Yang Xiong, Manager of Risk and Regulatory Services at PwC China: Compliance of data and new technologies has become an "existence question" | 2025 Going Global Conference
On July 25th, guided by the Department of Commerce of Zhejiang Province, the Secretariat of the China Cooperation Center for Special Economic Zones of BRICS Countries, the Hangzhou Bureau of Commerce, and the Qiantang District Bureau of Commerce, and jointly hosted by 36Kr and Qiantang Construction Group, the 2025 "From 'Ingenuity' to the 'World'" Overseas Expansion Conference will grandly kick off at the Grand Mercure Hangzhou Qiantang. As a brand-new IP event created by 36Kr focusing on the fields of globalization and overseas expansion, the conference will set up a main venue and a sub-venue, the "Invest in BRICS" - Country Cooperation Matching Meeting. The main venue of the conference will be divided into two major chapters: "Finding Certainty in Uncertainty" and "Doing Business Globally", focusing on popular overseas expansion fields such as consumption, technology, e-commerce, finance, and new energy. It will cover more than 10 keynote speeches, 5 round-table discussions, and the release of the East Forward 2025 Overseas Globalization Innovation List, decoding the certain logic of the coordinated growth of "product-technology-ecosystem" and providing a referable global development path for enterprises to break through the fog of globalization and build sustainable overseas expansion capabilities.
On that day, Yang Xiong, a risk and regulatory business manager at PwC China, will give a talk on "High-risk Areas for Chinese Enterprises' Overseas Expansion and One-stop Overseas Compliance Operations".
The following is the content of Yang Xiong's speech, edited by 36Kr:
Good afternoon, dear guests! When it comes to PwC, you may first think of fiscal and tax services, but actually our consulting business also has a wide coverage. The risk and regulatory team I'm in is an important part of it.
In previous years, our core business was to help foreign-funded enterprises enter China and deal with local regulatory challenges. After the pandemic, more and more Chinese enterprises have shifted from "going in" to "going up" - expanding their influence overseas, increasing investment and local-level construction, which has also shifted our work focus to "assisting Chinese enterprises in overseas expansion". Currently, 80% - 90% of our clients are overseas-expanding enterprises in fields such as trendy toys, tea drinks, intelligent manufacturing, and new energy vehicle manufacturers. We have deeply felt the compliance and risk challenges they face in the process of globalization.
Today, I'd like to focus on the compliance risks of data and new technologies and talk about how enterprises should respond to them in overseas expansion with practical cases.
I. Tightening Global Regulations: Data and New Technologies Become the "First Threshold" for Overseas Expansion
After the EU's GDPR came into effect in 2018, more than 80% of countries around the world have introduced data and security protection regulations. China has the "Personal Information Protection Law" and the "Data Security Law", and the United States, Brazil, and Southeast Asian countries also have their own regulatory requirements. Behind this "global legislative wave" is the consensus among countries on the strategic value of data: data is not only the core of technological innovation but also an important support for national development and people's well-being.
For enterprises, this means they must answer a key question during overseas expansion: Can data flow freely when operating in multiple countries? For example, can the Chinese headquarters collect the operation data, user information, and product data of overseas subsidiaries? The answer depends on local regulations:
The EU has set strict "adequacy assessments" for "data outbound transfer". Non-EEA or non-white-listed countries need to pass a cross-border data risk assessment to receive data;
The executive order issued by the United States in April this year for the first time restricted data transactions of specific data types from specific countries. Violations may result in criminal liability (including imprisonment);
The data compliance legislation in Southeast Asia and South America is gradually improving, and detailed requirements for the application of new technologies such as artificial intelligence have also been successively issued.
This "regional difference" requires enterprises to formulate differentiated compliance strategies according to the legislative models and political characteristics of different markets. Otherwise, the ineffective return of data will affect the headquarters' overall planning of global business, and illegal data transmission may lead to sky-high fines or even business suspension.
II. New Technology Regulations: "Compliance Minefields" from Artificial Intelligence to Daily Applications
In addition to data, the regulatory differences in new technologies are even more worthy of attention. China has strict requirements for artificial intelligence, such as algorithm filing and large-model filing, while the regulatory logics of other countries have different focuses. There are both "full-category regulations" covering generative and non-generative AI and "precise control" targeting specific technologies such as OCR and face recognition.
