A. Introduction
The recent COVID-19 outbreak has pushed the tension of protecting personal data in a transnational contextFootnote 1 to an apex. This is because COVID-19 spreads fast with the international travel of people.Footnote 2 Many countries require international travelers to disclose their personal information—such as name, gender, date of birth, travel history, and purpose of travel and residence—and impose quarantine requirements accordingly.Footnote 3 In late March 2020, Chinese media widely reported an Australian lady with Chinese origin who breached the home quarantine requirement by jogging without wearing a mask in the residential complex where she was temporarily living in Beijing.Footnote 4 A Chinese policeman required her to stay at home.Footnote 5 The lady refused and alleged she was abused by the policeman.Footnote 6 Chinese media released her photo,Footnote 7 age, flight information, name,Footnote 8 nationality, and temporary home address in Beijing. The Chinese and Australian universities she graduated from and the years of her graduation, her employment history and positions, and her current employer and salary were also released.Footnote 9 Her employer was the Chinese subsidiary of German pharmaceutical giant Bayer.Footnote 10 Bayer China quickly made an announcement and fired this lady for breaching the Chinese quarantine requirement.Footnote 11 Because her Chinese visa was sponsored by Bayer, the Chinese government revoked her visa and deported her after Bayer terminated her employment contract.Footnote 12 Clearly, the lady violated the COVID-19 mandatory self-quarantine regulation in China. Her conduct threatened the public health. However, did her offense justify releasing her detailed personal information online? Based on the released information, her identity can be easily ascertained. She is an Australian citizen and arrived in China just one day before the incident occurred. 
Therefore, she was unlikely to obtain a habitual residence in China in such a short period.Footnote 13 She was a senior director working for Bayer China, which was owned by Bayer Germany, though news reports did not indicate whether she was hired by Bayer Germany and whether her personal employment information was processed in Germany. This incident is not a unique case. It is typical and demonstrates the tension between preventing COVID-19 and protecting transnational personal data: Which law should be applied to the personal data of an international traveler who violates a local quarantine law?
Protecting personal data in the transnational context is important and necessary. In modern society—where individuals often travel across bordersFootnote 14—technology such as the Internet and the cloud is inherently transnational,Footnote 15 and online service providers also actively make their service accessible around the world.Footnote 16 Domestic regulators have also become more serious about protecting personal data in the transnational context.Footnote 17 The EU implemented the General Data Protection Regulation (GDPR).Footnote 18 The California state government adopted the California Consumer Privacy Act.Footnote 19 China incorporated the right to personal data into the Chinese General Rules of the Civil Law.Footnote 20 Australia is robustly creating the Consumer Data Right.Footnote 21 Nonetheless, the contents of domestic laws for personal data protections are not the same. For example, Chinese media published the employment—both current and past employers—and education information of the international traveler who violated the COVID-19 quarantine requirement. In the EU, such personal information would be protected under the GDPR according to the Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak adopted by the European Data Protection Board.Footnote 22 In Australia, some states may release the flight information and places where an international traveler infected by COVID-19 visited, but his or her full name, employment position and salary, and education information are never released, unless this information is necessary to lessen or prevent a serious and imminent threat to the health of the Australian public.Footnote 23
The different domestic responses to protecting personal data in combating COVID-19 demonstrate the need to identify the applicable law to transnational personal data. According to conflict of laws, in finding lex causae, there are three stages: First, characterize the issue into one of the established choice of law classifications by identifying the nature of the subject matter. Second, select the rule of conflict of laws which lays down a connecting factor for the issue in question. Third, identify the system of law which is tied by the connecting factor found in stage two to the issue characterized in stage one.Footnote 24 There are valuable national studies or comparative scholarship exploring personal data protection.Footnote 25 Yet, little conflict-of-laws literature has compared how China, the US, and the EU characterize the right to personal data, what connecting factors they consider, and which law they eventually apply to protect personal data. These issues are important, especially in the context of COVID-19, where states strictly monitor international travelers. Going beyond combating COVID-19, exploring these issues can inform domestic legislators of the convergence and divergence of different national laws. It also helps technology companies design their global service. It further provides useful references for international organizations who plan to propose treaties or model laws to coordinate national laws.
This Article is divided according to the three stages of conflict-of-laws analysis. The first section argues that China, the US, and the EU characterize the right to personal data in very different ways. The EU highlights it as a fundamental human right, the US deems it a civil liberty, and China considers the right to personal data as a personality right. The second section analyzes the connecting factors used in the three jurisdictions. All three jurisdictions make the territorial scope of their personal information protection law broad enough to ensure the application of lex fori. Alternatively, they consider the personal data protection law as a mandatory law and as a curtailment of party autonomy. The consequence is the spread-out unilateral applicable law approach in contracts, torts, and equity. Based on the lex fori approach discussed in the second section, the third section analyzes the substantive law for personal data protection in the US, the EU, and China. It argues that the global trend for the substantive law is shifting from Americanization to de-Americanization. The first three sections of the Article present three trends at each stage of conflict-of-laws analysis: The multi-faceted legal nature of the right to personal data, the spread-out unilateral applicable law approach, and the de-Americanization of substantive personal data protection law. The fourth section explores the dynamics among these trends. It argues that the widely adopted unilateral applicable law approach in contracts, torts, and equity cases of personal data breach has almost eliminated the need for conflict of laws analysis in transnational data breaches. In contrast, the gaps between the substantive domestic law for personal data protection are widening with the de-Americanization movement. The fifth section concludes the Article.
