Journal:Cross-border data transfer regulation in China
Full article title | Cross-border data transfer regulation in China |
---|---|
Journal | Rivista Italiana di Informatica e Diritto |
Author(s) | Li, Yuan |
Author affiliation(s) | University of Macerata |
Primary contact | Email: Unknown |
Year published | 2021 |
Volume and issue | 3(1) |
Page(s) | 69–80 |
DOI | 10.32091/RIID0028 |
ISSN | 2704-7318 |
Distribution license | Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International |
Website | http://nir.ittig.cnr.it/www.rivistaitalianadiinformaticaediritto.it/index.php/RIID/article/view/73 |
Download | http://nir.ittig.cnr.it/www.rivistaitalianadiinformaticaediritto.it/index.php/RIID/article/view/73/55 (PDF) |
This article should be considered a work in progress and incomplete. Consider this article incomplete until this notice is removed.
Abstract
With the growing participation of emerging countries in global data governance, the traditional legislative paradigm dominated by the European Union and the United States is constantly being analyzed and reshaped. It is of particular importance for China to establish the regulatory framework of cross-border data transfer, for not only does it involve the rights of Chinese citizens and entities, but also the concepts of cyber-sovereignty and national security, as well as the framing of global cyberspace rules. China continues to leverage data sovereignty to persuade lawmakers to support the development of critical technology in digital domains and infrastructure construction. This paper aims to systematically and chronologically describe Chinese regulations for cross-border data exchange. Enacted and draft provisions—as well as binding and non-binding regulatory rules—are studied, and various positive dynamic developments in the framing of China’s cross-border data regulation are shown. Despite certain limitations, China's Cybersecurity Law, together with its Civil Code and Personal Information Protection Law, demonstrates China's great willingness to move towards a stronger data protection regime and a more flexible regulatory mechanism.
Keywords: China, cross-border data flow, cybersecurity
Introduction
The regulation of cross-border data transfers represents one of the greatest challenges that information security experts and legislators are facing around the world.[a] The breadth and effectiveness of global data protection law is fragmented by the divergence among various data protection standards. As such, the potential negative effects are difficult to ignore. From the perspective of countries, the adoption of the “adequate level of protection” approach de facto restricts less developed regions—especially those that have not enacted data protection laws—from entering the world of global dataflow. It further leads to the exclusion of such countries from participating in global digital trade and exacerbates the polarization of the world economy. From the perspective of entities, particularly those in the information and communications technology (ICT) sector, the legal requirements set out in different jurisdictions are likely to impose additional administrative and technical burdens when conducting business internationally. Overlapping jurisdictions across various countries, cumbersome transfer assessment rules, and excessive discretionary powers of supervisory authorities have led to increased compliance costs while reducing the transaction efficiency of multinational businesses. Additionally, from the perspective of data subjects, individuals’ rights and responsibilities vary by nationality, residence, or information collection region. This, however, is contrary to the original purpose of protecting personal data while promoting data sharing.
Global data transfer
The benefits that can be derived from cross-border data flows are growing, while the ability of countries to reap such benefits may vary.[1] Although it is widely recognized that countries should have a common interest in facilitating cross-border dataflows and reconciling different policy objectives in this field, the implementation of the free flow of cross-border data remains vague. Due to differences in digital economic development, legal systems, and data sovereignty objectives, it is difficult for countries to impose effective regulations on cross-border data transfer on their own. In contemporary legislation, a trend of preference for establishing one data flow model inside a region within a given group of countries is emerging.
A multilateral international agreement
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) adopted by the Council of Europe in 1981 is the first and only updated binding multilateral international agreement to set standards for transborder data flows. The early version of Convention 108 provided general principles that require signatory countries not to restrict or impose any special authorizations to prevent the flow of personal data among the member states and aims to achieve greater unity between its members.[2] Convention 108 was further developed in the Additional Protocol in 2001 to introduce the concept of an “adequate level of protection” for the intended data recipient countries that are not the signatories to Convention 108.[3] Such an exporting party is also subject to exceptions where the transfer is needed for the individual’s legitimate interests and the public interest, or is based on authority-approved contractual clauses.
Convention 108 is the result of the implementation of the European Convention on Human Rights with regard to privacy protection. It attempts to build consistent data protection principles to safeguard individuals’ rights while keeping active exchanges of such personal information across borders. As great as it may appear, the significance of Convention 108 is limited.[b] Although an international agreement as an instrument for dealing with modern societal and legal topics is advantageous in terms of the applicable scope of the rules, enforcement, and guidance, its complex and lengthy establishment procedures have slowed down the reaction time to emerging issues in the international community, especially in areas where international consensus has not yet been reached.
