Abstract
Based on the self-compiled corpora of the European Union and Chinese laws on data governance, this study adopts a corpus-driven approach to comparatively study the legislative design of the EU and China on digital governance, especially on key issues such as data protection, data processing and utilization, and cross-border data transfer. It is found through corpus analysis that the EU has developed a relatively comprehensive data protection system, which internally focuses on the protection of individual data rights and externally sets high standards on the cross-border transfer of data. Despite the data protection paradigm as it manifests, the EU is facing new challenges on data exportation, data jurisdiction in the competitive digital marketplace. Shared the same concern on the data protection legislation, Chinese data law has made significant progress in personal data protection with the nascent enactment of Data Security Law and Personal Data Protection Law. Notably, Chinese legislation features the hierarchal taxonomy of data under the principle of the national security exception, while it requires more legislative skills, flexible response mechanisms, and more subordinate laws to prevent future data security threats. Moreover, the corpus-driven method conducted in this study provides evidential insights for the comparative legal textual studies across jurisdictions.
Funding source: National Social Science Foundation
Award Identifier / Grant number: 20ZDA062
About the authors
Siyue Li
Siyue Li is Research fellow in the Institute of Cross-cultural and Regional Studies, School of International Studies, Zhejiang University. Her research fields include (socio-)semiotics, cybersecurity discourse, data protection laws, legal discourse and corpus linguistics.
Chunyu Kit
Chunyu Kit is Associate Professor of Department of Linguistics and Translation at City University of Hong Kong. His research interests and publications are in the areas of computational linguistics, terminology, machine translation, computer-aided translation, human computer interactive translation, cognitive studies of translation and terminology translation. Address for correspondence: Department of Linguistics and Translation, City University of Hong Kong, Hong Kong, China.
-
Research funding: This work was supported by the major project of the National Social Science Foundation under Grant 20ZDA062.
(Full): Legislations on cross-border data transfer in GDPR in the EU.
| Type | Content |
|---|---|
| General principle for transfers | Article 44. Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, …, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. |
| Transfers on the basis of an adequacy decision | Article 45. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, …, or the international organisation in question ensures an adequate level of protection. |
| Transfers subject to appropriate safeguards | Article 46. A controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards. The appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by: (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. |
| Transfer under binding corporate rules | Article 47. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63. The binding corporate rules referred to shall specify at least: … the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question. |
| Derogations for specific situations | Article 49.1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (a) the data subject has explicitly consented to the proposed transfer (b) the transfer is necessary for the performance of a contract (c) the transfer is necessary for the conclusion or performance of a contract (d) the transfer is necessary for important reasons of public interest (e) the transfer is necessary for the establishment, exercise or defence of legal claims (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons (g) the transfer is made from a register which according to Union or Member State law. |
(Full): Legislations on cross-border data transfer in Data Security Law in China.
| Type | Content |
|---|---|
| General principle for transfers | Article 11. The state shall proactively engage in international exchanges and cooperation in data security governance, data development and utilization, and other fields, participate in the formulation of international rules and standards related to data security, and promote the secure and free cross-border flow of data. |
