Abstract
The global information revolution has precipitated a further revolution in data protection laws. Given the relative novelty and complexity of data protection problems, few countries, especially those in developing jurisdictions, can rely on existing legal institutions or previous regulatory experience to tackle the problems effectively and systematically. In contrast, western jurisdictions, in particular the European Union and the United States, have been working on data protection issues for several decades. This has given them not only valuable empirical experience in regulating data processing, but also considerable theoretical and legislative advantages. Data protection law has thus become one of the most heated areas for comparative legal research.Despite widely shared ambitions for an international legal framework for data protection, there is an issue at the heart of data protection law that creates tremendous difficulties and conceptual barriers for comparative study and thus global harmonization of data protection law, which is the obscure, intricate and unstable relationship between privacy and data protection. This conceptual barrier has, for instance, played a considerable part in thwarting China's initial inclination to align with western jurisdictions on the issue of data protection. This difficulty can be observed from three levels.
First, at the international level, conceptions of privacy vary so greatly across different societies that it provokes serious scepticism regarding the transferability of data protection law. Specifically, while EU data protection law was designed to preserve a concept of privacy that is commonly believed to be rooted in western liberal democracy, it is questionable whether the same legal model can also help protect a conception of privacy that is formed within very different social, political, and cultural contexts, such as in mainland China. Some scholars suggest downplaying the discrepancy among different conceptions of privacy to increase the chance of transnational consensus, yet this overlooks another crisis in data protection law, which is that western jurists and academics have made enormous efforts to stretch the concept of privacy to catch as many as possible data protection problems which otherwise would fall outside its scope. In this sense, comparative research of data protection law is now between a rock and a hard place: if, for the sake of international data protection coordination and harmonization, the differences between markedly divergent concepts of privacy in different countries/cultures were minimized, it would hamper efforts in western jurisdictions to stretch privacy to tackle increasingly complicated data protection issues. Conversely, if it follows this trend to stretch the concept of privacy in the transnational context, such a comprehensive concept of privacy, very likely, will not be acceptable or applicable in non-western societies.
Second, in the west where data protection law first arose, there is considerable disagreement between Europe and the United States regarding the concept of privacy. For some scholars, all the cross-Atlantic differences simply affirm the fact that privacy is a slippery, complicated, and much-debated concept. Yet, from the perspective of comparative research, transatlantic disagreements regarding privacy, inevitably and significantly, have produced immense confusion for researchers and interested legislators from non-western jurisdictions: what does privacy mean in the western ideological domain? As leading US privacy scholar Daniel Solove states, "privacy seems to be about everything, and therefore it appears to be nothing."1 However, without knowing what privacy is and is for in original western contexts, how can countries outside the western liberal democratic tradition transfer and implement legislation built upon it? To be sure, many non-western countries have already enacted EU-style data protection law, despite conceptual differences and ambiguities concerning privacy. This, however, can give rise to a serious problem: if neither the public nor their governments adhere to the foundational values underpinning the imported data protection law, how can such a new legal institution be accepted and implemented in the receiving society, rather than becoming mere legislation on paper?
Besides, even within the EU, the relationship between data protection and privacy is not as clear and concrete as it is generally believed. Gloria Fuster has produced extensive evidence that the concepts of data protection and privacy in Europe experienced a long and complicated process of "coupling" but are now undergoing the opposite process, ''de-coupling." 2 Not surprisingly, these historical complications and the ongoing uncertainty regarding the relationship between data protection and privacy in the European context significantly aggravate the difficulties of comparative researchers from other jurisdictions: If data protection is distinct from privacy protection, what then is data protection law supposed to achieve? It seems unwise, at least for prudent legislators who have a genuine desire for implementation, to transfer a new legal institution without a clear understanding of what is it for. Moreover, even if an EU-style data protection law was successfully transferred and enacted, how could the regulatory authorities of the recipient jurisdictions interpret and apply this law in practice without a basic understanding of its legislative purpose and underlying values? It is doubtful that international harmonization of data protection can be achieved simply by increasing the number of countries that enact an EU-style data protection law.
Given the serious complications and difficulties caused by divergent conceptions of privacy and the obscure relationship between privacy and data protection, this thesis proposes, for the sake of comparative legal research and widely desired global harmonization of data protection law, that data protection and privacy are better understood as interrelated but distinct concepts. This thesis dissects these two concepts according to three main aspects, i.e., their partially overlapping governing scope, distinctive dominant character, and different ethical focuses.
