Journal:Cross-border data transfer regulation in China - Revision history

Shawndouglas: Moved completed code from live wiki to here.

2021-07-31T19:21:56Z

Moved completed code from live wiki to here.

Shawndouglas: Saving and adding more.

2021-07-19T23:49:13Z

Saving and adding more.

← Older revision		Revision as of 23:49, 19 July 2021
Line 92:		Line 92:

	CII is in essence a network facility, information system, digital asset, or a collection of such elements.<ref name="CreemersNational16">{{cite web \|url=https://chinacopyrightandmedia.wordpress.com/2016/12/27/national-cyberspace-security-strategy/ \|title=National Cyberspace Security Strategy \|author=Creemers, R. \|work=China Copyright and Media \|date=27 December 2016}}</ref><ref name="USPatriot">{{cite web \|url=https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf \|format=PDF \|title=Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001 \|author=107th Congress \|publisher=GPO \|date=26 October 2001}}</ref><ref name="BarrettFrame18">{{cite web \|url=https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11 \|title=Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 \|author=Barrett, M.P. \|publisher=NIST \|date=16 April 2018}}</ref> In the early stages of informatics, CII was considered a part of critical information (CI) systems that was scoped clearly. With the changing of the technical landscape, sources of risks are far beyond the scope of CI, such as the attacks coming from virtual entities, i.e., the information communication technology (ICT) or operational technology (OT) domain.{{Efn\|For example, some malware target industrial operational systems in electricity, gas, or chemical plants, while some cyber attacks target the control or tampering of information and data.}} At present, large-scale network destruction of CII is a high-risk yet low-probability incident, with very few examples of CII being damaged from cyber-attacks or data leakage able to be provided. Therefore, the assessment of security and risks of CII mainly rely on the experts in the domain, instead of evidence or case studies. This brought inconsistency in determining the scope of CII and eventually made it difficult to implement relevant policies. Generally, all ICT service providers fall within the scope of CII operators according to the laws, which is not efficient in the digital economic community.		CII is in essence a network facility, information system, digital asset, or a collection of such elements.<ref name="CreemersNational16">{{cite web \|url=https://chinacopyrightandmedia.wordpress.com/2016/12/27/national-cyberspace-security-strategy/ \|title=National Cyberspace Security Strategy \|author=Creemers, R. \|work=China Copyright and Media \|date=27 December 2016}}</ref><ref name="USPatriot">{{cite web \|url=https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf \|format=PDF \|title=Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001 \|author=107th Congress \|publisher=GPO \|date=26 October 2001}}</ref><ref name="BarrettFrame18">{{cite web \|url=https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11 \|title=Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 \|author=Barrett, M.P. \|publisher=NIST \|date=16 April 2018}}</ref> In the early stages of informatics, CII was considered a part of critical information (CI) systems that was scoped clearly. With the changing of the technical landscape, sources of risks are far beyond the scope of CI, such as the attacks coming from virtual entities, i.e., the information communication technology (ICT) or operational technology (OT) domain.{{Efn\|For example, some malware target industrial operational systems in electricity, gas, or chemical plants, while some cyber attacks target the control or tampering of information and data.}} At present, large-scale network destruction of CII is a high-risk yet low-probability incident, with very few examples of CII being damaged from cyber-attacks or data leakage able to be provided. Therefore, the assessment of security and risks of CII mainly rely on the experts in the domain, instead of evidence or case studies. This brought inconsistency in determining the scope of CII and eventually made it difficult to implement relevant policies. Generally, all ICT service providers fall within the scope of CII operators according to the laws, which is not efficient in the digital economic community.

			====Personal information protection====
			There is no chapter entitled “personal information protection” in the CSL, yet provisions related to the protection of personal information are scattered through this law. Chapter 4 on Network Information Security covered most of the personal information protection provisions. Most of the obligations are imposed upon network operators. Data subjects’ rights have been conferred passively through the legal obligations for network operators. For example, the network operator shall correct or delete information on the request of the data subject when the personal information are incorrect or wrongly processed.

			The structure comprises basic principles for processing personal information, legal grounds for processing personal information, and a non-exhaustive example list of prohibited conduct. Personal information can only be collected when the data subject is informed and agrees to the purpose and scope of the collection. The processing of personal information must follow basic principles listed in Articles 40, 41, 42, 47, and 49 of the CSL<ref name="CACCybersecurity17" />, which share substantive similarities with the APEC privacy framework. Consent is the only legal ground for processing of personal information.<ref name="CACCybersecurity17" /> This is to ensure that the data subject has sufficient autonomy to decide the way his or her personal data will be collected, processed and distributed. Such autonomy is endorsed by the sufficient informing requirement, meaning that only after data subject is informed of the purpose, scope, and means of processing of the personal data can he or she be capable of giving genuine consent. The network operator has to perform the information obligation before collecting the individual’s personal data.

			===Enforcement and authorities===
			The CSL’s provisions relating to data privacy formed the most comprehensive and broadly applicable set of privacy rules. It acts as an umbrella that covers a bundle of administrative regulations and numerous normative texts scattered across most of the industries. To date there is no independent authority for data protection. Multiple competent authorities or supervisory authorities are in charge of the implementation and enforcement of the rules.

			====Regulatory framework====
			Various types of documents have the force of law in China. Among all the legal instruments, the Constitution enjoys the highest primacy yet is rarely applied directly. The law made by the National People’s Congress or the Standing Committee of NPC has the highest legal effect in the respective regime, including the CSL.

			Administrative regulations are rules promulgated by the State Council. Its legal effect is lower than the laws of the NPC but higher than the Department rules. To date, two administrative regulations have been issued: the Regulation on Critical Information Infrastructure Security Protection and the Regulation on Cybersecurity Multi-level Protection Scheme. Additionally, sector-specific administrative regulations also affect China’s personal data export study, such as the Regulation on Computer Information Security Protection and the Regulation on Human Genetic Resources Information Management.

			Department rules are legal documents issued by the ministries and commissions under the State Council, along with other agencies with administrative functions directly under the State Council. The applicable scope is determined by the competence of the issuing government department. For example, the aforementioned Measures on Personal Information and Important Data Export Security Assessment is a department rule issued by the CAC. To date, around 30 department rules have been issued by various authorities in the field of security, data protection, and export.

			Judicial interpretations are the explanations to specific legal questions made by the State Supreme judicial institutions during the application of the laws. Both the Supreme People’s Court and the Supreme People’s Procuratorate have released interpretations relating to cases that infringe personal information.

