Reference:
Zhao L. The main models of cross-border data transmission regimes: EU, USA and China // Law and Politics. 2024. No. 4. P. 50-60.
DOI: 10.7256/2454-0706.2024.4.70797 EDN: WNDYGF URL: https://en.nbpublish.com/library_read_article.php?id=70797
The main models of cross-border data transmission regimes: EU, USA and China
DOI: 10.7256/2454-0706.2024.4.70797
EDN: WNDYGF
Received: 19-05-2024
Published: 27-05-2024
Abstract: The subject of this article is the system of regulation of cross-border data flows and its legal regime. Data is a fundamental resource for the development of the digital economy. Today, with the great development of globalization, the presence of cross-border data flows in international trade is inevitable. However, the transfer of data abroad creates hidden threats to the confidentiality of personal information of citizens and national security. Many countries have established data transfer management systems to protect their own interests. Mature data transfer management regimes abroad often become an example for other countries. The adopted laws also served as a model for other countries. The most representative regimes currently exist in the EU, the USA and China, which demonstrate three ways of managing data. The purpose of this article is to compare the regimes of cross-border data transmission in the European Union, the United States and China in order to analyze the structure of the three representative regimes, as well as to study the causes of their formation and the consequences of their functioning. Considering the three systems makes it possible to show more clearly that the European Union, the United States and China have different value orientations, which directly led to the formation of three different legal systems. The free market and national security have become the main elements of national considerations in the development of laws on cross-border data. Based on the conducted research, it can be concluded that the regime of cross-border data transfer in the EU is the most complete and effective, having a demonstration effect. The Chinese system currently has serious flaws. And in recent years, US law has been increasingly focused on serving the interests of geopolitics. Laws on cross-border data transfer demonstrate trends in political instrumentalization. The Balkanization of the Internet is becoming more and more obvious.
Keywords: cross-border data transfer, cybersecurity, data sovereignty, EU, USA, China, Balkanization of the Internet, data management, data security, the digital economy
This article is automatically translated.
Introduction
In the 21st century, digital technologies have revolutionized production and people's lives. In January 2024, the number of Internet users in the world reached 5.35 billion people, which is 66.2 percent of the world's total population [1]. The world has entered the digital age. According to the World Bank, in 2022, the share of the digital economy in global GDP exceeded 15 percent, and in the last decade it has grown 2.5 times faster than the GDP of the physical world [2]. High technologies such as big data, artificial intelligence, the Internet of things and blockchain occupy leading positions in the world. As a product of digital technologies, data has become the fifth most important factor of production, along with land, labor, capital and technology. Data now forms the basis for the further development of digital technologies, and data control and protection are a top priority for governments. With the increasing frequency of transnational economic and social activities, the volume of cross-border data transmission is gradually increasing, which undoubtedly raises a number of security problems, such as data theft, violation of privacy and leakage of trade secrets. Therefore, the creation of a number of legal regulation systems for the transfer of data abroad is an issue that needs to be addressed by each country. Due to the recuperation of cyberspace, the concept of data sovereignty has been adopted by many countries and has become one of the main concepts of data management.
Currently, there is no single global model for managing cross-border data flows. Each country has its own degree of digital development and protects its own interests in its own way, which leads to large differences in current legislation on data transfer abroad. The United States and the European Union carried out legislative work in the field of cross-border data transfer earlier; their legal systems are more advanced and are the two main paradigms of data law. China's digital technologies and digital economy have been developing rapidly in recent years, but Chinese data legislation appeared only recently. Currently, China has established a set of legal systems in the field of data transfer abroad, designed to solve problems arising in this area, including the problem of data security. The three data modes represent three systems of value orientations, and are also the most illustrative examples of global management of cross-border data transfer processes.
Management regimes and key laws in the field of cross-border data transfer in the EU, USA and China
Unlike traditional resources, data is intangible, mobile, and non-consumable. Data can be used by different individuals and businesses at different stages of production and consumption, and it brings more benefits than conventional resources [3]. But data, on the one hand, is created by entities such as people or organizations, and on the other hand, it requires storage. Both are located within national borders. It is generally accepted that data sovereignty is a subset of cyber sovereignty [4]. According to the definition of sovereignty, data subjects, data carriers, data operations and data resources within a country are under the jurisdiction of the national Government within the national borders of the country; beyond its borders, the national Government has autonomy and has an independent and equal status along with other national governments.