B. Multi-Faceted Right to Personal Data
There is no uniformity to characterize the right to personal data in the US, EU, and China. This is because this right is considered a fundamental human right in the EU, a civil liberty in the US, and a personality right in China.Footnote 26 Although apparently both the US and China can protect the right to personal data as a consumer right or a property right, their laws differ in nature.Footnote 27
I. Human Right
In the EU, a data subject’s right to his or her personal data is characterized as a “right to privacy with respect to the processing of personal data.”Footnote 28 Such a right is considered to be a fundamental one and cannot be outweighed by other values.Footnote 29 Protection of personal data is founded upon human rights treaties within the EU.Footnote 30 Under the heading “Right to respect for private and family life,” Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms states: “Everyone has the right to respect for his private and family life, his home and his correspondence.”Footnote 31 The European Charter for Fundamental Human Rights goes a step further, providing in Article 8(1) that “[e]veryone has the right to the protection of personal data concerning him or her.”Footnote 32 Article 8(2) of the Charter authorizes the processing of personal data if certain conditions are satisfied—providing that personal data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.”Footnote 33 Additionally, a right to data protection is also protected by Article 16 of the Treaty on the Functioning of the European Union.Footnote 34
The US is not a party to the European Convention for the Protection of Human Rights and Fundamental Freedoms or the European Charter for Fundamental Human Rights. In the US, the right to privacy is defined as the “right to be alone.”Footnote 35 It is a civil liberty protected by the Constitution of the US.Footnote 36 The Fourth Amendment protects personal information from unreasonable searches and seizures of the government.Footnote 37 As such, it has limited implications for most scenarios involving transnational personal data, where a data breach was conducted by a data company, media, or an individual, rather than a government.Footnote 38 In Roe v. Wade, the Supreme Court of the US held that the right of privacy is “founded in the Fourteenth Amendment’s Concept of personal liberty and restrictions on state action.”Footnote 39 Other cases have been less deferential to information privacy as a protectable civil liberty interest,Footnote 40 and the right remains uncertain.Footnote 41
In contrast, the Constitution of the US firmly establishes the free flow of information by the First Amendment’s free speech clause,Footnote 42 which may be more likely to be considered as a fundamental human right in the US.Footnote 43 For example, Sorrell v. IMS Health Care is concerned with a Vermont law that prohibits pharmacies from disclosing or otherwise allowing prescriber-identifying information to be used for marketing.Footnote 44 The Supreme Court of the US held that this law should be subject to heightened judicial scrutiny because it was “content- and speaker-based” and “burden[ed] disfavored speech by disfavored speakers.”Footnote 45 Vermont contended that its law was necessary to protect medical privacy.Footnote 46 The Court rejected this argument because this law allowed pharmacies to share prescriber-identifying information with anyone for any reason except for marketing.Footnote 47 The state also contended that this law advanced important public policy goals by lowering the costs of medical services and promoting public health. The Court held that while these policy goals may be proper, the law did not advance them in a permissible way.Footnote 48 The Court concluded that “the ‘fear that people would make bad decisions if given truthful information’ cannot justify content-based burdens on speech.”Footnote 49 The law was set aside because it violated the First Amendment.Footnote 50
In China, the right to personal data is considered a personality right. There are two reasons. First, unlike the EU, Chinese legislators do not consider the right to personal information a fundamental human right. This is not because they cherish the free flow of information like the US. Instead, an individual’s right to personal information should be limited because it should not interfere with the authority of the Chinese government, as the largest data controller, to collect, process, save, and use personal information.Footnote 51 It may be true that in highly decentralized distributed systems established in a democratic society, “there is no central controller of information” and “almost everyone connected to the network is a ‘controller’ of personal data.”Footnote 52 However, this statement does not describe the Chinese situation. Although the Internet is decentralized, the Chinese government is still the ultimate controller because it controls the Internet connections between its territory and the outside world.Footnote 53 For example, China has built an Internet Great Fire Wall to censor the information flow across its border and prosecuted people who used or provided VPNs.Footnote 54 The Chinese government controls and accesses personal data of users of Chinese Internet service providers, such as Wechat.Footnote 55 Although the Chinese Constitution limits government access to Chinese citizens’ correspondence to the circumstances of national security and criminal investigations,Footnote 56 other Chinese laws have gone beyond this constitutional limit. 
For example, Article 25 of the Chinese E-commerce Law allows government departments to require e-commerce operators to provide e-commerce data—which includes personal information, privacy, and business secrets—according to provisions of laws and administrative regulations, and the e-commerce operators shall provide this information as required.Footnote 57 The E-commerce Law does not provide any grounds or remedy for e-commerce operators to reject the government information request.
Second, the Chinese Constitution provides very limited protection for an individual’s right to personal information. The Constitution provides that the residence of Chinese citizens is inviolable, and that freedom and privacy of correspondence of Chinese citizens are protected by law.Footnote 58 These provisions have limited implications on personal data protection in China. Literally speaking, these constitutional provisions are for residence and correspondence. Personal data protection concerns far more information than an individual’s address and other contact information. It is unclear whether these constitutional provisions can cover all other personal data. More importantly, these constitutional provisions are about protecting privacy; however, in China, protecting personal data is not the same as protecting privacy. The General Rules of the Civil Law, a fundamental law for civil rights and obligations in China, was enacted in 2017.Footnote 59 It prescribes privacy and personal data protection in different articles. Article 110 provides that “natural persons have the right to life, body, health, name, portrait, reputation, honour, privacy, marriage autonomy and others.”Footnote 60 Article 111 indicates that:
[T]he personal information of natural persons is protected by law. Any organization or individual who needs to obtain personal information of others shall obtain and ensure the security of the information according to law, and shall not illegally collect, use, process, or transmit the personal information of others, and may not illegally buy, sell, or disclose the personal information of others.Footnote 61
There are two opinions regarding the relationship between Article 110 and Article 111. The first is that Article 110 is lex generalis and Article 111 is lex specialis: Protecting personal information—Article 111—is to enhance the protection of privacy—Article 110—in the digital economy. The second opinion is that Article 111 is not lex specialis, as opposed to Article 110, because personal information is different from privacy. This second opinion is endorsed by the recently enacted Chinese Civil Code.Footnote 62 Enacted on May 28, 2020, this unprecedented Civil Code is considered a significant milestone of the rule of law and a profound symbol of the prosperity of China.Footnote 63 Article 1032 of the Chinese Civil Code defines privacy as “the tranquility of the private life of a natural person, and the private space, private activities, and private information that he is unwilling to be known to others”; and Article 1033 provides that the right to privacy should be protected as erga omnes.Footnote 64 Articles 111 and 1034–37 address personal data but focus on the collection and processing of personal data according to principles of legality, proportionality, and necessity.Footnote 65 Namely, the provisions for privacy focus on non-intrusion of privacy, while those for personal data highlight how to legally use personal data. Therefore, the right to privacy and the right to personal data are distinguishable.
The second opinion has also gained wide support from Chinese scholars.Footnote 66 Their arguments can be summarized as follows.Footnote 67 First, privacy focuses on protection of an individual’s personal information.Footnote 68 In contrast, personal data protection in the digital economy emphasizes protection of personal data of a collective of individuals.Footnote 69 This is because the digital economy relies on big data, which requires a collective of individuals’ information rather than on an individual’s information.Footnote 70 Second, being a protector is the main role for a state regarding an individual’s privacy. In contrast, big data of personal information is a valuable resource for a state to develop its digital economy, maintain social stability, and safeguard national security.Footnote 71 Therefore, a state not only protects personal data but also has an interest in accessing, collecting, and analyzing personal information.Footnote 72 Third, data collectors—for example, data companies—contribute to the value of personal information, because if personal data is not collected and processed, it has no value.Footnote 73 In contrast, the right to privacy is against collecting and processing, and its value lies in “being left alone.”Footnote 74 As a conclusion, personal data protection is not an absolute right like privacy or property ownership, and its protection is comparatively weaker.Footnote 75
Distinguishing personal data from privacy can also find support in other Chinese legislation and judicial practice. For example, the Provisions of the Supreme People’s Court on Several Issues about Applicable Law in Civil Cases of Using Information Network to Infringe Personal Rights and Interests (SPC Provisions on Applicable Law for Personal Rights Infringement) also suggest that not all personal data can be considered as privacy.Footnote 76 Article 12.1 provides that Internet users or network service providers shall not use the Internet to disclose personal privacy and other personal information. Footnote 77 Article 87 of the E-commerce Law also provides that “if a State functionary … sells or illegally provides others with the personal information, privacy and trade secrets that come to his knowledge in the performance of his duties, he shall be subject to legal liability according to law.” If personal data were to be equal to privacy, the italicized part of this provision would be redundant.
