The digital economy is based on cross-border data flow, where data gains value through its unprecedented mobility and access. Cross-border data flow has become the latest battlefield of international trade, and how to use data has become a key factor in the development of digital trade. Although cross-border data flow plays a huge role, it also has a negative impact on national security, public order and consumer privacy. Law struggles to keep up with the pace of technology, the current regulatory approach does not match cross-border data flows, and the lack of certainty and coordination between different rules will have a negative impact on the digital economy. The regulation of the cross-border flow of personal data has attracted multi-dimensional attention from governments, consumers and enterprises. Whether it is possible to strike a balance between national security interests, economic interests and personal data protection interests is a question under consideration by all countries. The EU hopes to carry its basic values and normative standards into the digital space; at the heart of its policy is increased concern for the fundamental rights of EU citizens in the context of human rights. The U.S. is concerned with the value of personal data as a commercial asset and the economic value of data flow, so “market openness” and “the impact of restrictions” are its major concerns. China is in a period of rapid development of information technology, and the personal data of Chinese citizens is a huge market. The development of cross-border e-commerce inevitably involves the transmission and exchange of data at the global level, so it is urgent to regulate the cross-border flow of personal data at both the domestic and international levels. The construction of rules for the cross-border flow of personal data is under dual pressure from the EU and the U.S. Especially since the EU and the U.S. have reached a partial consensus and most G20 economies follow the
rules of the two, China is marginalized by these rules. As cross-border data flow is both a domestic and an international issue, involving domestic policy and international coordination, and in order to cope with the two regulatory systems of the EU and the U.S., this paper conducts a comparative study of the EU and U.S. rules on the cross-border flow of personal data from the perspective of data privacy protection. After a detailed analysis of the state of research at home and abroad, the author believes that current research on the cross-border flow of personal data is not systematic and is fragmented. The problems fall into several categories. First, research on the specific manifestations of the differences between European and American policy objectives is not systematic enough. Second, analysis of the European and American regulatory models mainly focuses on the differences between the models themselves, and there are few studies on how the regulatory models are embodied in trade negotiations. Third, the study of the differences in legislative frameworks and in the basic concepts of data privacy protection is not systematic enough. Fourth, the enforcement mechanism has not been systematically studied from the perspective of differences in government functions, extraterritorial jurisdiction, and supervisory and remedy rules. Fifth, most research on cross-border regulatory cooperation focuses on regulatory cooperation over market behavior, and little domestic literature addresses data exchange in law enforcement cooperation. Sixth, current research has neither taken the perspective of a comparative study of Europe and the United States nor refined and summarized the main contradictions in European and American rules, and offers no systematic suggestions for the construction of China's rules. Therefore, based on existing research results, this paper analyzes and compares the EU and U.S. models of cross-border flow of
personal data, and identifies the main contradictions in rule construction. Owing to subjective and objective constraints, this paper cannot exhaust all the issues involved in the cross-border movement of personal data. It chooses the perspective of data privacy protection mainly because data protection and privacy legislation routinely regulates the cross-border movement of personal data; one of the main motivations for regulating cross-border data flows is that they may circumvent national data protection laws, behind which lies the issue of harmonizing data protection and privacy laws. The rules of international agreements on the cross-border movement of personal data are derived from the data protection laws of the participating countries. The main reason for the differences between the EU and the United States is likewise the fundamental difference between their data privacy protection systems. On this basis, from the perspective of data privacy protection, this paper discusses the differences between the European and American rules and their causes through theoretical and empirical analysis. Based on the key issues in the "Privacy Shield Agreement" negotiations, this paper studies the rules in five aspects: policy objectives, regulatory modes, legislative frameworks, enforcement mechanisms, and cross-border regulatory cooperation. The focus of this thesis is the analysis of the differences between the European and American rules and the construction of Chinese rules at the domestic and international levels. Specifically, this paper consists of six chapters with nearly 240,000 words in all, as follows:

Chapter 1, "The difference analysis of policy objectives". The primary purpose of this chapter is to identify the differences in the policy objectives of the European and American rules on the cross-border flow of personal data, and to lay a foundation for the following chapters to further analyze the differences in the