In the field of data management, EU legislation often borrows the experience of other countries; its legislative history can be traced back to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1981) and the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Directive 95/46/EC, 1995). In the latter document, the EU introduced for the first time the standard requirement of an "adequate level of protection" for non-EU countries as recipients of data, a rule that is still in force today. In response to the development of digital technologies, on April 14, 2016, the Council of the European Union adopted the General Data Protection Regulation (GDPR) [5], which entered into force on May 25, 2018 and replaced Directive 95/46/EC.
GDPR is a mandatory law that requires direct and uniform action in all EU member states. It does not require any changes in local legislation from the governments of the EU member states, which allows creating a harmonious data protection regime. Compared to Directive 95/46/EC, GDPR expands the scope of sovereignty over data, including companies located outside the EU but with an operational presence in the EU and serving entities in the EU. Penalties for GDPR violations have been significantly increased compared to previous laws, which also increases the effectiveness of GDPR. Theoretically, the GDPR is a territorial law, the fundamental boundaries of which are the entire European Union. The law makes a strict distinction between EU member States and non-EU member States. Article 46 of Chapter V states that the transfer of personal data to countries or international organizations outside the EU is allowed only if the level of data protection in the recipient country has been assessed as comparable to the level of data protection in the EU or if the recipient country is included in the list of countries "adequately protected" according to the GDPR. The GDPR explicitly states that the processing of personal data by processors or controllers whose organizations are established in the EU is subject to the GDPR, regardless of whether the action takes place in the EU, which reflects both the principle of territoriality and the principle of individuality. Therefore, it can be argued that the GDPR actually operates outside the EU. In general, data management in the EU is dominated by territorial jurisdiction, complemented by personal jurisdiction [6]. Its main purpose is the protection of personal data in the EU. It can be said that the law is conservative in nature. In recent years, new laws, such as the recently passed Data Management Bill and the Data Law, have contributed to further improvements in the EU's data management system.
Compared to the EU, US legislation in the field of data transfer abroad is more fragmented. On the one hand, the United States usually adopts separate laws by industry, for example, the Right to Financial Privacy Act of 1978 and the Financial Services Modernization Act of 1999 in the financial sector, the Export Administration Regulations and the Export Control Reform Act of 2018, and the Foreign Investment Risk Review Modernization Act of 2018 in the investment sector; on the other hand, individual US states have independent legislative powers, for example, the states of California, Washington, Colorado and Virginia have local legislative provisions on confidentiality of personal information. The most important law in the field of data management in the United States is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) [7], which was adopted in 2018 to settle the lawsuit of the US government against Microsoft. The law gives the U.S. government the right to access and receive data stored by Internet service providers in the country and anywhere outside of it. The CLOUD Act provides that data controlled by a data controller falls under U.S. jurisdiction if the data controller is a U.S. person (a U.S. citizen or an American company). This reflects the fact that the CLOUD Act is based on the principle of citizenship. According to the Act, the United States can directly access data stored by American companies in other countries, and the fact that American Internet companies operate worldwide makes the "long arm" jurisdiction provided for by the CLOUD Act applicable to most countries around the world.
In June 2015, the Standing Committee of the National People's Congress of the 12th Convocation adopted the Cybersecurity Law of the People's Republic of China, which states that critical infrastructure operators are required to conduct a security assessment when providing important data outside the country, except in cases where it is provided for by other laws. The Cybersecurity Law, as well as the Data Security Law and the Personal Information Protection Law, which were subsequently adopted as legislative acts, are the main laws on cross-border data transfer in China. These laws complete the development of the top-level Chinese data transfer regime abroad. With regard to the specific implementation of policy measures, special provisions are contained in by-laws, such as Measures to assess the security of data exports, Rules for the Certification of personal data Protection and Measures to conclude standard contracts for the export of personal data. For example, data such as important data, large-scale personal data and personal data processed by operators of critical information infrastructures meet the requirements of Data Export Security Assessment Measures, and data such as unimportant data, small and medium-sized personal data and personal data processed by operators of non-critical information infrastructures must meet the requirements of the Implementation Rules certification of personal data protection and Measures for the conclusion of standard contracts for the export of personal data. China has also developed targeted legislation in specialized areas of expertise, such as Anti-Money Laundering and Terrorist Financing Management Measures for financial Institutions, Regulations on the Management of Human Genetic Resources and Measures for the Management of Public Health Data. It can be argued that many legislative acts of different levels together constitute a complex Chinese system for managing cross-border data transmission.