| Article 46. Where any important data is provided to any overseas recipient in violation of Article 31 of this Law, the appropriate department shall order corrective action to be taken by and issue a warning to the violator, and may impose a fine of not less than 100,000 yuan nor more than 1 million yuan on the violator and a fine of not less than 10,000 yuan nor more than 100,000 yuan on any directly liable executive in charge or other directly liable person; | |
| Transfer of national core data | Article 21. The state shall establish a categorized and hierarchical data protection system to provide categorized and hierarchical protection for data based on the importance of data in economic and social development and the degree of harm caused by data tampering, destruction, or divulgence or illegal acquisition or utilization of data to national security, public interest, or lawful rights and interests of individuals and organizations. |
| Article 25. The state shall impose export control in accordance with the law on data as controlled items related to safeguarding national security and interest and performing international obligations. | |
| Transfer of important data | Article 31. The security management of cross-border transfer of important data collected and generated by operators of key information infrastructure during their operations in the territory of the People’s Republic of China shall be governed by the Cybersecurity Law of the People’s Republic of China; the measures for the security management of cross-border transfer of important data collected and generated by other data processors during their operations in the territory of the People’s Republic of China shall be developed by the national cyberspace authority in conjunction with the relevant departments of the State Council. |
| Transfer of other data | Article 24. The state shall establish a data security review system to conduct national security reviews on data processing activities that affect or may affect national security. |
| Article 26. Where any country or region takes any discriminatory prohibition or restriction or other similar measures against the People’s Republic of China in investment or trade, among others, related to data and data development and utilization technology, among others, the People’s Republic of China may take measures against the country or region reciprocally based on the actual circumstances. | |
| Foreign judicial or law enforcement data request | Article 36. The competent authority of the People’s Republic of China shall process a request for data from a foreign judicial or law enforcement authority in accordance with relevant laws and international treaties and agreements entered into or acceded to by the People’s Republic of China, or under the principle of equality and reciprocity. |
References
Bach, David & Abraham Newman. 2007. The European regulatory state and global public policy. Journal of European Public Policy 14. 827–846. https://doi.org/10.1080/13501760701497659.Search in Google Scholar
Baker, Paul. 2006. Using corpora in discourse analysis. London: Continuum.10.5040/9781350933996Search in Google Scholar
Bradford, Anu. 2012. The Brussels effect. Northwestern University Law Review 107(1). 1–67.Search in Google Scholar
Cheng, Le & Jiamin Pei. 2018. Interpreting cybersecurity law: A semiotic perspective. Journal of Zhejiang University (Humanities and Social Sciences) 48(6). 125–139.Search in Google Scholar
Cheng, Le, Jiamin Pei & Marcel Danesi. 2019. A sociosemiotic interpretation of cybersecurity in U.S. legislative discourse. Social Semiotics 29(3). 286–302. https://doi.org/10.1080/10350330.2019.1587843.Search in Google Scholar
Cheng, Weidong. 2018. A critical analysis of negative views on cyber sovereignty. Chinese Journal of European Studies 36(05). 61–75+7.Search in Google Scholar
Cheng, Winnie, Chris Greaves & Martin Warren. 2006. From n-gram to skipgram to concgram. International Journal of Corpus Linguistics 11(4). 411–433. https://doi.org/10.1075/ijcl.11.4.04che.Search in Google Scholar
Colangelo, Giuseppe & Mariateresa Maggiolino. 2018. ISPs’ copyright liability in the EU digital single market strategy. International Journal of Law and Information Technology 26(2). 142–159. https://doi.org/10.1093/ijlit/eay005.Search in Google Scholar
Custers, Bart, Francien Dechesne, Alan M. Sears, Tommaso Tani & Simone van der Hof. 2018. A comparison of data protection legislation and policies across the EU. Computer Law & Security Review 34(2). 234–243. https://doi.org/10.1016/j.clsr.2017.09.001.Search in Google Scholar
Dove, Edward S. & Jiahong Chen. 2020. Should consent for data processing be privileged in health research? A comparative legal analysis. International Data Privacy Law 10(2). 117–131. https://doi.org/10.1093/idpl/ipz023.Search in Google Scholar
Engels, Barbara. 2016. Data portability among online platforms. Internet Policy Review 5(2). 1–17. https://doi.org/10.14763/2016.2.408.Search in Google Scholar
