| With the rise of new business models such as cloud computing,Internet-connected devices(Internet of Things)and social media,data flows have grown rapidly over the past decade.Along with this growth,companies have stepped up their ability to capture,store and analyse data and integrate the results into their Corporate Value Chains,in order to improve their products and services or to sell such data to third parties.Thus,data has become a key asset for the economy and societies and is now of similar importance as human capital or financial resources.In todays globalized world,the Cross-Border Transfer of Data has not only evolved into an indispensable asset for companies but is often even a prerequisite for participating in a Global Value Chain.While companies wish to freely generate and distribute data on a global scale,this has raised concerns amongst governments and natural persons not only in regard to the ownership of data,but also in relation to the information contained therein,especially on matters related to privacy or security.Due to these concerns,governments have implemented laws restricting the generation and flow of data across borders,aiming to find an appropriate balance between the conflicting interests of the free use and flow of data on the one hand and interests of national security and privacy on the other.Such laws may establish a strict requirement of Data Localisation by prescribing that certain types of data must be stored locally or impose conditional requirements for the permissibility of Cross-Border Transfer of Data.In China and the EU,this development resulted in the adoption of the PRC Network Security Law(CSL)and the EU General Data Protection Regulation(GDPR)respectively.Given the importance of the Cross-Border Transfer of Data for companies and the massive presence of international businesses in China,this thesis aims at analysing the specific regulations set forth in the CSL as well as their effects on the offshore data transfer and business models of companies.The EU is not only by far the PRC's most important trading partner but has only recently implemented the GDPR,providing for a framework on the Cross-Border Transfer of Personal Data.Against this backdrop,the author will examine the regulatory and practical effects of the CSL on the corporate Cross-Border Transfer of Data by a three-fold approach:First,the relevance of the Cross-Border Transfer of Data will be introduced by outlining its technical scope and commercial significance.Secondly,the underlying rationales governments refer to for the implementation of legal restrictions on the Cross-Broder Transfer of Data will be discussed,with special consideration of the conflicts between economic and national/personal interests.These general considerations will thirdly be applied in a detailed discussion of regulations on the Cross-Broder Transfer of Data contained in the CSL from a European perspective.While the Chinese legislator's intent and the legislative development that resulted in the CSL will also be considered,a comparative analysis contrasting corresponding regulations in both pieces of legislation constitutes the main portion of this thesis.In light of the novelty of the law,the author hereby hopes to contribute to a better understanding of the rapidly developing legal framework regulating the Cross-Border Transfer of Data in China as well as its practical implications on businesses,thereby closing gaps in foreign language scholarship on the topic.This threefold approach will show that the Cross-Border Transfer of Data is of major significance not only to individual businesses but to national economies as a whole,as businesses not only create value from a free CrossBroder Transfer of Data,but in many cases even rely thereupon.However,the CSL is strongly influenced by the concepts of National Security and Cyber Sovereignty reflected in China's Cyber Space Strategy,while economic considerations play a subordinate role,and imposes a strict regime on data transmissions,that has numerous effects on corporate CrossBroder Transfer of Data.Based on this legislator's intent,the CSL sets forth restrictions for a wide range of data that must be stored in China and may only be transferred offshore after a security assessment.In contrast,the GDPR sets forts a regulatory regime that can be considered conditional”,as it only sets forth particular requirements for any offshore transfer of personal data.The author also finds that strict requirements set in place by the CSL can be considered as per se contradicting business interests.The insufficient clarification of key terms of the law and number of state supervisory organs pose additional challenges for businesses to set up a lean and efficient CSL compliant IT-system or Code of Conduct,as they will have to set up internal monitoring systems and provide data storage capacities within the PRC.Moreover,the evaluation of permissibility of the Cross-Border Transfer of Data will consume time,thereby slowing down business processes and response rates.Some data may be prohibited from any offshore transfer,thus posing a big challenge for companies operating in a Global Value Chain.In any case,the CSL regime on the Cross-Border Transfer of Data creates a certain financial exposure.In comparison,the GDPR provides for some concepts and standardized tools that help to reduce the negative impact of its regime on Cross-Border Transfer of Data on businesses.In light of these findings,the following recommendations are formulated to ease these negative effects on global businesses operating in China: A central authority should be appointed to ensure coherent application of the law and streamline supervision of offshore data transfers.Subsequent legislation should clarify certain key terms currently left open by law.Lastly,the provision of official standards of conduct for offshore data transfers would help to reduce the bureaucratic burden of businesses. |
PDF Full Text Request