Ye Zhu v. Baidu, the first case on privacy protection concerning cookie technology,Footnote 78 sheds light on the differences between privacy and personal data.Footnote 79 Baidu.com—China’s largest Internet search engine—employs Cookie technology to record and track the search keywords used by a customer, and provide tailor-made advertisements for this customer.Footnote 80 Zhu alleged that Baidu.com invaded her privacy; Baidu, without her permission, recorded keywords she searched, such as “breast enhancement,” “weight loss,” and “abortion,” and used these keywords to provide advertisements to her. Baidu argued that Cookie technology was a lawful, basic, and neutral technology, and had been used by Google, Yahoo, Amazon, and other Internet service providers. Further, the Cookies collected by Baidu did not include any identifiable personal information—that is, as a search provider, Baidu would not be able to locate a specific individual who used its service. The advertisement relating to the search keywords that Zhu used appeared only on Zhu’s computer and was not published by Baidu to other parties. Baidu, therefore, contended that it did not infringe on Zhu’s privacy. The Nanjing Intermediate People’s Court, as the appellate court, agreed with Baidu and held that there was no invasion of privacy for three primary reasons. First, the information collected by Baidu was not personal because it could not identify Zhu. Cookie technology identified a particular browser rather than a certain user. Thus, when the same user used a different browser to search the Internet, Baidu identified this user as a different user. Second, Baidu did not publish Zhu’s personal information because Cookie technology conducted machine-to-machine communication rather than machine to human. Third, the Baidu user’s agreement allowed users to freely opt out of using Cookies. However, Zhu did not do so. 
The court also held that Cookie technology was widely used, and even if the Baidu user’s agreement did not explain what Cookies were, an average person—like Zhu—should be assumed to understand this technology.
Ye Zhu helps us to understand how Chinese courts distinguish privacy from personal information. The court held that the records of keyword searches of an Internet user could reflect the user’s activity history and Internet browsing preferences, so they were considered to be privacy attributes. However, if separated from the data subject, they could not identify the data subject, so they were not personal data. The court seems to suggest that if a piece of privacy information, used individually, cannot identify a data subject, this privacy information is not a piece of personal information. This is so even if the relevant piece of privacy information, combined with other information collected by a website, may be able to identify a data subject. For example, searching “weight loss” is an activity conducted by Zhu. Zhu does not want others to know of this activity, which should be considered as her privacy. However, “weight loss,” as a searched keyword, is not personally related to Zhu and cannot identify Zhu. Therefore, keyword searches are not personal data. Yet, the court does not consider whether Baidu may have collected other information from Zhu, such as her location or her search habits. The court improperly ignores that the accumulated information may be combined to identify Zhu.
There are three different definitions of personal data co-existing in Chinese law. The first is provided in the Provisions on the Protection of Personal information of Telecommunications and Internet Users (Provisions), enacted by the China Ministry of Industry and Information Technology in September 2013. Article 4 defines a “user’s personal data” as “(1) the user name, date of birth, ID number, address, telephone number, account number, and password that can be used alone or in combination with other information to identify an individual user, and; (2) the time, place, and the like of the user’s use of the service.” Article 4 does not require “the time, place, and the like of the user’s use of the service” to identify an individual user. Nevertheless, the Ye Zhu court dismissed the application of Article 4 without a clear reason.
The second definition of personal data can be found in Article 67(5) of the Chinese Cybersecurity Law. It provides that personal data refers to various information—recorded by electronic or other means—that can be used alone or in combination with other information to identify an individual natural person, including but not limited to the person’s name, birthday, personal identification number, biometric information, address, and phone number. The Chinese Cybersecurity Law was enacted by the Standing Committee of National People’s Congress and came into effect in June 2017. This was after Ye Zhu was decided. The definition of personal data in Ye Zhu is inconsistent with the Chinese Cybersecurity Law, as personal data is the information, alone or jointly with other information, that can be used to identify a data subject.
The third definition can be found in the Information Security Technology—Personal Information Security Specification (Personal Information Security Specification), made jointly by the State Administration of Quality Supervision, Inspection and Quarantine, and the China National Standardization Administration.Footnote 81 It came into effect in May 2018. Article 3.1 defines “personal data as various information recorded electronically or otherwise that can identify a particular natural person or reflect the activity of a particular natural person, either alone or in combination with other information.” This definition does not limit personal data to those pieces of information able to identify a particular natural person.
Among the three definitions, the one provided by the Chinese Cybersecurity Law is the most authoritative. The Chinese Cybersecurity Law was enacted by the Standing Committee of National People’s Congress, which retains more stature and influence compared with the bodies that enacted the other two regulations. The Chinese Cybersecurity Law is also a more recent piece of legislation compared with the Provisions. The Personal Information Security Specification was made later in time compared with the Chinese Cybersecurity Law. But the Personal Information Security Specification is not a law. It serves as guidance of best practices for the industry. Its foreword provides that, if these Specifications contradict with law, the latter should prevail. Therefore, the definition under the Cybersecurity Law—which requires that personal information, alone and in combination with other information, should be able to identify a particular natural person—represents the prevailing view in China.
II. Consumer Right
The US law considers that the data subject’s personal information may be used to exchange for Internet service—as opposed to the EU, where personal data is a fundamental right which cannot be traded.Footnote 82 At the state level, for example, the California Consumer Privacy Act of 2018 explicitly provides that “it is the intent of the Legislature to further Californian’s right to privacy by giving consumers an effective way to control their personal information.”Footnote 83 Satisfying requirements under the law, a business can offer financial incentives to consumers for the collection and sale of their personal data.Footnote 84 At the federal level, the primary privacy enforcement agency is the Federal Trade Commission, whose jurisdiction is limited to regulate privacy violations by organizations who conduct “deceptive” or “unfair” information practices.Footnote 85 Therefore, commentators conclude that the US Privacy Act is a system of broad consumer protection laws that have “been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for protecting, personal information.”Footnote 86
Like the US, in China, consumer law also allows personal information to be traded.Footnote 87 Chinese consumer law requires data companies to clearly indicate the purpose, manner, and scope of the collection and use of information, and seek the consent of the consumers.Footnote 88 The personal information collected by the data companies must be kept strictly confidential and not be disclosed, sold, or illegally provided to others.Footnote 89 Chinese consumer law also offers explicit remedies for personal data breaches. For example, Article 50 provides that if a business operator infringes upon the consumer’s personal data, the operator shall stop the infringement, restore the reputation, eliminate the influence, apologize, and compensate the loss. Article 56 also indicates that in cases where business operators infringe upon consumers’ personal information, the Administrative Department for Industry and Commerce or other relevant administrative departments shall order corrections, and may—according to the circumstances of the case—impose warnings, confiscate illegal income, and levy fines.Footnote 90 If the circumstances are serious, the operator shall be ordered to suspend business for rectification and revoke the business license.Footnote 91
However, the difference between Chinese consumer law and its US counterpart is that the former is much more ambiguous than the latter regarding the competence, necessity, and proportionality to collect personal data. For example, in November 2019, a Chinese professor brought a case against Hangzhou Safari Park in the Hangzhou Huyang District People’s Court.Footnote 92 The professor alleges that the Safari Park would like to mandatorily collect his facial features without his consent.Footnote 93 The professor bought an annual pass for the Safari Park for the period of April 2019 to April 2020.Footnote 94 In October 2019, without asking the professor’s consent, the Park informed him that the annual pass system was updated and the old system was abolished; now, visitors must record their facial features at the Park, and the Park will use a facial recognition system to verify visitors’ identities.Footnote 95 If a visitor refuses to record his or her facial features, the annual pass cannot be used, and a refund will not be issued.Footnote 96 The Park explains that using the facial recognition system will speed up the Park admission process and save consumers’ waiting time.Footnote 97 What is stunning in this case is that the only way for the safari park to provide admission is to collect and use facial features of customers. Facial features are personal biometric information. They are with the natural person for his or her lifetime and cannot be changed. Facial features are more sensitive than fingerprints and other personal data because they are mostly exposed. For public safety and national security, government law enforcement departments, such as the border control and traffic regulation department, can collect this information. Hangzhou Safari Park is not a government department and collects facial features for commercial purposes. 
