A little-noticed case at the German court in Düsseldorf could spell trouble for Huawei’s global operations.
The Chinese telecoms giant has been under fire from Western security officials for more than a year over concerns that it poses a cybersecurity threat to Europe and the United States.
But a court case filed by one of Huawei’s former managers at its European headquarters in Düsseldorf takes aim at another pitfall for the company: its respect for European privacy rules.
Specifically, it opens up questions about whether Huawei is putting data at risk of slipping into the hands of Chinese state surveillance and intelligence operations. It also raises questions about whether Europe will sharpen its tone with China on sensitive data privacy matters — after years of focusing its ire on Silicon Valley’s giants and U.S. state surveillance.
A judge ruled March 5 that Huawei was in breach of European privacy law when it failed to comply with the former manager’s request to view the data the company had kept on him.
The labor court ruled that Huawei has to provide the categories of data it had kept on him in the past and the purposes for which it had kept the data. The firm also failed to respect mandatory deadlines to respond to the request, the judge found, slapping it with a minor fee of €5,000.
“I simply asked them to tell me what data they had, what they had deleted, when they had deleted it and what data they still had on file,” the former manager told POLITICO.
But Huawei said in the proceedings that it could not give him the requested information because it had deleted it.
“It’s a joke,” the former manager said.
The plaintiff spoke to POLITICO on condition that he would not be named, citing concerns for the safety of his family and himself. But he agreed to be identified as a man in his sixties who worked for Huawei in a managerial position from the early 2010s until 2018.
The former manager left the company in 2018 against his will. “This is also why I went to court,” he said, adding he also filed an earlier legal challenge claiming harassment by his former employer and saying the company pushed him out of his job in a case of age discrimination.
Huawei declined several requests to comment on the court case and on how it manages its data, saying the case is ongoing.
When the EU’s General Data Protection Regulation took effect in May 2018, the former manager immediately triggered a data subject request, a new right under the law that allows employees to ask a company to disclose and delete the data it holds on them.
“Since this was a Chinese company, I’d better know what they had done with my data,” he said.
When Huawei did not respond to the request, he filed a lawsuit in November 2018 to pressure it to release the information.
In court, the Chinese firm argued it had deleted most of the data it kept on the former manager.
The former manager has since lodged an appeal against that decision because he is seeking financial compensation and wants more detail on how Huawei handled his data.
“I want to get the information about what happened with my data,” he said.
Both parties are now preparing for the court’s upcoming appeals procedure.
China enters EU’s privacy fray
The court case, first reported in WirtschaftsWoche, opens up uncomfortable questions for Huawei as well as for European data protection officials.
The company beefed up privacy protections in the run-up to Europe’s General Data Protection Regulation, a key law that increased requirements for companies to protect data. On its website, the company said it “complies with applicable privacy laws globally including GDPR” and that it has a number of mechanisms in place to safeguard user and employee privacy.
The company said on its website it may transfer personal data outside Europe under legal mechanisms provided by the GDPR.
The German court ruling showed Huawei had transferred the former manager’s data to its headquarters in China using “standard contractual clauses” — legal snippets that impose liability on a company when it transfers data to China, Malaysia and most other countries across the world.
And yet, the company’s legal protections are hardly comforting to those who fear the Chinese state’s surveillance.
Concerns over China and privacy have peaked since 2018, when European governments started discussing the security of 5G networks and several officials in Europe called out Chinese vendors for having “legal backdoors” — meaning they were subject to legal requirements to grant Chinese state authorities access.
Of specific concern is a 2017 intelligence law that obliges companies to “support, assist and cooperate with state intelligence services in accordance with the law, and maintain secret all knowledge on the national intelligence services.” Another is China’s cybersecurity law, which contains similar requirements.
Huawei has repeatedly said it wouldn’t comply with such requirements.
China’s surveillance laws were passed just as Chinese tech giants started gaining market share worldwide. Cloud and e-commerce giant Alibaba, video-sharing platform TikTok’s parent firm ByteDance, software-maker Tencent and others are taking the global market by storm.
Like Huawei, these firms often use standard contractual clauses to transfer user data outside Europe.
While the clauses do impose liability, they don’t come with checks or audits and leave it largely up to clients and consumers to challenge whether the data flows violate their privacy.
“Standard contractual clauses impose accountability, but there are no prior checks by data protection authorities. The system is based on companies’ decisions [and] the safeguard that a data protection authority can step in if there is a problem, including following an individual complaint,” a Commission official said, asking not to be named because the official wasn’t authorized to speak on the record.
“So far a lot of scrutiny has gone to U.S. firms. But these issues [of privacy protections] will become more relevant with Chinese firms too as they expand their presence on foreign markets,” the official said.
The success of Chinese tech firms like Huawei in Europe, together with a lack of scrutiny of their privacy standards, has policymakers concerned that the EU’s legislation is failing to properly protect Europeans’ privacy.
In past years, Europe has beefed up protections with countries including the United States and Japan through so-called adequacy decisions allowing for easier data transfers for companies. These deals also meant the EU could push counterparts to increase privacy oversight and redress, for instance by pushing the U.S. to trim down its pervasive surveillance laws.
In the case of data flows to China, however, the EU understands that’s a nonstarter: The Commission has ruled out closing an adequacy deal with China.
“There is no adequacy decision with China and there has never been a request for an adequacy decision from the Chinese government. For obvious reasons China currently wouldn’t be able to benefit from an adequacy decision either,” the Commission official said, adding the EU does discuss privacy in regular diplomatic talks on digital and human rights issues.
The European Commission is reviewing its standard contractual clauses mechanism. Europe’s highest court is also coming out with a ruling mid-July in a key court case that could strike down the mechanism entirely if judges find it doesn’t properly protect the privacy of European data abroad.
Vincent Manancourt contributed reporting.