Comparative study on the legal regulation of a cross-border flow of personal data and its inspiration to China

• Author: Zheng Weiwei
• Position: Ph.D. in International Law, School of Law, Jilin University, Changchun, China
• Pages: 280-312

FRONTIERS OF LAW IN CHINA

VOL. 15 SEPTEMBER 2020 NO. 3

DOI 10.3868/s050-009-020-0017-0

FOCUS

RESEARCH ON THE MAJOR ISSUES OF DATA FLOW AND INFORMATION PRIVACY

PROTECTION: A GLOBAL WATC H FR OM A CHINESE PERSPECTIVE

COMPARATIVE STUDY ON THE LEGAL REGULATION OF A CROSS-BORDER FLOW

OF PERSONAL DATA AND ITS INSPIRATION TO CHINA

ZHENG Weiwei*

Abstract In the context of today’s big data and cloud computing, the global flow of

data has become a powerful driver for international economic and investment growth.

The EU and the U.S. have created two different paths for the legal regulation of the

cross-border flow of personal data due to their respective historical traditions and

realistic demands. The requirements for data protection have shown significant

differences. The EU advocates localization of data and firmly restricts cross-border flow

of personal data. The U.S. tends to protect personal data through industry self-regulation

and government law enforcement. At the same time, these two paths also merge and

supplement with each other. Based on this, China needs to learn from the legal

regulatory paths of the EU and the US, respectively, to establish a legal idea that places

equal emphasis on personal data protection and the development of the information

industry. In terms of domestic law, the Cybersecurity Law of the People’s Republic of

China needs to be improved and supplemented by relevant supporting legislation to

improve the operability of the law; the industry self-discipline guidelines should be

established; and various types of cross-border data need to be classified and supervised.

In terms of international law, it is necessary to participate in international cooperation

based on the priority of data sovereignty and promote the signing of bilateral,

multilateral agreements, and international treaties on the cross-border flow of personal

data.

Keywords cross-border flow, personal data, legal regulation, data sovereignty, industry

self-regulation, key information infrastructure

* ZHENG Weiwei (郑维炜), Ph.D. in International Law, School of Law, Jilin University, Changchun, China;

Associate Professor, School of Law, Renmin University of China; Research Fellow, Law and Technology

Institute, Renmin University of China; Director, Center for Cross-Border Data Transfer and Online Dispute

Resolution, Renmin University of China, Beijing 100872, China. Contact: smileweiwei1014@sina.com

This article is supported by Law and Technology Institute, Renmin University of China. All mistakes and

omissions are the responsibility of the author.

2020] COMPARATIVE STUDY ON THE LEGAL REGULATION OF A CROSS-BORDER FLOW OF PERSONAL DATA 281

INTRODUCTION .................................................................................................................... 282

I. ANALYSIS OF THE CAUSES OF DATA SOVEREIGNTY CONFLICTS IN THE

CROSS-BORDER FLOW OF PERSONAL DATA............................................................ 283

A. The Challenge of the Cross-Border Flow of Personal Data to the Concept of

National Sovereignty......................................................................................... 283

1. Legality of Data Sovereignty......................................................................... 284

2. Redefinition of Data Sovereignty.................................................................. 286

B. Cross-Border Data Flow and Data Sovereignty Boundary Issues:

Jurisdiction ....................................................................................................... 287

C. Lack of International Regulation on Cross-Border Data Flow......................... 289

II. AN ANALYSIS OF THE LEGISLATIVE STATUS OF CROSS-BORDER DATA FLOW: A

CHINESE LAW PERSPECTIVE ................................................................................... 290

A. Three Stages of Legislation for Cross-Border Data Flow................................. 290

1. Decentralized Legislative Stage: Before the Promulgation of the

Cybersecurity Law ........................................................................................ 290

2. Regulatory Legislative Stage: Promulgation of the Cybersecurity Law ........291

3. Elaborate Legislative Stage: Supporting Measures for the Cybersecurity

Law ................................................................................................................ 292

B. Comment on the Status of Legislation............................................................... 294

III. COMPARATIVE STUDY ON THE LEGAL REGULATIONS OF CROSS-BORDER FLOWS OF

PERSONAL DATA IN THE EU AND THE US............................................................. 296

A. Legislative Value Orientation ............................................................................ 296

B. The Path of Legal Regulation............................................................................ 297

1. EU Legal Texts.............................................................................................. 297

2. U.S. Industry Self-Regulation........................................................................ 300

3. U.S.-EU Safe Harbor Framework.................................................................. 301

4. U.S.-EU Privacy Shield Framework.............................................................. 302

5. U.S.-Led Cross Border Privacy Rules Accountability System...................... 303

C. Summary ........................................................................................................... 304

