Big Data and China’s new regulations

Prof. Dr Rogi­er Creemers

Chi­na has recent­ly passed new data pro­tec­tion laws in 2021 and issued its com­pre­hen­sive data pro­tec­tion law, the Per­son­al Infor­ma­tion Pro­tec­tion Law (“PIPL”), on August 20, 2021. Com­pa­nies who have busi­ness­es in Chi­na, regard­less of hav­ing an estab­lish­ment in Chi­na or not, should be aware of the com­pli­ance risks.

In her lat­est Duet inter­view with Chi­na Expert Prof. Dr Rogi­er Creemers, Dr Cal­daro­la, author of Big Data and Law, con­sid­ers China’s new reg­u­la­tions with regard to data pro­tec­tion and cyber security.

Before begin­ning with more detailed ques­tions, could you please pro­vide our read­ers with a short intro­duc­tion to the laws regard­ing China’s data pro­tec­tion and cyber secu­ri­ty reg­u­la­tions1?

Prof. Dr Rogi­er Creemers: Until about the mid-2010s, cyber secu­ri­ty was not real­ly an inte­grat­ed con­cept in Chi­na. There were dif­fer­ent bureau­cra­cies and dif­fer­ent admin­is­tra­tions- each pur­su­ing their own secu­ri­ty-relat­ed con­cerns. So, for this rea­son, the Min­istry of Indus­try and Infor­ma­tion Tech­nol­o­gy (MIIT) was there to deal with these issues and still exists today. They were real­ly look­ing at things like com­put­er virus­es. But oth­er con­tent-con­trol­ling author­i­ties also exist­ed and exist who were look­ing at the top­ic from a more Russ­ian-inspired ver­sion of infor­ma­tion security.

It is impor­tant to remem­ber that Chi­na was only slow­ly digi­tis­ing itself- a late­com­er to the dig­i­tal world in many ways as a devel­op­ing coun­try. And what hap­pened around that time was a num­ber of devel­op­ments took place which coin­cid­ed with the idea that data pro­tec­tion and cyber secu­ri­ty need­ed to be tak­en more seri­ous­ly and need­ed to be bet­ter inte­grat­ed. And part of these devel­op­ments were tech­no­log­i­cal evo­lu­tions: The smart phone arrived, and Chi­nese com­pa­nies start­ed mak­ing inex­pen­sive smart phones which many Chi­nese peo­ple could afford. Accord­ing to the lat­est fig­ures, Chi­na has up to a bil­lion peo­ple con­nect­ed around Chi­na and they are main­ly con­nect­ed to the inter­net using their mobile devices. So that was the point where most Chi­nese had smart phones which, in turn, led to the emer­gence of a num­ber of giant online com­pa­nies. That was a time where a lot more data was being gen­er­at­ed and IT became much more relevant.

Not sur­pris­ing­ly, that was also when data theft began to emerge. Chi­na had peo­ple, for exam­ple, who worked in a local depart­ment for motor vehi­cles and were sell­ing infor­ma­tion that belonged to car own­ers. There were cas­es where peo­ple were try­ing to get data bases of tele­phone num­bers in order to engage in mobile phone-based fraud or try­ing to swin­dle peo­ple out of their mon­ey. There were a cou­ple of famous cas­es, such as the case of a young school­girl who was swin­dled out of her col­lege mon­ey by these kinds of tele­phone scams and then com­mit­ted sui­cide. And that case served as a start­ing point.

But there were also for­eign con­cerns: That was the time when there were the Snow­den rev­e­la­tions. That served as a cat­a­lyst for con­cerns in Chi­na about the risk posed by the Unit­ed States- mean­ing what the US might under­take to derail Chi­nese progress.

So, for all of these rea­sons, cyber secu­ri­ty took on a new impor­tance lead­ing to Chi­na cre­at­ing a new cen­tral coor­di­nat­ing body in 2014: the Cen­tral Lead­ing Group for Cyber­se­cu­ri­ty and Infor­ma­ti­sa­tion which was chaired by Xi Jin­ping per­son­al­ly. The cre­ation of this new body meant the cen­tral com­mis­sion for cyber­se­cu­ri­ty and infor­ma­ti­sa­tion was being upgraded. 