Even if it can ensure the collected information will be well protected, saving consumers’ waiting time cannot justify the necessity and proportionality to collect such information. This case shows that while Chinese facial recognition technology is widely used, the law to regulate the competence, necessity, and proportionality to collect personal data is insufficient.
III. Property Right
Characterizing personal data as “property” derives from scientific research on the physical reality of information.Footnote 98 It reflects the need to delimit the ownership of data within the booming digital trade where personal data is treated as a product.Footnote 99 It is also appealing for data controllers to claim independent or shared property rights with the data subjects, especially when the controllers process information that is generated by machines based on anonymized personal data.Footnote 100
In 1905, the Supreme Court of the US held that data can be considered as property.Footnote 101 Moreover, the modern digital trade in transferring, licensing, and selling personal data has further fostered the view that personal data should be characterized as property.Footnote 102 Property scholars argue that “[p]roperty rights in information focus on identifying the right of a company or individual to control disclosure, use, alternation and copying of designated information.”Footnote 103 In China, the People’s Court Daily positively reported a judgment issued by the Hangzhou Internet Court in November 2019.Footnote 104 In this case, the plaintiffs operated an online database called Lvzhuang Wang, or “female clothing net.” The defendant manages a competing online database called Zhongfu Wang, or “China clothing net.” Many users who registered with the plaintiffs also registered with the defendant. Twenty-four users of the defendant’s database authorized the defendant’s staff to use their IDs and passwords to access their accounts on the defendant’s website. Because many users may use the same IDs and passwords on different websites, the defendant’s staff used the “crashing the library” technology to log into the twenty-four users’ accounts on the plaintiff’s website.Footnote 105 Consequently, the defendant downloaded information valuable to clothing dealers from the plaintiffs’ website. The plaintiffs brought an unfair competition claim against the defendant. The defendant argued that the plaintiffs’ user agreement did not specify who was the owner of the users’ IDs and passwords; even if the defendant misused the users’ IDs and passwords, it should be the users, not the plaintiffs, to claim the right to the users’ IDs and passwords. The court rejected this argument, holding that the users’ IDs and passwords were property and should be protected. 
Furthermore, the court held that the IDs and passwords were highly correlated with the users’ identity authentication, and the property right generated by this information was like that of computer information system data, so the rights of the users’ IDs and passwords should belong to the website—in this case, the plaintiffs.
The property right argument is deeply problematic. In the above case, it is doubtful that a data controller can obtain absolute property rights over data collected from data subjects. This is because the data controller has to use personal data strictly according to the agreements with the data subjects. Moreover, the data controller does not exclusively possess personal data. Data subjects can provide the same piece of personal data to other data controllers. Nevertheless, the data controllers invest time, money, and energy in compiling, organizing, or processing personal data. Alternatively, personal data may be generated while data subjects use the Internet service provided by the data controllers. Therefore, the data controllers have legitimate interests in the personal data they collect. However, this legitimate interest is not a property interest in personal data. Rather, it is a property interest that lies with the data controller, who invested in the process of gathering personal data under the guise that they would not be taken advantage of by other competing data controllers.
Further, in the American context, the property right theory is criticized because there are strong policy reasons, such as First Amendment civil liberty, against marking all personal information as property.Footnote 106 However, in China, the property right argument is doomed to fail for a reason not existing in the American context. The property right argument can enhance every data subject’s right of self-determination and control of his or her data. Yet, such self-determination and control are inconsistent with the Chinese government’s digital surveillance measures that rely on gathering a huge amount of personal data.Footnote 107 These data are collected under an over-comprehensive concept of national security without proper judicial review and public transparency supervision. Although the Chinese Civil Code provides that the collection and processing of personal information is subject to the principles of legality, proportionality, and necessity,Footnote 108 there are not many genuine opportunities for Chinese consumers to say no and find convenient alternatives for many basic services in China. For example, Chinese consumers are required to use facial recognition as a precondition to receive mobile phone and banking services in China.Footnote 109 There is no alternative for them except providing their facial features. If there is no genuine consent, how can the legality of collecting facial biometric information be decided? If consumers do not know what facial information is collected, how to process it, and where to store it, it is hard to determine proportionality. Moreover, the most common justification for granting property rights is to enable efficient and effective allocations of scarce resources. 
This does not seem to apply to facial biometric information or personal data, because in digital society, “[w]hat is scarce is information privacy, not personal data.”Footnote 110 Therefore, the rhetoric of property law is also inconsistent with the right to personal data as a personality right in China.
The limitation of applying property law to personal data raises the question of whether personal data can be considered the subject of copyright in the context of intellectual property protection. Personal data may not satisfy the threshold in becoming an original work, trademark, or patent.Footnote 111 For example, “female” as a gender is an important piece of personal information for an individual but cannot be regarded as an original and creative work under the copyright law.Footnote 112 In Shanghai Hantao Information Consultation Co. v. Aibang Juxin (Beijing) Technology Co., the No. 1 Intermediate People’s Court in Beijing held that if a comment provided by an individual customer expresses his or her original thoughts, character, emotions, and experiences, this comment would be considered as a work under the Chinese Copyright Law. However, the plaintiff in this case failed to prove that every comment on its platform satisfied the originality and creativity requirement under the Chinese Copyright Law.Footnote 113 Shanghai Hantao Information Consultation Co. is like Feist Publ’ns, Inc. v. Rural Telephone Serv. Co., where the Supreme Court of the US also concluded that it is difficult to justify copyright protection unless sufficient creativity exists in the development of databases of factual information.Footnote 114
C. Spread-Out Unilateral Applicable Law Approach
The second stage of conflict-of-laws analysis involves identifying connecting factors. The US, EU, and China either adopt connecting factors leading to the law of the forum or consider their data protection laws as mandatory law. Consequently, they predominantly apply lex fori to data disputes in torts, contracts, and equity, with little consideration of the conflicting foreign laws that transnational personal data may involve.
