Study On Legal Rules Of Cross-border Transferring Of Personal Data In The Cyberspace

Posted on: 2021-02-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Tian
GTID: 1366330647953542
Subject: International Law
Abstract/Summary:
This article is about the rules of cross-border transfer of personal data, which is often called cross-border data flow (hereinafter “TBDF”).

The first chapter works through the vertical development of TBDF rules with the time axis as the starting point. The main purpose of this chapter is to serve as an introduction to the key issue discussed, the TBDF rules, for analysis and discussion of the current rules. First, the meaning and origin of the TBDF rules are discussed in Section 1 of this chapter. Under the meaning of the TBDF rule, it is pointed out here that the TBDF rule is a technology-induced phenomenon. This phenomenon is not novel, but the development of technology has caused the technology to pose an increasing threat to the suspect. As for the law's attention to this phenomenon. Thus, Section 1 also draws the link between TBDF rules and the division of cyberspace. It reflects the exercise of national judicial power in cyberspace, and there is no irrefutable explanation in the current international law that this state division right is still a controversial issue. Section 2 of Section 1 discusses how the TBDF rule was generated. The main argument is that the TBDF rule originates from the protection of the right to personal data in the European Union, and that the dispute triggered by the TBDF rule was due to the conflict of different legislative values, that is, different legislators' different understandings of freedom of information circulation and personal information freedom. Therefore, in demonstrating the cause of TBDF, the Ministry decentralized and analyzed the reasons for the European Union's gradual adoption of TBDF regulations to regulate data transfer. And political reasons. When the relationship between the front and the back, the question is discussed here by discussing the target validity of the general rules (target validity of data protection). Second, the second section of this chapter is entitled "Modern Expression of Unilateral TBDF Rules". From a practical
point of view, the TBDF rule is still more of a domestic law (because the EU's personal data protection law has completed harmonization, this article considers the EU's personal data protection law represented by GDPR as domestic law). In Section 2, this article mainly selects the United States and China as a comparison with EU legislation. In terms of the legislative system and the completeness of the rules, neither of them can be compared with the EU, but because the United States and China are, in terms of economic volume, at the same level as the EU, and their legislative models are significantly different from the EU's, both legislative models are of significant reference value. Third, Section 3 of this paper introduces and discusses international multilateral rules on TBDF. An important feature of the evolution of TBDF rules is that domestic rules and international rules alternate and affect each other. Among them, the OECD rules of developed countries' economic organizations are the guide and they are gradually extended to other regions. Section 3, Part 1 analyzes the important soft law documents that affect the formation of the TBDF rules, including (1) the 1980 OECD Guidelines. The significance of this guide is that it integrates forward-looking legislation in some Western European countries, outlines eight privacy protection principles, and puts forward that privacy protection can be used as an exception for data circulation. The earliest proposed framework has a profound impact on the national data privacy legislation of OECD member countries. (2) The APEC privacy framework is the first multilateral privacy framework in the Asia-Pacific region, and its privacy protection rules are slightly weaker than the OECD guidelines. However, under this framework, APEC proposed a CBPR data cross-border transfer framework in 2011. Although a framework is not binding, it has to some extent filled a gap in the multilateral data cross-border transfer mechanism. Section 3, Part 2 mainly
analyzes the regional conventions related to the TBDF rules, including Convention 108, which is of a human rights nature, the TPP, which is of an international trade nature, and the GATS under the WTO. The first chapter strives to elicit the existence of TBDF rules at all levels, laying the foundation for discussion in this article.

Chapter II of this article focuses on the current challenges that data cross-border restriction rules will face. Cross-border data transmission is not a natural legislative measure. In the process of formulation and implementation, it faces dual pressures both at home and abroad. This pressure is manifested in three aspects, that is, three challenges: technical, foreign legislation, and theory. This chapter focuses on the analysis of these three challenges, and then provides relief ideas for the following discussion. The first section of this chapter mainly discusses the theoretical dilemma faced by TBDF rules. Due to its incorporeal and virtual nature, cyberspace does not have a border similar to physical space. Therefore, the theoretical premise that is ignored when the TBDF rule of the European Union is established is that the country must control the cross-border data transmission by setting a border. The question is divided into two levels: first, is there an independent cyberspace law? Second, what are the differences between international cyberspace and international physical space?