A bilateral international agreement
In view of the latency of the international community’s cooperation in the field of cross-border personal data transfer, multiple emerging countries engaging in the digital economy have actively launched bilateral negotiations based on their own development needs. By reaching a bilateral agreement, a legal basis for the personal data exchanges between signatory countries is developed. The E.U.-U.S. Privacy Shield Framework is such an example. In 2014, as a direct response to the Snowden revelations, the Schrems I case led to the Court of Justice of the European Union (CJEU) revoking the Safe Harbor Framework as a valid mechanism for transfers between the E.U. and the U.S.[c] The E.U. and the U.S. then successfully developed the alternative Privacy Shield Framework, putting forward more stringent and descriptive data transfer requirements for data controllers.[5] Although the framework received wide criticism, the E.U. Commission’s adequacy determination for the Privacy Shield has been upheld.[d] American companies may be permitted to acquire personal data from a total of 28 European countries after registering under the Privacy Shield program and demonstrating that they fulfill the “adequacy protection” requirement by self-certification procedures. The Privacy Shield Framework additionally includes verification, assessment, and supervision mechanisms, as well as special rules related to arbitration procedures.[e] The bilateral agreement allows two countries to make more detailed arrangements for cross-border data transfer issues. It is advantageous in terms of negotiation efficiency and enforcement, as well as the flexibility of contents. However, its scope of application is limited to the jurisdictions of the two countries. For the establishment of a regional framework of personal data cross-border transfer, such a bilateral agreement has very limited effect on bridging different legal standards.
Soft laws
Footnotes
- [a] There is a lack of clarity as to the meaning of the term “cross-border data transfer” even inside one jurisdiction, and often regulatory instruments use different definitions to apply the measures. The E.U. General Data Protection Regulation (GDPR) refers to “transfer to a third country of personal data” (recital 153) without defining “data transfer”; the APEC Privacy Framework variously uses the terms “international transfer,” “information flows across borders,” “cross-border information flow,” and “cross-border data transfer” interchangeably to refer to the movement of personal data across national borders. The OECD Privacy Guidelines refer to “transborder data flows,” defining the term as “movements of personal data across national borders” (Section 1(c)). Convention 108 refers to “transborder flows of personal data,” defined as “the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed” (Article 12(1)). It is also unclear whether merely making personal data accessible should be considered to result in such a transfer, or whether this requires some active or automatic transmission of the data (see Case C-101/01 Bodil Lindqvist v Åklagarkammaren i Jönköping [2003] ECR I-12971). In this article, “cross-border data flow” and “transborder data flow” are interchangeable, based on the context as well as the specific document being referred to.
- [b] Limited signatory countries, overbroad content, and free applicable scope eliminate the practical performance of Convention 108. Additionally, the International Law Commission listed “protection of personal data in the transborder flow of information” in its long-term working programs as early as 2006, yet it has proved fruitless so far.[4]
- [c] The CJEU found that the U.S. government permitted generalized access to electronic information and failed to provide redress mechanisms. Therefore, the CJEU determined that the U.S. law did not provide an adequate level of protection that was essentially equivalent to E.U. laws. See Max Schrems v. Data Protection Commissioner.
- [d] Digital Rights Ireland brought the first challenge in 2016, seeking the annulment of the determination on the basis that the Shield failed to provide sufficient substantive changes from the Safe Harbor Framework. This challenge was dismissed for lack of admissibility. French advocacy group La Quadrature du Net also challenged the Commission’s decision, arguing that the Shield not only continues to violate the Charter, but also fails to provide effective redress mechanisms. This case remains pending.
- [e] Similarly, the U.S. also agreed to the Swiss-U.S. Privacy Shield Framework with Switzerland.
References
- [1] "Declaration on Transborder Data Flow". OECD.org. 11 April 1985. https://www.oecd.org/sti/ieconomy/declarationontransborderdataflows.htm.
- [2] Council of Europe (1 October 1985). "Details of Treaty No. 108 - Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data". Council of Europe. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108?module=treaty-detail&treatynum=108.
- [3] Council of Europe (1 July 2004). "Details of Treaty No. 181 - Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows". Council of Europe. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/181?module=treaty-detail&treatynum=181.
- [4] General Assembly (2006). "Report of the International Law Commission, Fifty-eighth session" (PDF). United Nations. p. 489. https://legal.un.org/ilc/documentation/english/reports/a_61_10.pdf.
- [5] "COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems) - COM/2015/0566 final". EUR-Lex. European Union. 6 November 2015. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52015DC0566.
Notes
This presentation is faithful to the original, with only a few minor changes to presentation, though grammar and word usage were substantially updated for improved readability. In some cases important information was missing from the references, and that information was added. The original lists citations and footnotes all together under "Notes"; this version splits the two out and lists them in order of appearance, by design.