Study On Personal Information Protection In Cross-border Electronic Business

Personal data protection problems have frequently appeared in recent years.To begin with,GOOGLE was fined by data protection authorities(DPAs)in Germany and France due to abuse of their personal data.FACEBOOK was jointly sued by Europeans for the same reason.Xiaomi Mobile Phone was inspected by DPAs in Hongkong and Taiwan based on the their suspect of Xiaomi having sent personal data of local users back to its headquarter in the mainland.Following that,EU Court of justice announced that "the EU-US Safe Harbor Framework" became invalid in October 2015,affecting over 5500 American companies in the "harbor",which suggests that personal data protection issues have been lifted to the level of bilateral trade relationship.What's more,Trans-Pacific Partnership Agreement(TPP)that has attracted great attention of APEC economies also includes clauses about personal data protection in Chapter 14 "Electronic Business",namely,"Personal Information Protection"(14.8)and "Unsolicited Commercial Electronic Messages"(14.14),which embodies that personal data protection problems have entered the negotiation of multilateral economic agreement.Developed countries such as the U.S.and EU have attached great importance to personal data protection during recent years.EU proposed in January 2012 that Directive 95/46/EC issued in 1995 be modified and updated to regulation.The recent news shows that "General Data Protection Regulation"(GDPR)has been approved by a few EU institutions at the end of 2015.The new regulation will replace the previous 28 personal data protection laws.The U.S.accordingly has been promoting "Cross-border Privacy Rules"(CBPR)at APEC,and wishes TPP participants to join it.Why do powerful economies have paid so much attention to privacy issues? In fact,they are grabbing the discourse power on personal data utilization rules.In digital economy,personal data have become an indispensible part of commercial activities.Companies which collect,store,use,process and transfer personal data have to obey certain rules,which are personal data protection rules.In the coming global commercial competition,those who have more say in making privacy rules will win more advantage.That's why powerful economies are so dedicated to privacy rules making.Many regional economic organizations have also been pushing construction of personal data protection rules during recent years.The Council of Europe decided in 2012 to modify Convention 108 issued in 1981 and reform it in the direction of "modernization" and "internationalization".OECD has recently updated the privacy guideline first issued in 1980,emphasizing on global vision and international compatibility.APEC introduced "Cross-border Privacy Rules" in 2012 and invites economies to join.Countries in Africa and Latin America as well as ASEAN nations have enacted many personal data protection laws during recent years under the guidance of their regional economic organizations.Why are regional economic organizations so active in making and updating personal data protection rules,and some have showed clear intention of developing regional rules to international ones,such as the Council of Europe and OECD? Why are they pushing member economies to enact privacy laws? The mission of the regional economic organizations is to promote unification of internal market and increase competitiveness against outer world.However,differentiation of privacy laws between member economies will create obstacles to cross-border flow of personal data,producing unfavorable impact on regional economic development.Therefore,regional economic organizations have undertaken the task of coordinating national privacy laws to promote development of cross-border e-commerce in respective regions.Conclusions can be drawn from the above phenomena that personal data protection is closely related to cross-border e-commerce,and it does not only have impact on individual companies,but also on bilateral and even multilateral economic relationship.Powerful economies and regional economic organizations have attached more and more importance to personal data protection issues,and hope to have a greater say on privacy rules making.What core problems are involved in personal data protection in cross-border electronic commerce? They are utilization rules and legislation of personal data,jurisdiction of privacy laws,international coordination mechanism of privacy protection and international privacy standards.Collection,storage,use,process,transfer and disclosure of personal data should be based on certain rules.Privacy laws,frameworks and guidelines made by regional economic organizations are all making rules over personal data utilization.Laws have jurisdiction problems,and privacy laws are no exception.However,personal data in cross-border e-commerce cross borders frequently and cause much confusion to law jurisdiction.The development of cross-border e-commerce requires free flow of personal data,but differentiation in principles,content,protection level and jurisdiction of privacy laws form obstacles to personal data flow.To solve this contradiction,international coordination mechanisms including bilateral and multilateral ones need to be built.In addition to legislation,industry self-regulation can also play an important role.Advanced