Con­se­quent­ly, one can observe a move­ment towards greater leg­is­la­tion lead­ing to the pub­li­ca­tion of a cyber secu­ri­ty law in 2016. This law was real­ly sort of an omnibus that cre­at­ed man­dates – a whole ros­ter of spe­cif­ic reg­u­la­to­ry regimes. Two of them are relat­ed to data pro­tec­tion. One on per­son­al data and one on impor­tant data. The leg­is­la­tion of 2016 also became a man­date for online con­tent con­trol, because the Chi­nese gov­ern­ment clas­si­fied that as a risk fac­tor. There­fore, con­trol­ling con­tent is part of the Chi­nese def­i­n­i­tion of cyber secu­ri­ty. But it also includes the cyber inci­dence response or the social secu­ri­ty dis­clo­sure of dig­i­tal prod­ucts and ser­vices.  So, all these ele­ments are part of Chi­nese cyber security.

As I men­tioned above, cyber secu­ri­ty con­tains man­dates on per­son­al data pro­tec­tion and impor­tant data pro­tec­tion. How­ev­er, the pro­vi­sions of the law are quite vague. Vague­ness is some­thing that hap­pens quite often in Chi­nese leg­isla­tive doc­u­ments, which tend to be abstract and open-end­ed. So, Chi­na real­ly leaves it up to the indi­vid­ual min­istries to come up with more spe­cif­ic reg­u­la­tions with regard to what is pro­hib­it­ed and what is allowed and what is oblig­a­tory.

What one can observe since then is that there are essen­tial­ly two major reg­u­la­tors in the dig­i­tal sphere: the Cyber­space Admin­is­tra­tion of Chi­na (CAC) and the Min­istry of Pub­lic Secu­ri­ty which over­see Chi­nese domes­tic secu­ri­ty and police func­tions. Both reg­u­la­tors real­ly have not got­ten any­where when it comes to reg­u­lat­ing data pro­tec­tion. Part of the prob­lem was that these two admin­is­tra­tions do not see eye to eye at all. Anoth­er dif­fi­cul­ty is also that it is and was real­ly hard to reg­u­late some­thing that is devel­op­ing so quick­ly and where enor­mous inter­ests were at stake-both at the eco­nom­ic and social level.

And so, between 2016 – when the cyber secu­ri­ty law was pub­lished – and let’s say 2019 – 2020, there were sev­er­al draft reg­u­la­tions that were issued but none got adopt­ed or enforced. Con­se­quent­ly, the Chi­nese gov­ern­ment had begun recog­nis­ing that data is a domain requir­ing spe­cialised leg­is­la­tion. And from that point on, Chi­na start­ed draft­ing the two pieces of leg­is­la­tion that form the core of Chi­nese data pro­tec­tion regime until today: The PIPL and the Data Secu­ri­ty Law. They were draft­ed in tan­dem. Both came out ear­li­er in 2021 with­in a few months of each oth­er. And both are now in effect.

My opin­ion is:

“Data is now a fac­tor of pro­duc­tion just like land, cap­i­tal and labour. Being good Marx­ists, the Com­mu­nist Par­ty of Chi­na thus needs to con­trol and reg­u­late it”.

Prof. Dr Rogi­er Creemers

Is the con­cept of pri­va­cy and/or data pro­tec­tion the same for Europe and Chi­na? Or do dif­fer­ences only arise because the law reflects a dif­fer­ent con­cept of ethics and gov­er­nance model?

I think there are a cou­ple of very impor­tant dif­fer­ences. It begins with the word “pri­va­cy” itself. I think we can safe­ly say that here in Europe data pro­tec­tion and pri­va­cy tend to be over­lap­ping con­cepts, mean­ing that in Europe we see pri­va­cy as a fun­da­men­tal right, guar­an­teed to us con­sti­tu­tion­al­ly at EU lev­el. So Euro­pean res­i­dents have a fun­da­men­tal right to pri­va­cy towards any­one or any­thing. They have it towards each oth­er as pri­vate indi­vid­u­als, they have it towards com­pa­nies which might want to process per­son­al data and they have it with regard to the government.

Con­verse­ly, in Chi­na there are two dif­fer­ent ele­ments: The con­cept of a fun­da­men­tal right doesn’t exist with­in the Chi­nese legal order. So, if the con­cept of a fun­da­men­tal right doesn’t exist then the Chi­nese gov­ern­ment is bal­anc­ing com­pet­ing objec­tives in a glob­al­ly-ori­ent­ed man­ner with regard to the top­ic of data pro­tec­tion. Chi­na wants the dig­i­tal econ­o­my to grow but Chi­na also wants to ensure that peo­ple don’t get angry because their data is con­stant­ly being sold.