I. Lex Fori Based on Connecting Factors and Mandatory Law of the Forum
2019 has witnessed numerous seminars on topics such as “GDPR 18 Months On: Insights on Enforcement and Compliance for Non-EU Agencies” and the like.Footnote 115 The connecting factors adopted by the EU GDPR go beyond the traditional ones for natural persons, such as habitual residence or active citizenship. Article 3.2 of the GDPR provides that it applies to the offering of free or paid goods or services to the data subject who is in the EU.Footnote 116 This condition is fulfilled if the controller or processor envisages offering goods or services to data subjects in the EU, such as using a language or currency generally used in one or more EU member states, or targeting EU customers.Footnote 117 The GDPR also applies if the data subject’s behavior is monitored, so far as their behavior takes place in the EU.Footnote 118 This broad territorial scope enables the GDPR to be applied as a mandatory law to a large number of data subjects who are non-EU residents or citizens.Footnote 119
In the US, data protection law also has a broad territorial scope. A foreign business that collects, holds, transmits, processes, or shares a US resident’s personal information is subject to US federal data protection laws and may also be subject to relevant state-based laws in the state where the data subject resides.Footnote 120 The newly-enacted California Consumer Privacy Act applies to companies that collect personal information from California residents and satisfy at least one of three requirements, indicating the requisite nexus with California: (1) Having over $25 million in annual gross revenue; (2) buying, receiving, selling, or sharing for commercial purposes the personal information of 50,000 or more Californian consumers, households, or devices; or (3) deriving 50 percent or more of their revenue from the sale of California consumers’ personal information.Footnote 121 Commentators have criticized the nexus thresholds as being so low that they cover not only big companies but also many small- and medium-sized businesses.Footnote 122 Nevertheless, this low threshold ensures that more California resident consumers can benefit from the Consumer Privacy Act.
The Chinese Cyber Security Law provides for personal data protection.Footnote 123 Article 2 states that the construction, operation, maintenance, and use of networks, as well as the supervision and management of networks in China, shall be subject to this law.Footnote 124 The Provisions on Online Protection of Children’s Personal Information provides that it shall apply to the collection, storage, use, transfer, disclosure, and other activities relating to children’s personal information that are conducted online within the territory of China.Footnote 125 The Safety Assessment Guide for Data Transferred Outside of China, Draft for Public Comments in 2017, provides that it applies to a foreign data controller or processor that is not registered in China but provides products or services to people in China.Footnote 126 The factors to determine whether a foreign data controller or processor operates in China or provides products or services to people in China include, but are not limited to, advertising in Chinese, using Chinese currency, and providing logistics service to China.Footnote 127 The Safety Assessment Guide for Personal Data Transferred Outside of China, Draft for Public Comments in 2019, explicitly indicates that it applies to companies registered outside of China but collecting personal information of people in China via the Internet.Footnote 128 Like their US and EU counterparts, these connecting factors enable these Chinese data protection laws to cover a broad territorial scope.
Moreover, data protection laws may be considered as mandatory law and directly apply to foreign-related civil relations without the guidance from the conflict rules. In China, the connecting factor to determine the applicable law for the personality right is a person’s habitual residence.Footnote 129 In 2012, the Supreme People’s Court issued a judicial interpretation that defines mandatory law as “provisions of the laws and administrative regulations that involve the social public interest of China, that the parties concerned cannot exclude their application through an agreement, or that are directly applicable to foreign-related civil relations without the guidance from the conflict rules.”Footnote 130 The judicial interpretation provides that the following situations are mandatory law: Involving the protection of the interests of laborers; involving food or public health safety; involving environmental safety; involving financial safety such as foreign exchange administration; involving anti-monopoly or anti-dumping; or other situations that should be recognized as mandatory provisions.Footnote 131 In the context of COVID-19, if a law for public health safety requires the release of personal information, this law should be applied because it is a mandatory law and consequently, foreign laws should be excluded. Applying this interpretation to the COVID-19 case discussed in the first paragraph of this Article, although that lady’s habitual residence is Australia, Australian law should not be applied because Chinese law for COVID-19 is a mandatory law. On February 4, 2020, the China Central Cyber Security and Informatization Commission issued a Notification on Protecting Personal Information and Using Big Data to Support Joint Prevention and Control of Disease.Footnote 132 Therefore, this Notification should be applied to international travelers whose habitual residences are not in China.
Yet, if a law for personal information protection has nothing to do with protecting public health, the question arises whether this law is a mandatory law. The answer depends on whether this law involves the social public interest of China.Footnote 133 Personal data protection laws, such as the Chinese Cyber Security Law, The Provisions on Online Protection of Children’s Personal Information, and Consumer Law, address the social public interest of China. Therefore, they should be considered as mandatory laws.
II. Curtailing Party Autonomy
The user’s agreement between a data subject and a data controller is a consumer contract; so unsurprisingly, party autonomy regarding the law to protect personal data is usually restricted by the mandatory law discussed in Section I, Lex Fori Based on Connecting Factors and Mandatory Law of the Forum. The contract between a data controller and a processor is not a consumer contract. Yet, party autonomy for the applicable law is also restricted in the contract between the data controller and the processor.
In the EU, a data controller and a processor can conclude data-processing contracts.Footnote 134 However, parties are not allowed to use contractual choice of law clauses to diminish the personal data protection provided by the GDPR. This is for two reasons.
First, for the contractual relationship between a data controller and a data processor, if a controller or a processor is established in the EU, the GDPR applies to the processing of personal data in the context of its activities.Footnote 135 It does not matter whether the processing takes place in the EU or not.Footnote 136 The leading authority for defining “in the context of the activities of an establishment” is the Weltimmo case.Footnote 137 Weltimmo was registered in SlovakiaFootnote 138 and managed a property dealing website concerning Hungarian properties. It had no registered office or branch in Hungary. However, the owner of Weltimmo lived in Hungary and the website was written exclusively in Hungarian. Weltimmo had also opened a bank account in Hungary for the recovery of its debts and had a letter box for everyday business affairs. It hired a representative in Hungary to negotiate the settlement of its unpaid debts with its advertisers. The Court of Justice of the EU (CJEU) held that “in the context of the activities of an establishment” should be broadly interpreted.Footnote 139 More specifically, the concept of “establishment” emphasizes the effective and real exercise of activity through stable arrangements. Within this construction, the legal form of such an establishment—for example, an entity with or without a legal personality—is not determinative.Footnote 140 The “establishment” extends to any real and effective activity based on the stable arrangements.Footnote 141 Accordingly, the CJEU held that Weltimmo pursued a real and effective activity in Hungary. The Court further held that the operation of loading personal data on an Internet page should be considered to be “processing.”Footnote 142 Therefore, Hungarian law should be applied to Weltimmo. Another leading authority is the Google Spain case.Footnote 143 In this case, the processing of the relevant personal data took place exclusively in California by Google US. 