legislation, implementation and regulatory cooperation rules under the guidance of the policy objectives. This paper argues that EU regulation is mainly concerned with data privacy protection. The EU has strengthened the protection of data sovereignty interests in its regulation of cross-border data flow. The EU hopes to shape a true "Single Digital Market" through the implementation of three important documents, "Shaping Europe’s digital future", the "White Paper on Artificial Intelligence" and the "European data strategy", and thereby to reduce dependence on key technologies from other parts of the world and regain "technological sovereignty". The EU protects personal data and privacy rights as fundamental rights. When other interests conflict with data privacy policy, a proportionality analysis is carried out, and any behavior that diminishes the constitutional interest and violates data privacy is not allowed. The EU introduced its data privacy policy objectives into the WTO, made the "GATS privacy exception clause" a basis in international law, and continuously advocates a global culture of data privacy protection in multilateral forums. The United States focuses on industrial interests and national security interests. It advocates freedom of speech and the free flow of data, insists that the free flow of data is the core of the democratic system, attaches importance to building a strategic system of data sovereignty and to evaluating the economic value of cross-border data flow, and constantly improves its assessment system. The United States explained the value of cross-border data flow to the WTO from three aspects: the importance of cross-border data flow to economic development, the impact of restrictive measures on digital trade, and the balance between cross-border data flow and privacy protection. At the same time, the United States is committed to reducing the impact of digital trade policy barriers in two ways. One is measures specific to digital trade, to
reduce the impact of data localization rules and data privacy protection rules on trade; the second concerns traditional market access and investment policies affecting goods and service providers, with emphasis placed on regulating regulatory measures, censorship measures, intellectual property-related regulatory policies, digital payments affecting market access, technical standards, government procurement and foreign investment policies for both private and public cybersecurity. After 9/11, the United States raised its national security goals to an unprecedented level, and data protection law established a "process-oriented" legal standard, meaning that attention should be paid to process when determining and implementing measures, so as to ensure the reasonableness of the process, in the interests of national security. Through this analysis, this paper concludes that Europe and the United States differ greatly on the basic concept of cross-border data flow. The high standard of data protection reflects EU society's demand for data privacy, while the free cross-border flow of data reflects the economic interests of American industries. In the face of U.S. national security interests, industrial interests and freedom of speech, the goal of data privacy protection is a kind of interest that can be "sacrificed".

Chapter 2, "The difference of regulation mode". This chapter attempts to study the "adequacy" model and the "accountability" model of cross-border data flows in the EU and the U.S., and analyzes the differences in regulation mode reflected in WTO multilateral and FTA negotiations. The chapter first analyzes the origin, definition and authentication methods of the EU "adequacy" mode, and finds that the "adequacy" mode has the dual characteristics of flexibility and limitation and that its applicability is decreasing. At present, the United States tends to strengthen the construction of the "accountability" model: the USMCA supports the expansion of "accountability", the National
Institute of Standards and Technology (NIST) Privacy Framework version 1.0 proposes strengthening the implementation of "accountability", and the United States hopes to use APEC and the OECD to further promote and consolidate this regulatory approach. The "accountability" model and the "adequacy" model are different but closely related, and the trend now is toward a combination of the two. As for the regulation of data localization, the EU will build a single EU digital market internally, promote the free flow of data within the EU, and strengthen external supervision and data privacy protection. The EU is trying to create a "Europe-only cloud" or a "Schengen cloud" that would limit Internet traffic to within the Schengen area. The United States has identified data localization requirements as the main digital barriers to trade, placing greater emphasis on the free flow of data. In foreign policy, the U.S. focuses on market openness and on the restrictive policies adopted by various countries, and strictly restricts data localization rules. The differences between the European and American regulatory models are embodied in their positions at the WTO and in the FTAs each dominates. From the perspective of combining trade and privacy, this paper analyzes and discusses the general exception for data privacy under GATS and whether the protection of network data privacy can be an exception under GATS, and argues that GATS sets minimum restrictions on the enforcement of data privacy law. The EU tries to avoid lowering data protection standards under FTAs. Although FTAs show some convergence with the EU system, they are far from harmonized with EU rules. The United States, through the FTA channel, places the issue of the free flow of data in bilateral agreements for negotiation, then moves to regional agreements, then to multilateral forums, and negotiates repeatedly in bilateral, regional and multilateral settings as required; cross-border data flow is regulated in the FTA chapters on electronic commerce and digital
trade, and the requirements of promoting cross-border data flow and strictly restricting data localization to reduce digital trade barriers are clearly put forward. This paper analyzes the rules on cross-border data flow in American FTAs before the USMCA and the latest provisions of the USMCA, as well as the possible influence of the USMCA on privacy law. It further analyzes the focus of dispute in, and the reasons for the stagnation of, the TTIP and TiSA negotiations. This paper believes that FTAs are likely to redefine future cross-border data flow and data privacy legislation.