So, by analysing the new reg­u­la­tion regimes, one can see that author­i­ties have tried to dis­ag­gre­gate all the dif­fer­ent rela­tion­ships between the dif­fer­ent par­ties when per­son­al infor­ma­tion is involved and reg­u­late those dif­fer­ent rela­tion­ships in spe­cif­ic ways.

Anoth­er dif­fer­ence with regard to Chi­na is the word pri­va­cy itself. It is a term of art in law and means some­thing very spe­cif­ic. In Chi­nese law the word pri­va­cy refers to per­son­al infor­ma­tion about a pri­vate per­son that in some way might be embar­rass­ing or shame­ful for that per­son. This draws back on ear­li­er cul­tur­al notions that are very much asso­ci­at­ed with shame­ful or immoral ele­ments. For this rea­son, pri­va­cy is pro­tect­ed under the Chi­nese Civ­il Code view­ing an infringe­ment of pri­va­cy as a civ­il wrong­do­ing. The Chi­nese Civ­il Code refers to a par­tic­u­lar kind of infor­ma­tion – per­son­al infor­ma­tion about a per­son which that per­son does not want dis­closed because it is shame­ful. That can be naked pic­tures of that per­son, the inte­ri­or of his or her house or the track­ing of the person’s move­ments, but it needs to have a strong con­no­ta­tion of shame. Where­as what the PIPL tries to do is some­thing dif­fer­ent. And in Chi­na that isn’t regard­ed as pri­va­cy. Infor­ma­tion pro­tect­ed under the PIPL is grouped by the extent to which it can iden­ti­fy a per­son. The Chi­nese leg­is­la­tor has deter­mined that, for exam­ple, a person’s tele­phone num­ber is not in and of itself shame­ful because if it is divulged, that act would not be embar­rass­ing for that per­son. It is just a ran­dom sequence of num­bers. But it can be used to iden­ti­fy that per­son and cause that per­son par­tic­u­lar kinds of harm. So that is what the new leg­is­la­tion is focus­ing on.

The terms “pri­va­cy” and “data pro­tec­tion” (or “per­son­al infor­ma­tion”, as in the CSL) thus appear to have dif­fer­ent mean­ings. The term pri­va­cy seems to be a term of art used in civ­il law but not in pub­lic law, tar­get­ing pri­vate con­fi­den­tial infor­ma­tion that a data sub­ject could find shame­ful and expo­sure of which would harm sub­stan­tial­ly. Pri­va­cy seems, there­fore, to cov­er the rep­u­ta­tion and good name of a per­son. Data pro­tec­tion instead seems to focus on infor­ma­tion to iden­ti­fy a per­son, is busi­ness-relat­ed (for exam­ple, a person’s bank­ing infor­ma­tion) and would harm the person’s law­ful rights and inter­ests if mis­used. Only pri­va­cy seems to be men­tioned in China’s con­sti­tu­tion but not data pro­tec­tion. Is this a key dif­fer­ence to the GDPR? In fact, one or two things that bear men­tion­ing is that Chi­nese reg­u­la­to­ry author­i­ties seem to have looked at the GDPR as a source of inspi­ra­tion. What they did, in fact, was to take over all the key ter­mi­nol­o­gy, some key mech­a­nisms- but then decou­pled it from the Euro­pean pur­pose of pro­tec­tion as a legal fun­da­men­tal right. So, we have in the end sim­i­lar mech­a­nisms intro­duced into a Chi­nese legal order.

Reg­u­la­tions in Chi­na appear to look at dif­fer­ent con­stel­la­tions, such as the indi­vid­ual, busi­ness­es, and the role of gov­ern­men­tal insti­tu­tions. Why are these con­stel­la­tions han­dled dif­fer­ent­ly to Europe? Are there priv­i­leges for cer­tain groups?

Part of the prob­lem is that in Chi­na you have a core piece of leg­is­la­tion -but a lot of details are miss­ing. Fur­ther­more, since the PIPL just came into force in Novem­ber 2021, there are some draft reg­u­la­tions on the cards, but none has been passed so far. There­fore, the com­par­i­son with the GDPR is dif­fi­cult because the reg­u­la­to­ry frame­work is not yet com­plete, a process which is meant to hap­pen in about a year or so.

