== Student Data Protection in the Digital University: GDPR and China’s PIPL Compared ==
Latest revision as of 08:06, 8 April 2026
Martin Woesler
Hunan Normal University
Abstract
The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world’s most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union’s General Data Protection Regulation (GDPR, effective 2018) and China’s Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.
Keywords: GDPR, PIPL, student data protection, learning analytics, higher education, cross-border data flows, privacy, EU-China comparison, AI in education
1. Introduction
The digital university is, at its core, a data-generating institution. Every interaction a student has with a learning management system, every submission to an automated grading platform, every login to a campus network, and every engagement with an adaptive learning tool produces data that is collected, stored, analyzed, and — increasingly — shared across institutional and national boundaries. The COVID-19 pandemic accelerated this process dramatically: the rapid shift to online and hybrid learning normalized the collection of data streams that would have been unthinkable a decade earlier, including webcam footage from remote proctoring systems, keystroke dynamics for identity verification, and engagement metrics tracking how often and how long students interact with course materials.
Two comprehensive data protection regimes now govern how universities handle this information. The European Union’s General Data Protection Regulation, which took full effect in May 2018, established the world’s first comprehensive framework for personal data protection, with specific implications for educational institutions that process student data. China’s Personal Information Protection Law, effective from November 2021, created a parallel framework that, while structurally similar to the GDPR in many respects, reflects fundamentally different assumptions about the relationship between individuals, institutions, and the state.
For universities engaged in international cooperation — joint degree programs, student exchange, collaborative research, cross-border recruitment — these two regimes create a dual compliance challenge of considerable complexity. A European university recruiting Chinese students must comply with the PIPL’s requirements for processing the personal information of Chinese residents; a Chinese university participating in an Erasmus+ partnership must understand GDPR obligations that may attach to data about European students. Yet the two systems diverge precisely where the compliance challenges are most acute: in their approaches to cross-border data transfer, consent requirements, enforcement mechanisms, and the treatment of minors.
This article provides a systematic comparison of GDPR and PIPL as they apply to higher education, organized around four questions. First, how does each framework regulate the core data processing activities of universities — enrollment, assessment, analytics, and communication? Second, where do the two systems converge and where do they diverge in their philosophical foundations and practical requirements? Third, what specific challenges arise for institutions operating simultaneously under both regimes? Fourth, what practical strategies can universities adopt to achieve meaningful compliance with both frameworks?
2. The GDPR Framework for Education
2.1 Legal Bases for Student Data Processing
The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent.
The application of these legal bases to learning analytics has proven particularly contentious. Liu and Khalil (2023), in a systematic review of 47 studies published in leading educational technology journals, identify a fundamental tension: the GDPR’s principle of purpose limitation — that data collected for one purpose should not be repurposed without additional legal basis — sits uncomfortably with the open-ended, exploratory nature of learning analytics, where the value of data often emerges only through analysis that was not anticipated at the time of collection. Prinsloo, Slade, and Khalil (2022) argue from a critical data studies perspective that purely technological solutions to this tension are insufficient; the power asymmetry between institutions and students means that meaningful consent is often illusory, particularly when students feel they cannot refuse data collection without academic consequences.
2.2 Enforcement Landscape
The enforcement of GDPR in the education sector has been uneven but increasingly significant. According to the CMS GDPR Enforcement Tracker Report for 2024/2025, data protection authorities across 25 EU member states have imposed a total of 270 fines on schools, universities, and other educational institutions, amounting to more than EUR 29.3 million. The most common violations are processing without a sufficient legal basis (90 fines) and insufficient technical and organizational measures to protect data (76 fines) (CMS 2025).
The most consequential individual case for higher education was the Italian data protection authority’s 2021 decision against Bocconi University, which imposed a EUR 200,000 fine for the use of the Respondus remote exam proctoring software. The authority found that the university had failed to obtain valid consent, had not conducted a data protection impact assessment, had provided insufficient transparency about data processing, and lacked a lawful basis for processing biometric data — violations that collectively illustrate the compliance challenges universities face when deploying surveillance-adjacent educational technologies (Garante 2021).
Yet enforcement captures only part of the picture. A 2024 study by the consultancy 7DOTS examined 335 UK universities and higher education colleges and found an 81 percent non-compliance rate with GDPR standards. Only 32 percent had implemented a Consent Management Platform, and of those, 66 percent were improperly configured (7DOTS 2024). These findings suggest that the education sector’s compliance deficit is not primarily a matter of deliberate violation but of institutional capacity: universities lack the resources, expertise, and organizational structures to implement the GDPR’s requirements effectively.
2.3 Student Privacy Beyond the Classroom
The privacy challenges facing universities extend well beyond the learning management system. Giuffrida and Hall (2023) demonstrate that technology integration in higher education creates privacy risks at the enterprise level — institutional data systems, campus networks, and administrative platforms — that are distinct from the pedagogical context. Blackmon and Major (2023), in a PRISMA-based systematic review of student perspectives on privacy in technology-enhanced courses, find significant awareness gaps: students often do not understand what data is collected about them, how it is used, or what rights they have. Kumi-Yeboah and colleagues (2023) document fear and anxiety about data encroachment among diverse student populations, with particular concerns about learning management systems and social media integration. These findings collectively suggest that the GDPR’s emphasis on informed consent faces a practical obstacle: the information asymmetry between institutions and students is so large that genuine informed consent may be unattainable for many data processing activities.
3. China’s PIPL: Structure and Educational Implications
3.1 Architectural Overview
China’s Personal Information Protection Law, effective 1 November 2021, establishes a comprehensive framework for personal data protection that is structurally parallel to the GDPR in many respects — extraterritorial scope, individual rights (access, correction, deletion, portability), requirements for data protection impact assessments, and significant penalties for violations — while reflecting fundamentally different philosophical commitments (Li and Chen 2024; Lim and Oh 2025).
The PIPL defines “personal information” broadly as any information relating to an identified or identifiable natural person recorded by electronic or other means (Article 4). Like the GDPR, it establishes lawful bases for processing — consent, contractual necessity, legal obligation, public health emergencies, news reporting in the public interest, and reasonable processing of publicly available information (Article 13). Unlike the GDPR, however, the PIPL does not include “legitimate interests” as a standalone legal basis, making consent the primary mechanism for lawful processing in most educational contexts (IAPP 2021; Zhu 2022).
3.2 Enhanced Protection for Minors
The PIPL’s treatment of minors represents one of its most significant divergences from the GDPR. Article 28 classifies all personal information of individuals under the age of 14 as “sensitive personal information,” regardless of its nature, requiring parental consent for processing and a separate privacy impact assessment. Zhang and Kollnig (2024), in a study published in International Data Privacy Law, trace five legislative developments that progressively strengthened children’s protections under Chinese law, while documenting significant gaps between legal requirements and actual practice in Chinese applications.
For universities, the implications are indirect but important. While most university students are over 14, secondary school recruitment activities, summer programs for minors, and dual-enrollment programs all involve processing data of individuals who may fall within this protected category. The PIPL’s approach is arguably stricter than the GDPR’s in this specific area: the GDPR sets the age of digital consent at 16 (with member state discretion to lower it to 13), but does not automatically classify all data of minors as sensitive.
3.3 Data Localization and Cross-Border Transfer
The PIPL’s requirements for cross-border data transfer are among its most practically consequential provisions for international universities. Article 38 establishes three mechanisms for transferring personal information outside China: passing a security assessment organized by the Cyberspace Administration of China (CAC), obtaining personal information protection certification from a specialized institution, or concluding a standard contract formulated by the CAC with the overseas recipient. In October 2025, the CAC and the State Administration for Market Regulation jointly issued the Measures for the Certification of Cross-Border Transfer of Personal Information, effective 1 January 2026, completing this three-pillar framework (CMS Law-Now 2025).
Additionally, the Regulations on Network Data Security Management, effective 1 January 2025, require organizations processing personal information of more than 10 million individuals to appoint a data security officer and conduct regular audits (State Council 2024). While few individual universities reach this threshold, aggregated educational platforms and national student information systems frequently do.
The practical implications for international academic cooperation are significant. As the MIT Office of General Counsel (2022) has noted, the PIPL is triggered whenever an institution obtains admissions applications from Chinese citizens residing in China, conducts recruitment activities there, offers online courses accessible to Chinese residents, performs human-subjects research using Chinese residents’ data, or collaborates with Chinese academic institutions that share student data. The American Association of Collegiate Registrars and Admissions Officers (AACRAO 2022) has published specific compliance guidance for admissions and registrar offices, reflecting the growing awareness that routine international student recruitment now carries data protection obligations under both GDPR and PIPL.
4. Systematic Comparison
4.1 Philosophical Foundations
The most fundamental difference between GDPR and PIPL lies not in their technical provisions but in their philosophical orientations. The GDPR emerges from a tradition of individual rights protection, rooted in the European Convention on Human Rights and the EU Charter of Fundamental Rights. Its core assumption is that personal data protection is a fundamental right of the individual, which can be limited only under specified conditions and subject to proportionality review. Li and Chen (2024), in their analysis of the “Brussels Effect” on Chinese data protection law, introduce a “gravity assist” model: while the GDPR’s structural influence on the PIPL is evident, China’s adoption reflects not convergence but strategic adaptation to its distinct political, cultural, and legal context.
The PIPL, by contrast, reflects what Lim and Oh (2025) describe as a “state sovereignty” orientation. The law serves multiple objectives simultaneously: protecting individual privacy, certainly, but also safeguarding national security, promoting the digital economy, and maintaining social stability. The law’s enforcement is centralized under the CAC, which is simultaneously responsible for internet censorship, cybersecurity, and data governance — a combination that would be impermissible under the GDPR’s requirement for independent supervisory authorities (Article 52).
4.2 Structural Differences
Several structural differences have direct implications for universities:
Consent. The GDPR recognizes six lawful bases for processing; the PIPL’s absence of a “legitimate interests” basis makes consent more central, particularly for educational data processing that goes beyond contractual necessity. The PIPL additionally requires separate consent for cross-border transfers (Article 39) and for processing sensitive personal information (Article 29).
Penalties. The GDPR imposes maximum fines of EUR 20 million or 4 percent of global annual turnover, whichever is greater. The PIPL imposes maximum fines of RMB 50 million (approximately EUR 6.4 million) or 5 percent of the previous year’s annual revenue for grave violations, plus potential personal liability for responsible individuals — a feature without direct GDPR equivalent (IAPP 2021; DataGuidance 2022).
Enforcement. The GDPR’s enforcement is decentralized across national data protection authorities, with coordination through the European Data Protection Board. The PIPL’s enforcement is centralized under the CAC, with additional sector-specific oversight from the Ministry of Education for educational institutions. The GDPR requires supervisory authorities to be independent; the PIPL imposes no such requirement.
Cross-border transfers. The GDPR permits transfers to countries with “adequate” data protection (adequacy decisions), or through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PIPL offers security assessment, standard contracts, and certification, but does not employ an adequacy mechanism — there is no list of “safe” countries to which data may flow freely (Fernandez-Novel Escobar 2025).
Data subject rights. Both frameworks provide broadly similar individual rights: access, correction, deletion, and portability. The PIPL additionally grants next-of-kin the right to exercise deceased persons’ data rights — a provision with potential relevance for universities managing the records of deceased students (DataGuidance 2022). The PIPL also includes a broader definition of “sensitive personal information” that encompasses financial data, location data, and biometric information alongside the categories recognized by the GDPR.
4.3 Convergence and Divergence
Despite these differences, the two frameworks converge in important ways. Both require data protection impact assessments for high-risk processing. Both impose transparency obligations requiring clear, accessible privacy notices. Both provide for data portability — the right to receive one’s personal data in a structured, machine-readable format. Both establish extraterritorial scope, applying to entities outside their jurisdiction that process the data of their residents. And both impose requirements for data breach notification, though with different timelines: 72 hours under the GDPR (Article 33), versus an unspecified but prompt timeframe under the PIPL.
The pattern that emerges is convergence at the level of principles — both systems recognize that personal data deserves protection, that individuals should have rights over their data, and that organizations must be held accountable for their processing activities — with significant divergence at the level of implementation, philosophical justification, and enforcement culture. As Solove (2022) observes, the PIPL is often described as “China’s GDPR,” but this characterization obscures important structural differences that have direct practical consequences for organizations operating under both regimes.
5. Learning Analytics: The Critical Test Case
Learning analytics represents the domain where the tension between data protection and educational innovation is most acute. Universities increasingly deploy predictive analytics systems that use historical student data to identify students at risk of failure, recommend interventions, and personalize learning pathways. These systems require the processing of large volumes of student data — often aggregated from multiple sources and analyzed using machine learning algorithms — in ways that challenge the fundamental principles of both GDPR and PIPL.
Under the GDPR, learning analytics systems face challenges on multiple fronts. Purpose limitation (Article 5(1)(b)) requires that data be collected for specified, explicit purposes and not further processed in a manner incompatible with those purposes. But the value of learning analytics often depends on precisely this kind of repurposing: data collected for course administration is analyzed for patterns that inform institutional strategy. Data minimization (Article 5(1)(c)) requires that only data adequate, relevant, and limited to what is necessary be processed — yet predictive models typically perform better with more data, creating a structural incentive toward maximal collection. Transparency (Articles 13-14) requires that individuals be informed about automated decision-making — but the complexity of machine learning models often makes meaningful explanation difficult.
Under the PIPL, learning analytics faces additional challenges. The absence of a legitimate interests basis means that universities must typically rely on consent for analytics that go beyond direct educational delivery. The requirement for separate consent for processing sensitive information (Article 29) may be triggered by analytics that process academic performance data in ways that reveal protected characteristics. And the data localization requirements mean that analytics platforms operated by international providers must navigate complex cross-border transfer rules.
Xue and colleagues (2025), in an analysis of AI privacy concerns in higher education across Chinese and English-language media, found that while both contexts identify AI-driven proctoring, student data security, and institutional governance as central concerns, the emphasis differs: Western coverage foregrounds individual privacy rights, while Chinese coverage more frequently addresses the relationship between AI-driven educational innovation and institutional governance. This divergence mirrors the broader philosophical difference between the two regulatory frameworks.
Lachheb and colleagues (2023) argue that maintaining student privacy in educational technology requires attention not only to policy and law but to design ethics — the principles embedded in the technological systems themselves. They propose a framework to help instructional designers evaluate whether design patterns unintentionally undermine learner agency, suggesting that compliance with either GDPR or PIPL requires intervention at the design stage, not merely at the policy level. Liu, Khalil, and colleagues (2025) explore synthetic data generation with differential privacy mechanisms as a technical approach to this challenge, enabling learning analytics research without exposing individual student records.
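To make the differential-privacy approach mentioned above concrete, the following is an added example written for this page; it is not code from Liu, Khalil and colleagues or from any named system. It releases a grade-band histogram under epsilon-differential privacy with the Laplace mechanism, shows why the histogram's sensitivity is 1, and then draws a synthetic cohort from the noisy release. The cohort, the band domain and the epsilon values are constructed assumptions.

```python
import math
import random
from collections import Counter

# Constructed sample cohort: one grade band per student (not real student data).
SAMPLE_GRADE_BANDS = ["A", "B", "B", "C", "A", "D", "F", "C", "B", "A", "C", "C"]
BANDS = ["A", "B", "C", "D", "F"]  # assumed fixed output domain for the histogram


def band_counts(bands):
    """Exact histogram over the fixed domain. This is the sensitive statistic:
    it is computed directly from individual student records."""
    counts = Counter(bands)
    return {b: counts.get(b, 0) for b in BANDS}


def l1_distance(hist_a, hist_b):
    """L1 distance between two histograms over the same domain."""
    return sum(abs(hist_a[b] - hist_b[b]) for b in BANDS)


def histogram_sensitivity(bands_a, bands_b):
    """Change observed between two neighbouring cohorts (differing by one student).
    Adding or removing a single record moves exactly one cell by 1, so the global
    L1 sensitivity of a histogram query is 1."""
    return l1_distance(band_counts(bands_a), band_counts(bands_b))


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse-CDF transform of a uniform draw."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_band_counts(bands, epsilon, rng=None):
    """Release the histogram under epsilon-differential privacy using the Laplace
    mechanism: noise scale = sensitivity / epsilon = 1 / epsilon. Negative noisy
    counts are clamped to 0; clamping is post-processing, so the guarantee holds."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = rng if rng is not None else random.Random()
    scale = 1.0 / epsilon
    return {b: max(0.0, c + laplace_noise(scale, rng))
            for b, c in band_counts(bands).items()}


def synthesize_cohort(noisy_counts, n, rng=None):
    """Draw n synthetic grade-band records from the noisy histogram. This only
    post-processes the DP release, so the synthetic cohort carries the same
    epsilon guarantee and never touches the underlying student records again."""
    rng = rng if rng is not None else random.Random()
    total = sum(noisy_counts.values())
    if total <= 0:
        return []
    weights = [noisy_counts[b] / total for b in BANDS]
    return rng.choices(BANDS, weights=weights, k=n)


if __name__ == "__main__":
    demo_rng = random.Random(2024)  # fixed seed so the demonstration is reproducible
    print("exact:", band_counts(SAMPLE_GRADE_BANDS))
    noisy = dp_band_counts(SAMPLE_GRADE_BANDS, epsilon=0.5, rng=demo_rng)
    print("noisy (epsilon=0.5):", {b: round(c, 2) for b, c in noisy.items()})
    print("synthetic cohort:", synthesize_cohort(noisy, 12, demo_rng))
```

The design point worth noticing is the separation of concerns: the only step that reads individual records is `band_counts`, noise is calibrated to the query's sensitivity rather than to the data, and everything downstream (clamping, synthesis) consumes the noisy release alone. A smaller epsilon gives stronger protection and noisier counts; a cohort of twelve, as here, would need a larger epsilon or a coarser histogram before the release is useful, which is the accuracy-privacy trade-off learning analytics teams have to budget explicitly.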
6. AI-Driven Assessment and Proctoring
The EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024, adds a further regulatory layer for European universities. The Act classifies AI systems used for educational assessment and proctoring as “high-risk” under Annex III, Section 3, requiring conformity assessments, human oversight, and technical documentation. Article 5(1)(f) prohibits emotion recognition systems in educational settings (European Parliament and Council 2024).
The interaction between the AI Act and GDPR creates a layered compliance obligation: universities deploying AI-powered assessment tools must satisfy both the AI Act’s requirements for high-risk systems and the GDPR’s requirements for lawful data processing. The Bocconi University case demonstrates the consequences of failing to meet the latter; the AI Act will add additional requirements from August 2026 onward. A 2025 report by the Rockefeller Institute of Government recommends that universities map their AI use cases against the Act’s risk categories as a first step toward compliance, citing the governance models developed by Utrecht University and the University of Edinburgh as reference frameworks (Rockefeller Institute 2025).
China’s approach to AI in educational assessment reflects its sector-specific regulatory philosophy. Rather than a single comprehensive AI law, China governs educational AI through a combination of the 2023 Interim Measures for Generative AI Services, the PIPL’s provisions for automated decision-making, and Ministry of Education directives. The use of AI proctoring and surveillance technologies in Chinese universities, while subject to PIPL consent requirements, does not face the categorical restrictions imposed by the EU AI Act’s emotion recognition ban. This regulatory asymmetry has practical implications for technology companies developing educational assessment tools for both markets: systems designed for China may include features that are prohibited in the EU, and vice versa.
The Bocconi case illustrates a broader tension. Remote proctoring systems — which typically capture webcam footage, track eye movements, monitor keyboard and mouse activity, and may use facial recognition to verify identity — process categories of data that trigger the GDPR’s most stringent requirements: biometric data (Article 9), automated decision-making (Article 22), and profiling. Under the PIPL, biometric information is classified as sensitive personal information requiring separate consent (Article 28), but there is no categorical prohibition comparable to the AI Act’s emotion recognition ban. The result is a regulatory landscape where the same technology may be lawful in one jurisdiction and prohibited in the other, depending on its specific capabilities and the legal basis invoked.
7. Joint EU-China Programs: Dual Compliance in Practice
The most acute compliance challenges arise in joint EU-China academic programs, where student data routinely crosses jurisdictional boundaries. A European university offering a joint degree with a Chinese partner institution must transfer enrollment data, academic records, and potentially learning analytics data between the two institutions — transfers that must comply simultaneously with the GDPR’s requirements for international data transfer and the PIPL’s cross-border transfer provisions.
The practical difficulties are considerable. GDPR transfers to China cannot currently rely on an adequacy decision (the European Commission has not recognized China as providing adequate data protection). Standard Contractual Clauses may be used, but must be supplemented by a transfer impact assessment that considers Chinese surveillance laws and government access provisions — an assessment whose conclusions may be unfavorable. In the other direction, PIPL transfers to Europe require one of the three mechanisms described above: CAC security assessment, standard contract, or certification.
The Future of Privacy Forum’s guidance for US higher education institutions (Zanfir-Fortuna 2020), while not directly applicable to the EU-China context, illustrates the complexity of international academic data flows. The report identifies ten compliance steps that international universities must address, including data mapping, legal basis identification, vendor management, and breach notification procedures — each of which must be adapted for both GDPR and PIPL requirements.
These challenges are not hypothetical. Sino-European joint programs have expanded significantly in recent decades. China hosts hundreds of Chinese-foreign cooperative education programs approved by the Ministry of Education, many of which involve European partner institutions. The EU’s Erasmus+ program supports academic exchanges with Chinese universities. The EU-China Tuning project has aligned degree structures across dozens of institutions. In each of these contexts, student data flows between jurisdictions are routine and necessary — yet the legal framework for these flows remains fragmented and uncertain.
A specific challenge arises in the context of student recruitment. European universities actively recruit Chinese students — China was the largest source country for international students in Europe before the pandemic and has largely regained that position. Under the PIPL, a European university that collects personal information from prospective Chinese students through online application portals, recruitment events in China, or agent partnerships is processing the personal information of Chinese residents and is therefore subject to the PIPL’s requirements, including the obligation to obtain consent in Chinese, to provide a privacy notice compliant with Chinese law, and to navigate the cross-border transfer framework for transmitting application data back to Europe. Few European universities have adapted their recruitment practices to meet these requirements.
For universities engaged in EU-China cooperation, we identify four practical strategies for managing dual compliance. First, data minimization at the point of transfer: sharing only the minimum data necessary for the joint program, using anonymized or pseudonymized data wherever possible. Second, architectural separation: maintaining separate data systems for EU and Chinese operations, with controlled interfaces for necessary data exchange. Third, contractual frameworks: developing bilateral data sharing agreements that explicitly address both GDPR and PIPL requirements, including provisions for data subject rights, breach notification, and data retention. Fourth, institutional capacity building: investing in staff training and data protection expertise that spans both regulatory frameworks.
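The first of the four strategies, minimizing and pseudonymizing data at the point of transfer, can be implemented in a few lines. The block below is an added example for this page, not code from any joint program or from the article's authors. It assumes a record layout, a set of fields the partner needs, and an HMAC key held only by the exporting institution; all records are constructed. The partner receives keyed pseudonyms and the minimum fields, while the exporter keeps the re-linking table, which is the "additional information kept separately" that GDPR Article 4(5) requires for data to count as pseudonymized.

```python
import hmac
import hashlib

# Constructed records held by the exporting institution (not real student data).
EXPORT_RECORDS = [
    {"student_id": "S-2021-0001", "name": "Example Student A", "email": "a@example.edu",
     "date_of_birth": "2003-02-14", "module": "Comparative Law", "grade": 78},
    {"student_id": "S-2021-0002", "name": "Example Student B", "email": "b@example.edu",
     "date_of_birth": "2002-11-30", "module": "Comparative Law", "grade": 64},
]
# Fields the partner actually needs for the joint module (assumed for this example).
PARTNER_FIELDS = ("module", "grade")
# Fields that must never leave the exporting institution in this flow.
DIRECT_IDENTIFIERS = ("student_id", "name", "email", "date_of_birth")


def pseudonym_for(student_id, key):
    """Keyed pseudonym (HMAC-SHA256). A bare hash of a student number could be
    reversed by hashing the whole, small ID space; the secret key prevents that
    and stays with the exporter, never with the partner."""
    return hmac.new(key, student_id.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_transfer(records, key, fields=PARTNER_FIELDS):
    """Build the minimized, pseudonymized rows that are allowed to leave the exporter."""
    rows = []
    for rec in records:
        row = {"pseudonym": pseudonym_for(rec["student_id"], key)}
        for f in fields:
            row[f] = rec[f]
        rows.append(row)
    return rows


def contains_direct_identifiers(rows):
    """Pre-transfer gate: True if any outbound row still carries a direct identifier."""
    return any(f in row for row in rows for f in DIRECT_IDENTIFIERS)


def relink_table(records, key):
    """Exporter-only lookup from pseudonym to internal student ID, so results the
    partner sends back can be attributed without the partner ever holding identities."""
    return {pseudonym_for(rec["student_id"], key): rec["student_id"] for rec in records}


def relink(returned_rows, table):
    """Attribute partner-returned rows to student IDs. Unknown pseudonyms are
    reported rather than silently dropped, since they indicate a key or data mismatch."""
    linked, unknown = [], []
    for row in returned_rows:
        sid = table.get(row["pseudonym"])
        if sid is None:
            unknown.append(row["pseudonym"])
        else:
            linked.append({"student_id": sid,
                           **{k: v for k, v in row.items() if k != "pseudonym"}})
    return linked, unknown


if __name__ == "__main__":
    # Constructed key for the demonstration; a real deployment loads it from a key store.
    key = b"constructed-demo-key-not-for-production"
    outbound = prepare_transfer(EXPORT_RECORDS, key)
    if contains_direct_identifiers(outbound):
        raise SystemExit("refusing transfer: direct identifiers present")
    print("outbound rows:", outbound)
    returned = [{"pseudonym": outbound[0]["pseudonym"], "module": "Comparative Law", "grade": 81}]
    print("relinked:", relink(returned, relink_table(EXPORT_RECORDS, key)))
```

Two caveats follow from the design. Because the pseudonym is stable for a given key, the partner can join a student's rows across semesters, which is usually what a joint program needs, but it also means the outbound rows remain personal data under the GDPR and a regulated transfer under both regimes; pseudonymization reduces exposure, it does not remove the transfer obligations in the paragraph above. Rotating the key per program or per year limits that linkability if it is not needed.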
8. The Readiness Gap
Despite the significance of these regulatory frameworks, empirical evidence suggests that universities in both jurisdictions face a substantial readiness gap. In the European context, the 7DOTS (2024) finding that 81 percent of UK universities fail GDPR compliance standards is consistent with the CMS Enforcement Tracker data showing persistent violations across 25 member states. The XL Law and Consulting analysis documents 45 GDPR enforcement actions against educational institutions, with an average fine of approximately EUR 32,600 — modest compared to the technology sector, but meaningful for institutions with constrained budgets (XL Law 2023).
XL Law and Consulting’s analysis of GDPR enforcement actions further reveals a sectoral pattern: educational institutions account for under 3 percent of all GDPR enforcement actions, with an average fine of approximately EUR 32,600 — compared to EUR 1.8 million across all sectors. Spain, Italy, and Poland are responsible for over 65 percent of enforcement actions against higher education institutions. Notably, self-reporting data breaches did not shield institutions from substantial fines, suggesting that proactive compliance efforts must go beyond incident response (XL Law 2023).
In the Chinese context, the readiness gap manifests differently. While the PIPL has been in force since November 2021, enforcement in the education sector has been less visible than in the technology and financial sectors. The emphasis has been on platform companies processing data at scale rather than on individual educational institutions. However, the Regulations on Network Data Security Management (effective January 2025) and the Certification Measures for cross-border transfers (effective January 2026) signal increasing regulatory attention to data governance practices across all sectors, including education.
The European Data Protection Board’s Opinion 28/2024, adopted in December 2024, addresses data protection aspects of AI model training and deployment, noting that GDPR applies to AI models trained on personal data because of their memorization capabilities (EDPB 2024). For universities developing or deploying AI-based educational tools, this opinion has significant implications: even AI models that do not store personal data in recognizable form may be subject to GDPR requirements if they can be prompted to produce personal information.
9. Recommendations for Universities
Based on our comparative analysis, we propose seven recommendations for universities seeking to navigate the overlapping requirements of GDPR and PIPL:
First, conduct a comprehensive data mapping exercise that identifies all personal data processing activities, their legal bases under both GDPR and PIPL, and all cross-border data flows. This mapping should cover not only formal academic processes but also ancillary systems: campus Wi-Fi analytics, library databases, career services platforms, and alumni management systems.
Second, establish a unified data governance framework that addresses both GDPR and PIPL requirements. While the two laws differ in their philosophical orientations, their practical requirements overlap substantially. A framework designed to meet the stricter of the two requirements in each area will generally achieve compliance with both.
Third, adopt a consent-plus model for learning analytics. Because the PIPL has no legitimate interests basis, consent is more central under it than under the GDPR; universities engaged in international cooperation should therefore build consent mechanisms that meet PIPL standards, which will typically exceed GDPR requirements and thus satisfy both frameworks.
Fourth, implement privacy by design in educational technology procurement and development. Lachheb and colleagues’ (2023) framework for design ethics in educational technology provides a starting point, as does the EDPB’s guidance on AI and personal data. Procurement contracts should explicitly require vendors to demonstrate compliance with both GDPR and PIPL where applicable.
Fifth, invest in institutional capacity. The readiness gap documented by 7DOTS (2024) and CMS (2025) reflects not deliberate non-compliance but insufficient expertise and resources. Universities should designate data protection officers with specific expertise in educational data and international data flows, and provide regular training for faculty and administrative staff.
Sixth, develop bilateral data sharing agreements for joint programs with Chinese (or European) partner institutions. These agreements should go beyond standard contractual clauses to address the specific requirements of educational data: academic records, assessment data, learning analytics, and research data each present distinct compliance challenges.
Seventh, monitor regulatory developments actively. Both frameworks are evolving rapidly. The EU AI Act’s high-risk requirements for educational AI take full effect in August 2026. China’s cross-border data certification measures took effect in January 2026. The European Commission’s adequacy decisions and the CAC’s standard contract provisions are subject to revision. Universities that treat data protection as a one-time compliance exercise rather than an ongoing governance function will inevitably fall behind.
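The first three recommendations (data mapping, a unified framework that applies the stricter of the two requirements, and the consent-plus model) can be turned into a mechanical check over a processing register. The following is an added illustration written for this page, not code from the article or from any university; the legal-basis lists, the transfer-mechanism labels and the sample register are simplified assumptions chosen to show the logic, not a complete statement of either law.

```python
from dataclasses import dataclass, field

# Legal bases recognised by each regime.  The article's point is that the PIPL
# lacks the GDPR's legitimate-interests basis; the remaining entries are a
# simplified subset used only for this illustration (assumption).
GDPR_BASES = {"consent", "contract", "legal_obligation", "public_task", "legitimate_interests"}
PIPL_BASES = {"consent", "contract", "legal_obligation"}

# Cross-border transfer mechanisms, keyed by the regime the data leaves.
# The labels are illustrative names for the instruments the article mentions
# (EU adequacy decisions and standard contractual clauses; the CAC standard
# contract and the 2026 certification measures).
EXPORT_MECHANISMS = {
    "EU": {"adequacy_decision", "standard_contractual_clauses"},
    "CN": {"cac_standard_contract", "cac_certification"},
}

# Data categories both regimes single out for stricter handling
# (GDPR Art. 9 special categories; PIPL sensitive personal information).
SENSITIVE_CATEGORIES = {"biometric", "health", "ethnicity", "religion"}


@dataclass
class ProcessingActivity:
    name: str
    legal_basis: str
    data_categories: set
    origin: str                                       # "EU" or "CN": where the data starts
    destinations: set = field(default_factory=set)    # regimes the data is sent to
    transfer_mechanisms: set = field(default_factory=set)


def review_activity(activity, regimes):
    """Return the findings for one activity.

    Every regime the institution is subject to is checked, so the stricter
    requirement always wins (recommendation two).  An empty list means no finding.
    """
    findings = []

    # Legal basis: a basis accepted by the GDPR but absent from the PIPL
    # (legitimate interests) is flagged so that consent is obtained instead.
    for regime, bases, law in (("EU", GDPR_BASES, "GDPR"), ("CN", PIPL_BASES, "PIPL")):
        if regime in regimes and activity.legal_basis not in bases:
            findings.append(
                f"legal basis '{activity.legal_basis}' is not recognised under {law}; "
                f"obtain consent (consent-plus model)"
            )

    # Cross-border flows: leaving the origin regime requires one of that
    # regime's export mechanisms.
    for dest in sorted(activity.destinations):
        if dest != activity.origin:
            allowed = EXPORT_MECHANISMS[activity.origin]
            if not (activity.transfer_mechanisms & allowed):
                findings.append(
                    f"transfer {activity.origin}->{dest} lacks a recognised "
                    f"{activity.origin}-side mechanism ({', '.join(sorted(allowed))})"
                )

    # Sensitive data: explicit consent under GDPR Art. 9, separate consent
    # under PIPL Art. 29, plus an impact assessment under either regime.
    if activity.data_categories & SENSITIVE_CATEGORIES:
        findings.append(
            "sensitive data: explicit consent (GDPR Art. 9) / separate consent "
            "(PIPL Art. 29) and an impact assessment required"
        )
    return findings


def review_register(activities, regimes=frozenset({"EU", "CN"})):
    """Map each activity name to its findings for an institution bound by `regimes`."""
    return {a.name: review_activity(a, regimes) for a in activities}


# Constructed sample register for a university running a joint EU-China programme.
SAMPLE_REGISTER = [
    ProcessingActivity("LMS learning analytics", "legitimate_interests",
                       {"clickstream"}, origin="EU", destinations={"EU"}),
    ProcessingActivity("Joint-programme assessment records", "consent",
                       {"assessment_records"}, origin="EU", destinations={"CN"}),
    ProcessingActivity("Remote proctoring", "consent", {"biometric"},
                       origin="CN", destinations={"EU"},
                       transfer_mechanisms={"cac_certification"}),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER).items():
        print(name)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run stand-alone, the script flags the analytics activity only because the PIPL does not accept legitimate interests (a GDPR-only institution gets no finding for it), flags the assessment-record flow for a missing EU-side transfer mechanism, and flags the proctoring activity for sensitive biometric data even though its CN-side certification is in place.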
10. Conclusion
The comparison of GDPR and PIPL in the educational context reveals a paradox: two of the world’s most comprehensive data protection regimes, both claiming to protect individuals from the misuse of their personal data, diverge so fundamentally in their philosophical assumptions that compliance with one does not ensure compliance with the other. The GDPR’s emphasis on individual autonomy, independent oversight, and purpose limitation reflects European democratic traditions; the PIPL’s emphasis on state sovereignty, centralized enforcement, and national security reflects China’s distinct governance model. Neither system has demonstrably achieved adequate data protection in practice — European enforcement data documents widespread non-compliance, while Chinese enforcement in education remains nascent.
For universities, the practical challenge is to navigate these overlapping and sometimes conflicting requirements while maintaining the international cooperation that is essential to modern higher education. The dual compliance challenge is not merely a legal technicality; it reflects deeper questions about the role of data in education, the balance between institutional power and individual rights, and the possibility of meaningful privacy in an increasingly datafied learning environment.
The stakes of this challenge extend beyond legal compliance. Student data protection is ultimately about trust: students must trust that their universities will handle their personal information responsibly, that their academic records will not be used against them, that their learning behaviors will not be surveilled without their knowledge, and that their data will not be shared with parties they have not authorized. When universities fail to meet these expectations — whether through GDPR violations documented in the CMS enforcement data, through opaque learning analytics systems, or through proctoring technologies deployed without adequate consent — they erode the trust that is foundational to the educational relationship.
We have argued that neither the European nor the Chinese approach alone provides an adequate model. The GDPR’s emphasis on individual rights and independent oversight provides important protections against institutional overreach, but its complexity and enforcement gaps undermine its effectiveness. The PIPL’s centralized enforcement and clear compliance pathways offer practical advantages, but its subordination to state interests raises questions about the protection it affords against government surveillance. A synthesis that combines European rights-based principles with Chinese regulatory efficiency — or, more modestly, a set of practical guidelines that enables universities to satisfy both frameworks simultaneously — remains the most promising path forward. The recommendations proposed in this article represent an initial contribution to that synthesis, grounded in the specific data protection challenges that universities face in the era of digital education.
Acknowledgments
This research was conducted within the framework of the Jean Monnet Centre of Excellence “EUSC-DEC” (EU Grant 101126782, 2023–2026). The author thanks the members of Research Group 1 (Regulation of Digitalization in China and Europe) for their contributions to the comparative legal analysis.
References
7DOTS. (2024). Report: 81% of Universities at Risk of Fines Due to Failure to Safeguard Student Data. 7DOTS. Available at: https://www.7dots.com/our-insights/81-of-universities-at-risk-of-fines-due-to-failure-to-safeguard-student-data/
American Association of Collegiate Registrars and Admissions Officers (AACRAO). (2022). China’s Personal Information Protection Law (PIPL). AACRAO. Available at: https://www.aacrao.org/advocacy/compliance/
Blackmon, S. J. & Major, C. H. (2023). Inclusion or infringement? A systematic research review of students’ perspectives on student privacy in technology-enhanced, hybrid and online courses. British Journal of Educational Technology, 54(6), 1542–1565. DOI: 10.1111/bjet.13362
CMS Law. (2025). GDPR Enforcement Tracker Report 2024/2025: Public Sector and Education. CMS International Law Firm. Available at: https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/public-sector-and-education
CMS Law-Now. (2025). China issues Measures for the Certification of the Cross-Border Transfer of Personal Information. CMS e-Alert, November 2025. Available at: https://cms-lawnow.com/en/ealerts/2025/11/
DataGuidance. (2022). Comparing Privacy Laws: GDPR v. PIPL. DataGuidance. Available at: https://www.dataguidance.com/sites/default/files/gdpr_v_pipl_.pdf
European Data Protection Board (EDPB). (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Adopted 17 December 2024. Available at: https://www.edpb.europa.eu/
European Parliament and Council. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series.
Fernandez-Novel Escobar, E. (2025). How do the European Union’s GDPR and China’s PIPL regulate cross-border data flows? International Policy Review, IE University, 27 January 2025.
Garante per la protezione dei dati personali (Italy). (2021). Decision 9703988 — Fine against Università Commerciale Luigi Bocconi, 16 September 2021. Reported by EDPB. Available at: https://edpb.europa.eu/
Giuffrida, I. & Hall, A. (2023). Technology integration in higher education and student privacy beyond learning environments — A comparison of the UK and US perspective. British Journal of Educational Technology, 54(6), 1587–1603. DOI: 10.1111/bjet.13375
International Association of Privacy Professionals (IAPP). (2021). Analyzing China’s PIPL and how it compares to the EU’s GDPR. IAPP. Available at: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr
Kumi-Yeboah, A., Kim, Y., Yankson, B., Aikins, S. & Dadson, Y. A. (2023). Diverse students’ perspectives on privacy and technology integration in higher education. British Journal of Educational Technology, 54(6), 1671–1692. DOI: 10.1111/bjet.13386
Lachheb, A. et al. (2023). The role of design ethics in maintaining students’ privacy: A call to action to learning designers in higher education. British Journal of Educational Technology, 54(6), 1653–1670. DOI: 10.1111/bjet.13382
Li, W. & Chen, J. (2024). From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China. Computer Law and Security Review, 54, 105994. DOI: 10.1016/j.clsr.2024.105994
Lim, S. & Oh, J. (2025). Navigating Privacy: A Global Comparative Analysis of Data Protection Laws. IET Information Security, 2025(1). DOI: 10.1049/ise2/5536763
Liu, Q. & Khalil, M. (2023). Understanding privacy and data protection issues in learning analytics using a systematic review. British Journal of Educational Technology, 54(6), 1466–1485. DOI: 10.1111/bjet.13388
Liu, Q., Khalil, M., Shakya, R., Jovanovic, J. & de la Hoz-Ruiz, J. (2025). Ensuring privacy through synthetic data generation in education. British Journal of Educational Technology. DOI: 10.1111/bjet.13576
MIT Office of General Counsel. (2022). China and the PIPL: New Protections and Rights for Personal Information. MIT. Available at: https://ogc.mit.edu/latest/china-and-pipl-new-protections-and-rights-personal-information
Prinsloo, P., Slade, S. & Khalil, M. (2022). The answer is (not only) technological: Considering student data privacy in learning analytics. British Journal of Educational Technology, 53(4), 876–893. DOI: 10.1111/bjet.13216
Rockefeller Institute of Government. (2025). The European AI Act and Its Implications for New York State Higher Education. November 2025. Available at: https://rockinst.org/
State Council of the People’s Republic of China. (2024). Regulations on Network Data Security Management (effective 1 January 2025). Published 30 September 2024.
XL Law and Consulting. (2023). GDPR Enforcement Actions: Lessons Learned for Colleges and Universities. XL Law and Consulting. Available at: https://www.xllawconsulting.com/
Xue, Y., Chinapah, V. & Zhu, C. (2025). A Comparative Analysis of AI Privacy Concerns in Higher Education: News Coverage in China and Western Countries. Education Sciences, 15(6), 650. DOI: 10.3390/educsci15060650
Zanfir-Fortuna, G. (2020). The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions. Future of Privacy Forum. Available at: https://fpf.org/blog/gdprhighered/
Zhang, L. & Kollnig, K. (2024). Theory and practice: the protection of children’s personal information in China. International Data Privacy Law, 14(1), 37–52. DOI: 10.1093/idpl/ipad017
Zhu, J. (2022). The Personal Information Protection Law: China’s Version of the GDPR? Columbia Journal of Transnational Law: The Bulletin. Available at: https://www.jtl.columbia.edu/