Rethinking Higher Education/Chapter 3/en-zh

From China Studies Wiki
Revision as of 05:52, 8 April 2026 by Maintenance script


Chapter 3: Student Data Protection in the Digital University: GDPR and China's PIPL Compared

Martin Woesler

Hunan Normal University
== Abstract ==
The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world's most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union's General Data Protection Regulation (GDPR, effective 2018) and China's Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.

Keywords: GDPR, PIPL, student data protection, learning analytics, higher education, cross-border data flows, privacy, EU-China comparison, AI in education
== 1. Introduction ==
The digital university is, at its core, a data-generating institution. Every interaction a student has with a learning management system, every submission to an automated grading platform, every login to a campus network, and every engagement with an adaptive learning tool produces data that is collected, stored, analyzed, and — increasingly — shared across institutional and national boundaries. The COVID-19 pandemic accelerated this process dramatically: the rapid shift to online and hybrid learning normalized the collection of data streams that would have been unthinkable a decade earlier, including webcam footage from remote proctoring systems, keystroke dynamics for identity verification, and engagement metrics tracking how often and how long students interact with course materials.

Two comprehensive data protection regimes now govern how universities handle this information. The European Union's General Data Protection Regulation, which took full effect in May 2018, established the world's first comprehensive framework for personal data protection, with specific implications for educational institutions that process student data. China's Personal Information Protection Law, effective from November 2021, created a parallel framework that, while structurally similar to the GDPR in many respects, reflects fundamentally different assumptions about the relationship between individuals, institutions, and the state.

For universities engaged in international cooperation — joint degree programs, student exchange, collaborative research, cross-border recruitment — these two regimes create a dual compliance challenge of considerable complexity. A European university recruiting Chinese students must comply with the PIPL's requirements for processing the personal information of Chinese residents; a Chinese university participating in an Erasmus+ partnership must understand GDPR obligations that may attach to data about European students. Yet the two systems diverge precisely where the compliance challenges are most acute: in their approaches to cross-border data transfer, consent requirements, enforcement mechanisms, and the treatment of minors.

This article provides a systematic comparison of GDPR and PIPL as they apply to higher education, organized around four questions. First, how does each framework regulate the core data processing activities of universities — enrollment, assessment, analytics, and communication? Second, where do the two systems converge and where do they diverge in their philosophical foundations and practical requirements? Third, what specific challenges arise for institutions operating simultaneously under both regimes? Fourth, what practical strategies can universities adopt to achieve meaningful compliance with both frameworks?
== 2. The GDPR Framework for Education ==
=== 2.1 Legal Bases for Student Data Processing ===
The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent.

The application of these legal bases to learning analytics has proven particularly contentious. Liu and Khalil (2023), in a systematic review of 47 studies published in leading educational technology journals, identify a fundamental tension: the GDPR's principle of purpose limitation — that data collected for one purpose should not be repurposed without additional legal basis — sits uncomfortably with the open-ended, exploratory nature of learning analytics, where the value of data often emerges only through analysis that was not anticipated at the time of collection. Prinsloo, Slade, and Khalil (2022) argue from a critical data studies perspective that purely technological solutions to this tension are insufficient; the power asymmetry between institutions and students means that meaningful consent is often illusory, particularly when students feel they cannot refuse data collection without academic consequences.
=== 2.2 Enforcement Landscape ===
The enforcement of GDPR in the education sector has been uneven but increasingly significant. According to the CMS GDPR Enforcement Tracker Report for 2024/2025, data protection authorities across 25 EU member states have imposed a total of 270 fines on schools, universities, and other educational institutions, amounting to more than EUR 29.3 million. The most common violations are processing without a sufficient legal basis (90 fines) and insufficient technical and organizational measures to protect data (76 fines) (CMS 2025).

The most consequential individual case for higher education was the Italian data protection authority's 2021 decision against Bocconi University, which imposed a EUR 200,000 fine for the use of the Respondus remote exam proctoring software. The authority found that the university had failed to obtain valid consent, had not conducted a data protection impact assessment, had provided insufficient transparency about data processing, and lacked a lawful basis for processing biometric data — violations that collectively illustrate the compliance challenges universities face when deploying surveillance-adjacent educational technologies (Garante 2021).

Yet enforcement captures only part of the picture. A 2024 study by the consultancy 7DOTS examined 335 UK universities and higher education colleges and found an 81 percent non-compliance rate with GDPR standards. Only 32 percent had implemented a Consent Management Platform, and of those, 66 percent were improperly configured (7DOTS 2024). These findings suggest that the education sector's compliance deficit is not primarily a matter of deliberate violation but of institutional capacity: universities lack the resources, expertise, and organizational structures to implement the GDPR's requirements effectively.
=== 2.3 Student Privacy Beyond the Classroom ===
The privacy challenges facing universities extend well beyond the learning management system. Giuffrida and Hall (2023) demonstrate that technology integration in higher education creates privacy risks at the enterprise level — institutional data systems, campus networks, and administrative platforms — that are distinct from the pedagogical context. Blackmon and Major (2023), in a PRISMA-based systematic review of student perspectives on privacy in technology-enhanced courses, find significant awareness gaps: students often do not understand what data is collected about them, how it is used, or what rights they have. Kumi-Yeboah and colleagues (2023) document fear and anxiety about data encroachment among diverse student populations, with particular concerns about learning management systems and social media integration. These findings collectively suggest that the GDPR's emphasis on informed consent faces a practical obstacle: the information asymmetry between institutions and students is so large that genuine informed consent may be unattainable for many data processing activities.
== 3. China's PIPL: Structure and Educational Implications ==
=== 3.1 Architectural Overview ===
China's Personal Information Protection Law, effective 1 November 2021, establishes a comprehensive framework for personal data protection that is structurally parallel to the GDPR in many respects — extraterritorial scope, individual rights (access, correction, deletion, portability), requirements for data protection impact assessments, and significant penalties for violations — while reflecting fundamentally different philosophical commitments (Li and Chen 2024; Lim and Oh 2025).

The PIPL defines "personal information" broadly as any information relating to an identified or identifiable natural person recorded by electronic or other means (Article 4). Like the GDPR, it establishes lawful bases for processing — consent, contractual necessity, legal obligation, public health emergencies, news reporting in the public interest, and reasonable processing of publicly available information (Article 13). Unlike the GDPR, however, the PIPL does not include "legitimate interests" as a standalone legal basis, making consent the primary mechanism for lawful processing in most educational contexts (IAPP 2021; Zhu 2022).
=== 3.2 Enhanced Protection for Minors ===
The PIPL's treatment of minors represents one of its most significant divergences from the GDPR. Article 28 classifies all personal information of individuals under the age of 14 as "sensitive personal information," regardless of its nature, requiring parental consent for processing and a separate privacy impact assessment. Zhang and Kollnig (2024), in a study published in International Data Privacy Law, trace five legislative developments that progressively strengthened children's protections under Chinese law, while documenting significant gaps between legal requirements and actual practice in Chinese applications.

For universities, the implications are indirect but important. While most university students are over 14, secondary school recruitment activities, summer programs for minors, and dual-enrollment programs all involve processing data of individuals who may fall within this protected category. The PIPL's approach is arguably stricter than the GDPR's in this specific area: the GDPR sets the age of digital consent at 16 (with member state discretion to lower it to 13), but does not automatically classify all data of minors as sensitive.
=== 3.3 Data Localization and Cross-Border Transfer ===
The PIPL's requirements for cross-border data transfer are among its most practically consequential provisions for international universities. Article 38 establishes three mechanisms for transferring personal information outside China: passing a security assessment organized by the Cyberspace Administration of China (CAC), obtaining personal information protection certification from a specialized institution, or concluding a standard contract formulated by the CAC with the overseas recipient. In October 2025, the CAC and the State Administration for Market Regulation jointly issued the Measures for the Certification of Cross-Border Transfer of Personal Information, effective 1 January 2026, completing this three-pillar framework (CMS Law-Now 2025).

Additionally, the Regulations on Network Data Security Management, effective 1 January 2025, require organizations processing personal information of more than 10 million individuals to appoint a data security officer and conduct regular audits (State Council 2024). While few individual universities reach this threshold, aggregated educational platforms and national student information systems frequently do.

The practical implications for international academic cooperation are significant. As the MIT Office of General Counsel (2022) has noted, the PIPL is triggered whenever an institution obtains admissions applications from Chinese citizens residing in China, conducts recruitment activities there, offers online courses accessible to Chinese residents, performs human-subjects research using Chinese residents' data, or collaborates with Chinese academic institutions that share student data. The American Association of Collegiate Registrars and Admissions Officers (AACRAO 2022) has published specific compliance guidance for admissions and registrar offices, reflecting the growing awareness that routine international student recruitment now carries data protection obligations under both GDPR and PIPL.
== 4. Systematic Comparison ==
=== 4.1 Philosophical Foundations ===
The most fundamental difference between GDPR and PIPL lies not in their technical provisions but in their philosophical orientations. The GDPR emerges from a tradition of individual rights protection, rooted in the European Convention on Human Rights and the EU Charter of Fundamental Rights. Its core assumption is that personal data protection is a fundamental right of the individual, which can be limited only under specified conditions and subject to proportionality review. Li and Chen (2024), in their analysis of the "Brussels Effect" on Chinese data protection law, introduce a "gravity assist" model: while the GDPR's structural influence on the PIPL is evident, China's adoption reflects not convergence but strategic adaptation to its distinct political, cultural, and legal context.

The PIPL, by contrast, reflects what Lim and Oh (2025) describe as a "state sovereignty" orientation. The law serves multiple objectives simultaneously: protecting individual privacy, certainly, but also safeguarding national security, promoting the digital economy, and maintaining social stability. The law's enforcement is centralized under the CAC, which is simultaneously responsible for internet censorship, cybersecurity, and data governance — a combination that would be impermissible under the GDPR's requirement for independent supervisory authorities (Article 52).
=== 4.2 Structural Differences ===
Several structural differences have direct implications for universities:

Consent. The GDPR recognizes six lawful bases for processing; the PIPL's absence of a "legitimate interests" basis makes consent more central, particularly for educational data processing that goes beyond contractual necessity. The PIPL additionally requires separate consent for cross-border transfers (Article 39) and for processing sensitive personal information (Article 29).

Penalties. The GDPR imposes maximum fines of EUR 20 million or 4 percent of global annual turnover, whichever is greater. The PIPL imposes maximum fines of RMB 50 million (approximately EUR 6.4 million) or 5 percent of the previous year's annual revenue for grave violations, plus potential personal liability for responsible individuals — a feature without direct GDPR equivalent (IAPP 2021; DataGuidance 2022).

Enforcement. The GDPR's enforcement is decentralized across national data protection authorities, with coordination through the European Data Protection Board. The PIPL's enforcement is centralized under the CAC, with additional sector-specific oversight from the Ministry of Education for educational institutions. The GDPR requires supervisory authorities to be independent; the PIPL imposes no such requirement.

Cross-border transfers. The GDPR permits transfers to countries with "adequate" data protection (adequacy decisions), or through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PIPL offers security assessment, standard contracts, and certification, but does not employ an adequacy mechanism — there is no list of "safe" countries to which data may flow freely (Fernandez-Novel Escobar 2025).

Data subject rights. Both frameworks provide broadly similar individual rights: access, correction, deletion, and portability. The PIPL additionally grants next-of-kin the right to exercise deceased persons' data rights — a provision with potential relevance for universities managing the records of deceased students (DataGuidance 2022). The PIPL also includes a broader definition of "sensitive personal information" that encompasses financial data, location data, and biometric information alongside the categories recognized by the GDPR.
=== 4.3 Convergence and Divergence ===
Despite these differences, the two frameworks converge in important ways. Both require data protection impact assessments for high-risk processing. Both impose transparency obligations requiring clear, accessible privacy notices. Both provide for data portability — the right to receive one's personal data in a structured, machine-readable format. Both establish extraterritorial scope, applying to entities outside their jurisdiction that process the data of their residents. And both impose requirements for data breach notification, though with different timelines: 72 hours under the GDPR (Article 33), versus an unspecified but prompt timeframe under the PIPL.

The pattern that emerges is convergence at the level of principles — both systems recognize that personal data deserves protection, that individuals should have rights over their data, and that organizations must be held accountable for their processing activities — with significant divergence at the level of implementation, philosophical justification, and enforcement culture. As Solove (2022) observes, the PIPL is often described as "China's GDPR," but this characterization obscures important structural differences that have direct practical consequences for organizations operating under both regimes.
== 5. Learning Analytics: The Critical Test Case ==
Learning analytics represents the domain where the tension between data protection and educational innovation is most acute. Universities increasingly deploy predictive analytics systems that use historical student data to identify students at risk of failure, recommend interventions, and personalize learning pathways. These systems require the processing of large volumes of student data — often aggregated from multiple sources and analyzed using machine learning algorithms — in ways that challenge the fundamental principles of both GDPR and PIPL.

Under the GDPR, learning analytics systems face challenges on multiple fronts. Purpose limitation (Article 5(1)(b)) requires that data be collected for specified, explicit purposes and not further processed in a manner incompatible with those purposes. But the value of learning analytics often depends on precisely this kind of repurposing: data collected for course administration is analyzed for patterns that inform institutional strategy. Data minimization (Article 5(1)(c)) requires that only data adequate, relevant, and limited to what is necessary be processed — yet predictive models typically perform better with more data, creating a structural incentive toward maximal collection. Transparency (Articles 13-14) requires that individuals be informed about automated decision-making — but the complexity of machine learning models often makes meaningful explanation difficult.

Under the PIPL, learning analytics faces additional challenges. The absence of a legitimate interests basis means that universities must typically rely on consent for analytics that go beyond direct educational delivery. The requirement for separate consent for processing sensitive information (Article 29) may be triggered by analytics that process academic performance data in ways that reveal protected characteristics. And the data localization requirements mean that analytics platforms operated by international providers must navigate complex cross-border transfer rules.

Xue and colleagues (2025), in an analysis of AI privacy concerns in higher education across Chinese and English-language media, found that while both contexts identify AI-driven proctoring, student data security, and institutional governance as central concerns, the emphasis differs: Western coverage foregrounds individual privacy rights, while Chinese coverage more frequently addresses the relationship between AI-driven educational innovation and institutional governance. This divergence mirrors the broader philosophical difference between the two regulatory frameworks.

Lachheb and colleagues (2023) argue that maintaining student privacy in educational technology requires attention not only to policy and law but to design ethics — the principles embedded in the technological systems themselves. They propose a framework to help instructional designers evaluate whether design patterns unintentionally undermine learner agency, suggesting that compliance with either GDPR or PIPL requires intervention at the design stage, not merely at the policy level. Liu, Khalil, and colleagues (2025) explore synthetic data generation with differential privacy mechanisms as a technical approach to this challenge, enabling learning analytics research without exposing individual student records.
6. AI-Driven Assessment and Proctoring == 6. 人工智能驱动的评估与监考 ==
The EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024, adds a further regulatory layer for European universities. The Act classifies AI systems used for educational assessment and proctoring as „high-risk“ under Annex III, Section 3, requiring conformity assessments, human oversight, and technical documentation. Article 5(1)(f) prohibits emotion recognition systems in educational settings (European Parliament and Council 2024). 欧盟《人工智能法》(第2024/1689号条例)于2024年8月1日生效,为欧洲大学增加了又一层监管义务。该法案将用于教育评估和监考的人工智能系统归类为附件三第三节下的"高风险",要求进行合规评估、人工监督和技术文档记录。第5条第1款第(f)项禁止在教育环境中使用情绪识别系统(European Parliament and Council 2024)。
The interaction between the AI Act and GDPR creates a layered compliance obligation: universities deploying AI-powered assessment tools must satisfy both the AI Act’s requirements for high-risk systems and the GDPR’s requirements for lawful data processing. The Bocconi University case demonstrates the consequences of failing to meet the latter; the AI Act will add additional requirements from August 2026 onward. A 2025 report by the Rockefeller Institute of Government recommends that universities map their AI use cases against the Act’s risk categories as a first step toward compliance, citing the governance models developed by Utrecht University and the University of Edinburgh as reference frameworks (Rockefeller Institute 2025). 《人工智能法》与GDPR之间的互动产生了分层的合规义务:部署人工智能评估工具的大学必须同时满足《人工智能法》对高风险系统的要求和GDPR对合法数据处理的要求。博科尼大学案件展示了未能满足后者的后果;《人工智能法》将从2026年8月起增加额外要求。洛克菲勒政府研究所2025年的一份报告建议大学将其人工智能用例与该法案的风险类别进行对照映射,作为合规的第一步,并引用乌特勒支大学和爱丁堡大学开发的治理模式作为参考框架(Rockefeller Institute 2025)。
China‘s approach to AI in educational assessment reflects its sector-specific regulatory philosophy. Rather than a single comprehensive AI law, China governs educational AI through a combination of the 2023 Interim Measures for Generative AI Services, the PIPL’s provisions for automated decision-making, and Ministry of Education directives. The use of AI proctoring and surveillance technologies in Chinese universities, while subject to PIPL consent requirements, does not face the categorical restrictions imposed by the EU AI Act‘s emotion recognition ban. This regulatory asymmetry has practical implications for technology companies developing educational assessment tools for both markets: systems designed for China may include features that are prohibited in the EU, and vice versa. 中国在教育评估中使用人工智能的方法反映了其行业特定的监管理念。中国不是通过单一的综合性人工智能法,而是通过2023年《生成式人工智能服务管理暂行办法》、PIPL关于自动化决策的条款以及教育部指令的组合来规范教育人工智能。中国大学中人工智能监考和监控技术的使用虽然受PIPL同意要求的约束,但不面临欧盟《人工智能法》情绪识别禁令所施加的分类限制。这种监管不对称对为两个市场开发教育评估工具的技术公司具有实际影响:为中国设计的系统可能包含在欧盟被禁止的功能,反之亦然。
The Bocconi case illustrates a broader tension. Remote proctoring systems, which typically capture webcam footage, track eye movements, monitor keyboard and mouse activity, and may use facial recognition to verify identity, process categories of data that trigger the GDPR’s most stringent requirements: biometric data (Article 9) and automated decision-making, including profiling (Article 22). Under the PIPL, biometric information is classified as sensitive personal information (Article 28), the processing of which requires separate consent (Article 29), but there is no categorical prohibition comparable to the AI Act’s emotion recognition ban. The result is a regulatory landscape in which the same technology may be lawful in one jurisdiction and prohibited in the other, depending on its specific capabilities and the legal basis invoked. 博科尼案件揭示了更广泛的紧张关系。远程监考系统——通常捕获网络摄像头录像、跟踪眼球运动、监控键盘和鼠标活动,并可能使用面部识别来验证身份——处理触发GDPR最严格要求的数据类别:生物特征数据(第9条)、自动化决策(第22条)和用户画像。在PIPL下,生物特征信息被归类为需要单独同意的敏感个人信息(第28条),但没有与《人工智能法》情绪识别禁令相当的分类禁止。结果是一个监管格局,同一项技术可能在一个管辖区合法而在另一个管辖区被禁止,取决于其具体能力和所援引的法律基础。
== 7. Joint EU-China Programs: Dual Compliance in Practice == == 7. 中欧联合项目:双重合规的实践 ==
The most acute compliance challenges arise in joint EU-China academic programs, where student data routinely crosses jurisdictional boundaries. A European university offering a joint degree with a Chinese partner institution must transfer enrollment data, academic records, and potentially learning analytics data between the two institutions — transfers that must comply simultaneously with the GDPR’s requirements for international data transfer and the PIPL’s cross-border transfer provisions. 最严峻的合规挑战出现在中欧联合学术项目中,学生数据在其中经常跨越管辖区边界。一所与中国合作机构提供联合学位的欧洲大学必须在两个机构之间传输入学数据、学术记录以及可能的学习分析数据——这些传输必须同时遵守GDPR的国际数据传输要求和PIPL的跨境传输条款。
The practical difficulties are considerable. GDPR transfers to China cannot currently rely on an adequacy decision (the European Commission has not recognized China as providing adequate data protection). Standard Contractual Clauses may be used, but since the Schrems II judgment they must be supplemented by a transfer impact assessment that considers Chinese surveillance laws and government access provisions; where that assessment is unfavorable, the exporting university must either apply supplementary measures (for example, encryption or pseudonymization with the keys held only in the EU, as set out in the EDPB’s Recommendations 01/2020) or refrain from the transfer. In the other direction, PIPL transfers to Europe require one of the three mechanisms described above (Article 38): CAC security assessment, standard contract, or certification. 实际困难是相当大的。向中国的GDPR数据传输目前不能依赖充分性决定(欧盟委员会尚未认定中国提供充分的数据保护)。可以使用标准合同条款,但必须辅以传输影响评估,考虑中国的监控法律和政府数据访问条款——这种评估的结论可能是不利的。在另一个方向上,向欧洲的PIPL数据传输需要上述三种机制之一:CAC安全评估、标准合同或认证。
The Future of Privacy Forum’s guidance for US higher education institutions (Zanfir-Fortuna 2020), while not directly applicable to the EU-China context, illustrates the complexity of international academic data flows. The report identifies ten compliance steps that international universities must address, including data mapping, legal basis identification, vendor management, and breach notification procedures — each of which must be adapted for both GDPR and PIPL requirements. 隐私未来论坛对美国高等教育机构的指导(Zanfir-Fortuna 2020)虽然不直接适用于中欧背景,但说明了国际学术数据流的复杂性。该报告确定了国际大学必须解决的十个合规步骤,包括数据映射、法律基础识别、供应商管理和违规通知程序——每一个都必须适应GDPR和PIPL的要求。
These challenges are not hypothetical. Sino-European joint programs have expanded significantly in recent decades. China hosts hundreds of Chinese-foreign cooperative education programs approved by the Ministry of Education, many of which involve European partner institutions. The EU’s Erasmus+ program supports academic exchanges with Chinese universities. The EU-China Tuning project has aligned degree structures across dozens of institutions. In each of these contexts, student data flows between jurisdictions are routine and necessary — yet the legal framework for these flows remains fragmented and uncertain. 这些挑战不是假设性的。中欧联合项目在近几十年来已显著扩展。中国拥有教育部批准的数百个中外合作办学项目,其中许多涉及欧洲合作机构。欧盟的Erasmus+项目支持与中国大学的学术交流。欧盟-中国调优项目已在数十个机构之间对齐了学位结构。在这些情境中,管辖区之间的学生数据流都是常规和必要的——但这些流动的法律框架仍然碎片化且不确定。
A specific challenge arises in the context of student recruitment. European universities actively recruit Chinese students; China was the largest source country for international students in Europe before the pandemic and has largely regained that position. Under the PIPL’s extraterritorial scope (Article 3), a European university that collects personal information from prospective Chinese students through online application portals, recruitment events in China, or agent partnerships is processing the personal information of natural persons within China in order to provide services to them, and is therefore subject to the PIPL’s requirements: notice and consent in clear, easily understood language (in practice, Chinese), a privacy notice that meets Chinese requirements, designation of a dedicated entity or representative in China (Article 53), and use of the cross-border transfer framework when application data is transmitted back to Europe. Few European universities have adapted their recruitment practices to meet these requirements. 学生招生方面出现了一个具体挑战。欧洲大学积极招收中国学生——在疫情前中国是欧洲国际学生的最大来源国,并在很大程度上恢复了这一地位。在PIPL下,通过在线申请门户、在中国的招生活动或代理合作从潜在的中国学生那里收集个人信息的欧洲大学,正在处理中国居民的个人信息,因此受PIPL要求约束,包括获得中文同意的义务、提供符合中国法律的隐私通知,以及为将申请数据传回欧洲而遵循跨境传输框架。很少有欧洲大学调整了其招生做法以满足这些要求。
For universities engaged in EU-China cooperation, we identify four practical strategies for managing dual compliance. First, data minimization at the point of transfer: sharing only the minimum data necessary for the joint program, using anonymized or pseudonymized data wherever possible. Pseudonymized data remains personal data under both the GDPR (Recital 26) and the PIPL, so this reduces exposure but does not remove the transfer obligations; only genuinely anonymized data falls outside both laws. Second, architectural separation: maintaining separate data systems for EU and Chinese operations, with controlled interfaces for necessary data exchange. Third, contractual frameworks: developing bilateral data sharing agreements that explicitly address both GDPR and PIPL requirements, including provisions for data subject rights, breach notification, and data retention. Fourth, institutional capacity building: investing in staff training and data protection expertise that spans both regulatory frameworks. 对于从事中欧合作的大学,我们确定了管理双重合规的四种实际策略。第一,在传输节点进行数据最小化:仅共享联合项目所需的最低限度数据,尽可能使用匿名化或假名化数据。第二,架构分离:为欧盟和中国的运营维护独立的数据系统,并为必要的数据交换设置受控接口。第三,合同框架:制定明确涉及GDPR和PIPL要求的双边数据共享协议,包括数据主体权利、违规通知和数据保留的条款。第四,机构能力建设:投资于跨越两个监管框架的员工培训和数据保护专业知识。
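As an added example of the first strategy, minimization and pseudonymization at the point of transfer (this is illustrative code written for this page, not code from the chapter, from any university system, or from any regulator): the Python below keeps only an allow-listed set of transcript fields, replaces the local student ID with a keyed HMAC token whose key and re-identification table stay with the exporting institution, and shows why an unkeyed hash of an enumerable student number is not pseudonymization at all. The field names, the key handling and the sample records are assumptions constructed for the example.

```python
"""Minimize and pseudonymize student records before a cross-border transfer.

Added example for this chapter; not code from the chapter, any university,
or any regulator. Assumed (not from the text): records are dicts with the
field names used below, and the per-programme key is generated and held by
the exporting institution only.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Fields the partner institution needs for credit recognition in the joint
# programme. Everything else (name, e-mail, national ID, proctoring artefacts)
# never leaves the exporting institution. Field names are assumed.
TRANSFER_ALLOWLIST = ("module_code", "grade", "term")


def pseudonym(program_key: bytes, student_id: str) -> str:
    """Keyed, stable pseudonym for a local student ID.

    HMAC-SHA256 under a secret per-programme key: the same student always
    gets the same token (so the partner can join transcript rows), while a
    different key for another partnership yields an unlinkable token.
    """
    mac = hmac.new(program_key, student_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def minimize_and_pseudonymize(
    program_key: bytes, records: Iterable[dict]
) -> Tuple[List[dict], Dict[str, str]]:
    """Return (rows safe to send, token->student_id map kept by the exporter).

    Only allow-listed fields are copied and the direct identifier is replaced
    by the keyed token. The lookup table is the re-identification key and
    stays at home; without it the partner holds pseudonymized data, which
    GDPR (Recital 26) and PIPL still treat as personal data.
    """
    export: List[dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        sid = rec.get("student_id")
        if not sid:
            raise ValueError("record without student_id cannot be pseudonymized")
        token = pseudonym(program_key, sid)
        lookup[token] = sid
        row = {"student_token": token}
        row.update({k: rec[k] for k in TRANSFER_ALLOWLIST if k in rec})
        export.append(row)
    return export, lookup


def unkeyed_hash(student_id: str) -> str:
    """What NOT to do: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(student_id.encode("utf-8")).hexdigest()[:32]


def reverse_by_enumeration(
    token: str, candidate_ids: Iterable[str], token_fn: Callable[[str], str]
) -> Optional[str]:
    """Attacker's view: student numbers are enumerable, so any token that can
    be computed without a secret is reversed by trying every candidate."""
    for sid in candidate_ids:
        if hmac.compare_digest(token_fn(sid), token):
            return sid
    return None


# Constructed sample input: fictional students in a joint programme.
SAMPLE_RECORDS = [
    {"student_id": "S2024001", "name": "A. Student", "email": "a@example.edu",
     "national_id": "ID-0001", "module_code": "CS101", "grade": "A",
     "term": "2025-1", "proctoring_video": "blob-1"},
    {"student_id": "S2024002", "name": "B. Student", "email": "b@example.edu",
     "national_id": "ID-0002", "module_code": "CS101", "grade": "B",
     "term": "2025-1", "proctoring_video": "blob-2"},
    {"student_id": "S2024001", "name": "A. Student", "email": "a@example.edu",
     "national_id": "ID-0001", "module_code": "MA201", "grade": "A",
     "term": "2025-2", "proctoring_video": "blob-3"},
]


def demo() -> None:
    key = secrets.token_bytes(32)  # generated and stored by the exporter only
    rows, lookup = minimize_and_pseudonymize(key, SAMPLE_RECORDS)
    for row in rows:
        print(row)
    ids = [f"S2024{i:03d}" for i in range(1000)]
    # Enumerating the ID space reverses the unkeyed hash ...
    print(reverse_by_enumeration(unkeyed_hash("S2024001"), ids, unkeyed_hash))
    # ... but not the keyed token: the attacker has no key to compute it with.
    wrong_key = secrets.token_bytes(32)
    print(reverse_by_enumeration(rows[0]["student_token"], ids,
                                 lambda s: pseudonym(wrong_key, s)))
    print(lookup[rows[0]["student_token"]])  # the exporter can still re-identify


if __name__ == "__main__":
    demo()
```

The rows that leave the institution still count as personal data under both regimes, so the transfer mechanism (SCCs with a transfer impact assessment, or a PIPL standard contract) is still needed; what the technique buys is that a breach at the partner exposes tokens and grades rather than names and identity documents, and that a separate key per partnership prevents one partner's tokens from being linked to another's.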
== 8. The Readiness Gap == == 8. 准备度差距 ==
Despite the significance of these regulatory frameworks, empirical evidence suggests that universities in both jurisdictions face a substantial readiness gap. In the European context, the 7DOTS (2024) finding that 81 percent of UK universities fail GDPR compliance standards is consistent with the CMS Enforcement Tracker data showing persistent violations across 25 member states. The XL Law and Consulting analysis documents 45 GDPR enforcement actions against educational institutions, with an average fine of approximately EUR 32,600 — modest compared to the technology sector, but meaningful for institutions with constrained budgets (XL Law 2023). 尽管这些监管框架具有重要意义,实证证据表明两个管辖区的大学都面临着巨大的准备度差距。在欧洲背景下,7DOTS(2024)关于81%的英国大学未能通过GDPR合规标准的发现与CMS执法追踪数据一致,后者显示25个成员国存在持续的违规行为。XL Law and Consulting的分析记录了45项针对教育机构的GDPR执法行动,平均罚款约为32,600欧元——与技术行业相比属于适度水平,但对预算有限的机构来说意义重大(XL Law 2023)。
XL Law and Consulting’s analysis further reveals a sectoral pattern: educational institutions account for under 3 percent of all GDPR enforcement actions, and the roughly EUR 32,600 average fine against them is far below the approximately EUR 1.8 million average across all sectors. Spain, Italy, and Poland account for over 65 percent of enforcement actions against higher education institutions. Notably, self-reporting data breaches did not shield institutions from substantial fines, suggesting that proactive compliance must go beyond incident response (XL Law 2023). XL Law and Consulting的分析进一步揭示了一种部门模式:教育机构占所有GDPR执法行动的不到3%,平均罚款约为32,600欧元——而所有部门的平均值为180万欧元。西班牙、意大利和波兰贡献了超过65%的针对高等教育机构的执法行动。值得注意的是,主动报告数据泄露并未使机构免于重大罚款,这表明积极的合规努力必须超越事件响应(XL Law 2023)。
In the Chinese context, the readiness gap manifests differently. While the PIPL has been in force since November 2021, enforcement in the education sector has been less visible than in the technology and financial sectors. The emphasis has been on platform companies processing data at scale rather than on individual educational institutions. However, the Regulations on Network Data Security Management (effective January 2025) and the Certification Measures for cross-border transfers (effective January 2026) signal an increasing regulatory attention to data governance practices across all sectors, including education. 在中国背景下,准备度差距以不同方式表现。虽然PIPL自2021年11月起已生效,但教育部门的执法不如技术和金融部门那样明显。重点放在了大规模处理数据的平台公司而非个别教育机构上。然而,《网络数据安全管理条例》(2025年1月生效)和跨境传输认证办法(2026年1月生效)表明,各行业——包括教育——的数据治理实践受到越来越多的监管关注。
The European Data Protection Board’s Opinion 28/2024, adopted in December 2024, addresses data protection aspects of AI model training and deployment. It holds that a model trained on personal data cannot automatically be treated as anonymous: because models can memorize training data, the GDPR continues to apply where personal data can be extracted from the model or elicited through queries (EDPB 2024). For universities developing or deploying AI-based educational tools, this opinion has significant implications: even AI models that do not store personal data in recognizable form may be subject to GDPR requirements if they can be prompted to reproduce personal information, and the burden of demonstrating and documenting that such extraction is unlikely rests with the institution deploying the model. 欧洲数据保护委员会于2024年12月通过的第28/2024号意见涉及人工智能模型训练和部署中的数据保护问题,指出由于人工智能模型的记忆能力,GDPR适用于在个人数据基础上训练的人工智能模型(EDPB 2024)。对于开发或部署基于人工智能的教育工具的大学来说,这一意见具有重要影响:即使是不以可识别形式存储个人数据的人工智能模型,如果它们可以被提示产生个人信息,也可能受到GDPR要求的约束。
== 9. Recommendations for Universities == == 9. 对大学的建议 ==
Based on our comparative analysis, we propose seven recommendations for universities seeking to navigate the overlapping requirements of GDPR and PIPL: 基于我们的比较分析,我们为寻求应对GDPR和PIPL重叠要求的大学提出七项建议:
First, conduct a comprehensive data mapping exercise that identifies all personal data processing activities, their legal bases under both GDPR and PIPL, and all cross-border data flows. This mapping should cover not only formal academic processes but also ancillary systems: campus Wi-Fi analytics, library databases, career services platforms, and alumni management systems. 第一,进行全面的数据映射,确定所有个人数据处理活动、它们在GDPR和PIPL下的法律基础以及所有跨境数据流。此映射不仅应涵盖正式的学术流程,还应涵盖辅助系统:校园Wi-Fi分析、图书馆数据库、职业服务平台和校友管理系统。
Second, establish a unified data governance framework that addresses both GDPR and PIPL requirements. While the two laws differ in their philosophical orientations, their practical requirements overlap substantially. A framework designed to meet the stricter of the two requirements in each area will generally achieve compliance with both; the exception is the small set of cases where the obligations point in opposite directions (for example, where lawful government access to data held in China is precisely what a GDPR transfer impact assessment treats as a risk), which must be resolved case by case rather than by a "strictest rule" default. 第二,建立一个涵盖GDPR和PIPL要求的统一数据治理框架。虽然两部法律在哲学取向上不同,但其实际要求在很大程度上重叠。在每个领域设计为满足两者中更严格要求的框架通常将实现对两者的合规。
Third, adopt a consent-plus model for learning analytics. Because the PIPL has no legitimate-interests basis, consent is more central there than under the GDPR, so universities engaged in international cooperation should build consent mechanisms that meet PIPL standards (separate, informed, and withdrawable). "Plus" matters on the GDPR side: consent given to an institution that holds power over the student may fail the freely-given test (Recital 43), so PIPL-grade consent should be layered on a GDPR basis such as public task (Article 6(1)(e)) rather than substituted for it. A mechanism built this way will typically satisfy both frameworks. 第三,对学习分析采用"同意加"模式。由于PIPL缺乏正当利益基础使同意比GDPR下更为核心,从事国际合作的大学应建立满足PIPL标准的同意机制——这通常将超过GDPR要求,从而同时满足两个框架。
Fourth, implement privacy by design in educational technology procurement and development. Lachheb and colleagues’ (2023) framework for design ethics in educational technology provides a starting point, as does the EDPB’s guidance on AI and personal data. Procurement contracts should explicitly require vendors to demonstrate compliance with both GDPR and PIPL where applicable. 第四,在教育技术采购和开发中实施隐私设计。Lachheb及其同事(2023)关于教育技术设计伦理的框架提供了一个起点,EDPB关于人工智能和个人数据的指导也是如此。采购合同应明确要求供应商在适用时证明符合GDPR和PIPL。
Fifth, invest in institutional capacity. The readiness gap documented by 7DOTS (2024) and CMS (2025) reflects not deliberate non-compliance but insufficient expertise and resources. Universities should designate data protection officers with specific expertise in educational data and international data flows, and provide regular training for faculty and administrative staff. 第五,投资于机构能力。7DOTS(2024)和CMS(2025)记录的准备度差距反映的不是故意不合规,而是专业知识和资源不足。大学应指定具有教育数据和国际数据流专业知识的数据保护官,并为教职人员和行政人员提供定期培训。
Sixth, develop bilateral data sharing agreements for joint programs with Chinese (or European) partner institutions. These agreements should go beyond standard contractual clauses to address the specific requirements of educational data: academic records, assessment data, learning analytics, and research data each present distinct compliance challenges. 第六,为与中国(或欧洲)合作机构的联合项目制定双边数据共享协议。这些协议应超越标准合同条款,涵盖教育数据的具体要求:学术记录、评估数据、学习分析和研究数据各自面临不同的合规挑战。
Seventh, monitor regulatory developments actively. Both frameworks are evolving rapidly. The EU AI Act’s high-risk requirements for educational AI take full effect on 2 August 2026. China’s cross-border data certification measures took effect in January 2026. The European Commission’s adequacy decisions and the CAC’s standard contract provisions are subject to revision. Universities that treat data protection as a one-time compliance exercise rather than an ongoing governance function will inevitably fall behind. 第七,积极监测监管发展。两个框架都在快速演变。欧盟《人工智能法》对教育人工智能的高风险要求将于2026年8月全面生效。中国的跨境数据认证办法已于2026年1月生效。欧盟委员会的充分性决定和CAC的标准合同条款均可能修订。将数据保护视为一次性合规工作而非持续治理职能的大学将不可避免地落后。
== 10. Conclusion == == 10. 结论 ==
The comparison of GDPR and PIPL in the educational context reveals a paradox: two of the world’s most comprehensive data protection regimes, both claiming to protect individuals from the misuse of their personal data, diverge so fundamentally in their philosophical assumptions that compliance with one does not ensure compliance with the other. The GDPR’s emphasis on individual autonomy, independent oversight, and purpose limitation reflects European democratic traditions; the PIPL’s emphasis on state sovereignty, centralized enforcement, and national security reflects China’s distinct governance model. Neither system has demonstrably achieved adequate data protection in practice: European enforcement data documents widespread non-compliance, while Chinese enforcement in education remains nascent. 在教育背景下对GDPR和PIPL的比较揭示了一个悖论:两种世界上最全面的数据保护制度,都声称保护个人免受个人数据滥用,但在哲学假设上的分歧如此之大,以至于遵守一个并不能确保遵守另一个。GDPR对个人自治、独立监督和目的限制的强调反映了欧洲的民主传统;PIPL对国家主权、集中执法和国家安全的强调反映了中国独特的治理模式。两个体系都没有在实践中可证明地实现充分的数据保护——欧洲执法数据记录了广泛的不合规,而中国在教育领域的执法仍处于起步阶段。
For universities, the practical challenge is to navigate these overlapping and sometimes conflicting requirements while maintaining the international cooperation that is essential to modern higher education. The dual compliance challenge is not merely a legal technicality; it reflects deeper questions about the role of data in education, the balance between institutional power and individual rights, and the possibility of meaningful privacy in an increasingly datafied learning environment. 对于大学而言,实际挑战在于应对这些重叠且有时相互冲突的要求,同时维持对现代高等教育至关重要的国际合作。双重合规挑战不仅仅是法律技术问题;它反映了关于数据在教育中的角色、机构权力与个人权利之间的平衡,以及在日益数据化的学习环境中有意义的隐私是否可能等更深层次的问题。
The stakes of this challenge extend beyond legal compliance. Student data protection is ultimately about trust: students must trust that their universities will handle their personal information responsibly, that their academic records will not be used against them, that their learning behaviors will not be surveilled without their knowledge, and that their data will not be shared with parties they have not authorized. When universities fail to meet these expectations — whether through GDPR violations documented in the CMS enforcement data, through opaque learning analytics systems, or through proctoring technologies deployed without adequate consent — they erode the trust that is foundational to the educational relationship. 这一挑战的利害关系超出了法律合规的范畴。学生数据保护最终关乎信任:学生必须相信大学将负责任地处理其个人信息,学术记录不会被用来对付他们,学习行为不会在他们不知情的情况下被监控,数据不会与他们未授权的方共享。当大学未能满足这些期望——无论是通过CMS执法数据记录的GDPR违规、不透明的学习分析系统,还是在未获得充分同意的情况下部署的监考技术——它们就侵蚀了作为教育关系基础的信任。
We have argued that neither the European nor the Chinese approach alone provides an adequate model. The GDPR’s emphasis on individual rights and independent oversight provides important protections against institutional overreach, but its complexity and enforcement gaps undermine its effectiveness. The PIPL’s centralized enforcement and clear compliance pathways offer practical advantages, but its subordination to state interests raises questions about the protection it affords against government surveillance. A synthesis that combines European rights-based principles with Chinese regulatory efficiency — or, more modestly, a set of practical guidelines that enables universities to satisfy both frameworks simultaneously — remains the most promising path forward. The recommendations proposed in this article represent an initial contribution to that synthesis, grounded in the specific data protection challenges that universities face in the era of digital education. 我们认为,无论是欧洲还是中国的方法都不能单独提供充分的模式。GDPR对个人权利和独立监督的强调为防止机构越权提供了重要保护,但其复杂性和执法差距削弱了其有效性。PIPL的集中执法和明确的合规路径提供了实际优势,但其从属于国家利益引发了关于其对政府监控所提供保护的质疑。将欧洲的权利导向原则与中国的监管效率相结合的综合方案——或者更为务实地说,一套使大学能够同时满足两个框架的实用指南——仍然是最有前景的前进道路。本文提出的建议代表了对这一综合方案的初步贡献,建立在大学在数字教育时代面临的具体数据保护挑战基础之上。
== Acknowledgments == == 致谢 ==
This research was conducted within the framework of the Jean Monnet Centre of Excellence "EUSC-DEC" (EU Grant 101126782, 2023–2026). The author thanks the members of Research Group 1 (Regulation of Digitalization in China and Europe) for their contributions to the comparative legal analysis. 本研究在让·莫内卓越中心"EUSC-DEC"(欧盟资助 101126782,2023-2026年)框架内进行。作者感谢研究组1(中欧数字化监管)的成员对比较法律分析所做的贡献。
== References == == 参考文献 ==
7DOTS. (2024). Report: 81% of Universities at Risk of Fines Due to Failure to Safeguard Student Data. 7DOTS. Available at: https://www.7dots.com/our-insights/81-of-universities-at-risk-of-fines-due-to-failure-to-safeguard-student-data/
American Association of Collegiate Registrars and Admissions Officers (AACRAO). (2022). China's Personal Information Protection Law (PIPL). AACRAO. Available at: https://www.aacrao.org/advocacy/compliance/
Blackmon, S. J. & Major, C. H. (2023). Inclusion or infringement? A systematic research review of students' perspectives on student privacy in technology-enhanced, hybrid and online courses. British Journal of Educational Technology, 54(6), 1542–1565. DOI: 10.1111/bjet.13362
CMS Law. (2025). GDPR Enforcement Tracker Report 2024/2025: Public Sector and Education. CMS International Law Firm. Available at: https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/public-sector-and-education
CMS Law-Now. (2025). China issues Measures for the Certification of the Cross-Border Transfer of Personal Information. CMS e-Alert, November 2025. Available at: https://cms-lawnow.com/en/ealerts/2025/11/
DataGuidance. (2022). Comparing Privacy Laws: GDPR v. PIPL. DataGuidance. Available at: https://www.dataguidance.com/sites/default/files/gdpr_v_pipl_.pdf
European Data Protection Board (EDPB). (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Adopted 17 December 2024. Available at: https://www.edpb.europa.eu/
European Parliament and Council. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series.
Fernandez-Novel Escobar, E. (2025). How do the European Union's GDPR and China's PIPL regulate cross-border data flows? International Policy Review, IE University, 27 January 2025.
Garante per la protezione dei dati personali (Italy). (2021). Decision 9703988 — Fine against Università Commerciale Luigi Bocconi, 16 September 2021. Reported by EDPB. Available at: https://edpb.europa.eu/
Giuffrida, I. & Hall, A. (2023). Technology integration in higher education and student privacy beyond learning environments — A comparison of the UK and US perspective. British Journal of Educational Technology, 54(6), 1587–1603. DOI: 10.1111/bjet.13375
International Association of Privacy Professionals (IAPP). (2021). Analyzing China's PIPL and how it compares to the EU's GDPR. IAPP. Available at: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr
Kumi-Yeboah, A., Kim, Y., Yankson, B., Aikins, S. & Dadson, Y. A. (2023). Diverse students' perspectives on privacy and technology integration in higher education. British Journal of Educational Technology, 54(6), 1671–1692. DOI: 10.1111/bjet.13386
Lachheb, A. et al. (2023). The role of design ethics in maintaining students' privacy: A call to action to learning designers in higher education. British Journal of Educational Technology, 54(6), 1653–1670. DOI: 10.1111/bjet.13382
Li, W. & Chen, J. (2024). From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China. Computer Law and Security Review, 54, 105994. DOI: 10.1016/j.clsr.2024.105994
Lim, S. & Oh, J. (2025). Navigating Privacy: A Global Comparative Analysis of Data Protection Laws. IET Information Security, 2025(1). DOI: 10.1049/ise2/5536763
Liu, Q. & Khalil, M. (2023). Understanding privacy and data protection issues in learning analytics using a systematic review. British Journal of Educational Technology, 54(6), 1466–1485. DOI: 10.1111/bjet.13388
Liu, Q., Khalil, M., Shakya, R., Jovanovic, J. & de la Hoz-Ruiz, J. (2025). Ensuring privacy through synthetic data generation in education. British Journal of Educational Technology. DOI: 10.1111/bjet.13576
MIT Office of General Counsel. (2022). China and the PIPL: New Protections and Rights for Personal Information. MIT. Available at: https://ogc.mit.edu/latest/china-and-pipl-new-protections-and-rights-personal-information
Prinsloo, P., Slade, S. & Khalil, M. (2022). The answer is (not only) technological: Considering student data privacy in learning analytics. British Journal of Educational Technology, 53(4), 876–893. DOI: 10.1111/bjet.13216
Rockefeller Institute of Government. (2025). The European AI Act and Its Implications for New York State Higher Education. November 2025. Available at: https://rockinst.org/
Solove, D. J. (2022). Comparing Privacy Laws: GDPR vs. PIPL. TeachPrivacy.
State Council of the People's Republic of China. (2024). Regulations on Network Data Security Management (effective 1 January 2025). Published 30 September 2024.
XL Law and Consulting. (2023). GDPR Enforcement Actions: Lessons Learned for Colleges and Universities. XL Law and Consulting. Available at: https://www.xllawconsulting.com/
Xue, Y., Chinapah, V., & Zhu, C. (2025). A Comparative Analysis of AI Privacy Concerns in Higher Education: News Coverage in China and Western Countries. Education Sciences, 15(6), 650. DOI: 10.3390/educsci15060650
Zanfir-Fortuna, G. (2020). The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions. Future of Privacy Forum. Available at: https://fpf.org/blog/gdprhighered/
Zhang, L. & Kollnig, K. (2024). Theory and practice: the protection of children's personal information in China. International Data Privacy Law, 14(1), 37–52. DOI: 10.1093/idpl/ipad017
Zhu, J. (2022). The Personal Information Protection Law: China's Version of the GDPR? Columbia Journal of Transnational Law: The Bulletin. Available at: https://www.jtl.columbia.edu/

Part II: Teaching and Learning in Transformation 第二部分:教与学的转型