When we look at spe­cif­ic legal mech­a­nisms, the PIPL pro­vides very strong forms of pro­tec­tion, in some ways, and offers some forms of pro­tec­tion in ways that the GDPR does not nec­es­sar­i­ly have. There are strict rules regard­ing how reg­u­la­tions are to be imple­ment­ed, for exam­ple, which com­pa­nies must abide by when it comes to con­sent being required, or when a data con­troller has data from over a mil­lion users and/or has con­tacts abroad, then the data con­troller needs to go through a secu­ri­ty review if data is being export­ed abroad. These are forms that do not exist in the GDPR. At that same time, how­ev­er, there is a very broad mar­gin for what is allowed. There is a short sec­tion in the PIPL that per­tains to oblig­a­tions of gov­ern­ment bod­ies hold­ing data- and those gov­ern­ment bod­ies pret­ty much nev­er need to obtain con­sent for col­lect­ing data as long as they do it for the pur­pose of real­is­ing their statu­to­ry goals. And essen­tial­ly here is where the Chi­nese gov­ern­ment is try­ing to lay the ground­work for a fair­ly dif­fi­cult exer­cise by try­ing to dis­ag­gre­gate all these dif­fer­ent com­po­nents of the gov­ern­ment. I sup­pose we can expect to see dis­ci­pli­nary inter­nal reg­u­la­tions when deal­ing with these issues.

Ear­li­er, I men­tioned the exam­ple of the per­sons in the motor vehi­cle depart­ment who may have access to per­son­al data and sell it to car insur­ance com­pa­nies which is not some­thing that the Chi­nese gov­ern­ment wants to hap­pen. Sim­i­lar­ly, Chi­na does not want any­one in the admin­is­tra­tion hav­ing access to gov­ern­men­tal data who might be a pae­dophile using that access to do hor­ri­ble things to the tar­get of their stalk­ing. But, at the same time, Chi­na has these very pow­er­ful domes­tic secu­ri­ty forces that are try­ing to pre­vent all kinds of protests and sub­ver­sions. And obvi­ous­ly Chi­na does not want to cur­tail that kind of activ­i­ty being car­ried out by domes­tic secu­ri­ty forces. So, what we see hap­pen­ing is reg­u­la­tion in a very decen­tralised man­ner. In some cas­es, some dis­tinc­tion might be made between dif­fer­ent data con­trollers. And this is some­thing we are see­ing Chi­na work­ing on: Reg­u­la­tions that are not so dif­fer­ent to the Euro­pean Dig­i­tal Ser­vice Act and Dig­i­tal Mar­ket Act where large data con­trollers are going to come under greater scruti­ny and they are going to have greater oblig­a­tions than small­er ser­vice provider and gate-keepers.

The laws regard­ing cyber secu­ri­ty and data pro­tec­tion are vague­ly writ­ten- although they are meant to estab­lish objec­tives and man­dates for the gov­ern­ment. Which areas per­mit far-reach­ing inter­fer­ence on the part of the gov­ern­ment and how will this sort of activ­i­ty be eval­u­at­ed by west­ern coun­tries? Has this been estab­lished on pur­pose to give room for har­mon­i­sa­tion of data pro­tec­tion and pri­va­cy rules since data is cross­ing bor­ders as we speak by look­ing at the glob­al or inter­na­tion­al con­text? Or has it been draft­ed to give courts and oth­er author­i­ties more room for inter­pre­ta­tion and steering?

First of all, what we need to know about Chi­na is that courts play a min­i­mal role in inter­pret­ing or shap­ing the law. It is not like the Court of Jus­tice of the Euro­pean Union which inter­prets the law and then these inter­pre­ta­tions become author­i­ta­tive. Chi­nese courts apply the law with­out a strict rule of prece­dence. Obvi­ous­ly, there are attempts on the part of the judi­cia­ry sys­tem to ensure there is a degree of con­sis­ten­cy but a for­malised rule of prece­dence does not exist.

This means it will be up to the indi­vid­ual min­istries – and with regard to per­son­al infor­ma­tion pro­tec­tion most notably the Cyber­space Admin­is­tra­tion of Chi­na – to come up with rules.