Google Spain possessed a separate legal personality and provided support to the Google group’s advertising activity. The activity of Google Spain was separate from the search engine service in California. The CJEU held that Directive 95/46, the predecessor of the GDPR, should be applied as the processing of data in the US was carried out in the context of the activities of Google Spain. The activity of Google Spain was inextricably linked with the search service provided by Google US because without the advertising space, the search engine would not be economically profitable and may not be able to perform.Footnote 144
Second, there is a question of whether a data controller can disclose personal data to an overseas processor and contract for a law providing a lower standard of privacy protection than the law of the controller’s place of registration. The answer is negative in the EU. The personal information collected in the EU can be disclosed only to overseas processors located in a jurisdiction recognized by the EU as a jurisdiction that offers equivalent data protection laws. In the case of outsourcing to a country without equivalent data protection laws to the EU’s laws, the GDPR requires the controller to apply adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals.Footnote 145 Therefore, parties are not allowed to select a law providing a lower standard of protection. This conclusion is also supported by judicial practice. In the German case Facebook v. Independent Data Protection Authority of Schleswig Holstein,Footnote 146 the general terms and conditions of Facebook contained a clause according to which, for German users, German law applied. The German court pointed out that, according to the Rome I Regulation, it was in principle possible to make an agreement on applicable law for the contract but not on data protection law. This was on account of the provisions on data protection—falling within the concept of overriding mandatory provisions—within the meaning of Article 9 of the Rome I Regulation, making it impossible for the parties to make an agreement on applicable law in this regard.
Different from the EU, Chinese law does not generally limit party autonomy in the choice of applicable law for contracts between a data controller and a processor. However, Chinese law does not allow a data controller to disclose personal data of a child to an overseas processor and contract for a law providing a lower standard of privacy protection than Chinese law. The Provisions on Online Protection of Children’s Personal Information provides that if a network operator transfers personal information of children to a third party, it shall conduct its own safety assessment, or engage an independent organization to conduct the same.Footnote 147 If a network operator entrusts a third party to process personal information of children, it should also conduct a security assessment of the entrusted party.Footnote 148 The entrustment contract between the network operator and the entrusted party shall provide that, among others, personal information of children shall be handled according to Chinese law and the entrusted party is not allowed to transfer the commission.Footnote 149
The purpose in restricting party autonomy in the contract between a data controller and a processor is to protect data subjects. There is often no direct contractual relationship between the data subject and the data processor, because the latter may not directly collect personal data from the former and, instead, the latter often obtains the data from a data controller. However, the right of the data subject against the data processor is derived from the contract between the data subject and the data controller. The contract between the data controller and the data processor should not impose any obligations on the data subject, and it should ensure that the data subject’s information is well protected. Namely, the data subject is the third-party beneficiary of the contract between the data controller and the data processor. Restricting party autonomy in the contract between a data controller and a processor is consistent with the mandatory nature of personal information law to protect data subjects.
III. Applying Lex Fori in Equity Cases
Besides torts and contracts, a personal data breach may also be pursued as a breach of confidence claim in the UK and other commonwealth countries. The lex fori approach leads to the application of forum law—the same result as applying mandatory law and curtailing party autonomy discussed in previous sections. For example, in Giller v. Procopets, the Court of Appeal of the Supreme Court of Victoria in Australia awarded equitable compensation for “distress arising from a breach of personal privacy that was framed as a breach of confidence claim.”Footnote 150 Traditionally, both the principle and the balance of Anglo-Australian authority favored the general application of lex fori in equity cases.Footnote 151 Although the leading Australian case, Murakami v. Wiryadi & Ors, qualifies this approach by providing a non-exhaustive list of exceptions, it never replaced the traditional lex fori approach.Footnote 152 Similarly, this approach was upheld by the Court of Appeal in the UK in Douglas v. Hello!. This case concerned the unauthorized publication of the Douglases’ wedding photos in the UK. Subsequent to Michael Douglas and Catherine Zeta-Jones’s wedding in New York, a member of the paparazzi took unauthorized photos of this wedding and sold them to Hello! Magazine. The couple brought a claim for breach of confidence in the UK. Though Hello! Magazine argued that the proper law should be the law of New York—where the unjust enrichment occurredFootnote 153—this argument was effectively rejected by the Court of Appeal, which instead applied the English law of confidence to protect individual privacy.Footnote 154 Although the place of intrusion was New York, the court held that it was the English law of confidence that provided the remedy.
This was consistent with the longstanding tradition of courts of equity using public policy concerns of the forum to exclude the operation of foreign law.Footnote 155 Scholars have advocated for other conflict of laws rules in breach of confidence cases.Footnote 156 However, it is undeniable that lex fori is the general rule for breach of confidence claims, which is most relevant in data breach cases.
D. De-Americanization of Substantive Data Protection Law
The nature of the right to personal data is characterized differently in the EU, the US, and China. Due to the mandatory nature of personal data protection law and the connecting factors leading to the law of the forum, the applicable law for transnational personal data depends on a race to courthouses or regulators.Footnote 157 Meanwhile, the domestic substantive data protection laws are experiencing a de-Americanization movement. The relationship between Internet data corporate giants and states needs to be reconsidered. The conventional wisdom is that Internet companies act, only to a small extent, in the shadow of state law.Footnote 158 Appearances, however, can be deceptive. These giants have to comply with the law of their domiciles, which is often US law. The developmental trend to regulate the Internet industry—especially the part of that industry concerned with data—has moved from Americanization to de-Americanization. This was triggered by the combination of legislative and non-legislative approaches in the EU and China. Iconic examples include the passing of the GDPR in the EU, the Christchurch Call initiated by New Zealand and France, the Huawei ban, and the COVID-19 online propaganda that divide China and the US/EU.
I. Americanization
Professor Jack M. Balkin indicates that “[c]urrently the Internet is mostly governed by the values of the least censorious regime—that of the United States.”Footnote 159 From the perspective of conflict of laws, this phenomenon can be explained by the significance of the law of domicile. The main global Internet players are US companies and industry associations registered in the US. Among the top ten Internet companies in the world, six are US companies: Amazon, Google, Facebook, Netflix, Booking, and eBay.Footnote 160 The domicile of a data company is significant, sometimes determinative, in identifying the law that would apply to protect personal data collected by the company. The US data regulatory environment features freedom of speech,Footnote 161 industry self-regulation,Footnote 162 the Federal Trade Commission’s consent decrees,Footnote 163 and weak consumer privacy regulations.Footnote 164
The domicile of a company is also important for the purpose of judgment recognition and enforcement.Footnote 165 Consequently, it is concerned about whether a domestic law on personal data protection can be respected in other jurisdictions. In LICRA & UEJF v. Yahoo! Inc. & Yahoo France, Yahoo! was ordered by a French court to block French users from accessing the auction site on Yahoo.com offering Nazi memorabilia in contravention of French law.Footnote 166 Yahoo! was domiciled in the US. Unsurprisingly, it went to a US district court and successfully obtained a judgment declaring that the French judgment was not recognizable or enforceable because it violated the First Amendment of the US Constitution.Footnote 167 Although the district court judgment was reversed at the appellate level on the grounds of a lack of personal jurisdiction on LICRA & UEJF and the “ripeness” of the enforcement claim, it nevertheless demonstrates that the First Amendment to the US Constitution can potentially be used to protect US-domiciled websites from enforcing foreign judgments.Footnote 168 Similarly, in Google Inc. v. Equustek Solutions Inc., Google was required by a Canadian court to block websites violating Canadian law.Footnote 169 Google, yet another company with a domicile in the US, obtained a judgment at its home court that rendered the Canadian judgment unenforceable.Footnote 170 Furthermore, the US Securing the Protection of our Enduring and Established Constitutional Heritage Act (SPEECH Act 2010) expressly prohibits the recognition and enforcement of foreign defamation judgments against online providers, unless the defendant would have been liable under US law.Footnote 171
II. De-Americanization
The substantive law for personal data protection and, broadly, international regulations is moving from Americanization to de-Americanization. The two main drivers are the EU and China.