			Standards (no legal effect) are mandatory or voluntary technical standards published by the Standardisation Association of China (SAC). In Cybersecurity and Data protection fields, the TC260 group under the SAC is responsible for a series of standards titled “Information Security Technology” that covers methodologies, definitions, or scopes of the norms. Within China, national standards play an important role in implementing laws and regulations. Despite the non-compulsory nature, they are better understood as a quasi-regulation rather than a technical specification typically presented in Western context. Since 2010, over 240 national standards in this field have been published. The necessity of such a large amount of technical standards being in force remains debatable, however.

			Additionally, local regulations are directly applied within the scope of the provinces, autonomous regions, and municipalities directly under the Central Government.

			====Competent authorities====
			Under the CSL, different parties are in charge of specific area of works. The State is required to (i) make cybersecurity strategies, (ii) clarify fundamental requirements and objectives of cybersecurity, and (iii) guide key areas of cybersecurity policies and measures. Additionally, the State shall adopt measures to guarantee the cyberspace free from attacks, interferences, and crimes. The network-related industrial associations shall provide guidance for entities’ self-regulation and promote the healthy development of the industries. The network operators are required to fulfill obligations addressed in the CSL and to uphold societal responsibilities.

			Respectively, the Congress is responsible for determining the scope of CII and key areas. The Cyberspace Administration of China, an administrative agency directly under the State Council, is in charge of the coordination and management of all cybersecurity related issues. The MIIT (Ministry of Industry and Information Technology of the People’s Republic of China) and MPS are responsible for supervising and managing affairs within the scope of their competence.<ref name="CACCybersecurity17" /> The SAC publishes national and sectorial technical standards.

			The CAC, also framed as an agency directly under the Chinese Communist Party, inherently carries a heavy stroke of political color. It is the most important supervisory authority of cybersecurity and directly reports to the State Council for managing internet information and content. It works independently from the Ministries of Information, Public Security, or Commerce. The CAC also leads the drafting of department rules implementing the CSL. Its branches at the provincial level are the main enforcement institutions that supervise, investigate, and impose administrative fines.

			====Enforcement====
			Enforcement of the CSL and related rules in China follows a typical bottom-up approach. Supervisory authorities have broad discretionary powers as well as the competence to impose administrative fines upon entities. Overlapping areas of jurisdictions often pop up among different authorities. The CAC is responsible for coordinating all issues that arise through the enforcement. Although not legally binding, the competent authorities often refer to the Information Security Technology standards when performing assessments or issuing certifications.

			The supervisory authorities have been actively performing their duties since 2015. Means of enforcement include communication with the operator, supervising the modification of business, or administrative fines and termination of the operation. A special operation targeting the illegal collecting and processing of personal information through mobile applications is jointly conducted by the CAC, MIIT, and SPS.

Shawndouglas: Saving and adding more.

2021-07-19T23:14:30Z

Saving and adding more.

← Older revision		Revision as of 23:14, 19 July 2021
Line 81:		Line 81:

	The MLPS was born from the demands of national computer system security in 1994 and thus falls under the competence scope of the Ministry of Public Security (MPS). After a series of developed administrative regulations, the updated draft of the Regulation on Cybersecurity Multi-level Protection Scheme was released in 2018. Together with a bundle of supplementary national technical standards, the so-called MLPS 2.0 framework of cybersecurity in China was finalized.{{Efn\|The three newly released national standards are: (1) GB/T 22239-2019 Information Security Technology-Basic Requirements for Multi-level Protection; (2) GB/T 25070-2019 Information Security Technology - Cybersecurity Multi-level Protection Security Design Technical Requirements; and (3) GB/T 28448-2019 Information Security Technology - Cybersecurity Multi-level Protection Assessment Requirements, which went into force on December 1, 2019. Another national standard titled GB/T 25058-2019 Information Security Technology - Implementation Guide for Cybersecurity Classified Protection came into effect on March 1, 2020.}} The MLPS Regulation as a supporting document of CSL’s Article 21 defines descriptive obligations and requirements for the network operators, which fall under different levels of MLPS. Eleven general obligations are listed to clearly allocate the liability and to set technical and organizational security measures. Specific obligations need to be met according to the level of the network operator’s activities that would affect the state and public security, scaled from 1 (the least risky) to 5 (the most risky).{{Efn\|For the description of the security levels, see Table 1, found in the section of this paper on "Data export regulations."}} After being classified via a self-assessment, network operators are required to deploy special security measures such as personnel management, dataset backup, and [[encryption]] to protect important data.		The MLPS was born from the demands of national computer system security in 1994 and thus falls under the competence scope of the Ministry of Public Security (MPS). After a series of developed administrative regulations, the updated draft of the Regulation on Cybersecurity Multi-level Protection Scheme was released in 2018. Together with a bundle of supplementary national technical standards, the so-called MLPS 2.0 framework of cybersecurity in China was finalized.{{Efn\|The three newly released national standards are: (1) GB/T 22239-2019 Information Security Technology-Basic Requirements for Multi-level Protection; (2) GB/T 25070-2019 Information Security Technology - Cybersecurity Multi-level Protection Security Design Technical Requirements; and (3) GB/T 28448-2019 Information Security Technology - Cybersecurity Multi-level Protection Assessment Requirements, which went into force on December 1, 2019. Another national standard titled GB/T 25058-2019 Information Security Technology - Implementation Guide for Cybersecurity Classified Protection came into effect on March 1, 2020.}} The MLPS Regulation as a supporting document of CSL’s Article 21 defines descriptive obligations and requirements for the network operators, which fall under different levels of MLPS. Eleven general obligations are listed to clearly allocate the liability and to set technical and organizational security measures. Specific obligations need to be met according to the level of the network operator’s activities that would affect the state and public security, scaled from 1 (the least risky) to 5 (the most risky).{{Efn\|For the description of the security levels, see Table 1, found in the section of this paper on "Data export regulations."}} After being classified via a self-assessment, network operators are required to deploy special security measures such as personnel management, dataset backup, and [[encryption]] to protect important data.

			Compliance with the MLPS 2.0 will be essential for understanding the personal data export regulation in China. This is true not only because such compliance is mandatory, but also becayse the second pillar of the CSL concerning critical information infrastructure protection is based on the classification within MLPS.

			====Critical information infrastructure====
			The consideration of critical information infrastructure (CII) is a major challenge in implementing China’s cybersecurity strategy and had been a recurring discussion at top-level national cybersecurity meetings. On the basis of the cybersecurity MLPS, the state implements key protections to CII which, “if destroyed, suffering a loss of function, or experiencing leakage of data, might seriously damage national security, social welfare, and public interests.”<ref name="CACCybersecurity17" /> A non-exhaustive example list (including public telecommunication and information service, energy, transportation, water resources, finance, public service, and e-governmental information) is given in Article 31 of the CSL<ref name="CACCybersecurity17" />, showing the broad scope of the application of the CII requirement. In principle, any network operators that are being graded above level III (including level III) under the MLPS shall be regarded as CII operators.

