Difference between revisions of "Rethinking Higher Education/Chapter 3/en-zh"

From China Studies Wiki
(Realign EN-ZH Chapter 3: one row per paragraph)
(wikicaptcha)
Line 23: Line 23:
 
|-
 
|-
 
| style="background:#eef;" | '''Student Data Protection in the Digital University: GDPR and China‘s PIPL Compared'''
 
| style="background:#eef;" | '''Student Data Protection in the Digital University: GDPR and China‘s PIPL Compared'''
| ''(zu übersetzen)''
+
| ''数字大学中的学生数据保护:GDPR与中国PIPL的比较''
 
|-
 
|-
 
| style="background:#eef;" | '''Martin Woesler'''
 
| style="background:#eef;" | '''Martin Woesler'''
Line 29: Line 29:
 
|-
 
|-
 
| style="background:#eef;" | ''''''Abstract''''''
 
| style="background:#eef;" | ''''''Abstract''''''
| ''(zu übersetzen)''
+
| ''“摘要”''
 
|-
 
|-
 
| style="background:#eef;" | '''The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world’s most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union‘s General Data Protection Regulation (GDPR, effective 2018) and China‘s Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.'''
 
| style="background:#eef;" | '''The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world’s most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union‘s General Data Protection Regulation (GDPR, effective 2018) and China‘s Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.'''
| ''(zu übersetzen)''
+
| ''高等教育的数字化转型产生了前所未有的海量学生数据,从学习管理系统交互和评估记录,到生物识别监考数据和预测分析配置文件。世界上最重要的两个数据保护制度现在管理着大学如何收集、处理和传输这些数据:欧盟的《通用数据保护条例》(GDPR,2018年生效)和中国的《个人信息保护法》(PIPL,2021年生效)。然而,尽管表面上有相似之处——两者都确立了对个人数据的个人权利,都对侵犯行为施以严厉惩罚,并且都限制跨境数据传输——但这两种制度反映了根本不同的哲学取向:个人自治与国家主权。本文系统地比较了GDPR和PIPL的高等教育。执法数据显示,欧盟数据保护机构已对教育机构处以270笔罚款,总额超过2930万欧元,研究表明,81%的英国大学未能达到GDPR合规标准,根据这些数据,我们证明这两个系统在实践中都未能实现令人满意的数据保护。我们将学习分析、人工智能驱动的评估、跨境学生招聘和EU-中国联合学术项目作为监管框架面临最严峻考验的四个领域进行了研究。我们认为,在两个司法管辖区运营的大学面临双重合规挑战,当前的指南没有充分解决这一问题,我们提出了一个框架来导航这些重叠的义务。''
 
|-
 
|-
 
| style="background:#eef;" | '''''Keywords: GDPR'', ''PIPL'', student data protection'', learning analytics'', higher education'', cross-border data flows'', privacy'', EU-China comparison'', AI in education'''''
 
| style="background:#eef;" | '''''Keywords: GDPR'', ''PIPL'', student data protection'', learning analytics'', higher education'', cross-border data flows'', privacy'', EU-China comparison'', AI in education'''''
| ''(zu übersetzen)''
+
| ''关键词:GDPR, PIPL,学生数据保护,学习分析,高等教育,跨境数据流动,隐私,中国EU-比较,人工智能在教育中''
 
|-
 
|-
 
| style="background:#eef;" | ''''''1. Introduction''''''
 
| style="background:#eef;" | ''''''1. Introduction''''''
| ''(zu übersetzen)''
+
| ''1.简介''
 
|-
 
|-
 
| style="background:#eef;" | '''The digital university is, at its core, a data-generating institution. Every interaction a student has with a learning management system, every submission to an automated grading platform, every login to a campus network, and every engagement with an adaptive learning tool produces data that is collected, stored, analyzed, and — increasingly — shared across institutional and national boundaries. The COVID-19 pandemic accelerated this process dramatically: the rapid shift to online and hybrid learning normalized the collection of data streams that would have been unthinkable a decade earlier, including webcam footage from remote proctoring systems, keystroke dynamics for identity verification, and engagement metrics tracking how often and how long students interact with course materials.'''
 
| style="background:#eef;" | '''The digital university is, at its core, a data-generating institution. Every interaction a student has with a learning management system, every submission to an automated grading platform, every login to a campus network, and every engagement with an adaptive learning tool produces data that is collected, stored, analyzed, and — increasingly — shared across institutional and national boundaries. The COVID-19 pandemic accelerated this process dramatically: the rapid shift to online and hybrid learning normalized the collection of data streams that would have been unthinkable a decade earlier, including webcam footage from remote proctoring systems, keystroke dynamics for identity verification, and engagement metrics tracking how often and how long students interact with course materials.'''
| ''(zu übersetzen)''
+
| ''数字大学的核心是一个数据生成机构。学生与学习管理系统的每一次交互、向自动评分平台的每一次提交、校园网络的每一次登录以及与适应性学习工具的每一次接触都会产生数据,这些数据被收集、存储、分析,并越来越多地跨机构和国家边界共享。新冠肺炎疫情极大地加速了这一过程:向在线和混合学习的快速转变使数据流的收集正常化,这在十年前是不可想象的,包括来自远程监督系统的网络摄像头镜头、用于身份验证的击键动力学以及跟踪学生与课程材料互动频率和时间的参与度指标。''
 
|-
 
|-
 
| style="background:#eef;" | '''Two comprehensive data protection regimes now govern how universities handle this information. The European Union‘s General Data Protection Regulation, which took full effect in May 2018, established the world’s first comprehensive framework for personal data protection, with specific implications for educational institutions that process student data. China‘s Personal Information Protection Law, effective from November 2021, created a parallel framework that, while structurally similar to the GDPR in many respects, reflects fundamentally different assumptions about the relationship between individuals, institutions, and the state.'''
 
| style="background:#eef;" | '''Two comprehensive data protection regimes now govern how universities handle this information. The European Union‘s General Data Protection Regulation, which took full effect in May 2018, established the world’s first comprehensive framework for personal data protection, with specific implications for educational institutions that process student data. China‘s Personal Information Protection Law, effective from November 2021, created a parallel framework that, while structurally similar to the GDPR in many respects, reflects fundamentally different assumptions about the relationship between individuals, institutions, and the state.'''
| ''(zu übersetzen)''
+
| ''现在有两个全面的数据保护机制来管理大学如何处理这些信息。欧盟的《通用数据保护条例》于2018年5月全面生效,建立了世界上第一个全面的个人数据保护框架,对处理学生数据的教育机构具有具体影响。2021年11月生效的中国个人信息保护法创造了一个平行框架,尽管在结构上与GDPR在许多方面相似,但反映了关于个人、机构和国家之间关系的根本不同的假设。''
 
|-
 
|-
 
| style="background:#eef;" | '''For universities engaged in international cooperation — joint degree programs, student exchange, collaborative research, cross-border recruitment — these two regimes create a dual compliance challenge of considerable complexity. A European university recruiting Chinese students must comply with the PIPL’s requirements for processing the personal information of Chinese residents; a Chinese university participating in an Erasmus+ partnership must understand GDPR obligations that may attach to data about European students. Yet the two systems diverge precisely where the compliance challenges are most acute: in their approaches to cross-border data transfer, consent requirements, enforcement mechanisms, and the treatment of minors.'''
 
| style="background:#eef;" | '''For universities engaged in international cooperation — joint degree programs, student exchange, collaborative research, cross-border recruitment — these two regimes create a dual compliance challenge of considerable complexity. A European university recruiting Chinese students must comply with the PIPL’s requirements for processing the personal information of Chinese residents; a Chinese university participating in an Erasmus+ partnership must understand GDPR obligations that may attach to data about European students. Yet the two systems diverge precisely where the compliance challenges are most acute: in their approaches to cross-border data transfer, consent requirements, enforcement mechanisms, and the treatment of minors.'''
| ''(zu übersetzen)''
+
| ''对于参与国际合作的大学——联合学位项目、学生交流、合作研究、跨国招聘——这两种制度带来了相当复杂的双重合规挑战。一所欧洲大学招收中国学生,必须遵守PIPL对中国居民个人信息的处理要求;参与Erasmus+合作项目的中国大学必须了解GDPR的义务,这些义务可能与欧洲学生的数据相关。然而,这两个系统恰恰在合规挑战最严峻的地方出现了分歧:在跨境数据传输、同意要求、执行机制和未成年人待遇方面。''
 
|-
 
|-
 
| style="background:#eef;" | '''This article provides a systematic comparison of GDPR and PIPL as they apply to higher education, organized around four questions. First, how does each framework regulate the core data processing activities of universities — enrollment, assessment, analytics, and communication? Second, where do the two systems converge and where do they diverge in their philosophical foundations and practical requirements? Third, what specific challenges arise for institutions operating simultaneously under both regimes? Fourth, what practical strategies can universities adopt to achieve meaningful compliance with both frameworks?'''
 
| style="background:#eef;" | '''This article provides a systematic comparison of GDPR and PIPL as they apply to higher education, organized around four questions. First, how does each framework regulate the core data processing activities of universities — enrollment, assessment, analytics, and communication? Second, where do the two systems converge and where do they diverge in their philosophical foundations and practical requirements? Third, what specific challenges arise for institutions operating simultaneously under both regimes? Fourth, what practical strategies can universities adopt to achieve meaningful compliance with both frameworks?'''
| ''(zu übersetzen)''
+
| ''本文围绕四个问题,对GDPR和PIPL的高等教育进行了系统的比较。首先,每个框架如何规范大学的核心数据处理活动——招生、评估、分析和交流?第二,这两种体系在哲学基础和实践要求上哪里趋同,哪里分歧?第三,在两种制度下同时运作的机构会面临哪些具体挑战?第四,大学可以采取哪些切实可行的策略来实现有意义地遵守这两个框架?''
 
|-
 
|-
 
| style="background:#eef;" | ''''''2. The GDPR Framework for Education''''''
 
| style="background:#eef;" | ''''''2. The GDPR Framework for Education''''''
| ''(zu übersetzen)''
+
| ''2.“GDPR教育框架”''
 
|-
 
|-
 
| style="background:#eef;" | ''''''2.1 Legal Bases for Student Data Processing''''''
 
| style="background:#eef;" | ''''''2.1 Legal Bases for Student Data Processing''''''
| ''(zu übersetzen)''
+
| ''2.1学生数据处理的法律基础”''
 
|-
 
|-
 
| style="background:#eef;" | '''The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent.'''
 
| style="background:#eef;" | '''The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent.'''
| ''(zu übersetzen)''
+
| ''GDPR(第2016/679号条例)为处理个人数据提供了六个合法依据,其中三个与大学最相关:同意(第6(1)(a)条)、履行合同(第6(1)(b)条)和合法利益(第6(1)(f)条)。欧洲大学通常依赖这些基地的组合。注册和学术管理通常是在合同需要的情况下进行的——学生已经与学校签订了教育合同。涉及学生数据的研究可能依赖于合法利益,或者在涉及敏感数据类别时,依赖于明确的同意。''
 
|-
 
|-
 
| style="background:#eef;" | '''The application of these legal bases to learning analytics has proven particularly contentious. Liu and Khalil (2023), in a systematic review of 47 studies published in leading educational technology journals, identify a fundamental tension: the GDPR’s principle of purpose limitation — that data collected for one purpose should not be repurposed without additional legal basis — sits uncomfortably with the open-ended, exploratory nature of learning analytics, where the value of data often emerges only through analysis that was not anticipated at the time of collection. Prinsloo, Slade, and Khalil (2022) argue from a critical data studies perspective that purely technological solutions to this tension are insufficient; the power asymmetry between institutions and students means that meaningful consent is often illusory, particularly when students feel they cannot refuse data collection without academic consequences.'''
 
| style="background:#eef;" | '''The application of these legal bases to learning analytics has proven particularly contentious. Liu and Khalil (2023), in a systematic review of 47 studies published in leading educational technology journals, identify a fundamental tension: the GDPR’s principle of purpose limitation — that data collected for one purpose should not be repurposed without additional legal basis — sits uncomfortably with the open-ended, exploratory nature of learning analytics, where the value of data often emerges only through analysis that was not anticipated at the time of collection. Prinsloo, Slade, and Khalil (2022) argue from a critical data studies perspective that purely technological solutions to this tension are insufficient; the power asymmetry between institutions and students means that meaningful consent is often illusory, particularly when students feel they cannot refuse data collection without academic consequences.'''
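Review bot: In the ZH cell for the first paragraph of section 2.1, "欧洲大学通常依赖这些基地的组合" renders "bases" as 基地 (a physical base); the same cell already uses 合法依据 for the legal sense, so this should read 这些依据的组合. Three smaller points in this hunk: "本文系统地比较了GDPR和PIPL的高等教育" (abstract cell and four-questions cell) drops "as they apply to" and would be closer as 适用于高等教育的GDPR与PIPL; the keyword "中国EU-比较" has its word order scrambled, where 中欧比较 would match "EU-China comparison"; and the heading cells carry quotation marks left over from the bold markup (“摘要”, 2.“GDPR教育框架”, and the unbalanced 2.1学生数据处理的法律基础”), which should be removed.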
Line 65: Line 65:
 
|-
 
|-
 
| style="background:#eef;" | ''''''2.2 Enforcement Landscape''''''
 
| style="background:#eef;" | ''''''2.2 Enforcement Landscape''''''
| ''(zu übersetzen)''
+
| ''2.2执行情况''
 
|-
 
|-
 
| style="background:#eef;" | '''The enforcement of GDPR in the education sector has been uneven but increasingly significant. According to the CMS GDPR Enforcement Tracker Report for 2024/2025, data protection authorities across 25 EU member states have imposed a total of 270 fines on schools, universities, and other educational institutions, amounting to more than EUR 29.3 million. The most common violations are processing without a sufficient legal basis (90 fines) and insufficient technical and organizational measures to protect data (76 fines) (CMS 2025).'''
 
| style="background:#eef;" | '''The enforcement of GDPR in the education sector has been uneven but increasingly significant. According to the CMS GDPR Enforcement Tracker Report for 2024/2025, data protection authorities across 25 EU member states have imposed a total of 270 fines on schools, universities, and other educational institutions, amounting to more than EUR 29.3 million. The most common violations are processing without a sufficient legal basis (90 fines) and insufficient technical and organizational measures to protect data (76 fines) (CMS 2025).'''
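Review bot: The heading cell "2.2执行情况" translates "Enforcement" as 执行, while the abstract cell added in this same diff uses 执法 for the same term ("执法数据显示"). Pick one term, preferably 执法, and use it in the heading too, for example 2.2 执法概况.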
Line 71: Line 71:
 
|-
 
|-
 
| style="background:#eef;" | '''The most consequential individual case for higher education was the Italian data protection authority’s 2021 decision against Bocconi University, which imposed a EUR 200,000 fine for the use of the Respondus remote exam proctoring software. The authority found that the university had failed to obtain valid consent, had not conducted a data protection impact assessment, had provided insufficient transparency about data processing, and lacked a lawful basis for processing biometric data — violations that collectively illustrate the compliance challenges universities face when deploying surveillance-adjacent educational technologies (Garante 2021).'''
 
| style="background:#eef;" | '''The most consequential individual case for higher education was the Italian data protection authority’s 2021 decision against Bocconi University, which imposed a EUR 200,000 fine for the use of the Respondus remote exam proctoring software. The authority found that the university had failed to obtain valid consent, had not conducted a data protection impact assessment, had provided insufficient transparency about data processing, and lacked a lawful basis for processing biometric data — violations that collectively illustrate the compliance challenges universities face when deploying surveillance-adjacent educational technologies (Garante 2021).'''
| ''(zu übersetzen)''
+
| ''对高等教育影响最大的个案是意大利数据保护局2021年对博科尼大学的裁决,该裁决因使用Respondus远程考试监考软件而处以20万欧元的罚款。该机构发现,该大学未能获得有效的同意,没有进行数据保护影响评估,没有提供足够的数据处理透明度,并且缺乏处理生物识别数据的合法基础-这些违规行为共同表明了大学在部署监控邻近教育技术时面临的合规性挑战(Garante 2021)''
 
|-
 
|-
 
| style="background:#eef;" | '''Yet enforcement captures only part of the picture. A 2024 study by the consultancy 7DOTS examined 335 UK universities and higher education colleges and found an 81 percent non-compliance rate with GDPR standards. Only 32 percent had implemented a Consent Management Platform, and of those, 66 percent were improperly configured (7DOTS 2024). These findings suggest that the education sector’s compliance deficit is not primarily a matter of deliberate violation but of institutional capacity: universities lack the resources, expertise, and organizational structures to implement the GDPR’s requirements effectively.'''
 
| style="background:#eef;" | '''Yet enforcement captures only part of the picture. A 2024 study by the consultancy 7DOTS examined 335 UK universities and higher education colleges and found an 81 percent non-compliance rate with GDPR standards. Only 32 percent had implemented a Consent Management Platform, and of those, 66 percent were improperly configured (7DOTS 2024). These findings suggest that the education sector’s compliance deficit is not primarily a matter of deliberate violation but of institutional capacity: universities lack the resources, expertise, and organizational structures to implement the GDPR’s requirements effectively.'''
| ''(zu übersetzen)''
+
| ''然而,执法只抓住了部分情况。咨询公司7 dots 2024年的一项研究调查了335所英国大学和高等教育学院,发现81%的学生不符合GDPR标准。只有32%实施了同意管理平台,其中66%配置不当(7DOTS 2024)。这些发现表明,教育部门的合规赤字主要不是故意违反的问题,而是机构能力的问题:大学缺乏有效实施GDPR要求的资源、专业知识和组织结构。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''2.3 Student Privacy Beyond the Classroom''''''
 
| style="background:#eef;" | ''''''2.3 Student Privacy Beyond the Classroom''''''
| ''(zu übersetzen)''
+
| ''2.3课堂之外的学生隐私''
 
|-
 
|-
 
| style="background:#eef;" | '''The privacy challenges facing universities extend well beyond the learning management system. Giuffrida and Hall (2023) demonstrate that technology integration in higher education creates privacy risks at the enterprise level — institutional data systems, campus networks, and administrative platforms — that are distinct from the pedagogical context. Blackmon and Major (2023), in a PRISMA-based systematic review of student perspectives on privacy in technology-enhanced courses, find significant awareness gaps: students often do not understand what data is collected about them, how it is used, or what rights they have. Kumi-Yeboah and colleagues (2023) document fear and anxiety about data encroachment among diverse student populations, with particular concerns about learning management systems and social media integration. These findings collectively suggest that the GDPR’s emphasis on informed consent faces a practical obstacle: the information asymmetry between institutions and students is so large that genuine informed consent may be unattainable for many data processing activities.'''
 
| style="background:#eef;" | '''The privacy challenges facing universities extend well beyond the learning management system. Giuffrida and Hall (2023) demonstrate that technology integration in higher education creates privacy risks at the enterprise level — institutional data systems, campus networks, and administrative platforms — that are distinct from the pedagogical context. Blackmon and Major (2023), in a PRISMA-based systematic review of student perspectives on privacy in technology-enhanced courses, find significant awareness gaps: students often do not understand what data is collected about them, how it is used, or what rights they have. Kumi-Yeboah and colleagues (2023) document fear and anxiety about data encroachment among diverse student populations, with particular concerns about learning management systems and social media integration. These findings collectively suggest that the GDPR’s emphasis on informed consent faces a practical obstacle: the information asymmetry between institutions and students is so large that genuine informed consent may be unattainable for many data processing activities.'''
| ''(zu übersetzen)''
+
| ''大学面临的隐私挑战远远超出了学习管理系统。Giuffrida和Hall (2023)证明,高等教育中的技术集成会在企业层面(机构数据系统、校园网络和行政平台)产生隐私风险,这与教学环境截然不同。Blackmon和Major (2023年)在一项基于PRISMA的关于学生在技术增强课程中对隐私的看法的系统审查中,发现了明显的意识差距:学生往往不明白收集了关于他们的哪些数据,这些数据是如何使用的,或者他们拥有什么权利。Kumi-Yeboah及其同事(2023)记录了不同学生群体对数据侵犯的恐惧和焦虑,特别是对学习管理系统和社交媒体整合的担忧。这些发现共同表明,GDPR对知情同意的强调面临一个实际障碍:机构和学生之间的信息不对称如此之大,以至于许多数据处理活动可能无法获得真正的知情同意。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''3. China‘s PIPL: Structure and Educational Implications''''''
 
| style="background:#eef;" | ''''''3. China‘s PIPL: Structure and Educational Implications''''''
| ''(zu übersetzen)''
+
| ''3.《中国的PIPL:结构与教育含义》''
 
|-
 
|-
 
| style="background:#eef;" | ''''''3.1 Architectural Overview''''''
 
| style="background:#eef;" | ''''''3.1 Architectural Overview''''''
| ''(zu übersetzen)''
+
| ''3.1架构概述''
 
|-
 
|-
 
| style="background:#eef;" | '''China‘s Personal Information Protection Law, effective 1 November 2021, establishes a comprehensive framework for personal data protection that is structurally parallel to the GDPR in many respects — extraterritorial scope, individual rights (access, correction, deletion, portability), requirements for data protection impact assessments, and significant penalties for violations — while reflecting fundamentally different philosophical commitments (Li and Chen 2024; Lim and Oh 2025).'''
 
| style="background:#eef;" | '''China‘s Personal Information Protection Law, effective 1 November 2021, establishes a comprehensive framework for personal data protection that is structurally parallel to the GDPR in many respects — extraterritorial scope, individual rights (access, correction, deletion, portability), requirements for data protection impact assessments, and significant penalties for violations — while reflecting fundamentally different philosophical commitments (Li and Chen 2024; Lim and Oh 2025).'''
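Review bot: The ZH cell for the 7DOTS paragraph changes the meaning of the source: "发现81%的学生不符合GDPR标准" says 81 percent of students are non-compliant, whereas the English reports an 81 percent non-compliance rate among the 335 institutions examined; 发现81%的院校不符合GDPR标准 keeps the subject right. In the same cell the consultancy appears as both "7 dots" and "7DOTS"; keep the source spelling throughout. The Bocconi cell ends at "(Garante 2021)" without a closing 。, and the section 3 heading is wrapped in 《》 as though it were a book title.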
Line 95: Line 95:
 
|-
 
|-
 
| style="background:#eef;" | ''''''3.2 Enhanced Protection for Minors''''''
 
| style="background:#eef;" | ''''''3.2 Enhanced Protection for Minors''''''
| ''(zu übersetzen)''
+
| ''3.2加强保护未成年人''
 
|-
 
|-
 
| style="background:#eef;" | '''The PIPL’s treatment of minors represents one of its most significant divergences from the GDPR. Article 28 classifies all personal information of individuals under the age of 14 as „sensitive personal information,“ regardless of its nature, requiring parental consent for processing and a separate privacy impact assessment. Zhang and Kollnig (2024), in a study published in International Data Privacy Law, trace five legislative developments that progressively strengthened children’s protections under Chinese law, while documenting significant gaps between legal requirements and actual practice in Chinese applications.'''
 
| style="background:#eef;" | '''The PIPL’s treatment of minors represents one of its most significant divergences from the GDPR. Article 28 classifies all personal information of individuals under the age of 14 as „sensitive personal information,“ regardless of its nature, requiring parental consent for processing and a separate privacy impact assessment. Zhang and Kollnig (2024), in a study published in International Data Privacy Law, trace five legislative developments that progressively strengthened children’s protections under Chinese law, while documenting significant gaps between legal requirements and actual practice in Chinese applications.'''
| ''(zu übersetzen)''
+
| ''PIPL对未成年人的待遇是其与GDPR最大的差异之一。第28条将14岁以下个人的所有个人信息归类为“敏感个人信息”,无论其性质如何,都需要父母同意才能处理,并进行单独的隐私影响评估。张和Kollnig (2024年)在《国际数据隐私法》上发表的一项研究中,追踪了逐步加强中国法律下儿童保护的五项立法发展,同时记录了法律要求和中国应用中的实际做法之间的重大差距。''
 
|-
 
|-
 
| style="background:#eef;" | '''For universities, the implications are indirect but important. While most university students are over 14, secondary school recruitment activities, summer programs for minors, and dual-enrollment programs all involve processing data of individuals who may fall within this protected category. The PIPL’s approach is arguably stricter than the GDPR’s in this specific area: the GDPR sets the age of digital consent at 16 (with member state discretion to lower it to 13), but does not automatically classify all data of minors as sensitive.'''
 
| style="background:#eef;" | '''For universities, the implications are indirect but important. While most university students are over 14, secondary school recruitment activities, summer programs for minors, and dual-enrollment programs all involve processing data of individuals who may fall within this protected category. The PIPL’s approach is arguably stricter than the GDPR’s in this specific area: the GDPR sets the age of digital consent at 16 (with member state discretion to lower it to 13), but does not automatically classify all data of minors as sensitive.'''
| ''(zu übersetzen)''
+
| ''对大学来说,这种暗示是间接的,但却是重要的。虽然大多数大学生都超过14岁,但中学招聘活动、未成年人暑期项目和双招生项目都涉及处理可能属于此受保护类别的个人数据。在这一特定领域,PIPL的做法可以说比GDPR更严格:GDPR将数字同意的年龄定为16岁(成员国可酌情将年龄降至13岁),但不会自动将未成年人的所有数据归类为敏感数据。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''3.3 Data Localization and Cross-Border Transfer''''''
 
| style="background:#eef;" | ''''''3.3 Data Localization and Cross-Border Transfer''''''
| ''(zu übersetzen)''
+
| ''3.3数据本地化和跨境传输''
 
|-
 
|-
 
| style="background:#eef;" | '''The PIPL’s requirements for cross-border data transfer are among its most practically consequential provisions for international universities. Article 38 establishes three mechanisms for transferring personal information outside China: passing a security assessment organized by the Cyberspace Administration of China (CAC), obtaining personal information protection certification from a specialized institution, or concluding a standard contract formulated by the CAC with the overseas recipient. In October 2025, the CAC and the State Administration for Market Regulation jointly issued the Measures for the Certification of Cross-Border Transfer of Personal Information, effective 1 January 2026, completing this three-pillar framework (CMS Law-Now 2025).'''
 
| style="background:#eef;" | '''The PIPL’s requirements for cross-border data transfer are among its most practically consequential provisions for international universities. Article 38 establishes three mechanisms for transferring personal information outside China: passing a security assessment organized by the Cyberspace Administration of China (CAC), obtaining personal information protection certification from a specialized institution, or concluding a standard contract formulated by the CAC with the overseas recipient. In October 2025, the CAC and the State Administration for Market Regulation jointly issued the Measures for the Certification of Cross-Border Transfer of Personal Information, effective 1 January 2026, completing this three-pillar framework (CMS Law-Now 2025).'''
| ''(zu übersetzen)''
+
| ''PIPL对跨境数据传输的要求是其对国际大学最实际的规定之一。第38条建立了三种将个人信息转移到中国境外的机制:通过中国网络空间管理局(CAC)组织的安全评估,从专门机构获得个人信息保护认证,或与海外接收者签订CAC制定的标准合同。2025年10月,CAC和国家市场监管局联合发布了《个人信息跨境转移认证办法》,自2026年1月1日起生效,完成了这一三支柱框架(CMS法-现为2025年)。''
 
|-
 
|-
 
| style="background:#eef;" | '''Additionally, the Regulations on Network Data Security Management, effective 1 January 2025, require organizations processing personal information of more than 10 million individuals to appoint a data security officer and conduct regular audits (State Council 2024). While few individual universities reach this threshold, aggregated educational platforms and national student information systems frequently do.'''
 
| style="background:#eef;" | '''Additionally, the Regulations on Network Data Security Management, effective 1 January 2025, require organizations processing personal information of more than 10 million individuals to appoint a data security officer and conduct regular audits (State Council 2024). While few individual universities reach this threshold, aggregated educational platforms and national student information systems frequently do.'''
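Review bot: At the end of the ZH cell for the Article 38 paragraph, the citation "(CMS Law-Now 2025)" has been translated as "(CMS法-现为2025年)", which no longer matches a reference a reader could look up; leave source citations untranslated, as the other cells do with "(Garante 2021)" and "(7DOTS 2024)". In the universities paragraph, "中学招聘活动" uses 招聘 (job hiring) for student recruitment, where 招生 is the term the four-questions cell uses for enrollment. The agency names 中国网络空间管理局 and 国家市场监管局 are literal renderings; the official Chinese names are 国家互联网信息办公室 and 国家市场监督管理总局.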

Revision as of 17:55, 14 May 2026


📌 Note (as of 8 May 2026): This page has been restructured so that each paragraph has its own table row. Existing Chinese translations were assigned automatically; the assignment is not correct in every case. Please check the right-hand column and move or correct the ZH translations if they do not match the DE paragraph. Untranslated paragraphs are marked "(zu übersetzen)" ("to be translated").

English (Source) 中文 (Translation)
Student Data Protection in the Digital University: GDPR and China’s PIPL Compared 数字大学中的学生数据保护:GDPR与中国PIPL的比较
Martin Woesler (to be translated)
'Abstract' “摘要”
The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world’s most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union’s General Data Protection Regulation (GDPR, effective 2018) and China’s Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.
高等教育的数字化转型产生了前所未有的海量学生数据,从学习管理系统交互和评估记录,到生物识别监考数据和预测分析配置文件。世界上最重要的两个数据保护制度现在管理着大学如何收集、处理和传输这些数据:欧盟的《通用数据保护条例》(GDPR,2018年生效)和中国的《个人信息保护法》(PIPL,2021年生效)。然而,尽管表面上有相似之处——两者都确立了对个人数据的个人权利,都对侵犯行为施以严厉惩罚,并且都限制跨境数据传输——但这两种制度反映了根本不同的哲学取向:个人自治与国家主权。本文系统地比较了GDPR和PIPL的高等教育。执法数据显示,欧盟数据保护机构已对教育机构处以270笔罚款,总额超过2930万欧元,研究表明,81%的英国大学未能达到GDPR合规标准,根据这些数据,我们证明这两个系统在实践中都未能实现令人满意的数据保护。我们将学习分析、人工智能驱动的评估、跨境学生招聘和EU-中国联合学术项目作为监管框架面临最严峻考验的四个领域进行了研究。我们认为,在两个司法管辖区运营的大学面临双重合规挑战,当前的指南没有充分解决这一问题,我们提出了一个框架来导航这些重叠的义务。
Keywords: GDPR, PIPL, student data protection, learning analytics, higher education, cross-border data flows, privacy, EU-China comparison, AI in education 关键词:GDPR, PIPL,学生数据保护,学习分析,高等教育,跨境数据流动,隐私,中国EU-比较,人工智能在教育中
1. Introduction 1.简介
The digital university is, at its core, a data-generating institution. Every interaction a student has with a learning management system, every submission to an automated grading platform, every login to a campus network, and every engagement with an adaptive learning tool produces data that is collected, stored, analyzed, and — increasingly — shared across institutional and national boundaries. The COVID-19 pandemic accelerated this process dramatically: the rapid shift to online and hybrid learning normalized the collection of data streams that would have been unthinkable a decade earlier, including webcam footage from remote proctoring systems, keystroke dynamics for identity verification, and engagement metrics tracking how often and how long students interact with course materials. 数字大学的核心是一个数据生成机构。学生与学习管理系统的每一次交互、向自动评分平台的每一次提交、校园网络的每一次登录以及与适应性学习工具的每一次接触都会产生数据,这些数据被收集、存储、分析,并越来越多地跨机构和国家边界共享。新冠肺炎疫情极大地加速了这一过程:向在线和混合学习的快速转变使数据流的收集正常化,这在十年前是不可想象的,包括来自远程监督系统的网络摄像头镜头、用于身份验证的击键动力学以及跟踪学生与课程材料互动频率和时间的参与度指标。
Two comprehensive data protection regimes now govern how universities handle this information. The European Union’s General Data Protection Regulation, which took full effect in May 2018, established the world’s first comprehensive framework for personal data protection, with specific implications for educational institutions that process student data. China’s Personal Information Protection Law, effective from November 2021, created a parallel framework that, while structurally similar to the GDPR in many respects, reflects fundamentally different assumptions about the relationship between individuals, institutions, and the state. 现在有两个全面的数据保护机制来管理大学如何处理这些信息。欧盟的《通用数据保护条例》于2018年5月全面生效,建立了世界上第一个全面的个人数据保护框架,对处理学生数据的教育机构具有具体影响。2021年11月生效的中国个人信息保护法创造了一个平行框架,尽管在结构上与GDPR在许多方面相似,但反映了关于个人、机构和国家之间关系的根本不同的假设。
For universities engaged in international cooperation — joint degree programs, student exchange, collaborative research, cross-border recruitment — these two regimes create a dual compliance challenge of considerable complexity. A European university recruiting Chinese students must comply with the PIPL’s requirements for processing the personal information of Chinese residents; a Chinese university participating in an Erasmus+ partnership must understand GDPR obligations that may attach to data about European students. Yet the two systems diverge precisely where the compliance challenges are most acute: in their approaches to cross-border data transfer, consent requirements, enforcement mechanisms, and the treatment of minors. 对于参与国际合作的大学——联合学位项目、学生交流、合作研究、跨国招聘——这两种制度带来了相当复杂的双重合规挑战。一所欧洲大学招收中国学生,必须遵守PIPL对中国居民个人信息的处理要求;参与Erasmus+合作项目的中国大学必须了解GDPR的义务,这些义务可能与欧洲学生的数据相关。然而,这两个系统恰恰在合规挑战最严峻的地方出现了分歧:在跨境数据传输、同意要求、执行机制和未成年人待遇方面。
This article provides a systematic comparison of GDPR and PIPL as they apply to higher education, organized around four questions. First, how does each framework regulate the core data processing activities of universities — enrollment, assessment, analytics, and communication? Second, where do the two systems converge and where do they diverge in their philosophical foundations and practical requirements? Third, what specific challenges arise for institutions operating simultaneously under both regimes? Fourth, what practical strategies can universities adopt to achieve meaningful compliance with both frameworks? 本文围绕四个问题,对GDPR和PIPL的高等教育进行了系统的比较。首先,每个框架如何规范大学的核心数据处理活动——招生、评估、分析和交流?第二,这两种体系在哲学基础和实践要求上哪里趋同,哪里分歧?第三,在两种制度下同时运作的机构会面临哪些具体挑战?第四,大学可以采取哪些切实可行的策略来实现有意义地遵守这两个框架?
2. The GDPR Framework for Education 2.“GDPR教育框架”
2.1 Legal Bases for Student Data Processing 2.1学生数据处理的法律基础”
The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent. GDPR(第2016/679号条例)为处理个人数据提供了六个合法依据,其中三个与大学最相关:同意(第6(1)(a)条)、履行合同(第6(1)(b)条)和合法利益(第6(1)(f)条)。欧洲大学通常依赖这些基地的组合。注册和学术管理通常是在合同需要的情况下进行的——学生已经与学校签订了教育合同。涉及学生数据的研究可能依赖于合法利益,或者在涉及敏感数据类别时,依赖于明确的同意。
The application of these legal bases to learning analytics has proven particularly contentious. Liu and Khalil (2023), in a systematic review of 47 studies published in leading educational technology journals, identify a fundamental tension: the GDPR’s principle of purpose limitation — that data collected for one purpose should not be repurposed without additional legal basis — sits uncomfortably with the open-ended, exploratory nature of learning analytics, where the value of data often emerges only through analysis that was not anticipated at the time of collection. Prinsloo, Slade, and Khalil (2022) argue from a critical data studies perspective that purely technological solutions to this tension are insufficient; the power asymmetry between institutions and students means that meaningful consent is often illusory, particularly when students feel they cannot refuse data collection without academic consequences. 这些法律基础在学习分析中的应用被证明特别有争议。Liu和Khalil(2023)在对发表于主要教育技术期刊的47项研究的系统综述中,指出了一个根本性的紧张关系:GDPR的目的限制原则——为一个目的收集的数据不应在没有额外法律基础的情况下被再利用——与学习分析开放式、探索性的本质之间存在矛盾,在学习分析中,数据的价值往往只在收集时未预见到的分析中才显现出来。Prinsloo、Slade和Khalil(2022)从批判性数据研究的角度论证,纯技术解决方案不足以应对这种紧张关系;机构与学生之间的权力不对称意味着有意义的同意往往是虚幻的,特别是当学生觉得如果拒绝数据收集就会产生学术后果时。
2.2 Enforcement Landscape 2.2执行情况
The enforcement of GDPR in the education sector has been uneven but increasingly significant. According to the CMS GDPR Enforcement Tracker Report for 2024/2025, data protection authorities across 25 EU member states have imposed a total of 270 fines on schools, universities, and other educational institutions, amounting to more than EUR 29.3 million. The most common violations are processing without a sufficient legal basis (90 fines) and insufficient technical and organizational measures to protect data (76 fines) (CMS 2025). GDPR在教育领域的执法虽不均衡但日益显著。根据CMS 2024/2025年GDPR执法追踪报告,25个欧盟成员国的数据保护机构已对学校、大学和其他教育机构开出总计270张罚单,金额超过2930万欧元。最常见的违规行为是在缺乏充分法律基础的情况下进行处理(90张罚单)以及技术和组织保护措施不足(76张罚单)(CMS 2025)。
The most consequential individual case for higher education was the Italian data protection authority’s 2021 decision against Bocconi University, which imposed a EUR 200,000 fine for the use of the Respondus remote exam proctoring software. The authority found that the university had failed to obtain valid consent, had not conducted a data protection impact assessment, had provided insufficient transparency about data processing, and lacked a lawful basis for processing biometric data — violations that collectively illustrate the compliance challenges universities face when deploying surveillance-adjacent educational technologies (Garante 2021). 对高等教育影响最大的个案是意大利数据保护局2021年对博科尼大学的裁决,该裁决因使用Respondus远程考试监考软件而处以20万欧元的罚款。该机构发现,该大学未能获得有效的同意,没有进行数据保护影响评估,没有提供足够的数据处理透明度,并且缺乏处理生物识别数据的合法基础-这些违规行为共同表明了大学在部署监控邻近教育技术时面临的合规性挑战(Garante 2021)。
Yet enforcement captures only part of the picture. A 2024 study by the consultancy 7DOTS examined 335 UK universities and higher education colleges and found an 81 percent non-compliance rate with GDPR standards. Only 32 percent had implemented a Consent Management Platform, and of those, 66 percent were improperly configured (7DOTS 2024). These findings suggest that the education sector’s compliance deficit is not primarily a matter of deliberate violation but of institutional capacity: universities lack the resources, expertise, and organizational structures to implement the GDPR’s requirements effectively. 然而,执法只抓住了部分情况。咨询公司7 dots 2024年的一项研究调查了335所英国大学和高等教育学院,发现81%的学生不符合GDPR标准。只有32%实施了同意管理平台,其中66%配置不当(7DOTS 2024)。这些发现表明,教育部门的合规赤字主要不是故意违反的问题,而是机构能力的问题:大学缺乏有效实施GDPR要求的资源、专业知识和组织结构。
2.3 Student Privacy Beyond the Classroom 2.3课堂之外的学生隐私
The privacy challenges facing universities extend well beyond the learning management system. Giuffrida and Hall (2023) demonstrate that technology integration in higher education creates privacy risks at the enterprise level — institutional data systems, campus networks, and administrative platforms — that are distinct from the pedagogical context. Blackmon and Major (2023), in a PRISMA-based systematic review of student perspectives on privacy in technology-enhanced courses, find significant awareness gaps: students often do not understand what data is collected about them, how it is used, or what rights they have. Kumi-Yeboah and colleagues (2023) document fear and anxiety about data encroachment among diverse student populations, with particular concerns about learning management systems and social media integration. These findings collectively suggest that the GDPR’s emphasis on informed consent faces a practical obstacle: the information asymmetry between institutions and students is so large that genuine informed consent may be unattainable for many data processing activities. 大学面临的隐私挑战远远超出了学习管理系统。Giuffrida和Hall (2023)证明,高等教育中的技术集成会在企业层面(机构数据系统、校园网络和行政平台)产生隐私风险,这与教学环境截然不同。Blackmon和Major (2023年)在一项基于PRISMA的关于学生在技术增强课程中对隐私的看法的系统审查中,发现了明显的意识差距:学生往往不明白收集了关于他们的哪些数据,这些数据是如何使用的,或者他们拥有什么权利。Kumi-Yeboah及其同事(2023)记录了不同学生群体对数据侵犯的恐惧和焦虑,特别是对学习管理系统和社交媒体整合的担忧。这些发现共同表明,GDPR对知情同意的强调面临一个实际障碍:机构和学生之间的信息不对称如此之大,以至于许多数据处理活动可能无法获得真正的知情同意。
3. China’s PIPL: Structure and Educational Implications 3.《中国的PIPL:结构与教育含义》
3.1 Architectural Overview 3.1架构概述
China’s Personal Information Protection Law, effective 1 November 2021, establishes a comprehensive framework for personal data protection that is structurally parallel to the GDPR in many respects — extraterritorial scope, individual rights (access, correction, deletion, portability), requirements for data protection impact assessments, and significant penalties for violations — while reflecting fundamentally different philosophical commitments (Li and Chen 2024; Lim and Oh 2025). 中国的《个人信息保护法》自2021年11月1日起生效,建立了一个在许多方面与GDPR结构平行的全面个人数据保护框架——域外适用范围、个人权利(访问、更正、删除、可携带性)、数据保护影响评估要求以及对违规行为的重大处罚——同时反映了根本不同的哲学承诺(Li和Chen 2024; Lim和Oh 2025)。
The PIPL defines “personal information” broadly as any information relating to an identified or identifiable natural person recorded by electronic or other means (Article 4). Like the GDPR, it establishes lawful bases for processing — consent, contractual necessity, legal obligation, public health emergencies, news reporting in the public interest, and reasonable processing of publicly available information (Article 13). Unlike the GDPR, however, the PIPL does not include “legitimate interests” as a standalone legal basis, making consent the primary mechanism for lawful processing in most educational contexts (IAPP 2021; Zhu 2022). PIPL将"个人信息"广泛定义为通过电子或其他方式记录的与已识别或可识别的自然人相关的任何信息(第4条)。与GDPR类似,它建立了处理的合法基础——同意、合同必要性、法律义务、公共卫生紧急事件、公共利益的新闻报道以及对公开信息的合理处理(第13条)。然而,与GDPR不同的是,PIPL不包括"正当利益"作为独立的法律基础,使同意成为大多数教育情境中合法处理的主要机制(IAPP 2021; Zhu 2022)。
3.2 Enhanced Protection for Minors 3.2加强保护未成年人
The PIPL’s treatment of minors represents one of its most significant divergences from the GDPR. Article 28 classifies all personal information of individuals under the age of 14 as “sensitive personal information,” regardless of its nature, requiring parental consent for processing and a separate privacy impact assessment. Zhang and Kollnig (2024), in a study published in International Data Privacy Law, trace five legislative developments that progressively strengthened children’s protections under Chinese law, while documenting significant gaps between legal requirements and actual practice in Chinese applications. PIPL对未成年人的待遇是其与GDPR最大的差异之一。第28条将14岁以下个人的所有个人信息归类为“敏感个人信息”,无论其性质如何,都需要父母同意才能处理,并进行单独的隐私影响评估。张和Kollnig (2024年)在《国际数据隐私法》上发表的一项研究中,追踪了逐步加强中国法律下儿童保护的五项立法发展,同时记录了法律要求和中国应用中的实际做法之间的重大差距。
For universities, the implications are indirect but important. While most university students are over 14, secondary school recruitment activities, summer programs for minors, and dual-enrollment programs all involve processing data of individuals who may fall within this protected category. The PIPL’s approach is arguably stricter than the GDPR’s in this specific area: the GDPR sets the age of digital consent at 16 (with member state discretion to lower it to 13), but does not automatically classify all data of minors as sensitive. 对大学来说,这种暗示是间接的,但却是重要的。虽然大多数大学生都超过14岁,但中学招聘活动、未成年人暑期项目和双招生项目都涉及处理可能属于此受保护类别的个人数据。在这一特定领域,PIPL的做法可以说比GDPR更严格:GDPR将数字同意的年龄定为16岁(成员国可酌情将年龄降至13岁),但不会自动将未成年人的所有数据归类为敏感数据。
3.3 Data Localization and Cross-Border Transfer 3.3数据本地化和跨境传输
The PIPL’s requirements for cross-border data transfer are among its most practically consequential provisions for international universities. Article 38 establishes three mechanisms for transferring personal information outside China: passing a security assessment organized by the Cyberspace Administration of China (CAC), obtaining personal information protection certification from a specialized institution, or concluding a standard contract formulated by the CAC with the overseas recipient. In October 2025, the CAC and the State Administration for Market Regulation jointly issued the Measures for the Certification of Cross-Border Transfer of Personal Information, effective 1 January 2026, completing this three-pillar framework (CMS Law-Now 2025). PIPL对跨境数据传输的要求是其对国际大学最实际的规定之一。第38条建立了三种将个人信息转移到中国境外的机制:通过中国网络空间管理局(CAC)组织的安全评估,从专门机构获得个人信息保护认证,或与海外接收者签订CAC制定的标准合同。2025年10月,CAC和国家市场监管局联合发布了《个人信息跨境转移认证办法》,自2026年1月1日起生效,完成了这一三支柱框架(CMS法-现为2025年)。
Additionally, the Regulations on Network Data Security Management, effective 1 January 2025, require organizations processing personal information of more than 10 million individuals to appoint a data security officer and conduct regular audits (State Council 2024). While few individual universities reach this threshold, aggregated educational platforms and national student information systems frequently do. 第五,投资于机构能力。7DOTS(2024)和CMS(2025)记录的准备度差距反映的不是故意不合规,而是专业知识和资源不足。大学应指定具有教育数据和国际数据流专业知识的数据保护官,并为教职人员和行政人员提供定期培训。
The practical implications for international academic cooperation are significant. As the MIT Office of General Counsel (2022) has noted, the PIPL is triggered whenever an institution obtains admissions applications from Chinese citizens residing in China, conducts recruitment activities there, offers online courses accessible to Chinese residents, performs human-subjects research using Chinese residents’ data, or collaborates with Chinese academic institutions that share student data. The American Association of Collegiate Registrars and Admissions Officers (AACRAO 2022) has published specific compliance guidance for admissions and registrar offices, reflecting the growing awareness that routine international student recruitment now carries data protection obligations under both GDPR and PIPL. (zu übersetzen)
4. Systematic Comparison (zu übersetzen)
4.1 Philosophical Foundations (zu übersetzen)
The most fundamental difference between GDPR and PIPL lies not in their technical provisions but in their philosophical orientations. The GDPR emerges from a tradition of individual rights protection, rooted in the European Convention on Human Rights and the EU Charter of Fundamental Rights. Its core assumption is that personal data protection is a fundamental right of the individual, which can be limited only under specified conditions and subject to proportionality review. Li and Chen (2024), in their analysis of the “Brussels Effect” on Chinese data protection law, introduce a “gravity assist” model: while the GDPR’s structural influence on the PIPL is evident, China’s adoption reflects not convergence but strategic adaptation to its distinct political, cultural, and legal context. (zu übersetzen)
The PIPL, by contrast, reflects what Lim and Oh (2025) describe as a “state sovereignty” orientation. The law serves multiple objectives simultaneously: protecting individual privacy, certainly, but also safeguarding national security, promoting the digital economy, and maintaining social stability. The law’s enforcement is centralized under the CAC, which is simultaneously responsible for internet censorship, cybersecurity, and data governance — a combination that would be impermissible under the GDPR’s requirement for independent supervisory authorities (Article 52). (zu übersetzen)
4.2 Structural Differences (zu übersetzen)
Several structural differences have direct implications for universities: (zu übersetzen)
Consent. The GDPR recognizes six lawful bases for processing; the PIPL’s absence of a “legitimate interests” basis makes consent more central, particularly for educational data processing that goes beyond contractual necessity. The PIPL additionally requires separate consent for cross-border transfers (Article 39) and for processing sensitive personal information (Article 29). (zu übersetzen)
Penalties. The GDPR imposes maximum fines of EUR 20 million or 4 percent of global annual turnover, whichever is greater. The PIPL imposes maximum fines of RMB 50 million (approximately EUR 6.4 million) or 5 percent of the previous year’s annual revenue for grave violations, plus potential personal liability for responsible individuals — a feature without direct GDPR equivalent (IAPP 2021; DataGuidance 2022). '处罚'。GDPR的最高罚款为2000万欧元或全球年营业额的4%,以较高者为准。PIPL对严重违规的最高罚款为5000万人民币(约640万欧元)或上一年度年收入的5%,另外还对责任个人追究个人责任——这一特征在GDPR中没有直接对应项(IAPP 2021; DataGuidance 2022)。
Enforcement. The GDPR’s enforcement is decentralized across national data protection authorities, with coordination through the European Data Protection Board. The PIPL’s enforcement is centralized under the CAC, with additional sector-specific oversight from the Ministry of Education for educational institutions. The GDPR requires supervisory authorities to be independent; the PIPL imposes no such requirement. (zu übersetzen)
Cross-border transfers. The GDPR permits transfers to countries with “adequate” data protection (adequacy decisions), or through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PIPL offers security assessment, standard contracts, and certification, but does not employ an adequacy mechanism — there is no list of “safe” countries to which data may flow freely (Fernandez-Novel Escobar 2025). (zu übersetzen)
Data subject rights. Both frameworks provide broadly similar individual rights: access, correction, deletion, and portability. The PIPL additionally grants next-of-kin the right to exercise deceased persons’ data rights — a provision with potential relevance for universities managing the records of deceased students (DataGuidance 2022). The PIPL also includes a broader definition of “sensitive personal information” that encompasses financial data, location data, and biometric information alongside the categories recognized by the GDPR. (zu übersetzen)
4.3 Convergence and Divergence (zu übersetzen)
Despite these differences, the two frameworks converge in important ways. Both require data protection impact assessments for high-risk processing. Both impose transparency obligations requiring clear, accessible privacy notices. Both provide for data portability — the right to receive one’s personal data in a structured, machine-readable format. Both establish extraterritorial scope, applying to entities outside their jurisdiction that process the data of their residents. And both impose requirements for data breach notification, though with different timelines: 72 hours under the GDPR (Article 33), versus an unspecified but prompt timeframe under the PIPL. (zu übersetzen)
The pattern that emerges is convergence at the level of principles — both systems recognize that personal data deserves protection, that individuals should have rights over their data, and that organizations must be held accountable for their processing activities — with significant divergence at the level of implementation, philosophical justification, and enforcement culture. As Solove (2022) observes, the PIPL is often described as “China’s GDPR,” but this characterization obscures important structural differences that have direct practical consequences for organizations operating under both regimes. (zu übersetzen)
5. Learning Analytics: The Critical Test Case (zu übersetzen)
Learning analytics represents the domain where the tension between data protection and educational innovation is most acute. Universities increasingly deploy predictive analytics systems that use historical student data to identify students at risk of failure, recommend interventions, and personalize learning pathways. These systems require the processing of large volumes of student data — often aggregated from multiple sources and analyzed using machine learning algorithms — in ways that challenge the fundamental principles of both GDPR and PIPL. (zu übersetzen)
Under the GDPR, learning analytics systems face challenges on multiple fronts. Purpose limitation (Article 5(1)(b)) requires that data be collected for specified, explicit purposes and not further processed in a manner incompatible with those purposes. But the value of learning analytics often depends on precisely this kind of repurposing: data collected for course administration is analyzed for patterns that inform institutional strategy. Data minimization (Article 5(1)(c)) requires that only data adequate, relevant, and limited to what is necessary be processed — yet predictive models typically perform better with more data, creating a structural incentive toward maximal collection. Transparency (Articles 13-14) requires that individuals be informed about automated decision-making — but the complexity of machine learning models often makes meaningful explanation difficult. (zu übersetzen)
Under the PIPL, learning analytics faces additional challenges. The absence of a legitimate interests basis means that universities must typically rely on consent for analytics that go beyond direct educational delivery. The requirement for separate consent for processing sensitive information (Article 29) may be triggered by analytics that process academic performance data in ways that reveal protected characteristics. And the data localization requirements mean that analytics platforms operated by international providers must navigate complex cross-border transfer rules. (zu übersetzen)
Xue and colleagues (2025), in an analysis of AI privacy concerns in higher education across Chinese and English-language media, found that while both contexts identify AI-driven proctoring, student data security, and institutional governance as central concerns, the emphasis differs: Western coverage foregrounds individual privacy rights, while Chinese coverage more frequently addresses the relationship between AI-driven educational innovation and institutional governance. This divergence mirrors the broader philosophical difference between the two regulatory frameworks. (zu übersetzen)
Lachheb and colleagues (2023) argue that maintaining student privacy in educational technology requires attention not only to policy and law but to design ethics — the principles embedded in the technological systems themselves. They propose a framework to help instructional designers evaluate whether design patterns unintentionally undermine learner agency, suggesting that compliance with either GDPR or PIPL requires intervention at the design stage, not merely at the policy level. Liu, Khalil, and colleagues (2025) explore synthetic data generation with differential privacy mechanisms as a technical approach to this challenge, enabling learning analytics research without exposing individual student records. Lachheb及其同事(2023)认为,在教育技术中维护学生隐私不仅需要关注政策和法律,还需要关注设计伦理——嵌入技术系统本身的原则。他们提出了一个框架来帮助教学设计师评估设计模式是否无意中损害了学习者的能动性,建议无论是GDPR还是PIPL的合规都需要在设计阶段进行干预,而不仅仅是在政策层面。Liu、Khalil及其同事(2025)探索了具有差分隐私机制的合成数据生成作为这一挑战的技术方法,使学习分析研究可以在不暴露个人学生记录的情况下进行。
6. AI-Driven Assessment and Proctoring (zu übersetzen)
The EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024, adds a further regulatory layer for European universities. The Act classifies AI systems used for educational assessment and proctoring as “high-risk” under Annex III, Section 3, requiring conformity assessments, human oversight, and technical documentation. Article 5(1)(f) prohibits emotion recognition systems in educational settings (European Parliament and Council 2024). (zu übersetzen)
The interaction between the AI Act and GDPR creates a layered compliance obligation: universities deploying AI-powered assessment tools must satisfy both the AI Act’s requirements for high-risk systems and the GDPR’s requirements for lawful data processing. The Bocconi University case demonstrates the consequences of failing to meet the latter; the AI Act will add additional requirements from August 2026 onward. A 2025 report by the Rockefeller Institute of Government recommends that universities map their AI use cases against the Act’s risk categories as a first step toward compliance, citing the governance models developed by Utrecht University and the University of Edinburgh as reference frameworks (Rockefeller Institute 2025). (zu übersetzen)
China’s approach to AI in educational assessment reflects its sector-specific regulatory philosophy. Rather than a single comprehensive AI law, China governs educational AI through a combination of the 2023 Interim Measures for Generative AI Services, the PIPL’s provisions for automated decision-making, and Ministry of Education directives. The use of AI proctoring and surveillance technologies in Chinese universities, while subject to PIPL consent requirements, does not face the categorical restrictions imposed by the EU AI Act’s emotion recognition ban. This regulatory asymmetry has practical implications for technology companies developing educational assessment tools for both markets: systems designed for China may include features that are prohibited in the EU, and vice versa. (zu übersetzen)
The Bocconi case illustrates a broader tension. Remote proctoring systems — which typically capture webcam footage, track eye movements, monitor keyboard and mouse activity, and may use facial recognition to verify identity — process categories of data that trigger the GDPR’s most stringent requirements: biometric data (Article 9), automated decision-making (Article 22), and profiling. Under the PIPL, biometric information is classified as sensitive personal information requiring separate consent (Article 28), but there is no categorical prohibition comparable to the AI Act’s emotion recognition ban. The result is a regulatory landscape where the same technology may be lawful in one jurisdiction and prohibited in the other, depending on its specific capabilities and the legal basis invoked. (zu übersetzen)
7. Joint EU-China Programs: Dual Compliance in Practice (zu übersetzen)
The most acute compliance challenges arise in joint EU-China academic programs, where student data routinely crosses jurisdictional boundaries. A European university offering a joint degree with a Chinese partner institution must transfer enrollment data, academic records, and potentially learning analytics data between the two institutions — transfers that must comply simultaneously with the GDPR’s requirements for international data transfer and the PIPL’s cross-border transfer provisions. (zu übersetzen)
The practical difficulties are considerable. GDPR transfers to China cannot currently rely on an adequacy decision (the European Commission has not recognized China as providing adequate data protection). Standard Contractual Clauses may be used, but must be supplemented by a transfer impact assessment that considers Chinese surveillance laws and government access provisions — an assessment whose conclusions may be unfavorable. In the other direction, PIPL transfers to Europe require one of the three mechanisms described above: CAC security assessment, standard contract, or certification. (zu übersetzen)
The Future of Privacy Forum’s guidance for US higher education institutions (Zanfir-Fortuna 2020), while not directly applicable to the EU-China context, illustrates the complexity of international academic data flows. The report identifies ten compliance steps that international universities must address, including data mapping, legal basis identification, vendor management, and breach notification procedures — each of which must be adapted for both GDPR and PIPL requirements.
These challenges are not hypothetical. Sino-European joint programs have expanded significantly in recent decades. China hosts hundreds of Chinese-foreign cooperative education programs approved by the Ministry of Education, many of which involve European partner institutions. The EU’s Erasmus+ program supports academic exchanges with Chinese universities. The EU-China Tuning project has aligned degree structures across dozens of institutions. In each of these contexts, student data flows between jurisdictions are routine and necessary — yet the legal framework for these flows remains fragmented and uncertain.
A specific challenge arises in the context of student recruitment. European universities actively recruit Chinese students — China was the largest source country for international students in Europe before the pandemic and has largely regained that position. Under the PIPL, a European university that collects personal information from prospective Chinese students through online application portals, recruitment events in China, or agent partnerships is processing the personal information of Chinese residents and is therefore subject to the PIPL’s requirements, including the obligation to obtain consent in Chinese, to provide a privacy notice compliant with Chinese law, and to navigate the cross-border transfer framework for transmitting application data back to Europe. Few European universities have adapted their recruitment practices to meet these requirements.
For universities engaged in EU-China cooperation, we identify four practical strategies for managing dual compliance. First, data minimization at the point of transfer: sharing only the minimum data necessary for the joint program, using anonymized or pseudonymized data wherever possible. Second, architectural separation: maintaining separate data systems for EU and Chinese operations, with controlled interfaces for necessary data exchange. Third, contractual frameworks: developing bilateral data sharing agreements that explicitly address both GDPR and PIPL requirements, including provisions for data subject rights, breach notification, and data retention. Fourth, institutional capacity building: investing in staff training and data protection expertise that spans both regulatory frameworks.
8. The Readiness Gap
Despite the significance of these regulatory frameworks, empirical evidence suggests that universities in both jurisdictions face a substantial readiness gap. In the European context, the 7DOTS (2024) finding that 81 percent of UK universities fail GDPR compliance standards is consistent with the CMS Enforcement Tracker data showing persistent violations across 25 member states. The XL Law and Consulting analysis documents 45 GDPR enforcement actions against educational institutions, with an average fine of approximately EUR 32,600 — modest compared to the technology sector, but meaningful for institutions with constrained budgets (XL Law 2023).
XL Law and Consulting’s analysis of GDPR enforcement actions further reveals a sectoral pattern: educational institutions account for under 3 percent of all GDPR enforcement actions, with an average fine of approximately EUR 32,600 — compared to EUR 1.8 million across all sectors. Spain, Italy, and Poland are responsible for over 65 percent of enforcement actions against higher education institutions. Notably, self-reporting data breaches did not shield institutions from substantial fines, suggesting that proactive compliance efforts must go beyond incident response (XL Law 2023).
In the Chinese context, the readiness gap manifests differently. While the PIPL has been in force since November 2021, enforcement in the education sector has been less visible than in the technology and financial sectors. The emphasis has been on platform companies processing data at scale rather than on individual educational institutions. However, the Regulations on Network Data Security Management (effective January 2025) and the Certification Measures for cross-border transfers (effective January 2026) signal increasing regulatory attention to data governance practices across all sectors, including education.
The European Data Protection Board’s Opinion 28/2024, adopted in December 2024, addresses data protection aspects of AI model training and deployment, noting that GDPR applies to AI models trained on personal data because of their memorization capabilities (EDPB 2024). For universities developing or deploying AI-based educational tools, this opinion has significant implications: even AI models that do not store personal data in recognizable form may be subject to GDPR requirements if they can be prompted to produce personal information.
9. Recommendations for Universities
Based on our comparative analysis, we propose seven recommendations for universities seeking to navigate the overlapping requirements of GDPR and PIPL:
First, conduct a comprehensive data mapping exercise that identifies all personal data processing activities, their legal bases under both GDPR and PIPL, and all cross-border data flows. This mapping should cover not only formal academic processes but also ancillary systems: campus Wi-Fi analytics, library databases, career services platforms, and alumni management systems.
Second, establish a unified data governance framework that addresses both GDPR and PIPL requirements. While the two laws differ in their philosophical orientations, their practical requirements overlap substantially. A framework designed to meet the stricter of the two requirements in each area will generally achieve compliance with both.
Third, adopt a consent-plus model for learning analytics. Because the PIPL’s absence of a legitimate interests basis makes consent more central than under the GDPR, universities engaged in international cooperation should build consent mechanisms that meet PIPL standards — which will typically exceed GDPR requirements and thus satisfy both frameworks.
Fourth, implement privacy by design in educational technology procurement and development. Lachheb and colleagues’ (2023) framework for design ethics in educational technology provides a starting point, as does the EDPB’s guidance on AI and personal data. Procurement contracts should explicitly require vendors to demonstrate compliance with both GDPR and PIPL where applicable.
Fifth, invest in institutional capacity. The readiness gap documented by 7DOTS (2024) and CMS (2025) reflects not deliberate non-compliance but insufficient expertise and resources. Universities should designate data protection officers with specific expertise in educational data and international data flows, and provide regular training for faculty and administrative staff.
Sixth, develop bilateral data sharing agreements for joint programs with Chinese (or European) partner institutions. These agreements should go beyond standard contractual clauses to address the specific requirements of educational data: academic records, assessment data, learning analytics, and research data each present distinct compliance challenges.
Seventh, monitor regulatory developments actively. Both frameworks are evolving rapidly. The EU AI Act’s high-risk requirements for educational AI take full effect in August 2026. China’s cross-border data certification measures took effect in January 2026. The European Commission’s adequacy decisions and the CAC’s standard contract provisions are subject to revision. Universities that treat data protection as a one-time compliance exercise rather than an ongoing governance function will inevitably fall behind.
10. Conclusion
The comparison of GDPR and PIPL in the educational context reveals a paradox: two of the world’s most comprehensive data protection regimes, both claiming to protect individuals from the misuse of their personal data, diverge so fundamentally in their philosophical assumptions that compliance with one does not ensure compliance with the other. The GDPR’s emphasis on individual autonomy, independent oversight, and purpose limitation reflects European democratic traditions; the PIPL’s emphasis on state sovereignty, centralized enforcement, and national security reflects China’s distinct governance model. Neither system has demonstrably achieved adequate data protection in practice — European enforcement data documents widespread non-compliance, while Chinese enforcement in education remains nascent.
For universities, the practical challenge is to navigate these overlapping and sometimes conflicting requirements while maintaining the international cooperation that is essential to modern higher education. The dual compliance challenge is not merely a legal technicality; it reflects deeper questions about the role of data in education, the balance between institutional power and individual rights, and the possibility of meaningful privacy in an increasingly datafied learning environment.
The stakes of this challenge extend beyond legal compliance. Student data protection is ultimately about trust: students must trust that their universities will handle their personal information responsibly, that their academic records will not be used against them, that their learning behaviors will not be surveilled without their knowledge, and that their data will not be shared with parties they have not authorized. When universities fail to meet these expectations — whether through GDPR violations documented in the CMS enforcement data, through opaque learning analytics systems, or through proctoring technologies deployed without adequate consent — they erode the trust that is foundational to the educational relationship.
We have argued that neither the European nor the Chinese approach alone provides an adequate model. The GDPR’s emphasis on individual rights and independent oversight provides important protections against institutional overreach, but its complexity and enforcement gaps undermine its effectiveness. The PIPL’s centralized enforcement and clear compliance pathways offer practical advantages, but its subordination to state interests raises questions about the protection it affords against government surveillance. A synthesis that combines European rights-based principles with Chinese regulatory efficiency — or, more modestly, a set of practical guidelines that enables universities to satisfy both frameworks simultaneously — remains the most promising path forward. The recommendations proposed in this article represent an initial contribution to that synthesis, grounded in the specific data protection challenges that universities face in the era of digital education.
Acknowledgments
This research was conducted within the framework of the Jean Monnet Centre of Excellence “EUSC-DEC” (EU Grant 101126782, 2023–2026). The author thanks the members of Research Group 1 (Regulation of Digitalization in China and Europe) for their contributions to the comparative legal analysis.
References
7DOTS. (2024). Report: 81% of Universities at Risk of Fines Due to Failure to Safeguard Student Data. 7DOTS. Available at: https://www.7dots.com/our-insights/81-of-universities-at-risk-of-fines-due-to-failure-to-safeguard-student-data/
American Association of Collegiate Registrars and Admissions Officers (AACRAO). (2022). China’s Personal Information Protection Law (PIPL). AACRAO. Available at: https://www.aacrao.org/advocacy/compliance/
Blackmon, S. J. & Major, C. H. (2023). Inclusion or infringement? A systematic research review of students’ perspectives on student privacy in technology-enhanced, hybrid and online courses. British Journal of Educational Technology, 54(6), 1542–1565. DOI: 10.1111/bjet.13362
CMS Law. (2025). GDPR Enforcement Tracker Report 2024/2025: Public Sector and Education. CMS International Law Firm. Available at: https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/public-sector-and-education
CMS Law-Now. (2025). China issues Measures for the Certification of the Cross-Border Transfer of Personal Information. CMS e-Alert, November 2025. Available at: https://cms-lawnow.com/en/ealerts/2025/11/
DataGuidance. (2022). Comparing Privacy Laws: GDPR v. PIPL. DataGuidance. Available at: https://www.dataguidance.com/sites/default/files/gdpr_v_pipl_.pdf
European Data Protection Board (EDPB). (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Adopted 17 December 2024. Available at: https://www.edpb.europa.eu/
European Parliament and Council. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series.
Fernandez-Novel Escobar, E. (2025). How do the European Union’s GDPR and China’s PIPL regulate cross-border data flows? International Policy Review, IE University, 27 January 2025.
Garante per la protezione dei dati personali (Italy). (2021). Decision 9703988 — Fine against Università Commerciale Luigi Bocconi, 16 September 2021. Reported by EDPB. Available at: https://edpb.europa.eu/
Giuffrida, I. & Hall, A. (2023). Technology integration in higher education and student privacy beyond learning environments — A comparison of the UK and US perspective. British Journal of Educational Technology, 54(6), 1587–1603. DOI: 10.1111/bjet.13375
International Association of Privacy Professionals (IAPP). (2021). Analyzing China’s PIPL and how it compares to the EU’s GDPR. IAPP. Available at: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr
Kumi-Yeboah, A., Kim, Y., Yankson, B., Aikins, S. & Dadson, Y. A. (2023). Diverse students’ perspectives on privacy and technology integration in higher education. British Journal of Educational Technology, 54(6), 1671–1692. DOI: 10.1111/bjet.13386
Lachheb, A. et al. (2023). The role of design ethics in maintaining students’ privacy: A call to action to learning designers in higher education. British Journal of Educational Technology, 54(6), 1653–1670. DOI: 10.1111/bjet.13382
Li, W. & Chen, J. (2024). From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China. Computer Law and Security Review, 54, 105994. DOI: 10.1016/j.clsr.2024.105994
Lim, S. & Oh, J. (2025). Navigating Privacy: A Global Comparative Analysis of Data Protection Laws. IET Information Security, 2025(1). DOI: 10.1049/ise2/5536763
Liu, Q. & Khalil, M. (2023). Understanding privacy and data protection issues in learning analytics using a systematic review. British Journal of Educational Technology, 54(6), 1466–1485. DOI: 10.1111/bjet.13388
Liu, Q., Khalil, M., Shakya, R., Jovanovic, J. & de la Hoz-Ruiz, J. (2025). Ensuring privacy through synthetic data generation in education. British Journal of Educational Technology. DOI: 10.1111/bjet.13576
MIT Office of General Counsel. (2022). China and the PIPL: New Protections and Rights for Personal Information. MIT. Available at: https://ogc.mit.edu/latest/china-and-pipl-new-protections-and-rights-personal-information
Prinsloo, P., Slade, S. & Khalil, M. (2022). The answer is (not only) technological: Considering student data privacy in learning analytics. British Journal of Educational Technology, 53(4), 876–893. DOI: 10.1111/bjet.13216
Rockefeller Institute of Government. (2025). The European AI Act and Its Implications for New York State Higher Education. November 2025. Available at: https://rockinst.org/
State Council of the People’s Republic of China. (2024). Regulations on Network Data Security Management (effective 1 January 2025). Published 30 September 2024.
XL Law and Consulting. (2023). GDPR Enforcement Actions: Lessons Learned for Colleges and Universities. XL Law and Consulting. Available at: https://www.xllawconsulting.com/
Xue, Y., Chinapah, V., & Zhu, C. (2025). A Comparative Analysis of AI Privacy Concerns in Higher Education: News Coverage in China and Western Countries. Education Sciences, 15(6), 650. DOI: 10.3390/educsci15060650
Zanfir-Fortuna, G. (2020). The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions. Future of Privacy Forum. Available at: https://fpf.org/blog/gdprhighered/
Zhang, L. & Kollnig, K. (2024). Theory and practice: the protection of children’s personal information in China. International Data Privacy Law, 14(1), 37–52. DOI: 10.1093/idpl/ipad017
Zhu, J. (2022). The Personal Information Protection Law: China’s Version of the GDPR? Columbia Journal of Transnational Law: The Bulletin. Available at: https://www.jtl.columbia.edu/
Part II: Teaching and Learning in Transformation