First, this article discusses what the differences are between cyberspace rules and physical space rules, and what the reasons for these distinctions are. The second section discusses the practical challenges of the TBDF rules, mainly including two aspects: first, the lack of law enforcement power; second, the challenge of foreign law. The lack of law enforcement has been discussed in Chapter 2 and Chapter 4 of this article, and the challenges of foreign law discussed in this chapter are mainly from the US foreign data retrieval method. The first research object in this section is the US FISA Act, which authorizes the government to obtain data on foreigners, including personal data, during investigations involving foreign intelligence supervisors. It also analyzes how EU law responds to this and its effectiveness. This article believes that the EU TBDF regulation is actually difficult to deal with when accessing overseas data. On the one hand, GDPR excludes data processing activities that involve public safety. On the other hand, the EU cannot implement punitive countermeasures against foreign data retrieval. The second research object in this part is the US Cloud Act, which means that the United States will expand the scope of overseas data retrieval from national security grounds to serious criminal offenses. Cope with and resolve. The third section discusses the challenges faced by the existing data cross-border transmission mechanism in dealing with new technologies. This section takes cloud computing technology as an example and discusses the TBDF mechanism under the EU paradigm in cloud computing scenarios: because it uses restrictions based on the data storage location, it cannot respond to cross-border data needs in cloud computing scenarios at the regulatory level or the execution level. On the one hand, if the law enforcement is too strict, it will consume huge regulatory costs, and it will inevitably cause substantial restrictions on the cloud computing industry; on the other hand, due to the
fragmentation of data in cloud computing scenarios, distributed storage features, and the global layout of cloud computing infrastructure data centers, cloud computing transmits data across borders all the time in the process of processing data, and regulators obviously do not have sufficient resources to cope with this phenomenon. Therefore, in this part of the article, we judge that in the cloud computing scenario, the EU TBDF legislation model, which is based on the protection of personal information and restricts data storage and transmission, cannot meet the challenges brought by new technologies.

Chapter III of this article deconstructs and analyzes the elements of the TBDF rule. This article proposes that the TBDF rule as a specification has three elements: role factor, legal benefit element and behavior element. First, the first section is entitled "Overview of TBDF Regulation". This section contains two sections. The first section introduces and discusses the specific performance of TBDF regulation. This section proposes "unilateral direct supervision" and "unilateral indirect supervision."
In these related concepts, the so-called "unilateral" refers to a restriction that a country has made without international negotiation procedures. The so-called “direct” means that the data is directly used as the measurement standard. The indirect means does not use data location as the benchmark, but the quality of the data transmitter and data receiver needs to be considered. In addition, this section discusses why the EU paradigm is difficult to become a global regulatory paradigm and the need to reshape the legislative logic of direct unilateral regulation, and proposes the possibility of the transformation of unilateral regulation into joint regulation (through international cooperation). Section 1, Part 2 analyzes two problems in the EU TBDF regulatory paradigm: First, it lacks an argument for cyberspace jurisdiction, and this part discusses why cyberspace jurisdiction is a prerequisite for countries implementing unilateral regulation in the TBDF rules; second, it analyzes that the nature of the TBDF rules is a technical specification, which is updated with the development of technology, and it is difficult for legal norms to respond positively and promptly to technological updates, and it is supported by SWIFT cases. Secondly, Section 2 of this chapter discusses the contents of the TBDF rules, including the subject of TBDF supervision, the objects to be supervised, and the interests protected by supervision. First of all, in the part on the supervisory body, this article analyzes the independent supervisory authority in the unilateral mechanism. This concept is derived from the EU Personal Data Protection Law, and the article discusses whether the supervisory body has reference value in China in light of China's specific circumstances. In addition, taking the joint supervisory bodies set out in the US-European Safe Harbor Agreement as an example, the possibility of joint supervision through state cooperation under bilateral or multilateral agreements is discussed as a reference. Secondly, in terms of
