CROSS-BORDER DATA TRANSFER REGULATION: A COMPARATIVE STUDY OF CHINA AND EUROPE

Li Yuan
2021-01-01

Abstract

With the so-called Industry 4.0 revolution ongoing, end-to-end digitalisation of all assets and their integration into a digital ecosystem have led the world to unprecedented increases in connectivity and global flows. Cross-border data flow has become the cornerstone of the cross-border economy, especially for digital products. Without cross-border data flow, there will be no transactions. As a result, governments have started updating their data-related policies, such as restrictive measures for cross-border data flows or rules mandating local data storage. Against this background, this study focuses on emerging research topics, starting with contemporary public policies on cross-border data transfer (CBDT). The objective is to examine whether policymakers from both regions could better achieve their goals of promoting the digital economy by establishing a mutual understanding with industrial entities, while maintaining the balance between the protection of personal information and innovation in digital markets. For that purpose, this research explores the historical development of data transfer regulatory measures in China, the EU and the U.S., and studies the specific challenges they are encountering in the era of data globalisation. Part I studies the evolution of the CBDT rules. It points out that CBDT regulation is a technology-led phenomenon, yet not a novel one. It is an emerging threat to privacy posed by the development of technology, and has thus attracted scrutiny from the public and the authorities. CBDT regulation reflects the enforcement of national jurisdiction in cyberspace, which does not enjoy an indisputable general consensus in contemporary international law. Rulemaking on CBDT cannot avoid the controversial debate over the legitimacy of state supervision of the network.
CBDT regulation originated from the protection of personal data in the EU, yet the disagreement over its philosophy derives from a conflict of legislative values: different legislators have different understandings of the free flow of information and the right to personal information. The author also questions the rationale of the EU data transfer rules by discussing the target validity of the current rules, that is, the target validity for data protection. Part II compares the data protection laws and the CBDT rules of the EU and China, respectively. The challenges that CBDT restriction measures might face are listed, since transborder data transmission is not a legislative measure by nature. Rulemaking and implementation are subject to dual pressures, domestic and foreign, categorised as technological, international legislative and theoretical challenges. Theoretically, cyberspace does not have a boundary similar to that of a physical space; the theoretical premise that the EU CBDT rules ignored is that the state must control the transborder transmission of data by setting borders. Thus, for China, two questions must be addressed: whether there is an independent cyberspace law, and where the boundary between the virtual and the real world lies. International legislative challenges arise from the U.S. government's overseas data access. The EU CBDT framework has limited impact when facing such data access under the cover of the U.S. FISA and CLOUD Act. In particular, this dissertation discusses the potential for a free-flow data transfer mechanism between the EU and China. It is worth exploring the possibility of region-based bilateral collaboration, such as a free trade zone in China, to seek the EU Commission's recognition of an adequate level of protection of personal information.
For general data-intensive entities, binding corporate rules and standard contractual clauses are still the preferable approaches. Part III examines data protection implementation and data transfer compliance in the context of the HEART project. By analysing the use cases that HEART deployed, as well as the architecture that it proposed, Chapter 6 studies the privacy-enhancing measures from both the organisational and technical perspectives. Specifically, a data classification system and dynamic data security assessments are proposed. Chapter 7 studies the use case of a federated recommender system within the HEART platform and its potential for promoting GDPR compliance. The recommender system is thoroughly analysed under the requirements of the GDPR, including the fundamental data processing principles and threat assessment within the data processing.
Files in this item:
File: 7.4.2021 - TESI DEFINITIVA Dissertation_draft_YL_v1.pdf
Access: open access
Description: doctoral thesis
Type: Post-print document (version following peer review and accepted for publication)
License: Creative Commons
Size: 982.95 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11393/283978