Debund | Do the regulations of the EU and the US discriminate against China in data cross-border transmission?

At the beginning of the Internet, the cross-border flow of data was free. However, since 2016, countries have promulgated laws to restrict the cross-border transmission of data to protect network security, data security and personal information security.
2022-08-18 17:17:55

Laws are political, so some parties get preferential treatment and others harsh treatment. Today, let's compare the cross-border data transmission regulations of the European Union, the United States and China to see whether Europe and the United States have given each other preferential treatment, whether they have unreasonably raised the bar for China, and, if Chinese enterprises are discriminated against, whether we have any countermeasures.


I. Data cross-border transmission rules of various countries


1. EU


The EU General Data Protection Regulation (hereinafter referred to as the GDPR) strictly controls the transmission of personal data from within the EU to outside the EU, but it also provides a variety of ways to realize cross-border transmission of personal data, mainly divided into three mechanisms: the first is the adequacy determination mechanism (also known as the white list); the second is the mechanism of taking appropriate safeguard measures, including signing standard contracts (standard contractual clauses, or SCCs), binding corporate rules (BCRs), certification mechanisms, codes of conduct (COCs), etc.; the third is transfers based on the consent of the data subject or on necessity for performing a contract.


2. USA


Compared with the EU's strict control policy, the United States advocates the free cross-border flow of personal data and relies on an industry self-regulation model, supplemented by government supervision, to protect data transferred across borders. In terms of industry self-regulation, the most representative standards used by enterprises to formulate privacy policies are the ISO/IEC 29100 series, which covers the privacy framework, the privacy architecture framework, the privacy capability assessment model, privacy impact assessment, and the guidelines for protecting personally identifiable information.


The legal system of the United States has two levels: federal law and state law. In terms of government regulation, at the level of federal legislation, data protection legislation in the United States is organized by industry and field, such as the Financial Services Modernization Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Foreign Investment Risk Review Modernization Act (FIRRMA), and the Export Administration Regulations (EAR). At the level of state legislation, American states are also introducing corresponding data privacy laws, such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA).


At the same time, the United States has not relaxed its control over important domestic data: laws such as the Foreign Investment Risk Review Modernization Act and the Export Administration Regulations impose cross-border restrictions on data in key fields by means of foreign investment security review and export control.


3. China


Since 2016, China's three major data laws, namely the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, together with important supporting regulations, have been issued in succession, further improving the protection rules for personal information leaving the country and clearly requiring personal information processors to take corresponding protection measures when providing personal information overseas. The Personal Information Protection Law further clarifies that there are three paths for personal information to leave China: passing the security assessment of the Internet Information Department, obtaining personal information protection certification from a professional institution, or signing the standard contract issued by the Internet Information Department.



II. The path of EU cross-border transmission of personal data to China and the United States


Previously, the Privacy Shield system offered a shortcut for the transmission of personal data between the EU and the United States, but it has been invalidated by the European Court of Justice. At present, the path of cross-border transmission from the EU to the United States and to China is virtually the same: enterprises need to rely on alternative paths other than the white list mechanism to realize cross-border transmission of data.


1. White list and standard contract


The adequacy determination mechanism (also known as the white list) specified in the EU's GDPR refers to countries, regions or international organizations that the European Union has recognized as providing adequate protection of personal data; data can be transmitted to them directly without further protection measures. However, China is not on the white list of countries for which an adequacy determination permits the free cross-border flow of data. Therefore, the EU must use alternative ways to transfer personal data to China, including the mechanism of taking appropriate safeguard measures, such as signing the standard contractual clauses issued by the EU.


2. The abandoned Privacy Shield shortcut for EU-US data transmission


In 2016, the United States and the European Union signed the Privacy Shield agreement, a cross-border data transfer mechanism between the United States and Europe that allowed companies certified under the "Privacy Shield" to freely transfer personal data between the EU and the United States. On that basis, the EU issued an adequacy determination covering the United States, adding it to the white list of countries enjoying the free cross-border flow of data, so enterprises did not need to take further protection measures for cross-border data transmission from the EU to the United States. However, in July 2020, the European Court of Justice ruled that the Privacy Shield agreement could not provide sufficient protection for personal data transferred from the EU to the United States, and declared the agreement invalid.