And, already in terms of the drafts reg­u­la­tions, we can see a cou­ple of trends both at the spe­cif­ic lev­el where spe­cif­ic indus­tries are tar­get­ed and at the gen­er­al lev­el. Already in Novem­ber 2021, the CAC pub­lished a first draft on secu­ri­ty pro­tec­tion rules that were main­ly gen­er­al guide­lines which pro­vide a lot of detail ‑and are pret­ty harsh, for exam­ple, the com­pli­ance and report­ing require­ments. Again, Chi­nese com­pa­nies are pri­mar­i­ly being tar­get­ed which have for­eign list­ings, and the Chi­nese gov­ern­ment is always very con­cerned with regard to for­eign sources of pow­er or author­i­ty or loy­al­ty. For exam­ple, Chi­na does not like the Catholic Church because the Catholic Church would rather lis­ten to Rome than to Bei­jing. So, for all these rea­sons, Chi­na is mak­ing it much more dif­fi­cult for Chi­nese tech com­pa­nies to list on for­eign mar­kets where these com­pa­nies wish to raise funds.

At the same time, the Chi­nese gov­ern­ment is clear­ly try­ing to have its piece of cake and eat it too: On the one hand, it wants to strict­ly pro­tect its own domes­tic data sphere while, on the oth­er hand, Chi­na wants to enable the eco­nom­ic val­ue of data flows and wants to prof­it from those as well. And so, Chi­na has been very vocal about want­i­ng to be part of the dig­i­tal part­ner­ship arrange­ment which was con­clud­ed between New Zealand and Sin­ga­pore in Chile. I expect that at some point Chi­na will make over­tures to the EU essen­tial­ly say­ing: Look we have a Per­son­al Data Pro­tec­tion Law and look how sim­i­lar it is in so many ways to the GDPR and the Euro­pean Dig­i­tal Ser­vice Act and Dig­i­tal Mar­ket Act.

Obvi­ous­ly, there is a legal argu­ment there- but also a polit­i­cal one. The legal argu­ment is, in a way, very sim­ple: Does Chi­nese leg­is­la­tion meet the require­ments for ade­qua­cy that the EU has set? The polit­i­cal ele­ment involves the nego­ti­a­tions between the EU and the US and also ‑and one can imag­ine how dif­fi­cult those nego­ti­a­tions might be- between the EU and Chi­na. Giv­en the fact that any set­tle­ment needs to pass the Euro­pean Par­lia­ment and that the EU has already demon­strat­ed that they are very scep­ti­cal with regard to the US, I, in turn, would not ter­ri­bly opti­mistic regard­ing the polit­i­cal chances of a big data flow deal with Chi­na- par­tic­u­lar­ly giv­en cur­rent ten­sions after the year the EU has had with mutu­al sanc­tions and invest­ments essen­tial­ly being put on ice. For all these rea­sons, I do not think a set­tle­ment of this kind is going to hap­pen any time soon.

The one thing that com­pa­nies need to remem­ber is that the PIPL is only one half of Chi­nese data pro­tec­tion infra­struc­ture. The oth­er half is the Data Secu­ri­ty Law. And this is the ele­ment with which we are not very famil­iar. Any­one with some expo­sure to GDPR will be able to look at the PIPL and will feel they are on famil­iar ground. But, in fact, the Data Secu­ri­ty Law is some­thing dif­fer­ent: It is not about the pro­tec­tion of the indi­vid­ual aris­ing from par­tic­u­lar uses of data. The data secu­ri­ty law is about pro­tect­ing nation­al secu­ri­ty and pub­lic inter­ests from harm enabled by the use of any data, not just by the use of per­son­al infor­ma­tion – i.e., data stem­ming from indus­tri­al con­trol sys­tems or infra­struc­ture – real­ly just any kind of data that could have a bear­ing on nation­al secu­ri­ty and pub­lic inter­est. And so, when Chi­nese com­pa­nies plan their data pro­tec­tion strat­e­gy, they not only have to con­sid­er per­son­al infor­ma­tion, but need to con­sid­er a broad­er range.

If laws are vague­ly writ­ten, does Chi­na reach pre­ci­sion through imple­men­ta­tion, such as, of tech­ni­cal stan­dards? Can you give our read­ers more insights into under­stand­ing bet­ter the mech­a­nism involved?

Yes. So essen­tial­ly three lev­els of reg­u­la­tions exist in Chi­na- no, actu­al­ly four levels!

The top lev­el is leg­is­la­tion called a law which has been draft­ed and passed by the Nation­al People’s Con­gress. Like I said, these tend to be vague. In gen­er­al, the Nation­al People’s Con­gress sets prin­ci­ples and cre­ates puni­tive stan­dards and man­dates for admin­is­tra­tive bodies.