Value orientations and reasons for the adoption of laws in the field of cross-border data transmission in the EU, USA and China
The development of national policies and laws should be based on the objective situation in the country, as well as meet national interests. The objective national conditions in the EU, the USA and China are very different, as are their national interests; therefore, the legal systems that are eventually formed have significant differences.
The EU attaches great importance to the rights of individual citizens in the data management process and views their personal data as a projection of citizens' power in the online world. The protection of the fundamental rights of EU citizens is the responsibility of the EU. The processing of data containing a large amount of personal information undoubtedly creates a risk of violation of citizens' rights. Therefore, the EU GDPR reflects the idea of conservatism and enshrines the right of citizens to be forgotten [8]. Based on the protection of privacy, the EU imposes strict restrictions on the transfer of data abroad and actually erects a high wall for data transfer. The protection of individual rights and privacy also protects the EU's digital security by preventing the leakage of critical information from the EU beyond its borders. At the beginning of the digital era, companies from the EU were competitive in the digital market and even held leading positions in the industry, but with the deepening of digital technologies, European digital companies, including Nokia, lost and were forced out of competition with American and Chinese companies. However, the EU, as one of the most developed regions in the world, has a huge digital consumer market with a population of over 400 million people. The EU relies on this market in its struggle for the right to set rules in global digital governance.
Based on the GDPR and the subsequent Digital Markets Act (DMA), the EU has established a number of market access criteria. To enter the EU market, digital companies from other countries must comply with EU data processing rules. Offshore companies are required to comply with GDPR when processing EU user data, regardless of whether this action takes place inside or outside the EU. GDPR has a well-developed punishment mechanism, so it is difficult for companies to circumvent this powerful law. The effective and stable functioning of the EU's cross-border data transfer regime has led many countries to recognize the protection of privacy and national security provided by the GDPR, which has served as a model for the development of national cross-border data transfer regimes in many countries. In the process of drafting laws, other countries often refer to EU standards and interact with the EU at the institutional level. As a result, multinational corporations also seek to comply with EU legal requirements outside the EU in order to harmonize standards and reduce the cost of doing business. The EU uses market mechanisms to achieve the "Brussels effect". This has led to the spread of EU standards from the unilateral to the global level, increasing the EU's regulatory power. Using market access rules to create the "Brussels effect" is a common way to expand the EU's international influence. For example, in order to limit the monopolistic behavior of technology giants in the EU market, on July 5, 2022, the European Parliament adopted the DMA, which is considered to be directed against the main digital platforms (gatekeepers) in the EU in eight areas: online search engines, online intermediary services, social networks, video sharing platforms, communication platforms, advertising services, operating systems and cloud services [9]. The largest companies involved in the project include Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.
The law has been positively received by other countries and regions, including Brazil, India, Japan, South Korea and the United Kingdom, which have already adopted or intend to adopt legislation on the DMA model.
Maintaining economic hegemony has always been a key strategic objective of the United States, where the idea of free trade has long existed. Today, in the digital age, data has become one of the main commodities. Free and fast cross-border data flow is a basic prerequisite for cross-border digital commerce. Therefore, the United States encourages the free flow of data on a global scale. Based on this, the United States is asking other countries to lower data transmission standards abroad and not to interfere with data transmission. Unlike the EU, the US has the most developed digital economy, and the American technology giants represented by MAMAA (Meta, Apple, Microsoft, Alphabet, Amazon) dominate many areas of the global digital market. By advocating for the free flow of data, the United States can collect and use the data it needs around the world thanks to the monopoly position of technology giants. The data can be replicated to accelerate technological progress and increase economic benefits, which further strengthens the economic hegemony of the United States. In addition to the economic consequences, the United States can achieve its political goals through free trade in data. Thanks to the CLOUD Act, the United States uses the "long arm" principle to access information from other countries. The CLOUD Act not only gives the U.S. government jurisdiction over U.S. citizens, organizations, or businesses, but also allows the U.S. government to access data from countries whose entities belong to the United States. This poses a serious threat to other countries' sovereignty over data.
