "place where the processing occurs," meaning that as long as the processing occurs within China, it is subject to this law. Therefore, the processing of personal information by employees of EU companies' Chinese subsidiaries during the use of AI occurs within China and is subject to China's Personal Information Protection Law.

2. EU General Data Protection Regulation ("GDPR")

The EU's General Data Protection Regulation (GDPR) has more complex territorial jurisdiction rules. Whether based on its Article 3(1) "territorial jurisdiction" rule or its Article 3(2) "extraterritorial jurisdiction" rule, certain processing activities (occurring in China) of a Chinese subsidiary may be subject to GDPR jurisdiction.

1. GDPR Article 3(1) "Territorial Jurisdiction" Rule

Unlike the Chinese Personal Information Protection Law, which generally determines jurisdiction based on the place where the processing occurred, the GDPR does not use the actual place where the processing occurred as the basis for judgment. Instead, it requires examining whether the processing is "in the context of the activities of an establishment of a controller or a processor in the Union".[2, 3] In other words, if processing occurs outside the EU but is closely related to the activities of an entity within the EU, then the processing is considered to have occurred within the EU and is subject to the GDPR. The European Data Protection Board (EDPB), the EU's data law harmonization body, further explains in its Guidelines 3/2018[4] that if processing occurring outside the EU has an "inextricable link" to the activities of an entity within the EU, then the processing will be subject to the GDPR.[5]

Therefore, in order to avoid the application of Article 3(1) of the GDPR, the personal information processing activities of employees of European-funded Chinese companies using AI should maintain a certain degree of independence from the activities of the EU parent company and avoid being deemed to be closely related. We understand that if a Chinese subsidiary processes personal information only for its own operational purposes, such as using AI to process the subsidiary's personnel information (e.g., in recruitment, performance appraisal, etc.) or using AI to process orders containing personal information of the subsidiary's customers, such processing is generally not considered "inseparable" from the parent company's activities. On the contrary, if the main purpose of the parent company's activities is to directly support or fund the processing activities of the Chinese subsidiary, or even if the parent company directly instructs the subsidiary to carry out specific processing activities, then the processing activities of the Chinese subsidiary will fall under the jurisdiction of the GDPR.[6]

2. Article 3(2) of the GDPR "Extraterritorial Jurisdiction" rule

As stated above, the GDPR's broad territorial jurisdiction provisions already cover some processing activities that occur outside the EU. Going further, Article 3(2) of the GDPR provides for two additional situations that trigger GDPR extraterritorial jurisdiction.

  1. The processing of personal information outside the EU is for the purpose of providing goods or services to data subjects within the EU (i.e., the specific natural persons identified by the personal information). According to Article 23 of the GDPR legislative interpretation, this article can only be triggered if a foreign entity has a clear intent to provide goods or services to a data subject within the EU.
  2. Monitoring of personal behavior occurs within the EU. According to Article 22 of the GDPR Legislative Explanation and the aforementioned EDPB 3/2018 guidance, "monitoring" here mainly refers to the creation of personalized user profiles based on individual preferences and behaviors, and the resulting personalized health analysis and targeted advertising.

Specifically, in the scenario discussed in this article, if a Chinese subsidiary uses AI services to process the personal information of natural persons in the EU for the purpose of marketing products or services to those customers or processing their order information, it may fall under item 1 above and be governed by the GDPR. Regarding item 2, since user profiles often need to be created using specialized software, it is difficult to monitor individuals in the EU using general generative AI services. Therefore, the use of general generative AI services by a Chinese subsidiary to process personal information generally will not trigger the application of item 2.

Summary of Personal Information Protection

In summary, when EU companies' Chinese subsidiaries use AI services to process personal information, they are primarily governed by China's Personal Information Protection Law. Only under specific circumstances and for specific processing purposes may they be subject to the EU's GDPR. Therefore, companies wishing to avoid GDPR regulation and reduce their personal information protection compliance burden should appropriately limit the scenarios in which their Chinese subsidiaries use AI to process personal information, thus avoiding triggering the GDPR's territorial or extraterritorial jurisdiction.

Footnotes

1. Territorial jurisdiction of a law refers to the geographical area within which the law is effective. Generally speaking, Chinese laws are effective within China. The Personal Information Protection Law of China also contains provisions on extraterritorial jurisdiction, meaning that under certain circumstances it has jurisdiction over processing, carried out outside China, of the personal information of natural persons within China. This issue is not discussed in this article, so it will not be elaborated here.

2. According to Article 22 of the GDPR legislative explanation, an "entity" in the GDPR means "effective and real exercise of activity through stable arrangements" and is not associated with legal forms such as companies or partnerships. The EU parent company of the Chinese subsidiary discussed in this article meets the definition of an "entity" and is therefore only mentioned in a footnote.

3. The original wording of the article is "an entity whose controller or processor is located within the EU". In the scenario assumed in this article, the Chinese subsidiary uses AI to process personal information, and the Chinese subsidiary must constitute a controller or processor. It may be questionable whether the EU parent company can be considered "an entity of the Chinese subsidiary located within the EU". Since the article itself does not explicitly state that only when a foreign entity has a controlling relationship with a domestic entity can it fall under this article, we understand that the relationship between the two is sufficient to prompt a prudent entity to consider whether it falls under the GDPR.

4. EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3)

5. The landmark 2014 European Court of Justice case, Google Spain SL v. AEPD, provides guidance on understanding what constitutes an "inseparable connection." In Case C-131/12, the European Court of Justice found that Google Spain SL's advertising sales activities in Spain funded Google Inc., establishing an "inseparable connection" between the two, and therefore Google Inc.'s personal data processing activities in the United States were governed by EU law.

6. In fact, if the subsidiary's processing is done on behalf of the parent company, then the two constitute a commission relationship. The parent company is subject to the GDPR as a data controller under Article 3(1) the GDPR as a data processor.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