			CII operators must follow stricter security requirements due to the nature of the data being processed. More importantly, Article 37 of the CSL rules states that “critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China.”<ref name="CACCybersecurity17" />

			Transferring CII information outside of China is only allowed under exceptional circumstances where actual needs for business are in place and a security assessment is approved by competent authorities. Under the CSL, a CII operator is the only entity that is required to comply with the data localization policy and security assessment for cross-border data transfer. However, the definitions of CII and other key concepts such as important data remain unclear.

			CII is in essence a network facility, information system, digital asset, or a collection of such elements.<ref name="CreemersNational16">{{cite web \|url=https://chinacopyrightandmedia.wordpress.com/2016/12/27/national-cyberspace-security-strategy/ \|title=National Cyberspace Security Strategy \|author=Creemers, R. \|work=China Copyright and Media \|date=27 December 2016}}</ref><ref name="USPatriot">{{cite web \|url=https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf \|format=PDF \|title=Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001 \|author=107th Congress \|publisher=GPO \|date=26 October 2001}}</ref><ref name="BarrettFrame18">{{cite web \|url=https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11 \|title=Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 \|author=Barrett, M.P. \|publisher=NIST \|date=16 April 2018}}</ref> In the early stages of informatics, CII was considered a part of critical information (CI) systems that was scoped clearly. With the changing of the technical landscape, sources of risks are far beyond the scope of CI, such as the attacks coming from virtual entities, i.e., the information communication technology (ICT) or operational technology (OT) domain.{{Efn\|For example, some malware target industrial operational systems in electricity, gas, or chemical plants, while some cyber attacks target the control or tampering of information and data.}} At present, large-scale network destruction of CII is a high-risk yet low-probability incident, with very few examples of CII being damaged from cyber-attacks or data leakage able to be provided. Therefore, the assessment of security and risks of CII mainly rely on the experts in the domain, instead of evidence or case studies. This brought inconsistency in determining the scope of CII and eventually made it difficult to implement relevant policies. Generally, all ICT service providers fall within the scope of CII operators according to the laws, which is not efficient in the digital economic community.




Line 90:		Line 103:

	==Notes==		==Notes==
	This presentation is faithful to the original, with only a few minor changes to presentation, though grammar and word usage was substantially updated for improved readability. In some cases important information was missing from the references, and that information was added. The original lists citations and footnotes all together under "Notes"; this version split the two out and and lists them in order of appearance, by design. The original articles Note 11 does not at all verify the quoted statistics; a citation to support at least the 2018 statistic was found and used for this version. Another citation was found and added for this version to support the claim more than one trillion euros e-commerce at 37.6% total of imports and exports. The quote about defining personal information had no citation in the original; for this version, a source was found, with slightly altered English text, and used.		This presentation is faithful to the original, with only a few minor changes to presentation, though grammar and word usage was substantially updated for improved readability. In some cases important information was missing from the references, and that information was added. The original lists citations and footnotes all together under "Notes"; this version split the two out and and lists them in order of appearance, by design. The original articles Note 11 does not at all verify the quoted statistics; a citation to support at least the 2018 statistic was found and used for this version. Another citation was found and added for this version to support the claim more than one trillion euros e-commerce at 37.6% total of imports and exports. The quote about defining personal information had no citation in the original; for this version, a source was found, with slightly altered English text, and used. The citation for the Cybersecurity Law is added in multiple places for this version.

	<!--Place all category tags here-->		<!--Place all category tags here-->

Shawndouglas: Saving and adding more.

2021-07-19T22:28:36Z

Saving and adding more.

← Older revision		Revision as of 22:28, 19 July 2021
Line 77:		Line 77:
	The downside is, however, observable. It is not unusual that such generality and flexibility—and sometimes excessive omissions—can be found in the drafting of Chinese law. Coupled with a wide discretionary power conferred on lower-level competent authorities in order to implement the law, predictability and certainty of law are often compromised. Furthermore, in order to identify a complete set of independent objectives and to prioritize them, law makers are required to use clear concepts, logical foundations, and thought-provoking procedures.<ref name="KeeneyIdent13">{{cite journal \|title=Identifying, prioritizing, and using multiple objectives \|journal=EURO Journal on Decision Processes \|author=Keeny, R.L. \|volume=1 \|pages=45–67 \|year=2013 \|doi=10.1007/s40070-013-0002-9}}</ref> In China, most of the data protection rules were made in response to an existing problem. However, due to insufficient experience in data protection law making and “rent-seeking” among various authorities, one essential aspect that is missing is that of a unified value for the protection of personal information. It is not yet crystal clear in other jurisdictions, as technology and law in this regime are significantly interdependent. Without a clear value set ahead of time, multiple objectives would affect the fundamental principles as well as the conceptual framework of data protection. The immediate consequence has been the vague defining of rights and obligations for those involved stakeholders. This echoes the prior mentioned lack of legal predictability and certainty.		The downside is, however, observable. It is not unusual that such generality and flexibility—and sometimes excessive omissions—can be found in the drafting of Chinese law. Coupled with a wide discretionary power conferred on lower-level competent authorities in order to implement the law, predictability and certainty of law are often compromised. Furthermore, in order to identify a complete set of independent objectives and to prioritize them, law makers are required to use clear concepts, logical foundations, and thought-provoking procedures.<ref name="KeeneyIdent13">{{cite journal \|title=Identifying, prioritizing, and using multiple objectives \|journal=EURO Journal on Decision Processes \|author=Keeny, R.L. \|volume=1 \|pages=45–67 \|year=2013 \|doi=10.1007/s40070-013-0002-9}}</ref> In China, most of the data protection rules were made in response to an existing problem. However, due to insufficient experience in data protection law making and “rent-seeking” among various authorities, one essential aspect that is missing is that of a unified value for the protection of personal information. It is not yet crystal clear in other jurisdictions, as technology and law in this regime are significantly interdependent. Without a clear value set ahead of time, multiple objectives would affect the fundamental principles as well as the conceptual framework of data protection. The immediate consequence has been the vague defining of rights and obligations for those involved stakeholders. This echoes the prior mentioned lack of legal predictability and certainty.