Yet, if data protection is distinct from privacy protection, what then is data protection for? The answer is of vital importance for the comparative study of data protection law. By identifying a core goal of data protection law that is shared and valued across different societies and legal systems, we could then establish a basis for transnational discussion of data protection law. As Christopher Kuner has pointed out, "the different cultural and legal conceptions of data protection around the world, together with the lack of any data protection law in most States, will make it difficult to reach broad international agreement on a defined set of standards" even as the demand for an international data protection framework escalates as data processing becomes increasingly global.3
This thesis addresses this problem.
It starts by revisiting and exploring the social-economic contexts within which the new legal institution of data protection emerged, i.e., informational capitalism. It is found that there were close and complicated interconnections between data protection law and informational capitalism, including but not exclusive to the historical resemblances in timing. Drawing inspiration from the theory of legal institutionalism, this thesis posits that the emergence of data protection law was due to the inherent demand of informational capitalism for a legal institution capable of addressing a series of new relationships that were created along with unprecedentedly intensive and extensive data flows. As Manuel Castells declared, "all societies are affected by capitalism and informationalism, and many societies (certainly all major societies) are already informational." 4 In short, this thesis argues that data protection law is the foundational legal institution underlying information capitalism that most countries in the world have shifted or are shifting toward, which thereby establishes a basis for comparative study of data protection law.
Building upon the above understanding, this thesis proposes an alternative framework that is relatively neutral in cultural and political terms to perceive data protection law, namely, the "trust regime". The "trust regime" claims that the predominant goals of data protection law are twofold. First, at its most basic level, data protection law sets rules for a series of new relationships emerged along with unprecedently intensive and extensive information flows, maintaining certainty and stability in the informational capitalist societies. Second, at a more advanced level, data protection law, as a legal institution born from informational capitalism, should also be understood as a means of ensuring the sustainable development of informational capitalist societies in the future. In short, the "trust regime" suggests that data protection law is better conceived of as pursuing the core goal of ensuring the stability and sustainable development of informational capitalism by ensuring the trust of data subjects as both consumers and citizens. To that end, "trust regime" indicates that data protection law, on the one hand, must take into consideration the key characteristics of informational capitalism, such as the essential need for free flow of data, government-enterprises partnerships, and globalization of economy; on the other hand, it should also accommodate various aspects/dimensions of values underlying personal information, including individual personal rights, societal values, and proprietary interests.
After establishing the theoretical framework for the comparative study of data protection law, this thesis brings China into the picture, testing the applicability of the "trust regime" outside the western context. It is found that the key characteristics of western information capitalist society have also appeared in the social and economic context of mainland China in recent years. Furthermore, by comparing the emergence of the Chinese data protection regime with the rise of information capitalism in China, this thesis shows that the emergence of the Chinese data protection regime reproduces the same coincidence in timing with the rise of information capitalism in Chinese society—both of which lagging western counterparts by around four decades. These resemblances affirm that the "trust regime", while primarily based on examination of western countries, is equally applicable in a Chinese context.
In addition, based on a thorough examination of the current Chinese data protection regime, this thesis argues that the current Chinese data protection regime is fragmentary, incoherent, and largely ineffective, despite the fact that many elements of western data protection law have been ostensibly borrowed and incorporated into the Chinese regime. Furthermore, it argues that the obscurity of legislative purpose for data protection in China has become a fundamental defect impeding the normal functioning of the Chinese data protection regime. Hence, a concrete legislative justification other than privacy protection, such as the "trust regime", is urgently needed in China to facilitate the effective application and future development of data protection legislation.
This thesis concludes by discussing the possible implications of the "trust regime" for China. It advocates that China actively participate in the discussion and development of future global data protection standards for the sake of its own competitive advantage. It also draws attention to the fact that data protection focused solely on the private sector—as in the current Chinese data protection regime—cannot ensure people's trust in the era of informational capitalism that is characterized by partnerships between government and private enterprises, as well as transnational data flow.
1 Solove, Daniel J. "A taxonomy of privacy." U. Pa. L. Rev. 154 (2005): 477.
2 Fuster, Gloria González. The Emergence of Personal Data Protection as a Fundamental Right of the EU. Vol. 16. Springer Science & Business, 2014.
3 Kuner, Christopher. "An international legal framework for data protection: Issues and prospects." Computer law & security review 25, no. 4 (2009): 307-317.
4 Castells, Manuel. The rise of the network society: The information age: Economy, society, and culture. Vol. 1. John Wiley & Sons, 2011, at 21.
| Date of Award | 1 Jul 2021 |
|---|---|
| Original language | English |
| Awarding Institution |
|
| Supervisor | Perry Keller (Supervisor) & Tanya Aplin (Supervisor) |