Take a specific example: Can fingerprint attendance and face-recognition attendance, which are common in China, be directly replicated in overseas factories? The answer is "it depends on the country":
The EU's "Artificial Intelligence Act" classifies face recognition as a "high-risk technology" and requires enterprises to prove its "necessity" and "safety";
Some states in the United States (such as Illinois) have special licensing requirements for the collection of biometric data. Violations may lead to class-action lawsuits;
Brazil has proposed an "Artificial Intelligence Act" based on safeguarding citizens' rights, promoting technological innovation, and ensuring the safe use of AI. Currently, this law has passed the review of the Senate.
It can be seen that whether in developed markets or emerging markets, new technology regulations may become the "first threshold" for enterprises to enter.
III. The US Market: "New Rules" for Data Flow under Geopolitics
North America, as an important destination for Chinese enterprises' overseas expansion, has recently witnessed regulatory changes that are particularly worthy of attention. Under the new executive order of the Biden administration, the United States has shifted from "free data flow" to "selective restrictions" - setting obstacles to the cross-border transmission of specific data types (such as sensitive personal information and technology R&D data) from specific countries.
This has the greatest impact on three types of enterprises:
E-commerce platforms: The storage and cross-border access of user data need to meet the requirements of "data localization";
Connected device manufacturers: The operation data generated by devices may be classified as "sensitive information", and outbound transfer requires approval;
Technology service enterprises: In technological cooperation with US enterprises, data sharing may trigger national security reviews.
What's more serious is that the consequences of violations are not only fines but may also involve criminal liability. This is why not only US-funded enterprises but also leading Chinese enterprises are strengthening their research on US data regulations - geopolitics has become a variable that cannot be ignored in data compliance.
IV. Response Strategies: A "Full-Process Solution" from Data Sorting to Global Control
Based on our experience in serving many Chinese enterprises, we have summarized a set of "full-process compliance methodology", with the core including four dimensions:
Full-link Data Sorting
The prerequisite for compliance is to clarify "what data there is". Employee information, supplier data, sales data, user privacy, etc., all need to be included in the sorting scope. At the same time, whether the systems carrying data (such as ERP and CRM) and the underlying infrastructure (servers, cloud services) meet local requirements is also fundamental.
Phased and Scenario-based Responses
Enterprises often operate in multiple overseas markets simultaneously and cannot "solve all problems at once". They need to respond in a graded manner according to the business model (office, trading company, factory) and local regulatory intensity:
In markets with strict regulations (such as the EU and the United States), prioritize solving the localization storage and outbound approval of core data;
In emerging markets (such as Southeast Asia), focus on the emergency response mechanism for data breaches (such as 24-hour / 72-hour notification requirements).
Adaptation of Infrastructure and Technology Stack
The layout of data centers needs to balance "regulatory requirements, business needs, and geopolitical risks":
Due to tightened policies in the United States, it is more difficult to transfer data back. It is necessary to consider establishing independent data centers locally;
The EU requires "data sovereignty". It is recommended to adopt a regional-level data aggregation model (such as a European data center serving all European businesses);
The selection of the technology stack also needs to be localized. Some countries have restrictions on Chinese technologies (such as specific cloud services and algorithm models), and alternative solutions need to be evaluated in advance.
Establish a Global Data Sharing Control Mechanism
The data interaction with third parties (suppliers, partners) is a high-risk link and needs to be prevented and controlled through three major measures:
Sign standardized data processing agreements to clarify rights, responsibilities, and liability-for-breach clauses;
Establish a data encryption and access permission management system to reduce the risk of internal data breaches;
Develop an emergency response plan to ensure that regulatory notifications can be completed within the legal time limit after a data breach.
V. PwC's Global Support Network
To better serve Chinese enterprises' overseas expansion, we have set up "China Business Service Centers" in 50 countries around the world, sending Chinese experts to stay in local areas. Whether in mature markets such as North America and Europe or emerging markets such as Africa and South America, local teams can provide services with "no language barriers and optimized costs", helping enterprises connect with resources and deal with sudden compliance issues.
From risk assessment and compliance system establishment before overseas expansion, to real-time regulatory tracking during overseas expansion, and to dispute resolution after overseas expansion, we can provide end-to-end support. If you have specific needs, please feel free to communicate with us after the meeting.
Finally, I'd like to emphasize that in today's era when globalization has entered the "deep-water zone", the compliance of data and new technologies is no longer an "optional question" but a "survival question". Only by establishing a systematic risk awareness and response ability can enterprises achieve stable and long-term development in overseas markets.
Thank you all!