			====Multi-level protection scheme====
			Article 21 of the CSL requires all network operators to be obliged with different security measures according to the cyberspace Multi-level Protection Scheme (MLPS). Under the MLPS, network operators shall safeguard cyberspace from interference, destruction, or unauthorized access, and protect internet-hosted and –transmitted data from leak or fraud. Security obligations include but are not limited to (i) the establishment of an internal security management protocol; (ii) the appointment of a person in charge of security affairs; (iii) the deployment of technical measures for cyberattacks; (iv) the recording of internet-based operational activities for no shorter than six months and the response plan for security incidence; and (v) the classification, backup, and encryption of important data.

			The MLPS was born from the demands of national computer system security in 1994 and thus falls under the competence scope of the Ministry of Public Security (MPS). After a series of developed administrative regulations, the updated draft of the Regulation on Cybersecurity Multi-level Protection Scheme was released in 2018. Together with a bundle of supplementary national technical standards, the so-called MLPS 2.0 framework of cybersecurity in China was finalized.{{Efn\|The three newly released national standards are: (1) GB/T 22239-2019 Information Security Technology-Basic Requirements for Multi-level Protection; (2) GB/T 25070-2019 Information Security Technology - Cybersecurity Multi-level Protection Security Design Technical Requirements; and (3) GB/T 28448-2019 Information Security Technology - Cybersecurity Multi-level Protection Assessment Requirements, which went into force on December 1, 2019. Another national standard titled GB/T 25058-2019 Information Security Technology - Implementation Guide for Cybersecurity Classified Protection came into effect on March 1, 2020.}} The MLPS Regulation as a supporting document of CSL’s Article 21 defines descriptive obligations and requirements for the network operators, which fall under different levels of MLPS. Eleven general obligations are listed to clearly allocate the liability and to set technical and organizational security measures. Specific obligations need to be met according to the level of the network operator’s activities that would affect the state and public security, scaled from 1 (the least risky) to 5 (the most risky).{{Efn\|For the description of the security levels, see Table 1, found in the section of this paper on "Data export regulations."}} After being classified via a self-assessment, network operators are required to deploy special security measures such as personnel management, dataset backup, and [[encryption]] to protect important data.

Shawndouglas: Saving and adding more.

2021-07-19T22:03:32Z

Saving and adding more.

← Older revision		Revision as of 22:03, 19 July 2021
Line 68:		Line 68:

	Personal Information was firstly defined in the Notice of the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens in 2013, stating that the “personal information of citizens include the name, age, valid certificate number, marital status, employer, education background, resume, family address, phone number and other information or data that can identify the identities of citizens or involve the personal privacy of citizens.”<ref name="LICNotice13">{{cite web \|url=http://www.lawinfochina.com/display.aspx?id=14967&lib=law \|title=Notice of the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens \|author=Supreme People's Court; Supreme People's Procuratorate; Ministry of Public Security \|work=Law Info China \|date=23 April 2013}}</ref> In response to the rapid development of technology, Chinese authorities released over 200 laws, administrative regulations, and sector-specific rules regulating the collection and processing of personal information across domains like banking, healthcare, medical records, and disease control.{{Efn\|China provides direct protection of personal information through The Seventh Amendment of Criminal Law, Tort Law, Telecommunication Law, Junior Protection Law, Consumer Protection Law, etc. Indirect protection of personal information is provided though Constitutional Law and Civil Law. For example, the Ministry of Industry and Information Technology is in charge of regulating the ISPs via Measures on Protecting Personal Information of Telecommunication and Internet Users, Measures on SMS service management, etc.}} However, a comprehensive framework for personal data protection laws is still urgently in need.		Personal Information was firstly defined in the Notice of the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens in 2013, stating that the “personal information of citizens include the name, age, valid certificate number, marital status, employer, education background, resume, family address, phone number and other information or data that can identify the identities of citizens or involve the personal privacy of citizens.”<ref name="LICNotice13">{{cite web \|url=http://www.lawinfochina.com/display.aspx?id=14967&lib=law \|title=Notice of the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens \|author=Supreme People's Court; Supreme People's Procuratorate; Ministry of Public Security \|work=Law Info China \|date=23 April 2013}}</ref> In response to the rapid development of technology, Chinese authorities released over 200 laws, administrative regulations, and sector-specific rules regulating the collection and processing of personal information across domains like banking, healthcare, medical records, and disease control.{{Efn\|China provides direct protection of personal information through The Seventh Amendment of Criminal Law, Tort Law, Telecommunication Law, Junior Protection Law, Consumer Protection Law, etc. Indirect protection of personal information is provided though Constitutional Law and Civil Law. For example, the Ministry of Industry and Information Technology is in charge of regulating the ISPs via Measures on Protecting Personal Information of Telecommunication and Internet Users, Measures on SMS service management, etc.}} However, a comprehensive framework for personal data protection laws is still urgently in need.

			===The Cybersecurity Law===
			In November 2016, the finalized version of the Cybersecurity Law (CSL) was passed by the Standing Committee of National People’s Congress, imposing new [[cybersecurity]] requirements on network operators that “own or manage networks, or provide network services.” It applies to any activities related to the “construction, administration, maintenance and use of networks.”<ref name="CACCybersecurity17" /> The CSL is the most up-to-date, highest-level legal instrument concerning personal information protection in China. Three pillars constitute the substantive provisions of the law: a multi-level protection scheme, critical information infrastructure protections, and personal information protections.

			====Objectives====
			Article 1 of the CSL sets multiple objectives aiming to “protect cybersecurity; safeguard cyberspace sovereignty, national security, and social public interests; protect the legitimate rights and interests of citizens, legal persons, and other organizations; and promote the healthy development of economic and social informatization.”<ref name="CACCybersecurity17" /> This is aligned with the special aspect in terms of multiple objectives in Chinese lawmaking, particularly those areas that face most of the challenges brought forward by emerging issues. As this provision suggests, the objectives are to govern everything within the country’s cyberspace infrastructure, ranging from internet activities to data export.

			The downside is, however, observable. It is not unusual that such generality and flexibility—and sometimes excessive omissions—can be found in the drafting of Chinese law. Coupled with a wide discretionary power conferred on lower-level competent authorities in order to implement the law, predictability and certainty of law are often compromised. Furthermore, in order to identify a complete set of independent objectives and to prioritize them, law makers are required to use clear concepts, logical foundations, and thought-provoking procedures.<ref name="KeeneyIdent13">{{cite journal \|title=Identifying, prioritizing, and using multiple objectives \|journal=EURO Journal on Decision Processes \|author=Keeny, R.L. \|volume=1 \|pages=45–67 \|year=2013 \|doi=10.1007/s40070-013-0002-9}}</ref> In China, most of the data protection rules were made in response to an existing problem. However, due to insufficient experience in data protection law making and “rent-seeking” among various authorities, one essential aspect that is missing is that of a unified value for the protection of personal information. It is not yet crystal clear in other jurisdictions, as technology and law in this regime are significantly interdependent. Without a clear value set ahead of time, multiple objectives would affect the fundamental principles as well as the conceptual framework of data protection. The immediate consequence has been the vague defining of rights and obligations for those involved stakeholders. This echoes the prior mentioned lack of legal predictability and certainty.

