Cross-Border Data Processing under the "Offshore Model": China's Regulatory Approach in Comparative Context

Dacheng

[co-author: Ken Dai]

  1. Introduction

As the digital economy continues to thrive and remote work becomes increasingly mainstream, an “offshore model” of business operation has emerged. Under this model, companies may provide services to users in a given country—often through websites, platforms, or applications—without maintaining a legal entity, employees, or servers within that jurisdiction. Such operations inherently involve cross-border data flows and the remote processing of personal or sensitive information.

China’s Personal Information Protection Law (PIPL) explicitly applies to certain foreign data processing activities under Article 3, establishing clear extraterritorial reach. The EU’s GDPR similarly asserts extraterritorial applicability and requires foreign controllers to appoint local representatives, with limited exemptions. In contrast, the U.S. lacks a unified federal privacy law and relies on sectoral and state regulations. Recent federal rules limit data access by “countries of concern” but allow certain exemptions, aiming to balance security with legitimate cross-border activity.

  2. China’s Approach: Extraterritorial Reach and Local Representation Requirements

China has adopted a relatively strict regulatory approach toward foreign entities that access or process data originating from its territory without a local presence. Under Articles 3 and 27 of the PIPL, the law applies extraterritorially to foreign processing of personal information where the processing involves:

  • Providing products or services to individuals located in China;
  • Analyzing or evaluating the behavior of individuals in China; or
  • Other scenarios prescribed by law.

In such cases, the foreign personal information processor must either establish a dedicated entity or designate a representative within China, and must report the entity’s or representative’s contact details to the relevant supervisory authority.

The first condition is generally interpreted to include foreign businesses that target Chinese users, assessed through factors such as a Chinese-language website, use of local payment systems, or other indications of market intent. The second condition, which involves analyzing or evaluating behavior, is similar to the GDPR’s concept of monitoring behavior. It includes profiling activities such as targeted advertising, wearable health data analysis, and location tracking.

The 2025 Regulation on Network Data Security Administration further requires that representative information be reported to the local municipal-level Cyberspace Administration (CA). While a foreign company may choose to designate its Chinese subsidiary as the responsible entity, the regulatory framework does not yet clarify whether formal approval or filing is required for the representative’s designation.

Moreover, the scope of responsibility for such a representative remains broadly defined. It is unclear whether the representative must be substantively involved in processing activities—e.g., collecting personal information or participating in processing decisions—or whether it may serve a more limited liaison or emergency response function. These practical questions remain subject to future regulatory interpretation and enforcement.

  3. Comparative Note: EU’s Representative Requirement under the GDPR

Article 3(2) of the GDPR applies to non-EU controllers or processors if they (1) offer goods or services to people in the EU, or (2) monitor their behavior. Where this applies, Article 27 requires the designation of a representative in the EU to act as a point of contact for supervisory authorities and data subjects.

The GDPR sets out two limited exemptions to the representative obligation:

(1) Low-risk, occasional processing — A representative is not required if the processing:

  • Is occasional, i.e., not part of regular or systematic operations;
  • Does not involve large-scale processing of special category data or criminal data; and
  • Is unlikely to result in a risk to data subjects’ rights and freedoms.

(2) Public authority exemption — Public bodies outside the EU are not subject to the representative requirement, based on sovereign immunity principles. According to the European Data Protection Board (EDPB), whether an entity qualifies depends on its nature, functions, and the purposes of the data processing.

Notably, the representative obligation is enforced in practice. On May 12, 2021, the Dutch Data Protection Authority (AP) fined the U.S.-based website Locatefamily.com €525,000 for failing to appoint an EU representative while offering services to individuals in the EU. This case marked the first penalty issued under Article 27 for non-compliance with the representative requirement.

Although China’s regime under the PIPL differs in structure and enforcement maturity, the underlying principle—requiring local accountability for foreign personal information processors targeting domestic individuals—is broadly aligned with the GDPR. However, unlike the GDPR, China’s framework currently provides no explicit exemptions for low-risk or occasional processing, and no enforcement cases to date have clarified the role, obligations, or practical implementation of the designated representative.

  4. United States: No Local Representative Rule, Fragmented and Security-Focused Oversight

Unlike the GDPR, U.S. federal law does not require foreign companies to appoint a local representative when collecting personal data from individuals in the United States through purely online channels.

Nevertheless, certain state privacy laws have begun to assert extraterritorial reach over offshore data processing. The California Privacy Rights Act (CPRA) applies to businesses “doing business in California,” a term interpreted broadly by reference to California tax law and regulatory guidance. Foreign companies may fall within scope even without a physical presence in the state—such as when offering online services to California residents, processing payments from California, or employing remote staff.[1] Similarly, New York’s SHIELD Act has a broad scope. It applies to any entity that “owns or licenses” computerized private information of New York residents, regardless of whether the company operates in New York. This makes data collection—not business location—the key trigger, significantly expanding the law’s geographic reach.[2]

In addition to these civil frameworks, the U.S. has introduced national security-based restrictions targeting offshore access to sensitive data. In January 2025, the U.S. Department of Justice finalized rules under Executive Order 14117, aiming to restrict entities from “countries of concern”—including China, Russia, Iran, and others—from accessing large volumes of sensitive personal or government-related data. The rules prohibit or condition certain transactions involving genomics, biometric data, precise geolocation, and personal health or financial information, especially where the recipient is linked to a restricted jurisdiction through ownership, residence, or corporate control.

At the same time, the rule includes numerous exemptions—for example, data transfers related to telecommunications, international travel, financial services, clinical trials, and intra-group operations. These carve-outs reflect a policy balance between national security concerns and maintaining functionality in global commerce, healthcare, and communications.

These exemptions reflect three key policy considerations. First, certain data use cases—such as non-commercial personal communications, cross-border transfers of expressive content, or routine intra-group operations—are generally low-risk and not closely tied to national security concerns. Second, some industries already operate within mature regulatory frameworks that mitigate data risks under existing rules, such as financial services, telecommunications, and pharmaceutical research. Third, certain categories involve sovereign functions or international obligations of the U.S. government—such as official activities or treaty-based cooperation—which are not appropriate for general data transaction controls.

Overall, the exemptions aim to safeguard national security while preserving essential functions in global commerce, government operations, and international engagement.

  5. Comparative Reflections and Compliance Implications

The EU and China have both adopted proactive regulatory approaches to offshore data processing, grounding extraterritorial jurisdiction in statutory provisions and requiring foreign companies to establish local accountability mechanisms. While the GDPR offers a more mature and enforceable framework—backed by defined exemptions and enforcement precedents—China’s model under the PIPL is still evolving. Key aspects, such as the scope and legal status of designated representatives, remain underdefined, and no public enforcement cases have been reported to date.

By contrast, the U.S. takes a more fragmented and security-driven approach. Without a unified data protection law or representative requirement, its offshore data controls focus on restricting sensitive data flows to foreign jurisdictions, balanced by broad exemptions for key industries.

For companies engaging with Chinese users under an offshore model, it is essential to monitor regulatory developments closely, assess whether the PIPL may apply extraterritorially, and begin preparing for potential compliance obligations—especially with regard to the requirement to appoint a local representative if the PIPL applies.


[1] See https://www.krcl.com/insights/doing-business-in-california-the-california-privacy-rights-act-is-coming

[2] See https://www.termsfeed.com/blog/eu-us-privacy-laws-foreign-businesses/