protected interests, the interests protected by the TBDF rules, that is, the right to protect personal data, are discussed, combined with the right to information privacy in the United States and the right to personal information widely discussed in our civil law community. Starting from the historical evolution and development of this right and based on the current discussion, it discusses whether the recognition of protected interests under different paths affects the TBDF regulatory path and how it affects it. It also proposes that the right to personal information should not follow the EU's theory of self-realization and the right to self-determination of personal information, and gives the reason. Finally, in terms of the objects of supervision, it is discussed that the objects of supervision include data transmitters and data receivers, corresponding to the concepts of the European Union, namely data processors, data controllers, and data transmitters under secondary transfer. In the data transmitter section, this article mainly analyzes how data processors are gradually included in the data transmitter during the development from the Directive to the GDPR, and compares the different understandings of the EU and of the United States and China regarding the scope of data transmitters. The former includes all types of data controllers and processors in the range of data transmitters without distinction, while the latter two distinguish between for-profit and non-profit enterprises, and have imposed restrictions on data transmitters such as turnover and data processing scale. Combined with their differences, this article concludes that it tends to limit the scope of data transfer. As far as data receivers are concerned, this article explains the nature of the TBDF rules, that is, protecting the interests of data privacy, and concludes that EU regulations on data receivers do not fully comply with its legislative purpose, because the EU does not define transfer and does not make disclosure an essential
element of transfer, which makes it difficult for the recipient of the data to further screen whether they accept the data as subject to disclosure. In other words, in the EU model, the range of data recipients is improperly expanded. This article establishes that specific requirements should be made on whether the data accepted by the data receiver itself is subject to disclosure. Where data has been strictly encrypted and the data receiver does not have access rights, the receiver should be excluded from the scope of qualified receivers. Third, the meaning of "transfer" is discussed in Section 3 of this chapter. As pointed out in the article, transfer is the core concept of TBDF regulation, and unclear understanding of this concept will directly lead to the ambiguity of regulation and the applicability of laws. Section 3 first creatively proposes the concepts of positive transfer and negative transfer. This group of concepts lacks objective discussion in the existing academic circles. However, this article believes that the formulation of TBDF rules must distinguish between, or clearly define, positive transfer and negative transfer. The so-called active transfer is the act of a domestic transmitter intentionally transmitting data to a recipient overseas. The recipient is generally clear and fixed. For negative transfer, the transmitter may only transmit the data to a public server. Anyone in the world can obtain relevant personal data by accessing the server it is transmitting to, and this transfer is negative. In addition, for positive transfer and negative transfer, this article cites the most famous case of the Court of Justice of the EU (ECJ) to prove it, namely the Lindqvist case. This case first raised the problem of whether uploading data to a local server constitutes a transfer behavior. However, this case is inadequate, because it does not respond to the transfer of the output to a server outside the domain, or to say that the data is obtained by a clear data receiver
overseas. Therefore, based on the logic of the decision, this article has carried out further deductions and demonstrations. Next, Section 3 also focuses on the issue of secondary data transfer. The so-called secondary transfer, that is, after the data is transmitted to overseas data recipients, should the data recipients transmit the data to a third country for a second time? This approach is subject to TBDF regulation. This article considers that the secondary transfer limitation in GDPR comes from the agreement between the data receiver and the European Union. This agreement gives binding power to the secondary transfer, but Article 44 of the GDPR directly treats the secondary transfer as the object of the restriction because of its lack of jurisdiction without restraint. Regarding EU secondary transfer rules, this article combines Zhang Xinbao and Ge Xin's "Expert Opinion Draft on Personal Information Protection Law" and "Measures for the Evaluation of the Exit of Personal Data Security (Consultation Draft)". Problems. The last part of this chapter discusses this article's understanding of the nature of transfer restrictions. This article believes that the nature of transfer restrictions is a state's exercise of jurisdiction over cyberspace actions, and therefore cannot be separated from the justification of such jurisdiction.