IV. SUGGESTIONS FOR IMPROVING THE LEGAL REGULATION OF CROSS-BORDER DATA

FLOW IN CHINA..................................................................................................... 306

A. The Necessity to Improve the Legal Regulation of Cross-Border Data Flow in

China ................................................................................................................ 306

B. Improving the Cybersecurity Law and Supplementing It with Relevant Supporting

Legislation ........................................................................................................ 307

C. Establishing Personal Data Self-Regulatory Guidelines .................................. 308

D. Participating in International Cooperation Based on Data Sovereignty

Priority.............................................................................................................. 309

CONCLUSION........................................................................................................................ 311

282 FRONTIERS OF LAW IN CHINA [Vol. 15: 280

INTRODUCTION

With the continuous and in-depth development of the Internet and expansion of

economic globalization, the role of “personal data”1 in society has become increasingly

important. Beginning in the 1960s and 1970s, the “cross-border flow of personal data”2

has become the main generator of global economic and investment growth. The report

“Digital Globalization: The New Era of Global Flows” released by the McKinsey Global

Institute states that the main growth of the global economy has shifted from cross-border

trade and investment to data flow, which not only accelerates the globalization of goods,

services, capital, and talent, but also deepens the degree of globalization.3 Generally

speaking, the cross-border flow of personal data can be divided into two types according

to the different forms of flow: One is that personal data are stored and used in other

countries across geographic boundaries; the other is that personal data do not cross

geographical boundaries but are accessed by other countries across borders. It is worth

noting that the “flow” of the cross-border flow of personal data does not actually cover all

“the act of processing and storing personal data in computers across geographical

borders,” because the technical background of the cross-border data flow determines that

1 See Art. 4, para. 1 of the 2016 General Data Protection Regulation (GDPR). Art. 2 of the 1995 EU Data

Protection Directive states: “‘personal data’ shall mean any information relating to an identified or

identifiable natural person (‘data subject’).” The GDPR follows the definition of the EU Data Protection

Directive in the definition of personal data. Art. 4, para. 1 states: “‘personal data’ means any information

relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one

who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an

identification number, location data, an online identifier or to one or more factors specific to the physical,

physiological, genetic, mental, economic, cultural or social identity of that natural person.” In general,

whether data are “identifiable” is the key criterion for distinguishing personal data from non-personal data,

which can be identified either independently or in combination with other data. Separate identifiability is a

kind of direct identification, according to the information reflected in the data, can locate specific individuals;

however, the identifiability after combining other data is a kind of indirect identification. Specific individuals

cannot be identified according to the data itself, and they will be able to be identified after combining other

data. See Viktor Mayer-Schönberger & Kenneth Cukier, 大数据时代: 生活、工作与思维的大变革 (Big Data:

A Revolution That Will Transform How We Live, Work, and Think), translated by SHENG Yangyan & ZHOU

Tao, Zhejiang People’s Publishing House (Hangzhou), at 64 (2012). See CHENG Xiao, 论大数据时代的个人

数据权利 (On Personal Data Rights in the Era of Big Data), 3 中国社会科学 (Social Sciences in China), 107

(2018).

2 The concept of cross-border flow of personal data was first introduced in the OECD Guidelines on the

Protection of Privacy and Transborder Flows of Personal Data (1980). The Guidelines define the cross-border

flow of personal data as “movements of personal data across national borders.” At the same time, it is also

regarded as an important program for the protection of personal data, which is divided into “basic principles

of national application” and “basic principles of international application.” This paper makes

recommendations on basic principles for the cross-border flow of personal data from the perspectives of

domestic law and international law.

3 LIU Zegang, 过度互联时代被遗忘权保护与自由的代价 (The Protection of the Right to Be Forgotten and

the Cost of Freedom in the Age of Excessive Interconnection), 33(1) 当代法学 (Contemporary Law Review),

91 (2019). See ZHANG Heng, 跨境数据流动的国际形势和中国路径 (The International Situation of

Cross-Border Data Flows and China’s Path), 12 信息安全与通信保密 (Information Security and

Communications Privacy), 21 (2018).