Since American Internet companies operate all over the world, the United States de facto monitors global data, and the broad scope of the CLOUD Act is actually hegemonic. In recent years, due to the changing geopolitical situation, the liberal ideology of the United States in the field of data has gradually been replaced by conservatism. Based on the idea of geopolitical confrontation, the United States is setting targeted barriers for data transfer abroad. Initially, this idea was embodied in the National Security and Personal Data Protection Act of 2019 (NSPDPA, which has not yet entered into force). Although this law has not been implemented, its concept of banning the transfer of data to countries recognized as a threat to US security (Russia, China, Iran, etc.) migrated to the already approved and adopted Protecting Americans' Data From Foreign Surveillance Act of 2023 and Protecting Americans' Data from Foreign Adversaries Act of 2024.
In order to achieve its own economic and political strategic goals, the United States seeks to promote standards of free digital mobility. The conclusion of bilateral and multilateral agreements is the main measure used by the United States to promote its ideas at the international level. Depending on the number of participants and the region in which they are located, they can be divided into bilateral agreements (the Free Trade Agreement between the United States and Chile), regional multilateral agreements (the Agreement between the United States and Mexico and Canada) and agreements of international organizations (a voluntary system of Cross-border Confidentiality Rules). Through these agreements, the United States promotes its own key definitions and basic principles of data transfer abroad, creating a stable environment for the free flow of data and forming a "data alliance".
However, this approach is erroneous, and there is a risk that international agreements will be invalidated, such as the Safe Harbor and Privacy Shield agreements between the EU and the United States, which were eventually invalidated due to EU restrictions on data transfer abroad. Nevertheless, the US will include provisions on digital commerce and data flows in free trade agreements, and the concept of US data sovereignty will continue to be promoted around the world along with its political and economic activities.
The situation in China is more complicated. On the one hand, China has a huge market with a population of 1.3 billion people, the volume of data generated is extremely large, and there are many foreign enterprises operating in China, so the problem of transferring data abroad can pose a threat to the sovereignty and security of data in China. On the other hand, China is a fast-growing economy, and the digital economy is one of the main engines of its economic development. China has technology giants such as Huawei, Tencent, Alibaba and ByteDance, as well as a large number of foreign high-tech companies cooperating with Chinese companies. Too strict restrictions on cross-border data flows can weaken the competitiveness of national companies in the international arena and reduce the benefits of globalization [10]. Therefore, if higher standards of data transmission abroad are established, this will negatively affect China's economic development and international trade operations. As a result, China has adopted policies aimed at maintaining a balance between cyber sovereignty and free markets and data flows. In order to protect critical data from loss and facilitate the normal flow of ordinary data, China has developed a set of special ways to transfer data abroad, which mainly include three types: security assessment, standard contract and protection certification [11].
A security assessment is an assessment of the degree of risk through administrative licensing in accordance with the Measures for Assessing the Security of Data Exports issued by the State Internet Information Administration. The standard or standardized contract template signed between data exporters and data recipients requires other countries to provide the same level of data protection as in China. This initiative refers to the EU GDPR. Security certification means obtaining a certificate from an official or officially recognized third-party organization at the time of data transfer abroad that the recipient's data protection level is comparable to Chinese. However, in practice, the envisaged control system for data transmission abroad has not been implemented. Firstly, there are gaps in the regulation of non-vital and non-personal data; existing laws do not provide full coverage of all types of data, and data owners often prefer not to declare ambiguous data in order to avoid the additional responsibility that is associated with them. Secondly, the lack of clear boundaries between security assessments, standard contracts, and security certificates leads to overlap and confusion between regimes. In such circumstances, data owners prefer a more convenient, fast and simple security certification, and the effectiveness of security assessments and standard contracts is significantly reduced. Thirdly, the Cybersecurity Law stipulates that personal information and important data collected and generated must be stored in China, but the areas to which it applies are not specifically listed [12]. This "one question" phenomenon is widespread in the data management process in China. 
Fourthly, theoretically, the Chinese government seeks to find a balance between protecting the security of network data and promoting the development of the digital economy; however, in the process of real work, security concerns still influence the relevant decisions of government departments, enterprises and organizations.