Chapter IV of this paper is the core part of the thesis. This part mainly studies the mechanism of TBDF, that is, how its legislators restrict the data transfer across borders. Since the EU has formed a complete TBDF mechanism, the discussion is mainly centered on the EU. First, Section 1 is titled the types and objectives of the TBDF mechanism. The main purpose of this section is to clarify what types of TBDF mechanisms exist globally and what the specific goals for the implementation of the mechanism are. This section first notices that the TBDF mechanism is a mechanism for protecting the right to personal information, so it is closely related to the choice of
personal information protection mode. Therefore, the first part of Section 1 compares several modes of personal information protection. The first is a comprehensive protection model based on the theory of information self-determination. The European Union has chosen this model. The adopted theory of information self-determination has directly caused the "cross-border" factor to become the basis for transfer restrictions. The second is the decentralized protection model of information privacy rights in the United States based on the field theory. US law treats information privacy as a branch of privacy protection, and privacy is the protection of areas outside the public domain. This strict distinction between privacy and non-privacy areas means that not all identifiable personal information is protected by U.S. information privacy laws, and identifiable personal information without privacy attributes is not protected by information privacy laws, so the restrictions under the U.S. decentralized protection model are much smaller than those determined by the European Union. In addition, this part also analyzes the discussions on the basic theory of the right to personal information by foreign civil law scholars. This part is the key to the formulation of the personal data protection law in China and the key to how to choose the TBDF regulation model in China. This article notices that China's civil law community is generally skeptical and critical of the EU's absolute personal information right theory, and the right to self-determination of personal information has not reached a consensus in China's current academic field. From the perspective of some legislative practices, we can also find that China has a comprehensive legislative draft of information privacy right, as well as a conflicting state of decentralized legislative practice, which shows that our academic circles have not really reached a consensus on how to protect information privacy. Reflected in the TBDF rules, there is little
discussion on how to regulate them. The second part of Section 1 discusses the types of TBDF mechanisms. They are broadly divided into three types. The first is based on the principle of prohibiting cross-border transfer, with the exception of allowing data to be transmitted across borders. According to the reasons for allowing transfer, it can be divided into two types: the type in which the law of the data transfer place meets certain conditions (that is, the EU adequacy recognition type) and the type in which the domestic transfer provider provides a guarantee (contract type). The second takes promoting circulation as the principle and restricting circulation as the exception. This type of TBDF rule is mainly found in multilateral data privacy frameworks, because most international agreements related to privacy protection are based on the principle of promoting the cross-border circulation of data, and privacy protection is a newly emerging issue in the cross-border circulation of data. This issue should not be an obstacle to the cross-border flow of data, but countries can be permitted to make relevant data cross-border transfer exceptions for reasons of privacy protection. The third does not distinguish between internal and external, and adopts the same transfer supervision principles. The subtext of this model is that cyberspace is similar to a global public domain, and national jurisdiction does not necessarily map to cyberspace. This view does not recognize the existence of so-called borders in cyberspace, and the state can exercise jurisdiction over acts in cyberspace based on general jurisdictional principles, while domestic law certainly applies to data transfers that take place on servers abroad. This model is most typical in the United States. Section III discusses the purpose of the EU's restrictive TBDF mechanism. Although the EU has always stated that the GDPR aims to promote the free flow of data, the premise is that the country or international organization receiving the data can provide the EU's equivalent data protection
standards. However, it is clear that other regions need to undergo long-term legislative changes to reach EU standards, and they will not be completed. In other words, EU legislation objectively restricts the transfer of data across borders. This article argues that the purpose of EU legislation is more based on economic and political considerations. As a technologically backward region, the EU has a very competitive market, and it has the right to speak in the relevant legislation economically. And most countries and regions in the world are in a relatively weak position in the digital service market, and EU legislation can swap the empathy of these regions. In addition, although the EU's relative technological strength and relative economic strength are declining, in recent years the EU has been enacting strict cross-border regulations to expand its political influence in the global market. The legislative industry has become an important means by which the EU demonstrates influence in the world today. In this regard, this article believes that this method of enlarging its influence through legislation is actually worthy of our study, especially in the formulation of TBDF rules. China has certain market advantages and technological advantages. Its rule making cannot be replicated and should be fully integrated with its own industrial policy. Secondly, the content discussed in Section 2 of this chapter is the specific provisions of the EU TBDF, which is mainly based on Articles 44 to 49 of the GDPR, and combines the relevant provisions in Directive 95 to study how the EU regulations have evolved gradually. The TBDF mechanism under the EU mechanism is based on the fact that the data receiving place can provide protection standards similar to the European Union. The first path is through the full admissibility of the European Commission. Therefore, Section 2 first discusses what the adequacy determination is, the procedures and content of the adequacy determination, and the problems existing in the
