Chinese tech firms such as Huawei and Bytedance have developed their global presence through aggressive R&D and a physical presence in the European Union (EU). Huawei, for instance, filed the highest number of patents in 2017 of any company in the EU and booked billions in contributions to the EU economy the same year.

Despite commercial successes, Chinese companies must still deal with regulator perceptions of being weak on cybersecurity and privacy. 5G has further complicated matters by placing added scrutiny on these Chinese firms. Accordingly, Chinese tech firms have to comply with two different rigorous—and still developing—regulatory regimes.

Min-Si Wang writes about topics in privacy tech, blockchain, and emerging markets. She is a director at Aza Finance, and has experience in tech M&A and product development with PwC and Temasek.

Europe’s approach to digital governance in privacy and data policy is setting a precedent for regulatory regimes around the world. Data and content regulations, most famously the General Data Privacy Regulation (GDPR), target any companies with customers in Europe. These have wide-ranging implications for foreign companies that do business in the EU. The overarching goal of the GDPR is to protect users’ privacy and return the control of personal data to users. The laws also promulgate the principle of privacy by design, in which transparency and a standard of privacy are non-negotiable pillars of service design and delivery.

For instance, companies need to obtain consent from customers on how their data will be used. Customers also need to be informed of any algorithm that makes use of their data (e.g. ad targeting), as well as business decisions resulting from the analysis of their data. Accordingly, the GDPR places a significant burden on IT and regulatory organizations in sectors ranging from artificial intelligence to financial services in the EU.

Compared to similar Chinese cybersecurity laws, the GDPR presents a new governance approach to data sovereignty for Chinese tech companies. GDPR seeks to regulate and safeguard personal privacy, which is a fundamental right under the EU Charter of Fundamental Rights. While China’s cybersecurity laws also cover data protection and network security of personal data, Chinese laws allow the state to access private data for national security purposes. As a result, Chinese companies have to adhere to both sets of regulations as the two different, though not completely competing, governance regimes continue to evolve.

In addition to GDPR, EU governments have also raised concerns over the cybersecurity risk of Chinese tech operations. A high-profile example of this is Huawei, a leading ICT producer of 5G networks. Huawei has opened offices across the EU, hired more than 13,000 direct staff, and aggressively recruited research talent. In 2018 alone, the company invested 2.8 billion euros (about $3 billion) in European operations, and has publicly affirmed its commitment to data sovereignty and local regulations. However, Huawei’s expansionary efforts in Europe have not translated into the adoption of its 5G network. For instance, pressure from the US and security concerns from the country’s intelligence community have resulted in a stalled 5G agreement in Germany, which had originally leaned toward a comprehensive trade and commercial agreement (including 5G) with China.

Underscoring the bloc’s security concerns, the European Union has also issued a strict guideline governing “high-risk” suppliers in the opening of its 5G networks. The guideline indicates a protectionist regulatory approach with recommendations such as blocking high-risk suppliers from critical parts of the network. It is clear that companies from different digital governance regimes need to adopt a highly localized regulatory approach to participate in the EU market.

Because of current geopolitical headwinds, Chinese firms have responded to recent regulatory roadblocks by investing in EU-specific compliance and operations. TikTok, for instance, has vowed publicly that the company abides by EU regulations in Europe, and has not shared or removed content from its platform due to oversight from regulators. The company also plans to grow its EU team up to 1,000 people to develop content policies specific to the EU market. Video content for the EU will also be managed by the local content team, thus creating a separate operation structure to counter any privacy concerns.

As Chinese tech firms continue to develop in a politically charged environment, they will continue to invest in local regulatory infrastructure to satisfy the unique EU digital governance regime. In effect, compliance know-how and infrastructure have emerged as key competitive advantages for firms operating on the continent. More established firms with the ability to invest in long-term regulatory relationships in the EU and outlast medium-term policy uncertainty will have an outsized advantage over rivals.