Finck, Michèle. 2018. Digital co-regulation: Designing a supranational legal framework for the platform economy. European Law Review 43(1). 47–68.10.2139/ssrn.2990043Search in Google Scholar
Gabrielatos, Costas. 2007. Selecting query terms to build a specialised corpus from a restricted-access database. ICAME Journal 31(31). 5–43.Search in Google Scholar
Gonçalves, Maria Eduarda. 2017. The EU data protection reform and the challenges of big data: Remaining uncertainties and ways forward. Information and Communications Technology Law 26(2). 90–115.10.1080/13600834.2017.1295838Search in Google Scholar
Goźdź-Roszkowski, Stanisław. 2021. Corpus linguistics in legal discourse. International Journal for the Semiotics of Law 3. 1–26.10.1007/s11196-021-09860-8Search in Google Scholar
Granmar, Claes G. 2021. Global applicability of the GDPR in context. International Data Privacy Law 11(3). 225–244. https://doi.org/10.1093/idpl/ipab012.Search in Google Scholar
Greenleaf, Graham. 2012. The influence of European data privacy standards outside Europe: Implications for globalisation of convention 108. International Data Privacy Law 2(2). 68–92. https://doi.org/10.1093/idpl/ips006.Search in Google Scholar
Greenleaf, Graham & Fumio Shimpo. 2014. The puzzle of Japanese data privacy enforcement. International Data Privacy Law 4. 139–154. https://doi.org/10.1093/idpl/ipu007.Search in Google Scholar
Guo, Meirong. 2018. China’s cybersecurity legislation, it’s relevance to critical infrastructures and the challenges it faces. International Journal of Critical Infrastructure Protection 22. 139–149. https://doi.org/10.1016/j.ijcip.2018.06.006.Search in Google Scholar
Hacker, Philipp. 2017. Personal data, exploitative contracts, and algorithmic fairness: Autonomous vehicles meet the internet of things. International Data Privacy Law 7(4). 266–286. https://doi.org/10.1093/idpl/ipx014.Search in Google Scholar
Hajlaoui, Najeh, David Kolovratnik, Jaakko Väyrynen, Ralf Sternberger & Daniel Varga. 2014. DCEP-digital corpus of the European parliament. In Proceedings of the 9th international conference on language resources and evaluation (LREC 2014), 3164–3171. Reykjavik: European Language Resources Association (ELRA).Search in Google Scholar
Hall, Peter, Claude Heath & Lizzie Coles-Kemp. 2015. Critical visualization: A case for rethinking how we visualize risk and security. Journal of Cybersecurity 1(1). 93–108. https://doi.org/10.1093/cybsec/tyv004.Search in Google Scholar
de Hert, Paul & Vagelis Papakonstantinou. 2021. Framing big data in the council of Europe and the EU data protection law systems: Adding “should” to “must” via soft law to address more than only individual harms. Computer Law & Security Review 40. 1–11. https://doi.org/10.1016/j.clsr.2020.105496.Search in Google Scholar
de Hert, Paul, Vagelis Papakonstantinou, Gianclaudio Malgieri, Laurent Beslay & Ignacio Sanchez. 2018. The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law and Security Review 34(2). 193–203. https://doi.org/10.1016/j.clsr.2017.10.003.Search in Google Scholar
Hojnik, Janja. 2017. Technology neutral EU law: Digital goods within the traditional goods/services distinction. International Journal of Law and Information Technology 25(1). 63–84.10.1093/ijlit/eaw009Search in Google Scholar
Hong, Yu & Gerald Thomas Goodnight. 2020. How to think about cyber sovereignty: The case of China. Chinese Journal of Communication 13(1). 8–26. https://doi.org/10.1080/17544750.2019.1687536.Search in Google Scholar
Hoofnagle, Chris Jay, Bart van der Sloot & Frederik Zuiderveen Borgesius. 2019. The European Union general data protection regulation: What it is and what it means. Information & Communications Technology Law 28(1). 65–98. https://doi.org/10.1080/13600834.2019.1573501.Search in Google Scholar
Huang, Zhixiong & Kubo Macak. 2017. Towards the international rule of law in cyberspace: Contrasting Chinese and western approaches. Chinese Journal of International Law 16(2). 271–310. https://doi.org/10.1093/chinesejil/jmx011.Search in Google Scholar
Hunston, Susan. 2011. Corpus approaches to evaluation: Phraseology and evaluative language. New York: Routledge.10.4324/9780203841686Search in Google Scholar
Kirby, Michael D. 2011. The history, achievement and future of the 1980 OECD guidelines on privacy. International Data Privacy Law 1. 6–14. https://doi.org/10.1093/idpl/ipq002.Search in Google Scholar
Kuner, Christopher. 2012. Regulation of transborder data flows under data protection and privacy law: Past, present, and future. SSRN Electronic Journal 187. 0–39.10.2139/ssrn.1689483Search in Google Scholar
