The regulations of cross-border data flows is a growing challenge for the international community. International trade agreements, however, appear to be pioneering legal methods to cope, as they have grappled with this issue since the 1990s. The World Trade Organization (WTO) rules system offers a partial solution under the General Agreement on Trade in Services (GATS), which covers aspects related to cross-border data flows. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the United States-Mexico-Canada Agreement (USMCA) have also been perceived to provide forward-looking resolutions. In this context, this article analyzes why a resolution to this issue may be illusory. While they regulate cross-border data flows in various ways, the structure and wording of exception articles of both the CPTPP and USMCA have the potential to pose significant challenges to the international legal system. The new system, attempting to weigh societal values and economic development, is imbalanced, often valuing free trade more than individual online privacy and cybersecurity. Furthermore, the inclusion of poison-pill clauses is, by nature, antithetical to cooperation. Thus, for the international community generally, and China in particular, cross-border data flows would best be regulated under the WTO-centered multilateral trade law system.

In the context of today’s big data and cloud computing, the global flow of data has become a powerful driver for international economic and investment growth. The EU and the U.S. have created two different paths for the legal regulation of the cross-border flow of personal data due to their respective historical traditions and realistic demands. The requirements for data protection have shown significant differences. The EU advocates localization of data and firmly restricts cross-border flow of personal data. The U.S. tends to protect personal data through industry self-regulation and government law enforcement. At the same time, these two paths also merge and supplement with each other. Based on this, China needs to learn from the legal regulatory paths of the EU and the US, respectively, to establish a legal idea that places equal emphasis on personal data protection and the development of the information industry. In terms of domestic law, the Cybersecurity Law of the People’s Republic of China needs to be improved and supplemented by relevant supporting legislation to improve the operability of the law; the industry self-discipline guidelines should be established; and various types of cross-border data need to be classified and supervised. In terms of international law, it is necessary to participate in international cooperation based on the priority of data sovereignty and promote the signing of bilateral, multilateral agreements, and international treaties on the cross-border flow of personal data.

The right to privacy has been developed through judicial practice and has evolved from “the protection of the right to reputation” to “privacy interest” then to “privacy right.” The Civil Code of the People’s Republic of China (2020) clarifies the right to information privacy and the right to personal information as two independent personality rights and establishes a privacy priority protection mechanism for private information in civil law. The comparative efficiency of the right to personal information may mean that the protection of the right to information privacy is weakened or even replaced by the right to personal information. The uncertainty and fragmentation of private information also creates a wide gray space for judicial decisions. The development from traditional privacy right to information privacy right and personal information right is generally positive and shows the active legal response to the protection of private information in multiple ways. However, clarifications and systematization are required to increase the effectiveness of such protections.

With the development of the internet and the increasing role played by information technology in the economy, personal information protection has become one of the most significant legal and public policy problems. Since 2013, China has accelerated its legislation efforts towards protecting personal information. The Cybersecurity Law of the People’s Republic of China took effect on June 1, 2017. Legal scholars focus on the nature of personal information, discuss the necessity of enacting specific laws on protecting personal information, and attempt to propose relevant draft laws regarding personal information protection. Personal information protection, however, is not only a legal issue but also a political one. We need to look at the decision-making process about legislation on personal information protection in China. Why has China sped up its legislation on personal information protection since 2013? Is privacy, civil rights, or legal interest the main reason behind the legislation? Only after placing personal information protection legislation in a broader context, can we have a better understanding of the underlying logic and dynamics of personal information protection in China, and can perceive the potential content and possible future of these legislation. This paper argues that Internet industry development, the social consequences of personal information infringement, and national security are the main drivers of China’s personal information protection legislation.