Shawndouglas: Saving and adding more.

2021-07-19T21:38:49Z

Saving and adding more.

← Older revision		Revision as of 21:38, 19 July 2021
Line 65:		Line 65:
	Chinese concepts of privacy and personal data protection vary through different historical periods. Most of them are rooted in traditional Chinese ethics or moral standards, and partially integrated with the ideology of socialism.<ref name="McDougallChinese02">{{cite book \|title=Chinese Concepts of Privacy \|editor=McDougall, B.S.; Hansson, A. \|publisher=Brill \|page=8 \|year=2002 \|isbn=9789004127661}}</ref> With the economic transition from a central planned market to a free market in the 1990s, Chinese communities began to experience greater variety of roles in participating economic, societal, and political activities. Although traditional predominant values still hold a deep influence on people’s behaviors, individualism and subjectivity have dramatically been promoted in their social life. Scrutiny and concerns over the importance of an individual’s privacy and protection of emerging personal data processing are ever growing. Baidu, the largest Chinese search engine provider, was sued by a consumer rights protection association for illegally collecting user data without consent.<ref name="JingChina18">{{cite web \|url=https://www.scmp.com/tech/china-tech/article/2127045/baidu-sued-china-consumer-watchdog-snooping-users-its-smartphone \|title=China consumer group accuses Baidu of snooping on users of its smartphone apps \|author=Jing, M. \|work=South China Morning Post \|date=05 January 2018}}</ref> Alibaba, another internet giant, was challenged by Chinese users for the misuse of their digital transaction records and social media profiles on Zhima Credit (an online credit service that offers loans based on users’ digital activities).<ref name="XueyingZhima18">{{cite web \|url=https://news.cgtn.com/news/78637a4e35637a6333566d54/share_p.html \|title=Zhima Credit apologizes for its annual report’s ‘mistake’ \|author=Xueying, W. \|work=CGTN \|date=04 January 2018}}</ref> The concept of privacy in contemporary China has been gradually expanded, and individuals have raised their expectations for the right to be left alone.		Chinese concepts of privacy and personal data protection vary through different historical periods. Most of them are rooted in traditional Chinese ethics or moral standards, and partially integrated with the ideology of socialism.<ref name="McDougallChinese02">{{cite book \|title=Chinese Concepts of Privacy \|editor=McDougall, B.S.; Hansson, A. \|publisher=Brill \|page=8 \|year=2002 \|isbn=9789004127661}}</ref> With the economic transition from a central planned market to a free market in the 1990s, Chinese communities began to experience greater variety of roles in participating economic, societal, and political activities. Although traditional predominant values still hold a deep influence on people’s behaviors, individualism and subjectivity have dramatically been promoted in their social life. Scrutiny and concerns over the importance of an individual’s privacy and protection of emerging personal data processing are ever growing. Baidu, the largest Chinese search engine provider, was sued by a consumer rights protection association for illegally collecting user data without consent.<ref name="JingChina18">{{cite web \|url=https://www.scmp.com/tech/china-tech/article/2127045/baidu-sued-china-consumer-watchdog-snooping-users-its-smartphone \|title=China consumer group accuses Baidu of snooping on users of its smartphone apps \|author=Jing, M. \|work=South China Morning Post \|date=05 January 2018}}</ref> Alibaba, another internet giant, was challenged by Chinese users for the misuse of their digital transaction records and social media profiles on Zhima Credit (an online credit service that offers loans based on users’ digital activities).<ref name="XueyingZhima18">{{cite web \|url=https://news.cgtn.com/news/78637a4e35637a6333566d54/share_p.html \|title=Zhima Credit apologizes for its annual report’s ‘mistake’ \|author=Xueying, W. \|work=CGTN \|date=04 January 2018}}</ref> The concept of privacy in contemporary China has been gradually expanded, and individuals have raised their expectations for the right to be left alone.

			Prior to the CSL, China’s personal data protection policy was integrated in a number of laws and administrative rules through the protection of personal dignity and reputation. For example, Article 28 of the Chinese Constitution provides citizens an inviolable personal dignity from “insult, defamation or false charge.” Article 252 of Criminal Law (1997) prohibits any violation to the freedom of a citizen’s communication rights by hiding, destroying, or illegally opening other’s letters. And Article 101 of General Principles of Civil Law (1986) confers natural persons and legal persons the right of reputation. The Supreme People’s Court in 2001 for the first time confirmed the legal ground for claiming remedies for the damages caused by the violation of one’s privacy or other personal rights granted by these laws and rules.

			Personal Information was firstly defined in the Notice of the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens in 2013, stating that the “personal information of citizens include the name, age, valid certificate number, marital status, employer, education background, resume, family address, phone number and other information or data that can identify the identities of citizens or involve the personal privacy of citizens.”<ref name="LICNotice13">{{cite web \|url=http://www.lawinfochina.com/display.aspx?id=14967&lib=law \|title=Notice of the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens \|author=Supreme People's Court; Supreme People's Procuratorate; Ministry of Public Security \|work=Law Info China \|date=23 April 2013}}</ref> In response to the rapid development of technology, Chinese authorities released over 200 laws, administrative regulations, and sector-specific rules regulating the collection and processing of personal information across domains like banking, healthcare, medical records, and disease control.{{Efn\|China provides direct protection of personal information through The Seventh Amendment of Criminal Law, Tort Law, Telecommunication Law, Junior Protection Law, Consumer Protection Law, etc. Indirect protection of personal information is provided though Constitutional Law and Civil Law. For example, the Ministry of Industry and Information Technology is in charge of regulating the ISPs via Measures on Protecting Personal Information of Telecommunication and Internet Users, Measures on SMS service management, etc.}} However, a comprehensive framework for personal data protection laws is still urgently in need.