Chapter 3, "The difference in the legislative framework". This chapter tries to analyze the differences in constitutional protection, basic legislative mode and the basic ideas of data privacy protection. According to the analysis, European data protection law provides comprehensive protection at the constitutional level, and its favored discourse pattern is "rights talk". The constitutional provision for data protection in American law is very limited, and the preferred discourse pattern is "market discourse". In the legislative framework, the EU uses a strict top-down regulatory system. The GDPR adopts a unified legislative model and maintains a three-level regulation mode for cross-border data transfer, which not only restricts transfers but also provides comprehensive tools and measures to guarantee data flow. The United States does not broadly restrict cross-border data flows; its traditional approach is to regulate specific data types by sector. The U.S. adopts a "patchwork approach" to data privacy protection, a combination of federal and state statutory law and common law. In terms of consumer privacy protection, the United States first advocates "self-regulation", combining sectoral legal regulation with corporate self-control. Taking the principle of the free flow of information as its starting point, American law locates information privacy law in the field of the market. Market
discourse and market logic dominate the law, allowing the processing of any personal data except where restricted by law, so there is no uniform statutory requirement in the United States. The U.S. Congress still faces internal problems in data protection legislation, such as the choice between the "normative definition method" and the "result based" method, the definition of protected information, how to improve limited enforcement, private litigation and qualification to sue, and the priority between state and federal law; the CCPA will have a profound impact on federal legislation. In the definition of personal data (information), there is a difference between a consistent definition and diverse definitions: the EU tends toward "expansive interpretation" and the U.S. toward "simplified interpretation", and the definition of personal information under the CCPA is gradually approaching that of the GDPR. The EU protects the "rights of data subjects", and control of data rests with the data subject, while the U.S. protects the "privacy of consumers", and control of data leans more toward enterprises. The U.S. attaches more importance to the interests of "data processors", and American law is more favorable to "data processors". EU law reflects a kind of "inalienability of data privacy", while U.S. law does not rely heavily on "inalienability of data privacy", does not establish a set of non-exempt mechanisms for the legality of data processing, and places no strong limit on the "contract and consent" model.

Chapter 4, "The difference of execution mechanism". This chapter mainly interprets the differences in the implementation mechanism from four aspects: government functions, extraterritorial jurisdiction, supervision rules and redress rules. First, the analysis finds that the obligation of the U.S. government in protecting privacy is to refrain from taking special measures as far as possible, which is a "negative duty". The EU considers privacy and data
protection as fundamental constitutional rights, requiring active government action to protect individual rights, which is a "positive duty". Second, in the extraterritorial application of rules, both U.S. and EU rules draw on market forces for their extraterritorial effects, but the EU’s international influence on data protection comes more from Europe’s "regulatory capacity" to set, monitor and enforce regulations, while the U.S. is more dependent on "market forces". This paper analyzes the extraterritorial jurisdiction of the EU GDPR and the jurisdictional scope of the U.S. CLOUD Act, and concludes that the EU extends its extraterritorial influence through the application of the GDPR data transfer rules. The GDPR is considered not only EU privacy law but also the "privacy law of the world", which has produced the "Brussels effect" of EU rules, with countries taking the GDPR as the benchmark for data legislation. The U.S. CLOUD Act, based on the position of U.S. companies as "data controllers", breaks away from the traditional "geographical location" approach, facilitates U.S. access to data held abroad, and attempts to establish a legislative weather vane for cross-border data access in the criminal justice field. But the CLOUD Act could challenge a country’s "national data sovereignty" and conflict with data localization rules and data-sharing rules. Third, on the difference in supervision rules, the paper mainly sets out the disputes between Europe and America over the independence of supervisory mechanisms and over data supervision. The Privacy Shield agreement guarantees the effectiveness of oversight mechanisms through commitments by official United States agencies and an annual joint review mechanism, but it still faces instability because of the U.S. political environment, Brexit and the CJEU’s judicial action. Fourth, on the difference in redress rules, this paper mainly sets out the disputes caused by the differences between the European and American systems in terms of the conditions for bringing suit and the protected
objects. To remedy this problem, this paper further analyzes the solutions in the Privacy Shield Agreement.