1. EU
Although subject to criticism, the GDPR may commence the Europeanization of data protection lawFootnote 172 and symbolize the global trend of de-Americanization of data industry regulations.Footnote 173
The EU harmonizes data protection law through two means. The first is within the EU. The EU Data Protection Directive allows member states to apply their own law.Footnote 174 In contrast, the GDPR established a more harmonized framework, thanks to its direct application in member states.Footnote 175 Notably, Recital 21 of the GDPR provides that it “is without prejudice to the application of [the e-Commerce Directive] in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.” Therefore, the GDPR does not replace the intermediary liability rules of the e-Commerce Directive. Before the GDPR became effective, various cases attest to how courts in EU member states applied the e-Commerce Directive to personal information posted online by a third party.Footnote 176 However, considering the prohibitive penalty under the GDPR today, in practice, intermediaries would be more inclined to follow the GDPR rather than the e-Commerce Directive.Footnote 177 Also considering the long-arm jurisdiction created by the GDPR, courts may also be prone to apply the GDPR.Footnote 178 Further, compared with the e-Commerce Directive, the GDPR is especially relevant to protecting personal data in combating COVID-19. The European Data Protection Board has formally announced that the GDPR applies to the processing of personal data in the context of COVID-19.Footnote 179 In the processing of personal information by the competent public health authorities and employers, for reasons of substantial public interest in the area of public health, there is no need to rely on the consent of individuals.Footnote 180
Second, coordination of substantive law for personal data protection between EU members and non-members is also orchestrated through the European Commission’s adequacy decision, which requires that the state receiving data from the EU impose a high-standard data protection law equivalent to the EU standard.Footnote 181 Article 45 of the GDPR provides that the transfer of personal data out of the EU is based on the European Commission’s adequacy decision. The Commission will take account of three elements when making the decision: Whether the non-EU country respects human rights and fundamental freedoms by general and sectoral legislation,Footnote 182 whether the non-EU country has effectively established an independent supervisory authority for ensuring and enforcing compliance with the data protection rules,Footnote 183 and whether the non-EU country has entered into legally binding conventions or instruments relating to the protection of personal data.Footnote 184 The adequacy decision is not a final decision. The European Commission should conduct a periodic review at least quadrenniallyFootnote 185 and monitor developments in countries that receive a positive adequacy decision.Footnote 186
Besides the GDPR, another important global effort to curtail the impacts of lax US internet regulations is the Christchurch Call. On March 15, 2019, a gunman attacked two mosques in Christchurch, New Zealand.Footnote 187 The gunman livestreamed the massacre at the first mosque on his Facebook page. The attacks killed 51 people.Footnote 188 According to § 230 of the Communications Decency Act (CDA), an internet intermediary like Facebook is immune from civil liability caused by third-party contents.Footnote 189 Therefore, by applying US law, Facebook would have no liability for allowing the gunman to livestream the massacre online.Footnote 190 On May 15, 2019, New Zealand Prime Minister Jacinda Ardern, French President Emmanuel Macron, heads of many other states, and leaders of technology companies all adopted the Christchurch Call.Footnote 191 The Call aims to “bring together countries and tech companies in an attempt to bring to an end the ability to use social media to organise and promote terrorism and violent extremism.”Footnote 192 Online service providers, including Facebook, have committed to take transparent and specific measures to prevent the uploading of terrorist and violent extremist content, and to stop its dissemination on content-sharing services.Footnote 193 Unlike the GDPR, the Christchurch Call is non-binding. Nevertheless, it has gained wide support in Oceania and the EU, and its soft-law nature may help to promote its popularity in the global community. Thus far, the Call has been signed by seventeen countries, ranging from developing countries like Senegal and India to developed countries such as Japan and Germany.Footnote 194 Many big-name US Internet companies have endorsed the Call.Footnote 195
Unlike the GDPR and other legislation, the Christchurch Call represents a non-legislative approach, which is increasingly used to obtain compliance of US Internet giants.Footnote 196 An important difference between a legislative and non-legislative approach is that the latter can circumvent the difficulties of enforcing foreign judgments under the SPEECH Act in the US.Footnote 197 This is because industrial compliance is embodied in the terms of service and can be applied all over the world.Footnote 198 In contrast, a court judgment may be enforced only in the judgment-rendering state.Footnote 199 If it is not recognizable and enforceable in the state where the company is domiciled—for example, the US—its efficacy is limited. Its global impact is further limited by the insufficient international mechanism for recognition and enforcement of judgments.Footnote 200
2. China
China is another strong proponent of de-Americanization of data industry regulations. It does so for reasons very different from the EU. The EU promotes de-Americanization because it considers protecting personal data a fundamental human right and the US laissez-faire protection insufficient. For China, the main drive for de-Americanization is national security. This drive has been boosted by two recent incidents.
The first is the US Huawei ban.Footnote 201 Huawei is a leading Chinese 5-G manufacturer and the second-largest smartphone manufacturer in the world.Footnote 202 On May 16, 2019, President Donald Trump added Huawei to the US blacklist and banned US companies from doing business with them, without first obtaining US government approval,Footnote 203 on the allegation that Huawei posed “threats against information and communications technology and services in the US.”Footnote 204 Due to the ban, companies that stopped supplying Huawei include not only US companies, such as Google and Intel, but also non-US companies, including the UK’s ARM and Vodafone,Footnote 205 Germany’s Infineon,Footnote 206 and Japan’s KDDI and Docomo.Footnote 207 These non-US companies have production lines in the US and are thus concerned over the US sanction in the case of non-compliance. Although the Huawei ban was issued by the US government, it has led to a broad snowball effect to largely preclude Huawei from the global supply chain. The Huawei Ban teaches a vivid lesson to private companies domiciled in China and other countries which are traditionally not allies to the US: Even though they are registered outside of the US, they are still subject to US law by relying on the global supply chain that is dominated by US companies and industry associations. Consequently, they may have to join the internet sovereignty camp. Previously, the internet sovereignty camp was constituted by states such as China and Russia, rather than private technology companies.Footnote 208 Internet sovereignty is often considered to be more concerned with national security than private commercial interest. 