Line 75:		Line 77:

	==Notes==		==Notes==
	This presentation is faithful to the original, with only a few minor changes to presentation, though grammar and word usage was substantially updated for improved readability. In some cases important information was missing from the references, and that information was added. The original lists citations and footnotes all together under "Notes"; this version split the two out and and lists them in order of appearance, by design. The original articles Note 11 does not at all verify the quoted statistics; a citation to support at least the 2018 statistic was found and used for this version. Another citation was found and added for this version to support the claim more than one trillion euros e-commerce at 37.6% total of imports and exports.		This presentation is faithful to the original, with only a few minor changes to presentation, though grammar and word usage was substantially updated for improved readability. In some cases important information was missing from the references, and that information was added. The original lists citations and footnotes all together under "Notes"; this version split the two out and and lists them in order of appearance, by design. The original articles Note 11 does not at all verify the quoted statistics; a citation to support at least the 2018 statistic was found and used for this version. Another citation was found and added for this version to support the claim more than one trillion euros e-commerce at 37.6% total of imports and exports. The quote about defining personal information had no citation in the original; for this version, a source was found, with slightly altered English text, and used.

	<!--Place all category tags here-->		<!--Place all category tags here-->

Shawndouglas: Saving and adding more.

2021-07-19T21:20:49Z

Saving and adding more.

← Older revision		Revision as of 21:20, 19 July 2021
Line 56:		Line 56:

	China’s cross-border data transfer regulation is an evolving project still under development, with various administrative regulations and department rules continuing to expand. The Personal Information Protection Law has been incorporated into the law-making plan of the 13th Standing Committee of National People’s Congress, released with the draft for public comment on October 21, 2020. The legislators especially emphasized the protection of public interest and state security, taking into account the needs of the protection of data subjects' rights, and took a sheepish position on the regulation of cross-border data transfer. The Cybersecurity Law (enacted in 2017) for the first time addressed data localization and security assessment of data export requirements for Critical Information Infrastructure providers.<ref name="CACCybersecurity17">{{cite web \|url=http://www.cac.gov.cn/2016-11/07/c_1119867116.htm \|title=中华人民共和国网络安全法 \|publisher=Cyberspace Administration of China \|date=07 November 2016}}</ref> The Civil Code of China (adopted May 28, 2020) newly introduced greater protection of privacy rights and personal information.{{Efn\|"The personal information of a natural person shall be protected by law. Any organization or individual that needs to acquire the personal information of an individual shall obtain such information in accordance with law and guarantee the safety of such information. Any illegal collection, usage, processing, and transfer of the individual’s personal information, or illegal trade, making available or disclosure of other’s personal information is a violation of law." - Article 111 Civil Code of the People’s Republic of China}} It clarified that (i) the rights and interests of natural persons over their personal information are civil rights and private rights; (ii) natural persons’ rights to their personal information belong to personality rights; and (iii) the distinction is made between privacy and personal information. These three pieces of legislations constitute the foundation of China’s personal information protection laws.		China’s cross-border data transfer regulation is an evolving project still under development, with various administrative regulations and department rules continuing to expand. The Personal Information Protection Law has been incorporated into the law-making plan of the 13th Standing Committee of National People’s Congress, released with the draft for public comment on October 21, 2020. The legislators especially emphasized the protection of public interest and state security, taking into account the needs of the protection of data subjects' rights, and took a sheepish position on the regulation of cross-border data transfer. The Cybersecurity Law (enacted in 2017) for the first time addressed data localization and security assessment of data export requirements for Critical Information Infrastructure providers.<ref name="CACCybersecurity17">{{cite web \|url=http://www.cac.gov.cn/2016-11/07/c_1119867116.htm \|title=中华人民共和国网络安全法 \|publisher=Cyberspace Administration of China \|date=07 November 2016}}</ref> The Civil Code of China (adopted May 28, 2020) newly introduced greater protection of privacy rights and personal information.{{Efn\|"The personal information of a natural person shall be protected by law. Any organization or individual that needs to acquire the personal information of an individual shall obtain such information in accordance with law and guarantee the safety of such information. Any illegal collection, usage, processing, and transfer of the individual’s personal information, or illegal trade, making available or disclosure of other’s personal information is a violation of law." - Article 111 Civil Code of the People’s Republic of China}} It clarified that (i) the rights and interests of natural persons over their personal information are civil rights and private rights; (ii) natural persons’ rights to their personal information belong to personality rights; and (iii) the distinction is made between privacy and personal information. These three pieces of legislations constitute the foundation of China’s personal information protection laws.

			The Measures on Personal Information and Important Data Export Security Assessment (draft for comments) was released in 2017 by the Cyberspace Administration of China (CAC). It was planned to contain elements in the scope of the security assessment, such as the consent of the data subject, the security protection status of the data recipient, and risk of data leaving China. Upon receiving constructive criticism, the CAC updated its draft a second time in 2019. One essential element–the important data–was removed, while one important element–the standard contractual clauses–was introduced.

			===About this paper===
			This paper aims to provide a comprehensive analysis of China’s cross-border data transfer regulation. The rest of the paper is organized as follows. The next section demonstrates how the personal data protections laws have evolved owing to transitions in the Chinese economy, with a focus on the objectives and characteristics of cybersecurity law, followed by how the Cybersecurity Law (CSL) is enforced and how authorities are responsible for the enforcement. The subsequent section highlights the Data Export Regulations in China, broadly classified into critical information infrastructure data export and personal data export, as well as how the approaches vary in terms of the measures and assessments. The paper ends with the conclusions derived from this study, as well as mentions of important drafts of laws and regulations to demonstrate possible future developments in China.

			==The evolution of China's personal data protection laws==
			Chinese concepts of privacy and personal data protection vary through different historical periods. Most of them are rooted in traditional Chinese ethics or moral standards, and partially integrated with the ideology of socialism.<ref name="McDougallChinese02">{{cite book \|title=Chinese Concepts of Privacy \|editor=McDougall, B.S.; Hansson, A. \|publisher=Brill \|page=8 \|year=2002 \|isbn=9789004127661}}</ref> With the economic transition from a central planned market to a free market in the 1990s, Chinese communities began to experience greater variety of roles in participating economic, societal, and political activities. Although traditional predominant values still hold a deep influence on people’s behaviors, individualism and subjectivity have dramatically been promoted in their social life. Scrutiny and concerns over the importance of an individual’s privacy and protection of emerging personal data processing are ever growing. Baidu, the largest Chinese search engine provider, was sued by a consumer rights protection association for illegally collecting user data without consent.<ref name="JingChina18">{{cite web \|url=https://www.scmp.com/tech/china-tech/article/2127045/baidu-sued-china-consumer-watchdog-snooping-users-its-smartphone \|title=China consumer group accuses Baidu of snooping on users of its smartphone apps \|author=Jing, M. \|work=South China Morning Post \|date=05 January 2018}}</ref> Alibaba, another internet giant, was challenged by Chinese users for the misuse of their digital transaction records and social media profiles on Zhima Credit (an online credit service that offers loans based on users’ digital activities).<ref name="XueyingZhima18">{{cite web \|url=https://news.cgtn.com/news/78637a4e35637a6333566d54/share_p.html \|title=Zhima Credit apologizes for its annual report’s ‘mistake’ \|author=Xueying, W. \|work=CGTN \|date=04 January 2018}}</ref> The concept of privacy in contemporary China has been gradually expanded, and individuals have raised their expectations for the right to be left alone.