Chapter 5, "The regulatory cooperation of cross-border flows". As can be seen from the analysis in other parts of this paper, the EU and the U.S. have tried to reconcile the differences in their regulatory paths: the United States has tried to bring EU privacy law into line with the U.S.-style approach, and the EU has tried to bring U.S. law into line with the EU-style approach. But neither was successful, and both sides remained firmly committed to their own approach, with the differences in rules based mainly on political, economic and cultural reasons. The EU is a "civilian" or "soft power" when it comes to safeguarding national security, while the U.S. is a "hard power". In maintaining data sovereignty, the European Union is mainly worried about the supremacy of the United States in cross-border data services and wants to keep the storage and transmission of important data in its own hands. The United States, relying on its data superiority, has formed a complete strategic system of data sovereignty. In terms of economic environment, the U.S. is both a consumer and a provider of information technology, while the EU is a consumer of information technology. The EU hopes to transform successfully from a "consumer" into a "provider". In terms of privacy culture, the European Union regards "privacy" as "dignity" and "information self-determination" and attaches importance to the "human rights attribute" of privacy, while the United States regards "privacy" as "freedom" and attaches importance to its "physical security attribute". The "individual" has a different status as a stakeholder in the European and American systems. The European Union creates a privacy culture of "rights talk" and the United States creates a privacy culture of "marketplace discourse". As to the object of privacy law, the EU mainly seeks to prevent "private threats", while the United States seeks to prevent "government threats". Despite differences in European
and American rules, data privacy protection and the promotion of the free flow of data are common ground for the two sides. In the face of common problems brought about by technological development, as well as the privacy concerns of European and American citizens, there is a basis for negotiation between Europe and the United States. The path from the "Safe Harbor Agreement" to the "Privacy Shield Agreement" has formed a trend of integration, compromise and development. The latest consensus between Europe and the United States is embodied in the G20 Osaka Declaration on Digital Economy, which promotes the concept of "trust in the free flow of data" and establishes the goals of sustainable development and inclusiveness. Regulatory cooperation between Europe and America is embodied in the supervision of "market behavior" and "law enforcement behavior". This paper analyzes the "Safe Harbor Agreement" and the "Privacy Shield Agreement" reached by the two parties in the supervision of market behavior, analyzes the reasons for the abolition of the "Safe Harbor Agreement" and the measures taken to improve the "Privacy Shield Agreement" system, and considers the future replacement mechanism for, and direction of improvement of, the "Privacy Shield Agreement". In law enforcement cooperation, the two sides reached the bilateral Mutual Legal Assistance Agreement, the PNR agreement, the SWIFT agreement and the EU-U.S. Umbrella Agreement. This paper argues that, both in the regulation of market behavior and in the area of law enforcement, bilateral agreements between Europe and the United States are mainly aimed at limiting the use by the United States of data originating from the European Union, in order to balance data privacy, commercial and economic interests, and national security interests. The EU acts as both a "receiver" and an "asserter" of rules in negotiations with the U.S. In the PNR and SWIFT agreements, the EU tried to protect its data protection mechanism from the influence of U.S. anti-terrorism policy. The EU insisted that
personal data should be handled in accordance with the "principle of proportionality", and finally won concessions from the U.S., prompting U.S. law enforcement and intelligence agencies to commit themselves to changing their information practices.