Liang, Zheng & Peiyi Wu. 2020. International comparison of data governance policies: History, features and implications. Science & Technology Review 38(5). 36–41.Search in Google Scholar
Lin, Zihan. 2021. The Research on construction of legal system about data governance in European Union. Journal of Information Security Research 04. 335–341.Search in Google Scholar
Liu, Lizhi. 2021. The rise of data politics: Digital China and evolving international relations. Studies in Comparative International Development 56(1). 45–67. https://doi.org/10.1007/s12116-021-09319-8.Search in Google Scholar
McDowall, Will, Yong Geng, Beijia Huang, Eva Barteková, Raimund Bleischwitz, Serdar Türkeli, René Kemp & Teresa Doménech. 2017. Circular economy policies in China and Europe. Journal of Industrial Ecology 21(3). 651–661. https://doi.org/10.1111/jiec.12597.Search in Google Scholar
Osula, Anna-Maria & Luukas Ilves. 2020. The technological sovereignty dilemma and how new technology can offer a way out. European Cibersecurity Journal 6. 24–35.Search in Google Scholar
Parasol, Max. 2018. The impact of China’s 2016 cyber security law on foreign technology firms, and on China’s big data and smart city dreams. Computer Law and Security Review 34(1). 67–98. https://doi.org/10.1016/j.clsr.2017.05.022.Search in Google Scholar
Pearce, Henry. 2017. Big data and the reform of the European data protection framework: An overview of potential concerns associated with proposals for risk management-based approaches to the concept of personal data. Information and Communications Technology Law 26(3). 312–335. https://doi.org/10.1080/13600834.2017.1375237.Search in Google Scholar
Pernot-Leplay, Emmanuel. 2020. China’s approach on data privacy law: A third way between the U.S. and the EU? Penn State Journal of Law & International Affairs 8(1). 49–117.Search in Google Scholar
Qi, Aimin, Guosong Shao & Wentong Zheng. 2018. Assessing China’s cybersecurity law. Computer Law and Security Review 34(6). 1342–1354. https://doi.org/10.1016/j.clsr.2018.08.007.Search in Google Scholar
Rackevičienė, Sigita & Liudmila Mockienė. 2020. Cyber law terminology as a new lexical field in legal discourse. International Journal for the Semiotics of Law 33(3). 673–687.10.1007/s11196-020-09690-0Search in Google Scholar
Reidenberg, Joel. 2000. Resolving conflicting international data privacy rules in cyberspace. Stanford Law Review 52(5). 1315–1371. https://doi.org/10.2307/1229516.Search in Google Scholar
Schreiber, Arye. 2014. Transborder data flows and data privacy law: The review. The Cambridge Law Journal 73(1). 185–188. https://doi.org/10.1017/s0008197314000233.Search in Google Scholar
Scott, Mike. 2020. WordSmith tools version 8. Stroud: Lexical Analysis Software.Search in Google Scholar
Scott, Mike & Christopher Tribble. 2006. Textual patterns: Key words and corpus analysis in language education. Amsterdam & Philadelphia: John Benjamins Publishing Company.10.1075/scl.22Search in Google Scholar
Selby, John. 2017. Data localization laws: Trade barriers or legitimate responses to cybersecurity risks, or both? International Journal of Law and Information Technology 25(3). 213–232. https://doi.org/10.1093/ijlit/eax010.Search in Google Scholar
Sinclair, John. 1991. Corpus, concordance, collocation. Oxford: Oxford University Press.Search in Google Scholar
Sinclair, John. 1996. The search for units of meaning. Textus 9(1). 75–106.10.4324/9780203594070-6Search in Google Scholar
Tognini-Bonelli, Elena. 2001. Corpus linguistics at work. Amsterdam & Philadelphia: John Benjamins Publishing Company.10.1075/scl.6Search in Google Scholar
Wang, Chunhui, Le Cheng & Jiamin Pei. 2020. Exploring the cyber governance discourse: A perspective from China. International Journal of Legal Discourse 5(1). 1–15. https://doi.org/10.1515/ijld-2020-2025.Search in Google Scholar
Yang, Fang. 2015. A historical sketch and critical review of the theory of the right to self-determination of personal information: An analysis on the protection object of personal information protect act. Journal of Comparative Law 29(06). 22–33.Search in Google Scholar
Zhang, Xiaojun. 2020. The building models of data sovereignty rules and the enlightment: On the rule building of China’s data sovereignty. Modern Law Science 42(6). 136–149.Search in Google Scholar
Zhang, Xinbao. 2015. From privacy to personal information: The theory of interest remeasurement and institutional arrangement. China Legal Science 32(03). 38–59.Search in Google Scholar
Zhou, Hanhua. 2018. Exploring an incentive-compatible personal information protection regime. Chinese Journal of Law 2(40). 3–23.Search in Google Scholar
© 2021 Walter de Gruyter GmbH, Berlin/Boston