Shawndouglas: Saving and adding more.

2021-07-19T20:49:58Z

Saving and adding more.

← Older revision		Revision as of 20:49, 19 July 2021
Line 51:		Line 51:

	Additionally, the Southern African Development Community (SADC) developed the Model Law on Data Protection in 2010, containing general data protection principles for cross-border data transfer. Notwithstanding the efforts, many African countries continue to struggle with enacting laws to regulate the collection and processing of personal information. The organization’s practices stopped at proposing a broad framework of guidance. While further discussions over effective solutions to the conflicts of applicable laws of personal data transborder regulation are needed, these and other international negotiations and cooperative efforts remain worthy of recognition.		Additionally, the Southern African Development Community (SADC) developed the Model Law on Data Protection in 2010, containing general data protection principles for cross-border data transfer. Notwithstanding the efforts, many African countries continue to struggle with enacting laws to regulate the collection and processing of personal information. The organization’s practices stopped at proposing a broad framework of guidance. While further discussions over effective solutions to the conflicts of applicable laws of personal data transborder regulation are needed, these and other international negotiations and cooperative efforts remain worthy of recognition.

			===Problem statement===
			China is imminently in need of a strong and more coherent data transborder flow regulatory framework, backed by transparent enforcement and legal certainty. As the world’s second largest economy, China’s demand for data exchange across borders has grown significantly. On one hand, cross-border e-commerce transactions reached 134.7 billion RMB (approximately 17.7 billion euro) in 2018<ref name="MoCRegular19">{{cite web \|url=http://english.mofcom.gov.cn/article/newsrelease/press/201902/20190202837696.shtml \|title=Regular Press Conference of the Ministry of Commerce (February 21, 2019) \|author=Ministry of Commerce, People's Republic of China \|publisher=Ministry of Commerce, People's Republic of China \|date=21 February 2019}}</ref>, with expectations in 2015 of it reaching more than one trillion euro by the year 2020, accounting for 37.6% of China’s total imports and exports.<ref name="ARInclusive17">{{cite web \|url=https://unctad.org/system/files/non-official-document/dtl_eWeek2017c11-aliresearch_en.pdf \|format=PDF \|title=Inclusive Growth and E-commerce: China's Experience \|author=Ouyang, C.; Pan, Y.; Sheng, Z. et al. \|publisher=AliResearch \|page=18 \|date=April 2017}}</ref> On the other hand, technical innovations have brought unprecedented threats to privacy and data security. Furthermore, global trade and political tensions are rising. Against this background, China needs to carefully assess domestic and international economic and legal situations to create a quality strategy for cross-border data flow regulation.

			China’s cross-border data transfer regulation is an evolving project still under development, with various administrative regulations and department rules continuing to expand. The Personal Information Protection Law has been incorporated into the law-making plan of the 13th Standing Committee of National People’s Congress, released with the draft for public comment on October 21, 2020. The legislators especially emphasized the protection of public interest and state security, taking into account the needs of the protection of data subjects' rights, and took a sheepish position on the regulation of cross-border data transfer. The Cybersecurity Law (enacted in 2017) for the first time addressed data localization and security assessment of data export requirements for Critical Information Infrastructure providers.<ref name="CACCybersecurity17">{{cite web \|url=http://www.cac.gov.cn/2016-11/07/c_1119867116.htm \|title=中华人民共和国网络安全法 \|publisher=Cyberspace Administration of China \|date=07 November 2016}}</ref> The Civil Code of China (adopted May 28, 2020) newly introduced greater protection of privacy rights and personal information.{{Efn\|"The personal information of a natural person shall be protected by law. Any organization or individual that needs to acquire the personal information of an individual shall obtain such information in accordance with law and guarantee the safety of such information. Any illegal collection, usage, processing, and transfer of the individual’s personal information, or illegal trade, making available or disclosure of other’s personal information is a violation of law." - Article 111 Civil Code of the People’s Republic of China}} It clarified that (i) the rights and interests of natural persons over their personal information are civil rights and private rights; (ii) natural persons’ rights to their personal information belong to personality rights; and (iii) the distinction is made between privacy and personal information. These three pieces of legislations constitute the foundation of China’s personal information protection laws.


Line 60:		Line 65:

	==Notes==		==Notes==
	This presentation is faithful to the original, with only a few minor changes to presentation, though grammar and word usage was substantially updated for improved readability. In some cases important information was missing from the references, and that information was added. The original lists citations and footnotes all together under "Notes"; this version split the two out and and lists them in order of appearance, by design.		This presentation is faithful to the original, with only a few minor changes to presentation, though grammar and word usage was substantially updated for improved readability. In some cases important information was missing from the references, and that information was added. The original lists citations and footnotes all together under "Notes"; this version split the two out and and lists them in order of appearance, by design. The original articles Note 11 does not at all verify the quoted statistics; a citation to support at least the 2018 statistic was found and used for this version. Another citation was found and added for this version to support the claim more than one trillion euros e-commerce at 37.6% total of imports and exports.

	<!--Place all category tags here-->		<!--Place all category tags here-->

Shawndouglas: Saving and adding more.

2021-07-19T18:10:30Z

Saving and adding more.

← Older revision		Revision as of 18:10, 19 July 2021
Line 46:		Line 46:

	====Soft laws====		====Soft laws====
			Soft laws often play important roles in encouraging reluctant states to consider and eventually agree upon policies and strategies in areas where serious differences exist. Many international organizations have issued soft laws to regulate cross-border transfer of personal data, which has given certain guidance to the national legislation and implementation. The OECD Privacy Guidelines released in 1980 serve as the first internationally agreed upon set of personal information protection principles and focus on balancing between the needs for digital economy and the protection of an individual’s rights. It addressed the needs for greater efforts to tackle the global dimension of privacy through improved interoperability and provided the member states a basic framework for the free flow of personal data for further negotiations.