3. The new shortcut for EU-US data transmission has not yet opened


However, according to news on the official website of the European Union [1], on March 25, 2022, the European Union and the United States announced that they had reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework, which will promote transatlantic data flows. Nevertheless, until the new EU-US cross-border data agreement comes into effect, the EU cannot transmit personal data to the United States through the white list mechanism, and other alternative ways must be adopted for cross-border transmission of personal data.



III. The path of cross-border transmission of personal data from the United States to China and the European Union


As mentioned above, on the one hand, the United States advocates the free cross-border flow of personal data, and on the other hand, it has not relaxed its control over important domestic data.


The United States has no specific regulation on the path of cross-border data transmission, but there are still great differences in its strategies and attitudes towards the EU and China. As mentioned above, the European Union and the United States have reached consensus on a new Trans-Atlantic Data Privacy Framework and are striving to promote the free flow of data between the two sides. In contrast, the United States has successively taken unfair control measures against Chinese technology enterprises. For example, since 2020, the United States has moved against TikTok and the international version of WeChat [3] on the grounds of user data privacy and national security review, which shows that the United States' policies on cross-border data transmission to China are becoming increasingly strict.


In particular, the National Security and Personal Data Protection Act of 2019 (NSPDPA, which has not yet taken effect) imposes clear restrictions on the export of US user data, especially transmission to China. It aims to prevent all companies providing online services based on data ("regulated companies") from directly or indirectly transmitting any user data, or any information required to decrypt that data (such as encryption keys), to China, Russia and other "countries of concern". Its definition of "regulated companies" is very broad, and most Internet enterprises could fall within its scope of control. If the NSPDPA bill is finally passed, it will greatly restrict data transmission between the United States and China.



IV. The path of China's cross-border transmission of personal data to the EU and the United States


China's laws are even-handed towards foreign enterprises, with no provisions that discriminate against particular countries. However, if anyone discriminates against Chinese enterprises, China's legislation also provides for this. Articles 42 and 43 of the Personal Information Protection Law stipulate that China will restrict or prohibit the transmission of personal information to overseas organizations and individuals on a negative list, or to countries and regions against which China has taken reciprocal restrictive measures. If the NSPDPA of the United States is finally passed and takes effect, the United States will restrict or prohibit the transmission of relevant personal data to China, and China may in turn restrict or prohibit the transmission of corresponding data to the United States under the principle of reciprocity. This would have a significant impact on cross-border data transmission between China and the United States and pose a higher and stricter compliance challenge for enterprises transmitting personal data across borders.


The following describes China's specific system. There are only three paths for transmitting personal data overseas: passing the security assessment of the Internet Information Department, obtaining personal information protection certification from a professional institution, or signing the standard contract issued by the Internet Information Department.


1. Data type determines path


The triggering conditions for each cross-border transmission path are based on three considerations: first, the data type, i.e. whether the data is important data or not; second, the type of enterprise, i.e. whether it is a critical information infrastructure operator or processes the personal information of more than 1 million people; third, the data volume, i.e. the amount of personal data or sensitive personal data the enterprise has cumulatively transmitted across borders.


Judging from the triggering conditions of the above paths, the export paths do not differ according to the destination country or region. Therefore, whether the destination is the European Union or the United States, the path for cross-border transmission of personal data from China is the same.


Specifically, taking the security assessment path as an example, as long as any of the following conditions is met, the personal information processor must apply for a data export security assessment with the national Internet Information Department through the provincial Internet Information Department: (1) providing important data overseas; (2) being a critical information infrastructure operator, or a data processor processing the personal information of more than 1 million people; (3) having cumulatively provided overseas, since January 1 of the previous year, the personal information of 100,000 people or the sensitive personal information of 10,000 people. If the enterprise meets none of the above circumstances, it does not need to undergo a security assessment; it then falls within the scope of the standard contract and must export the data through the standard contract path.



2. How do the two security assessments differ in focus?


If the security assessment path applies, it may involve two steps: the first is a risk self-assessment carried out by the enterprise, and the second is the security assessment carried out by the Internet Information Department. The risk self-assessment and the security assessment are highly consistent in many respects, such as assessing the legality, legitimacy and necessity of the data export, as well as the scale, scope, type and sensitivity of the data being exported. Of course, there are differences between the two. The security assessment of the Internet Information Department gives more weight to national security and the public interest than the self-assessment does. Therefore, the security assessment of the Internet Information Department pays more attention to "whether data security and personal information rights can be fully and effectively protected overseas", while the enterprise's risk self-assessment pays more attention to "whether the channels for exercising personal information rights and interests are unobstructed".