Chapter 6, "The current situation and improvement of Chinese rules". This paper summarizes the general rules of personal data protection in China, the rules on cross-border transmission of personal data and the status of data protection regulators. Based on the above analysis, this paper believes that the construction of rules for the cross-border flow of personal data in China mainly focuses on five aspects: the balance of policy objectives, the choice of regulation mode, the improvement of the legislative framework, the improvement of the implementation mechanism, and cross-border regulatory cooperation. First, in the choice of policy objectives, guided by a Holistic View of National Security, national data sovereignty and national security should be put first, while economic interests and privacy protection interests should be taken into account. Second, in the choice of regulation mode, the GDPR cross-border transfer rules should be taken as a reference, and self-evaluation should be conducted according to the requirements of the three levels and the "necessity test" and the "proportional test", so as to avoid the heavy fines imposed by the EU on multinational enterprises for misconduct. However, China must note that, unlike the EU, it needs, as both a provider and a consumer, to form a strategy and steps for leading international rule-making. In addition, there are differences between China and the U.S. in industrial advantages, demands on trade rules, and digital trade concerns. The U.S. pays more attention to the "digital" nature of digital trade, the shortage of supply in the WTO system, and the barriers created by countries’ measures restricting digital trade and cross-border data flows, while
China strives to promote the "facilitation" of cross-border trade in goods, attaches importance to protecting the confidence of enterprises and consumers in digital goods trade, and focuses on improving policies such as facilitation measures, financial payment mechanisms, personal information privacy protection and dispute settlement mechanisms. China should conduct a special data security assessment for the U.S. to reduce the risk of data surveillance of Chinese citizens, and link up with the latest CCPA rules. This paper suggests adopting a "safety assessment" method to evaluate the "security" of data protection in the data receiving country, rather than making an overall assessment of the data protection system of other countries; the assessment mainly examines whether the security standards of the data receiving country meet China's requirements and the risk of data leaving the country. Following the hierarchical protection 2.0 security assessment mode, a graded safety assessment is adopted, with approval and supervision conducted according to different safety protection levels. But the regulation of cross-border data flows is a long-term, dynamic process, and diverse assessment models should be explored. Third, to improve the legislative framework, the paper holds that the right to data protection should be the basis of legal norms and should be separated from the right of personality or privacy. The consent mode of the data subject should be improved: the consent mode has cognitive limitations and structural problems and may not provide comprehensive data privacy protection. It is proposed to combine enforcement with individual choice so that privacy cannot be waived by "consent" in certain circumstances. However, the different requirements of "consent" in different legal texts should be distinguished, and a one-size-fits-all approach to the "consent" mechanism avoided; the ultimate aim is to guide individuals to make scientific and reasonable decisions. On the
other hand, Chinese enterprises should be encouraged to seek legal bases for personal data processing other than "consent", and to reduce their reliance on "consent". We should focus on the regulation of data processing activities, strengthen the management of enterprises' data collection and use, and fully grasp the nature, background, scope and risk of data processing when designing accountability mechanisms for data processing. We should develop specific cross-border data flow legislation, with the Shanghai Free Trade Zone as the experimental field, improve network information security legislation, and strengthen responsibility for network security management. Fourth, it is suggested to establish a special data protection agency, strengthen supervision over the collection of personal information by apps, and improve the remedy rules. Fifth, for the mode of cross-border regulatory cooperation, China seeks a consistent mode of regulation on the one hand, and a mode that ensures the data receiving country can implement China's data protection rules on the other, and follows the principles of regulatory cooperation. We should guide Chinese enterprises in shaping the global pattern of data privacy policies, cope with the digital divide and promote digitalization. Technical regulation methods should be used, drawing on the "design privacy" provisions, with limited use of encryption technology. At the international level, China should build a "data circulation area", increase consumer and business trust, consider trade and privacy issues jointly, insist on relevant negotiations under the WTO framework, and promote the interoperability of rules. China should coordinate efforts at both the domestic and foreign levels and for both outbound and inbound data flows, and take into account both security and economic development. We will do a good job in data security and cross-border data flow management in terms of
regulations, responsibility systems and security assurance, and build regulatory synergies at the domestic and international levels.