			The APEC framework, published by the Asia-Pacific Economic Cooperation in 2004, is a framework to protect privacy while enabling regional personal information transfers to promote consumer trust and business confidence, to lighten compliance burdens, and boost digital economies. The data controllers’ obligations are particularly emphasized as a data subject’s consent is mandatory prior to the transfer of their personal information, and the adequate level of data protection must be guaranteed. This framework is used as a basis for the APEC Cross-Border Privacy Rules (“CBPR”). The U.S.-led CBPR system comprises a Privacy Enforcement Authority, privacy certification institutions, and recognized entities operating upon nine general privacy principles and a bundle of practical requirements. A joint APEC-EU working team has attempted to discover more opportunities for “double compliance” via E.U. BCR and APEC CBPR referential.{{Efn\|The Referential for Requirements for Binding CorporateRules (BCR) and APEC Cross Border Privacy Rules system serve as an informal checklist for companies to apply certifications under the BCR and CBPR system. The referential outlines common compliance requirements and ''ad hoc'' requirements for each of the systems. Although the referential was superseded after the enactment of the GDPR in 2018, E.U. representatives have continued to express a strong interest in developing a work plan for future efforts. See Article 29 Data Protection Working Party, Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the E.U. and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents.}}

			Additionally, the Southern African Development Community (SADC) developed the Model Law on Data Protection in 2010, containing general data protection principles for cross-border data transfer. Notwithstanding the efforts, many African countries continue to struggle with enacting laws to regulate the collection and processing of personal information. The organization’s practices stopped at proposing a broad framework of guidance. While further discussions over effective solutions to the conflicts of applicable laws of personal data transborder regulation are needed, these and other international negotiations and cooperative efforts remain worthy of recognition.


	==Footnotes==		==Footnotes==

Shawndouglas: /* Soft laws */

2021-07-14T23:46:33Z

Soft laws

← Older revision		Revision as of 23:46, 14 July 2021
Line 45:		Line 45:
	In view of the latency of the international community’s cooperation in the field of cross-border personal data transfer, multiple emerging countries engaging in the digital economy have actively launched bilateral negotiations based on their own development needs. By reaching a bilateral agreement, a legal basis for the personal data exchanges between signatory countries is developed. The E.U.-U.S. Privacy Shield Framework is such an example. In 2014, as a direct response to the Snowden revelations, the ''Schrems I'' case led to the Court of Justice of the European Union (CJEU) revoking the Safe Harbor Framework as a valid mechanism for transfers between the E.U. and the U.S.{{Efn\|The CJEU found that the U.S. government permitted generalized access to electronic information and failed to provide redress mechanisms. Therefore, the CJEU determined that the U.S. law did not provide an adequate level of protection that was essentially equivalent to E.U. laws. See ''Max Schrems v. Data Protection Commissioner''.}} The E.U. and the U.S. then successfully developed the alternative Privacy Shield Framework, putting forward more stringent and descriptive data transfer requirements for data controllers.<ref name="ELexCommun15">{{cite web \|url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52015DC0566 \|title=COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems) - COM/2015/0566 final \|work=EUR-Lex \|publisher=European Union \|date=06 November 2015}}</ref> The framework received wide criticism, the the E.U. Commission’s adequacy determination for the Privacy Shield has been upheld.{{Efn\|Digital Rights Ireland brought the first challenge on 2016, seeking the annulment of the determination on the basis that the Shield failed to provide sufficient substantive changes from the Safe Harbor Framework. This challenge was dismissed for lack of admissibility. French advocacy group La Quadrature du Net also challenged the Commission’s decision, arguing that the Shield not only continues to violate the Charter, but also fails to provide effective redress mechanisms. This case remains pending.}} American companies may be permitted to acquire personal data from a total of 28 European countries after registering under the Privacy Shield program and demonstrating that they fulfill the “adequacy protection” requirement by self-certification procedures. The Privacy Shield Framework additionally includes verification, assessment, and supervision mechanisms, as well as special rules related to arbitration procedures.{{Efn\|Similarly, the U.S. also agreed to the Swiss-U.S. Privacy Shield Framework with Switzerland.}} The bilateral agreement allows two countries to make more detailed arrangements for cross-border data transfer issues. It is advantageous in terms of negotiation efficiency and enforcement, as well as the flexibility of contents. However, its scope of application is limited to the jurisdictions of the two countries. For the establishment of a regional framework of personal data cross-border transfer, such a bilateral agreement has very limited effect on bridging different legal standards.		In view of the latency of the international community’s cooperation in the field of cross-border personal data transfer, multiple emerging countries engaging in the digital economy have actively launched bilateral negotiations based on their own development needs. By reaching a bilateral agreement, a legal basis for the personal data exchanges between signatory countries is developed. The E.U.-U.S. Privacy Shield Framework is such an example. In 2014, as a direct response to the Snowden revelations, the ''Schrems I'' case led to the Court of Justice of the European Union (CJEU) revoking the Safe Harbor Framework as a valid mechanism for transfers between the E.U. and the U.S.{{Efn\|The CJEU found that the U.S. government permitted generalized access to electronic information and failed to provide redress mechanisms. Therefore, the CJEU determined that the U.S. law did not provide an adequate level of protection that was essentially equivalent to E.U. laws. See ''Max Schrems v. Data Protection Commissioner''.}} The E.U. and the U.S. then successfully developed the alternative Privacy Shield Framework, putting forward more stringent and descriptive data transfer requirements for data controllers.<ref name="ELexCommun15">{{cite web \|url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52015DC0566 \|title=COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems) - COM/2015/0566 final \|work=EUR-Lex \|publisher=European Union \|date=06 November 2015}}</ref> The framework received wide criticism, the the E.U. Commission’s adequacy determination for the Privacy Shield has been upheld.{{Efn\|Digital Rights Ireland brought the first challenge on 2016, seeking the annulment of the determination on the basis that the Shield failed to provide sufficient substantive changes from the Safe Harbor Framework. This challenge was dismissed for lack of admissibility. French advocacy group La Quadrature du Net also challenged the Commission’s decision, arguing that the Shield not only continues to violate the Charter, but also fails to provide effective redress mechanisms. This case remains pending.}} American companies may be permitted to acquire personal data from a total of 28 European countries after registering under the Privacy Shield program and demonstrating that they fulfill the “adequacy protection” requirement by self-certification procedures. The Privacy Shield Framework additionally includes verification, assessment, and supervision mechanisms, as well as special rules related to arbitration procedures.{{Efn\|Similarly, the U.S. also agreed to the Swiss-U.S. Privacy Shield Framework with Switzerland.}} The bilateral agreement allows two countries to make more detailed arrangements for cross-border data transfer issues. It is advantageous in terms of negotiation efficiency and enforcement, as well as the flexibility of contents. However, its scope of application is limited to the jurisdictions of the two countries. For the establishment of a regional framework of personal data cross-border transfer, such a bilateral agreement has very limited effect on bridging different legal standards.

	===Soft laws===		====Soft laws====



	==Footnotes==		==Footnotes==