Since ChatGPT's debut and the rise of DeepSeek for deep reasoning, generative AI tools has become essential for business operations. More and more companies are increasingly embracing AI, albeit cautiously, by permitting workplace use, purchasing enterprise AI subscriptions and creating corporate AI accounts for employees, with the aim of bringing employee AI usage under corporate risk management. When European multinationals, particularly their Chinese subsidiaries, permit employees to use China-based generative AI tools like DeepSeek, Kimi, or Doubao, what legal regimes might apply? This article examines the legal landscapes both in China and the EU from two lenses: AI governance and personal data protection. It addresses a pressing concern for such businesses: which Chinese/EU regulations apply, and how extensive are the compliance obligations? Regarding the AI governance aspect, please read “Legal Considerations for EU Businesses Using China-Based AI Services (Part I: AI Governance)”

Since ChatGPT's debut and the rise of DeepSeek for deep reasoning, generative AI tools has become essential for business operations. More and more companies are increasingly embracing AI, albeit cautiously, by permitting workplace use, purchasing enterprise AI subscriptions and creating corporate AI accounts for employees, with the aim of bringing employee AI usage under corporate risk management. When European multinationals, particularly their Chinese subsidiaries, permit employees to use China-based generative AI tools like DeepSeek, Kimi, or Doubao, what legal regimes might apply? This article examines the legal landscapes both in China and the EU from two lenses: AI governance and personal data protection. It addresses a pressing concern for such businesses: which Chinese/EU regulations apply, and how extensive are the compliance obligations?

Since the implementation of the Personal Information Protection Law of the People’s Republic of China and its supporting regulations, a growing number of multinational enterprises have focused on the compliance of cross-border data transfers. Under the applicable laws, when a personal information processor provides personal information overseas, unless an exemption applies, it must follow one of the following three statutory pathways to ensure lawful and compliant data transfers: passing a security assessment organized by the Cyberspace Administration, obtaining personal information protection certification, or completing the cross-border data transfer standard contract filing.