The prominent example is China’s 2017 Cybersecurity Law aiming to “safeguard cyber security, protect cyberspace sovereignty and national security.”Footnote 209 However, the Huawei Ban may drag private companies domiciled in non-US allies into the internet sovereignty camp because the US does not treat companies as legal entities separate from the state in which they are domiciled. Therefore, the Huawei Ban will promote de-Americanization in the data industry.
The second incident is the global pandemic of COVID-19. As discussed in Section I, Lex Fori Based on Connecting Factors and Mandatory Law of the Forum, the Notification on Protecting Personal Information and Using Big Data to Support Joint Prevention and Control of Disease is a mandatory law and should be applied to international travelers in China.Footnote 210 This Notification provides that all localities and departments should attach great importance to the protection of personal information; except for those agencies authorized by the State Council’s Sanitary and Health Department in accordance with China Cyber Security Law, the Law on Prevention and Control of Infectious Diseases, and Regulations on Public Health Emergencies, no other unit or individual may use personal information on the grounds of epidemic prevention and control or disease prevention without the consent of the person whose information is being collected.Footnote 211 Where laws and administrative regulations provide otherwise, they shall be implemented accordingly.Footnote 212 The collector of personal information necessary for joint prevention and control should refer to the national standard of Personal Information Security Regulations and adhere to the principle of minimum collection.Footnote 213 The collection object is limited to key groups—such as diagnosed persons, suspects, and close contacts in principle—and is generally not targeted at specific areas, to prevent de facto discrimination against specific geographic groups.Footnote 214 Personal information collected for epidemic prevention and control and disease prevention shall not be used for other purposes.Footnote 215 No entity or individual may disclose personal information such as name, age, identity card number, phone number, or home address without the consent of the person from whom the data is collected, except for the joint disease defense and control work.Footnote 216 All personal information used should be desensitized and anonymized.Footnote 217
Therefore, the Chinese media violated this Notification in the COVID-19 case discussed in the first paragraph of the Article, because they published that lady’s detailed personal information without her consent. The collection and release of her information did not comply with the minimum principle because her employment information, the university from which she graduated, and the year of her graduation have nothing to do with disease prevention and control.
According to the Notification, the Chinese network information department shall promptly deal with the illegal collection, use, and disclosure of personal information, and incidents that cause a large amount of leakage of personal data in accordance with China Cyber Security Law and related regulations.Footnote 218 The police department should severely crack down on relevant crimes according to law.Footnote 219 Yet, the Chinese authorities have not done anything to remedy the personal information violation caused to the lady discussed in the first paragraph of this Article. This reveals two issues. First, compared with the EU GDPR, the enforcement mechanism of the Notification and other Chinese law for personal data protection is much weaker. Violating the GDPR can result in a fine of up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.Footnote 220 Comparatively, the China Cyber Security Law provides that personal data breaches can lead to a fine of up to ten times the illegal income; if there is no illegal income, the fine is less than RMB 1 million.Footnote 221 Second, Chinese law for personal information protection is subject to China’s national interest. This is especially true for COVID-19 online propaganda. In January and early February 2020, Chinese media widely reported that the spread of COVID-19 was due to people who sold and ate wild animals illegally.Footnote 222 However, with COVID-19 spreading to the rest of the world, the Chinese media has begun to publish articles criticizing the US as the origin of the disease since March 2020.Footnote 223 It is not the intention of this Article to discuss what is the origin of COVID-19 and who should be liable. The point is that the sharp divide between China and the US regarding the origin of COVID-19 and the relevant state liability will further push China to firmly control online media and Internet companies located in China. 
De-Americanization is consistent with China’s national interest.
E. Dynamics Among Trends
Three trends have emerged at each stage of identifying the applicable law for transnational personal data: (1) The EU, the US, and China characterize the right to personal data differently, (2) the spread-out unilateral applicable law approach comes from the fact that all three jurisdictions either consider the law for personal data protection as a mandatory law or adopt connecting factors leading to the law of the forum, and (3) the EU and China strongly advocate de-Americanization of substantive data protection laws. These trends are developing and interacting with one another. Their dynamics are two-fold.
At the macro level, the trends are consistent with one another. The multi-faceted legal nature of the right to protect personal data fosters the spread-out unilateral applicable law approach. Consequently, de-Americanization has been supported by the EU and China. All the trends embody the fundamental value and national interest of states. However, because these values and interests are so diverse, the trends demonstrate the regulatory competition among states on personal data in transnational contexts. For instance, the US overarchingly values the freedom of speech, thus elucidating their adoption of lax data regulation and blockage of foreign judgments that violate the First Amendment of the US Constitution. Contrarily, in the EU, privacy of personal data is considered a fundamental human right. Therefore, it is unsurprising that the GDPR imposes broad extra-territorial jurisdiction. Chinese data governance derives from the national interest in using personal data as a valuable resource to develop the data industry and maintain social stability. Therefore, China distinguishes the right to personal data from the right to privacy and supports de-Americanization.
At the micro level, if we look into each individual trend, it is apparent that the divergent laws adopted by each jurisdiction in that trend are not actually reconcilable. The typical example is the industry self-regulation of personal data in the US that conflicts with the laws in China and the EU, which clearly push for more government regulations—in other words, de-Americanization. However, in the de-Americanization camp, the differences existing in the laws adopted by the EU and China exceed nuance. Because the contents of substantive laws adopted by the US, the EU, and China are so different, coordination of substantive law at the regional level by the GDPR adequacy decisions actually leads to a wider gap internationally.
F. Conclusions
As German Chancellor Angela Merkel indicated at the Harvard University 368th Commencement Ceremony on May 30, 2019: “[A]re we laying down the rules for technology, or is technology dictating how we act? Do we prioritize people as individuals with human dignity with all the manifests or do we see them as many consumers, data sources, objects of surveillance?” These questions are especially relevant for protecting personal information of international travelers and combating COVID-19. According to conflict of laws, determining an applicable law in a transnational case requires three stages: characterization, connecting factors, and identifying a legal system. Using the incident where the personal data of an international traveler was illegally released by Chinese media, this Article identifies three trends that have emerged at each stage: the multi-faceted legal nature of the right to protect personal data, the spread-out unilateral applicable law approach, and the de-Americanization of substantive law for personal data protection. The trends and their dynamics provide valuable implications for developing the choice of laws for transnational personal data. First, the choice of laws aims to provide comity, consistency, and predictability to international civil litigations and discourage forum shopping.Footnote 224 Nevertheless, due to the spread-out unilateral applicable law approach and the consequent lesser possibility of applying foreign law, the importance of choice of laws significantly decreases in cases of transnational personal data breach. This finding informs parties that jurisdiction is a predominant issue in data breach cases because courts and regulators would apply the forum law. Second, currently there is no international treaty or model law on choice-of-law issues for transnational personal data. 
International harmonization efforts will be a long and difficult journey considering how the trends demonstrate not only the states’ irreconcilable interests, but also how states may consider these interests as their fundamental values that they do not want to trade off. Therefore, for states and international organizations, a feasible priority is to achieve regional coordination or interoperation among states with similar values on personal data protection.