international privacy standards can improve privacy management level of enterprises in a short period,eliminate hidden dangers of personal information leak or infringment,and coordinate the privacy protection level in the same industry internationally.In order to make the four problems clear,this paper has adopted various research methods like literature reading,statistics,interviews,workshops,comparative study,cross-cutting research,induction and internet resources searching.Six conclusions have been drawn as follows:1.At least 109 privacy laws have been enacted in the world by the end of January 2015 including 95 countries and 14 other independent jurisdictions.The number of privacy laws enacted by European countries accounts for nearly half of the total.The speed of producing new privacy laws becomes higher every ten years,and 5.8 laws are issued every year on average recently,mostly from developing countries in Asia,Africa and Latin America.Four conclusions can be drawn from the pattern of world personal data protection legislation: European personal data protection laws place an important role in world privacy protection legislation;regional economic organizations exert major influence on privacy protection legislation process of member economies;most privacy laws are independent at national level governing both private and public sectors;most jurisdictions having privacy laws own data protection authorities.2.The paper has conducted comparative study of 10 privacy laws whose countries or areas have close economic relations with China,and found that all of them have clauses about collection,accuracy,security,access,verification and deletion of personal data;6 of them have clauses about protection of sensitive data;5 of them require independent DPAs to be set up with detailed power description.3.There are three tendencies for jurisdiction theories of privacy laws: applying traditional jurisdiction theories to information privacy protection,building new theories specialized for information privacy,and leaving it to internet self-regulation.Building totally new jurisdiction theory for internet is possible in the long run,but at present,the traditional theories still need to be fully utilized.Traditional jurisdiction theories are based on the principle of "nationality" or "territoriality" as well as "location of devices" mentioned in Directive 95/46/EC.According to "nationality" principle,the law of country where the data subject belongs to governs the privacy infringement case.However,most countries are unwilling to be governed by laws from other countries,thus the conflicts arise frequently.Principle of "territoriality" encounters the problem of choosing "territoriality" : that of the seller or the consumer.Choosing the former will put consumers at disadvantaged position,and choosing the latter will put enterprises under more risks of facing privacy laws of other countries."Location of devices" stipulates that the law of the country where the processing or computing devices are located govern the privacy infringement cases,but it is incapable of dealing with cloud computing cases.Cloud computing has posed the greatest challenges to traditional jurisdiction theories with its nature of frequent transfer between borders.The paper suggests that the principle of "nationality" should be mainly used,control of storage location be changed to control disclosure to third parties,and personal data in cloud computing be anonymized.4.Existing bilateral coordination mechanisms of personal data protection includes mutual legal assistance,contract and industry self-regulation.Multilateral mechanisms are basically formed along two paths: institutional path and non-institutional path.Only EU takes the institutional path,forcing members to enact privacy laws based on Directive 95/46/EC.Many other mechanisms follow non-institutional paths with greater variety and broader sense,which include "Convention 108" of the Council of Europe,privacy guideline of OECD,"Privacy Framework" and "Cross-border Privacy Rules" of APEC,guidelines of United Nations,international and regional DPA conferences.Multilateral coordination mechanisms about personal data protection have three development trends: difficulty of forming globally unified coordination mechanisms,non-institutional ones having more importance,and professional coordination mechanisms being formed.5.Regional privacy rules are products of multilateral coordination mechanisms and complementary methods of legal coordination.At present,there are only two regional privacy rules: CBPR of APEC and BCR of EU.The two rules have similarities but also many differences in participants,applicable range,application procedures and supervisory mechanisms.They both have advantages and disadvantages while serving the same purpose and pursuing mutual recognition.6.International privacy standards can be divided into technical standards and management standards.Management standards have experienced three periods of development,which are represented by Fair Information Practice,Privacy Impact Assessment and Privacy by Design.The development trends of international privacy standards are: developing from technical standards to management ones,from single standards to comprehensive ones,DPA starting to lead the design of management standards,a combination of standards and laws having been realized.