The sec­ond lev­el is the reg­u­la­to­ry lev­el and here reg­u­la­tions are issued by a min­istry or some­times by mul­ti­ple min­istries work­ing togeth­er. They will already con­tain a lot more detail.

The third lev­el involves tech­ni­cal stan­dards issued by a Tech­ni­cal Com­mit­tee called Tech­ni­cal Com­mit­tee 260 and this body issues stan­dards once the Cyber Secu­ri­ty Law had been passed. Many of them relate either to per­son­al infor­ma­tion pro­tec­tion or data secu­ri­ty. They will often con­tain a more spe­cif­ic def­i­n­i­tion of ter­mi­nol­o­gy or very spe­cif­ic frame­work. They might con­tain stan­dard con­trac­tu­al claus­es that the CAC refers to when it comes to data export. And that is where one finds a lot of details. The prob­lem is that there are so many of them! And we do not always have the resources to look through all of them in detail. So, this is where com­pa­nies oper­at­ing in Chi­na want to get input from local law firms who know what they are doing and who have gone through this enor­mous stack of paperwork.

And there is a fourth lev­el of reg­u­la­tion. And this fourth lev­el is one with which Euro­peans are not well acquaint­ed: It is called “self-reg­u­la­tion”. This comes from sec­tor asso­ci­a­tions which usu­al­ly work very close­ly with reg­u­la­to­ry author­i­ties and the Com­mu­nist Par­ty. They come up with sec­toral codes of con­duct. It’s not real­ly soft law or hard law, for that mat­ter, but some­where in the mid­dle. Those reg­u­la­tions con­tain clear state­ments of expec­ta­tions of how com­pa­nies should behave if they don’t want to get in trou­ble either with admin­is­tra­tive law enforce­ment or with courts. Many of those reg­u­la­tions are not for­mal­ly bind­ing in a legal sense.  How­ev­er, some of them are, while oth­ers are being incor­po­rat­ed into reg­u­la­tions. In any case, if you are ever deal­ing with a body of enforce­ment, such as admin­is­tra­tive reg­u­la­tors and courts, these bod­ies usu­al­ly view these stan­dards as best prac­tice or code of con­duct. So, when some­one wants to devi­ate from those stan­dards, he or she had bet­ter have a very good expla­na­tion for why he or she did so.

West­ern coun­tries talk about the three pow­ers and they talk about checks and bal­ances, so West­ern Coun­tries are talk­ing about a divi­sion of pow­er. Con­verse­ly, Chi­na talks about a divi­sion of labour. So, Chi­na doesn’t see the role of courts and min­istries as a leg­is­la­ture to check and bal­ance each oth­er. Rather, they see it as a more func­tion­al dif­fer­en­ti­a­tion of labour, where the leg­is­la­tion has cer­tain tasks, the min­istries have cer­tain oth­er tasks, and the courts have oth­er tasks. But those are not com­pet­i­tive. Rather, they are all sup­posed to work towards the same end in an, at least rhetor­i­cal­ly, har­mo­nious and coop­er­a­tive manner.

Prof. Creemers, thank you for shar­ing your insights in China’s new reg­u­la­tions with regard to data pro­tec­tion and cyber security

Thank you, Dr Cal­daro­la, and I look for­ward to read­ing your upcom­ing inter­views with recog­nised experts, delv­ing even deep­er into this fas­ci­nat­ing topic.

1 Trans­la­tion of the law can be found Trans­la­tion: Online Data Secu­ri­ty Man­age­ment Reg­u­la­tions (Draft for Com­ment) – Nov. 2021 (stan​ford​.edu)

About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Prof. Dr Rogier Creemers

Prof. Dr Rogier Creemers is Assistant Professor at the Leiden Institute for Area Studies (LIAS). His main fields of research interest are China's digital governance policies, as well as China's role in global Internet and cyber affairs. In 2018, he received an NWO Vidi grant for a project to study the development of a smart, IT-enabled state system in China, which is to be executed between 2019 and 2024. With support from the Dutch Ministry of Foreign Affairs and the Leiden Asia Centre, Professor Creemers is also developing a project on China's international activities in cyberspace. Dr Creemers is a co-founder of New America's DigiChina project and a regular commentator on related issues in international media. He teaches courses on Chinese law, development and innovation, as well as China in global cyberspace.
His academic research has been published in journals including the China Journal, the Journal of Contemporary China and DigiScape Digital Asia. This busy academic is also finalising a co-edited volume on the relationship between law and the Communist Party of China. Many of his papers are publicly available on SSRN.

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.