Since ChatGPT's debut and the rise of DeepSeek for deep reasoning, generative AI tools have become essential for business operations. More and more companies are embracing AI, albeit cautiously, by permitting workplace use, purchasing enterprise AI subscriptions and creating corporate AI accounts for employees, with the aim of bringing employee AI usage under corporate risk management.
When European multinationals, particularly their Chinese subsidiaries, permit employees to use China-based generative AI tools like DeepSeek, Kimi, or Doubao, what legal regimes might apply? This article examines the legal landscapes both in China and the EU from two lenses: AI governance and personal data protection. It addresses a pressing concern for such businesses: which Chinese/EU regulations apply, and how extensive are the compliance obligations?
Regarding the AI governance aspect, please read “Legal Considerations for EU Businesses Using China-Based AI Services (Part I: AI Governance)”.
II. Personal Data Protection
Both China and the EU (as well as other European countries) have their laws governing the processing and protection of personal data. Personal data is broadly defined in all these jurisdictions, encompassing virtually any information that can identify a specific natural person, alone or in combination with other information, or that relates to an identifiable natural person. In the specific scenario that Chinese subsidiaries of European multinationals use Chinese AI services to process personal data (uploading documents, inputting prompts, or generating outputs containing personal data), companies need to consider whether they fall under the jurisdiction of Chinese or EU personal data protection laws and assume obligations as data controllers.
1) China’s Personal Information Protection Law (“PIPL”)
China’s Personal Information Protection Law applies to any processing activity occurring within Chinese territory.[1] Consequently, when staff at a China-based subsidiary of European multinationals use AI services to process personal data locally, that processing is subject to PIPL.
2) EU General Data Protection Regulation (“GDPR”)
The EU’s primary data protection law, the General Data Protection Regulation, adopts more complex rules on the jurisdictional scope. Under either the territorial rule in Article 3(1) or the extraterritorial rule in Article 3(2), processing activities by a China-based subsidiary, though physically occurring in China, may fall within GDPR scope.
2.1 Article 3(1) GDPR - Territorial Scope
Unlike PIPL, which in principle looks to where the processing activity actually occurs, GDPR Article 3(1) asks whether the processing is carried out “in the context of the activities of an establishment[2] of a controller or a processor in the Union”.[3] In other words, even processing outside the EU may still be deemed within the scope of the GDPR if it is closely related to the activities of an EU-based entity. The European Data Protection Board (“EDPB”) further clarified in its Guidelines 3/2018[4] that where processing outside the EU has an “inextricable link” with the activities of an EU establishment, the GDPR will apply.[5]
To avoid triggering Article 3(1), employees of a China-based subsidiary should keep their AI-related processing sufficiently independent from the EU parent's activities. For example, where the Chinese subsidiary processes personal data solely for its own operational purposes, such as using AI to process its internal HR data (e.g., recruitment or performance evaluation) or to process sales orders containing personal data of its customers, such activities will generally NOT be regarded as having an inextricable link with the activities of the EU parent. Conversely, if the EU parent company’s activities are primarily intended to support or fund the processing activities of the Chinese subsidiary, or if the parent company directly instructs the subsidiary to carry out specific processing activities, the processing may fall within the scope of the GDPR.[6]
2.2 Article 3(2) GDPR - Extraterritorial Scope
As noted, GDPR’s broad territorial rule already covers some processing outside the EU. Article 3(2) goes further by setting out two additional situations that trigger GDPR’s extraterritorial application:
(a) Where the processing of personal data outside the EU is carried out for the purpose of offering goods or services to data subjects within the EU (i.e., the specific natural persons identified by the personal data). According to Recital 23, this provision is only triggered when an overseas entity demonstrates clear intent to offer goods or services to data subjects within the EU; or
(b) Where individuals’ behavior within the EU is monitored. According to Recital 24 and the EDPB Guidelines 3/2018 referenced above, such “monitoring” typically refers to profiling individuals based on their preferences or behavior in order to conduct targeted advertising, personalized health analysis, or other similar activities.
In the scenario discussed in this article, if a Chinese subsidiary uses AI services to process EU customers’ personal data to market products or services to them or to handle their orders, such activities may fall within (a) above. As for situation (b), behavior monitoring generally requires specialized software to build user profiles. Such monitoring is less likely to be carried out using general-purpose generative AI services. Therefore, the use of ordinary generative AI services by a Chinese subsidiary to process personal data normally won’t trigger (b).
Summary: Personal Data Protection
In summary, when a China-based subsidiary of a European enterprise uses AI services to process personal data, such processing will first be subject to China’s PIPL. Only in specific circumstances and depending on the processing purposes may it also fall within GDPR’s scope. Therefore, if enterprises wish to avoid GDPR compliance obligations and reduce the associated burden, they should appropriately limit the use cases in which Chinese subsidiaries deploy AI services to process personal data and avoid triggering either the territorial or extraterritorial jurisdiction provisions of the GDPR.
Footnotes
[1] The territorial scope of a law refers to the geographical area within which the law is effective. As a general rule, Chinese laws are effective within the territory of China. The PIPL also contains provisions on extraterritorial application; that is, under specific circumstances, the PIPL applies to the processing of personal information of natural persons within China even if such processing occurs outside China. This article does not involve this issue and therefore leaves it aside.
[2] According to Recital 22 of the GDPR, the term “establishment” in the GDPR refers to “the effective and real exercise of activity through stable arrangements”, and is not tied to legal forms such as companies or [...]. The EU parent company of the Chinese subsidiary discussed in this article aligns with this concept of “establishment”, hence it is only referenced in the footnotes.
[3] In the scenario assumed herein, where a Chinese subsidiary uses AI to process personal data, the Chinese subsidiary constitutes either the controller or the processor. A potential question arises: could the EU parent company be deemed an “establishment within the EU” of the Chinese subsidiary? Since the provision itself does NOT explicitly state that it only catches the situation where the overseas entity controls the EU establishment, we reckon that the affiliated relationship between the two entities is sufficient to prompt a prudent player to consider whether it falls under GDPR jurisdiction.
[4] EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3).
[5] The landmark 2014 European Court of Justice ruling Google Spain SL v. AEPD provides guidance on what constitutes an “inextricable link.” In Case C-131/12, the European Court of Justice determined that Google Spain SL’s advertising sales activities in Spain funded Google Inc.’s processing of personal information in the United States, establishing an “inextricable link” between the two entities. Consequently, Google Inc.’s personal data processing activities in the United States fall under the jurisdiction of EU law.
[6] In fact, if the processing activities of the subsidiary are carried out on behalf of the parent company, the two entities inherently form an entrusted processing relationship. The parent company is subject to the GDPR as a data controller under Article 3(1) of the GDPR, and the subsidiary is also subject to the GDPR as a data processor.