Currently, the spread of standards and systems for cross-border data transmission in China is still very limited. An important achievement for China today is the Comprehensive Regional Economic Partnership Agreement (CEP) signed in 2020, to which China, Japan, South Korea, ASEAN, Australia and New Zealand are parties. In 2021, China and Arab countries published the Sino-Arab Data Security Cooperation Initiative, which calls on countries to respect data sovereignty. China is also promoting links with the global data market by applying for membership in recognized international organizations and international regulations such as the Regional Comprehensive Economic Partnership Agreement, the Comprehensive and Progressive Trans-Pacific Partnership Agreement (CPTPP) and the Digital Economy Partnership Agreement (DEPA).
Conclusion
The continuous flow of data from countries with weak digital technologies to hegemonic countries can exacerbate digital inequality and even lead to the colonization of data. Therefore, the concept of data sovereignty is being adopted by an increasing number of countries. The EU, the USA and China represent three modes of exit from the digital space. Currently, the EU is the dominant player in upholding the data sovereignty paradigm, with a set of mature and practical data protection mechanisms. As for the United States, its dominant position in the digital space forces it to oppose barriers to data transmission and advocate the free flow of data, but the United States can also use restrictions on data transfer abroad as a weapon of geopolitical competition. China is trying to find a middle way, although its current regime of exiting the digital space still has serious drawbacks. In general, the EU model is a worthy model for other countries that are disadvantaged in terms of digital technologies, and its successes and established standards can reduce the cost of developing legislation and law enforcement in other countries. However, excessive barriers to digital mobility can also create pitfalls of anti-globalization and accelerate the formation of the phenomenon of cyber-balkanization. It is worth noting that there are institutional contradictions between the EU and the USA on data transfer abroad and information protection, which lead to frequent conflicts that often end with penalties being imposed on American companies; the most famous example is a series of changes in EU requirements for Apple products. However, other countries that do not have such a large market as the EU are unlikely to be able to achieve similar results on their own. The geopoliticization of cyberspace is also alarming, and the growth of political data tools is inevitable in the future.
How to avoid the negative impact of geopolitics, especially in relations between China and the United States, on the global digital economy is an urgent issue.
References
1. Number of internet and social media users worldwide as of January 2024. Retrieved from https://www.statista.com/statistics/617136/digital-population-worldwide/
2. Digital trust: How to unleash the trillion-dollar opportunity for our global economy. Retrieved from https://www.weforum.org/agenda/2022/08/digital-trust-how-to-unleash-the-trillion-dollar-opportunity-for-our-global-economy/
3. Jones, C.I., & Christopher T. (2020). Nonrivalry and the Economics of Data. American Economic Review, 110(9), 2819-2958.
4. Chen B., & Wang B. (2024). Legal regulation and improvement of the procedure for data withdrawal from China within the framework of the principle of data sovereignty. Journal of Huaqiao University (Edition of Philosophy and Social Sciences), 2, 49-63.
5. General Data Protection Regulation. Retrieved from https://gdpr-info.eu/
6. Voss, U.G. (2022). Cross-border data flows, general regulations for the protection of personal data and data management. Bulletin of international organizations: education, science, new economy, 17(1), 56-95. doi:10.17323/1996-7845-2022-01-03
7. CLOUD Act Resources. Retrieved from https://www.justice.gov/criminal/cloud-act-resources
8. Lyu, K.A. (2022). Key directions of development of supranational legal regulation of the EU digital space at the present stage. International Law, 1, 61-75. doi:10.25136/2644-5514.2022.1.37674 Retrieved from http://en.e-notabene.ru/wl/article_37674.html
9. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022R1925
10. Xiong T., & Kong S. (2024). Building a global governance mechanism based on the concept of data sovereignty-challenges, directions and ways. Journal of Regional and Country Studies, 2, 75-90.
11. Ye, C., & Yan, W. (2024). On the current situation, problems and ways to improve the cross-border data transmission system in China. Journal of the Beijing University of Aeronautics and Astronautics (Social Sciences publication), 1, 57-71.
12. Shelepov, A.V. (2022). Approaches of the BRICS countries to data regulation. Bulletin of International Organizations: education, science, new economy, 17(3), 212-234. doi:10.17323/1996-7845-2022-03-0