adequacy determination. Finally, based on the analysis of China's current actual situation, it is proposed that although China cannot meet the EU's overall adequacy determination standard, this does not mean that the provision has no practical significance to China. Section 2 then discusses the TBDF workaround in the case of not satisfying the adequacy determination. In the GDPR, such a workaround is called "guaranteed transfer". Under the GDPR, guaranteed transfer mainly includes standard contract terms (SCC) and binding corporate rules (BCR). The former is applicable to general enterprises, while the latter is only targeted at powerful multinational companies due to complex procedures and high costs. Whether it is SCC or BCR, overseas business entities have proactively indicated that they are subject to the EU TBDF rules. The EU's jurisdiction is based on the consent of the companies involved, that is, contracts between the European Commission and the companies. However, in the course of this study, I realized that there is a problem with both of them, that is, the validity of the contract between the two parties cannot counteract the mandatory regulations of the country where the data is received. However, in China's legislation, the “Administrative Measures for the Evaluation of Outbound Personal Data Security (Consultation Draft)” in 2019 is used as an example to partially absorb and draw on the provisions of the SCC, but fails to directly resolve the validity of the contract and cannot counteract the legal effect problem. In addition, the GDPR also stipulates derogation rules, that is, in the absence of a sufficient adequacy determination and a guaranteed transfer mechanism, legal data can still be transmitted across borders through derogation channels. Third, Section 3 of this article discusses the bilateral agreement reached between the United States and Europe on TBDF. This mechanism is to address the need for cross-border data transfer on the premise of the huge differences in information
privacy protection paths between the United States and Europe. But the Safe Harbor agreement in response to the Schrems case triggered by the Snowden incident has been abolished. And at this stage, the privacy shield agreement is still in an unstable state, and there is a possibility of being abandoned at any time. The section also discusses the US-European Passenger Name Record Agreement (PNR), which deals with specific types of personal data, and has been in use since it was first signed in 2004. This agreement has certain reference value for constructing specific types of bilateral TBDF rules. Fourth, Section 4 is the core part of this chapter and a summary of the above discussion. This part of the article puts forward an important point of this article, that is, the current EU TBDF rules not only bring practical obstacles to the cross-border flow of data, but also their implementation is not fully effective and cannot meet the original intention of formulating the rules. The main effects of the poor results are: first, the contradiction between insufficient law enforcement resources and long-term growth in data traffic; second, the EU TBDF mechanism is fundamentally incompatible with the development of network technology. In addition, this section also summarizes the reasons for violating the EU mechanism in data transfer. The first is that the EU TBDF mechanism is too complex, so that many companies simply do not know or are not familiar with the rule. Second, due to the high cost of compliance, through precise calculations, many enterprises would rather violate the TBDF mechanism intentionally. Finally, this article evaluates the EU TBDF mechanism, and considers that it is objectively the most complete mechanism for cross-border data transfer in comparative law, but its policy function is greater than its legal function and its oath significance is greater than its regulatory significance. In addition, the EU TBDF mechanism is not without any enlightenment; at least it reminds the latecomers to pay
attention to the key significance of the market in data cross-border legislation, and to use their own market advantages to serve legislative purposes. In addition, law-making ability is also the key to shaping a country's international discourse power. China should also strengthen its law-making ability and reasoning ability in international legislation. Finally, a glimpse into the whole leopard, the EU's TBDF rules exactly reflect the increasingly stringent personal data protection environment in the world, and it seems to be becoming the focus of attention like environmental issues.

Chapter V mainly discusses the lessons China has learned from the TBDF mechanism set forth by other jurisdictions and how we should face the challenge it brings. First of all, this article believes that the regulatory logic of the TBDF mechanism should be clarified based on national security reasons rather than personal data protection. This is because China has not yet established a constitutional and human rights protection of personal data; it is a personal privacy benefit that should be addressed within the framework of civil law. However, the restriction on the exit of personal data is a public law measure, and it should be established under a more reasonable framework. This article insists that national security is a reasonable restriction logic. Secondly, this article also puts forward corresponding suggestions for the United States' overseas data collection laws (that is, FISA and the Cloud Act), and believes that, first, data encryption requirements should be introduced into the law. The reason is that the security of data is not based on where the data is stored, but based on the control rights of the data, that is, the access rights and the rights to restrict access by others. Data encryption is obviously more directly related to the problem than localization requirements. Second, the international community's evaluation of the concept of data localization is relatively negative. It is often regarded as a new type of
trade barrier and is criticized. Therefore, the scope of data localization in Article 37 of the Cyber Security Law should be strictly limited. Finally, this article also analyzes how the Chinese government and Chinese enterprises should respond to the TBDF mechanism under the EU paradigm from the perspective of a third country. It proposes that the government establish an EU-standard data safe harbor based on the free trade zone to attract domestic and foreign Internet companies. For large-scale Internet companies, in the current environment, BCR can be used to implement compliant data transfer with the European Union, and general enterprises can consider the SCC mode for compliant transfer...
Keywords/Search Tags: Information privacy protection, Transborder data transfer, Personal information rights, Cyberspace sovereignty