Difference between revisions of "Rethinking Higher Education/Chapter 3/en-zh"

From China Studies Wiki
(wikicaptcha)
(wikicaptcha)
 
Line 26: Line 26:
 
|-
 
|-
 
| style="background:#eef;" | '''Martin Woesler'''
 
| style="background:#eef;" | '''Martin Woesler'''
| ''(zu übersetzen)''
+
| ''Martin Woesler''
 
|-
 
|-
 
| style="background:#eef;" | ''''''Abstract''''''
 
| style="background:#eef;" | ''''''Abstract''''''
| ''“摘要”''
+
| ''摘要''
 
|-
 
|-
 
| style="background:#eef;" | '''The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world’s most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union‘s General Data Protection Regulation (GDPR, effective 2018) and China‘s Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.'''
 
| style="background:#eef;" | '''The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world’s most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union‘s General Data Protection Regulation (GDPR, effective 2018) and China‘s Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.'''
Line 53: Line 53:
 
|-
 
|-
 
| style="background:#eef;" | ''''''2. The GDPR Framework for Education''''''
 
| style="background:#eef;" | ''''''2. The GDPR Framework for Education''''''
| ''2.“GDPR教育框架”''
+
| ''2.GDPR教育框架''
 
|-
 
|-
 
| style="background:#eef;" | ''''''2.1 Legal Bases for Student Data Processing''''''
 
| style="background:#eef;" | ''''''2.1 Legal Bases for Student Data Processing''''''
| ''2.1学生数据处理的法律基础”''
+
| ''2.1学生数据处理的法律基础''
 
|-
 
|-
 
| style="background:#eef;" | '''The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent.'''
 
| style="background:#eef;" | '''The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent.'''
Line 113: Line 113:
 
|-
 
|-
 
| style="background:#eef;" | '''The practical implications for international academic cooperation are significant. As the MIT Office of General Counsel (2022) has noted, the PIPL is triggered whenever an institution obtains admissions applications from Chinese citizens residing in China, conducts recruitment activities there, offers online courses accessible to Chinese residents, performs human-subjects research using Chinese residents’ data, or collaborates with Chinese academic institutions that share student data. The American Association of Collegiate Registrars and Admissions Officers (AACRAO 2022) has published specific compliance guidance for admissions and registrar offices, reflecting the growing awareness that routine international student recruitment now carries data protection obligations under both GDPR and PIPL.'''
 
| style="background:#eef;" | '''The practical implications for international academic cooperation are significant. As the MIT Office of General Counsel (2022) has noted, the PIPL is triggered whenever an institution obtains admissions applications from Chinese citizens residing in China, conducts recruitment activities there, offers online courses accessible to Chinese residents, performs human-subjects research using Chinese residents’ data, or collaborates with Chinese academic institutions that share student data. The American Association of Collegiate Registrars and Admissions Officers (AACRAO 2022) has published specific compliance guidance for admissions and registrar offices, reflecting the growing awareness that routine international student recruitment now carries data protection obligations under both GDPR and PIPL.'''
| ''(zu übersetzen)''
+
| ''国际学术合作的实际意义是重大的。正如麻省理工学院总法律顾问办公室(2022)所指出的,每当一个机构获得居住在中国的中国公民的入学申请,在中国开展招聘活动,提供中国居民可以访问的在线课程,使用中国居民的数据进行人体研究,或与分享学生数据的中国学术机构合作,就会触发PIPL。美国大学注册和招生官员协会(AACRAO 2022)发布了针对招生和注册办公室的具体合规指南,反映出越来越多的人意识到,根据GDPR和PIPL的规定,常规的国际学生招聘现在都负有数据保护义务。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''4. Systematic Comparison''''''
 
| style="background:#eef;" | ''''''4. Systematic Comparison''''''
| ''(zu übersetzen)''
+
| ''4.系统比较''
 
|-
 
|-
 
| style="background:#eef;" | ''''''4.1 Philosophical Foundations''''''
 
| style="background:#eef;" | ''''''4.1 Philosophical Foundations''''''
| ''(zu übersetzen)''
+
| ''4.1哲学基础''
 
|-
 
|-
 
| style="background:#eef;" | '''The most fundamental difference between GDPR and PIPL lies not in their technical provisions but in their philosophical orientations. The GDPR emerges from a tradition of individual rights protection, rooted in the European Convention on Human Rights and the EU Charter of Fundamental Rights. Its core assumption is that personal data protection is a fundamental right of the individual, which can be limited only under specified conditions and subject to proportionality review. Li and Chen (2024), in their analysis of the „Brussels Effect„ on Chinese data protection law, introduce a „gravity assist“ model: while the GDPR’s structural influence on the PIPL is evident, China‘s adoption reflects not convergence but strategic adaptation to its distinct political, cultural, and legal context.'''
 
| style="background:#eef;" | '''The most fundamental difference between GDPR and PIPL lies not in their technical provisions but in their philosophical orientations. The GDPR emerges from a tradition of individual rights protection, rooted in the European Convention on Human Rights and the EU Charter of Fundamental Rights. Its core assumption is that personal data protection is a fundamental right of the individual, which can be limited only under specified conditions and subject to proportionality review. Li and Chen (2024), in their analysis of the „Brussels Effect„ on Chinese data protection law, introduce a „gravity assist“ model: while the GDPR’s structural influence on the PIPL is evident, China‘s adoption reflects not convergence but strategic adaptation to its distinct political, cultural, and legal context.'''
| ''(zu übersetzen)''
+
| ''GDPR和PIPL之间最根本的区别不在于它们的技术条款,而在于它们的哲学取向。GDPR有保护个人权利的传统,这一传统植根于《欧洲人权公约》和《欧盟基本权利宪章》。其核心假设是,个人数据保护是个人的一项基本权利,只能在特定条件下加以限制,并接受相称性审查。李和陈(2024)在分析中国数据保护法的“布鲁塞尔效应”时,引入了一个“引力辅助”模型:虽然对的结构性影响显而易见,但中国的采用反映的不是趋同,而是对其独特的政治、文化和法律环境的战略适应。''
 
|-
 
|-
 
| style="background:#eef;" | '''The PIPL, by contrast, reflects what Lim and Oh (2025) describe as a „state sovereignty“ orientation. The law serves multiple objectives simultaneously: protecting individual privacy, certainly, but also safeguarding national security, promoting the digital economy, and maintaining social stability. The law’s enforcement is centralized under the CAC, which is simultaneously responsible for internet censorship, cybersecurity, and data governance — a combination that would be impermissible under the GDPR’s requirement for independent supervisory authorities (Article 52).'''
 
| style="background:#eef;" | '''The PIPL, by contrast, reflects what Lim and Oh (2025) describe as a „state sovereignty“ orientation. The law serves multiple objectives simultaneously: protecting individual privacy, certainly, but also safeguarding national security, promoting the digital economy, and maintaining social stability. The law’s enforcement is centralized under the CAC, which is simultaneously responsible for internet censorship, cybersecurity, and data governance — a combination that would be impermissible under the GDPR’s requirement for independent supervisory authorities (Article 52).'''
| ''(zu übersetzen)''
+
| ''相比之下,PIPL反映了Lim和Oh (2025)所描述的“国家主权”取向。这部法律同时服务于多个目标:保护个人隐私,当然,也保护国家安全,促进数字经济,维护社会稳定。该法律的执行由反腐败委员会集中负责,该委员会同时负责互联网审查、网络安全和数据治理——根据GDPR对独立监督机构的要求(第52条),这种结合是不允许的。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''4.2 Structural Differences''''''
 
| style="background:#eef;" | ''''''4.2 Structural Differences''''''
| ''(zu übersetzen)''
+
| ''4.2结构差异''
 
|-
 
|-
 
| style="background:#eef;" | '''Several structural differences have direct implications for universities:'''
 
| style="background:#eef;" | '''Several structural differences have direct implications for universities:'''
| ''(zu übersetzen)''
+
| ''几个结构性差异对大学有直接影响:''
 
|-
 
|-
 
| style="background:#eef;" | '''Consent. The GDPR recognizes six lawful bases for processing; the PIPL’s absence of a „legitimate interests“ basis makes consent more central, particularly for educational data processing that goes beyond contractual necessity. The PIPL additionally requires separate consent for cross-border transfers (Article 39) and for processing sensitive personal information (Article 29).'''
 
| style="background:#eef;" | '''Consent. The GDPR recognizes six lawful bases for processing; the PIPL’s absence of a „legitimate interests“ basis makes consent more central, particularly for educational data processing that goes beyond contractual necessity. The PIPL additionally requires separate consent for cross-border transfers (Article 39) and for processing sensitive personal information (Article 29).'''
| ''(zu übersetzen)''
+
| ''同意。GDPR承认六个合法的处理依据;PIPL缺乏“合法利益”基础,这使得同意更加重要,特别是对于超出合同必要性的教育数据处理。PIPL还要求跨境转移(第39条)和处理敏感个人信息(第29条)需要单独同意。''
 
|-
 
|-
 
| style="background:#eef;" | '''Penalties. The GDPR imposes maximum fines of EUR 20 million or 4 percent of global annual turnover, whichever is greater. The PIPL imposes maximum fines of RMB 50 million (approximately EUR 6.4 million) or 5 percent of the previous year’s annual revenue for grave violations, plus potential personal liability for responsible individuals — a feature without direct GDPR equivalent (IAPP 2021; DataGuidance 2022).'''
 
| style="background:#eef;" | '''Penalties. The GDPR imposes maximum fines of EUR 20 million or 4 percent of global annual turnover, whichever is greater. The PIPL imposes maximum fines of RMB 50 million (approximately EUR 6.4 million) or 5 percent of the previous year’s annual revenue for grave violations, plus potential personal liability for responsible individuals — a feature without direct GDPR equivalent (IAPP 2021; DataGuidance 2022).'''
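Review bot: In the added translation of the "state sovereignty" paragraph, "CAC" is rendered as 反腐败委员会 (an anti-corruption commission), which does not match the body the English cell describes as responsible for internet censorship, cybersecurity, and data governance; keep the acronym "CAC" or use the regulator's official Chinese name. In the added 4.1 paragraph, "虽然对的结构性影响显而易见" has lost both acronyms from "the GDPR's structural influence on the PIPL"; restore them, e.g. "虽然GDPR对PIPL的结构性影响显而易见".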
Line 140: Line 140:
 
|-
 
|-
 
| style="background:#eef;" | '''Enforcement. The GDPR’s enforcement is decentralized across national data protection authorities, with coordination through the European Data Protection Board. The PIPL’s enforcement is centralized under the CAC, with additional sector-specific oversight from the Ministry of Education for educational institutions. The GDPR requires supervisory authorities to be independent; the PIPL imposes no such requirement.'''
 
| style="background:#eef;" | '''Enforcement. The GDPR’s enforcement is decentralized across national data protection authorities, with coordination through the European Data Protection Board. The PIPL’s enforcement is centralized under the CAC, with additional sector-specific oversight from the Ministry of Education for educational institutions. The GDPR requires supervisory authorities to be independent; the PIPL imposes no such requirement.'''
| ''(zu übersetzen)''
+
| ''强制执行。在欧洲数据保护委员会的协调下,GDPR的执法工作分散在各个国家数据保护机构。PIPL的执法工作集中在反腐败委员会之下,教育部对教育机构进行额外的具体部门监督。GDPR要求监管机构独立;PIPL没有提出这样的要求。''
 
|-
 
|-
 
| style="background:#eef;" | '''Cross-border transfers. The GDPR permits transfers to countries with „adequate“ data protection (adequacy decisions), or through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PIPL offers security assessment, standard contracts, and certification, but does not employ an adequacy mechanism — there is no list of „safe“ countries to which data may flow freely (Fernandez-Novel Escobar 2025).'''
 
| style="background:#eef;" | '''Cross-border transfers. The GDPR permits transfers to countries with „adequate“ data protection (adequacy decisions), or through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PIPL offers security assessment, standard contracts, and certification, but does not employ an adequacy mechanism — there is no list of „safe“ countries to which data may flow freely (Fernandez-Novel Escobar 2025).'''
| ''(zu übersetzen)''
+
| ''跨境转移。GDPR允许向数据保护“充分”的国家/地区(充分性决定),或通过标准合同条款(SCC)和有约束力的公司规则(bcr)进行转让。PIPL提供安全评估、标准合同和认证,但没有采用充分性机制——没有数据可以自由流动的“安全”国家的列表(Fernandez-Novel Escobar 2025)。''
 
|-
 
|-
 
| style="background:#eef;" | '''Data subject rights. Both frameworks provide broadly similar individual rights: access, correction, deletion, and portability. The PIPL additionally grants next-of-kin the right to exercise deceased persons’ data rights — a provision with potential relevance for universities managing the records of deceased students (DataGuidance 2022). The PIPL also includes a broader definition of „sensitive personal information“ that encompasses financial data, location data, and biometric information alongside the categories recognized by the GDPR.'''
 
| style="background:#eef;" | '''Data subject rights. Both frameworks provide broadly similar individual rights: access, correction, deletion, and portability. The PIPL additionally grants next-of-kin the right to exercise deceased persons’ data rights — a provision with potential relevance for universities managing the records of deceased students (DataGuidance 2022). The PIPL also includes a broader definition of „sensitive personal information“ that encompasses financial data, location data, and biometric information alongside the categories recognized by the GDPR.'''
| ''(zu übersetzen)''
+
| ''数据主体权利。两个框架都提供了大体相似的个人权利:访问、修改、删除和可移植性。PIPL还授予近亲行使死者数据权的权利——这一规定可能与管理已故学生记录的大学有关(数据指导2022)。PIPL还包括“敏感个人信息”的更广泛定义,除了GDPR认可的类别外,还包括财务数据、位置数据和生物识别信息。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''4.3 Convergence and Divergence''''''
 
| style="background:#eef;" | ''''''4.3 Convergence and Divergence''''''
| ''(zu übersetzen)''
+
| ''4.3趋同与趋异''
 
|-
 
|-
 
| style="background:#eef;" | '''Despite these differences, the two frameworks converge in important ways. Both require data protection impact assessments for high-risk processing. Both impose transparency obligations requiring clear, accessible privacy notices. Both provide for data portability — the right to receive one’s personal data in a structured, machine-readable format. Both establish extraterritorial scope, applying to entities outside their jurisdiction that process the data of their residents. And both impose requirements for data breach notification, though with different timelines: 72 hours under the GDPR (Article 33), versus an unspecified but prompt timeframe under the PIPL.'''
 
| style="background:#eef;" | '''Despite these differences, the two frameworks converge in important ways. Both require data protection impact assessments for high-risk processing. Both impose transparency obligations requiring clear, accessible privacy notices. Both provide for data portability — the right to receive one’s personal data in a structured, machine-readable format. Both establish extraterritorial scope, applying to entities outside their jurisdiction that process the data of their residents. And both impose requirements for data breach notification, though with different timelines: 72 hours under the GDPR (Article 33), versus an unspecified but prompt timeframe under the PIPL.'''
| ''(zu übersetzen)''
+
| ''尽管存在这些差异,但这两个框架在一些重要方面有所融合。两者都要求对高风险处理进行数据保护影响评估。两者都规定了透明度义务,要求清晰、易获取的隐私声明。两者都提供了数据可移植性——以结构化的、机器可读的格式接收个人数据的权利。两者都确立了治外法权的范围,适用于在其管辖范围之外处理其居民数据的实体。两者都规定了数据泄露通知的要求,尽管有不同的时间表:GDPR的72小时(第33条),而PIPL的时间表不明确但很快。''
 
|-
 
|-
 
| style="background:#eef;" | '''The pattern that emerges is convergence at the level of principles — both systems recognize that personal data deserves protection, that individuals should have rights over their data, and that organizations must be held accountable for their processing activities — with significant divergence at the level of implementation, philosophical justification, and enforcement culture. As Solove (2022) observes, the PIPL is often described as „China‘s GDPR,“ but this characterization obscures important structural differences that have direct practical consequences for organizations operating under both regimes.'''
 
| style="background:#eef;" | '''The pattern that emerges is convergence at the level of principles — both systems recognize that personal data deserves protection, that individuals should have rights over their data, and that organizations must be held accountable for their processing activities — with significant divergence at the level of implementation, philosophical justification, and enforcement culture. As Solove (2022) observes, the PIPL is often described as „China‘s GDPR,“ but this characterization obscures important structural differences that have direct practical consequences for organizations operating under both regimes.'''
| ''(zu übersetzen)''
+
| ''出现的模式是原则层面的趋同——两个系统都承认个人数据值得保护,个人应该对其数据拥有权利,组织必须对其处理活动负责——但在实施、哲学论证和执行文化层面存在显著差异。正如Solove (2022)所观察到的,PIPL经常被描述为“中国的GDPR”,但这种描述掩盖了重要的结构差异,而这些差异对在两种制度下运营的组织具有直接的实际影响。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''5. Learning Analytics: The Critical Test Case''''''
 
| style="background:#eef;" | ''''''5. Learning Analytics: The Critical Test Case''''''
| ''(zu übersetzen)''
+
| ''5.学习分析:关键测试案例''
 
|-
 
|-
 
| style="background:#eef;" | '''Learning analytics represents the domain where the tension between data protection and educational innovation is most acute. Universities increasingly deploy predictive analytics systems that use historical student data to identify students at risk of failure, recommend interventions, and personalize learning pathways. These systems require the processing of large volumes of student data — often aggregated from multiple sources and analyzed using machine learning algorithms — in ways that challenge the fundamental principles of both GDPR and PIPL.'''
 
| style="background:#eef;" | '''Learning analytics represents the domain where the tension between data protection and educational innovation is most acute. Universities increasingly deploy predictive analytics systems that use historical student data to identify students at risk of failure, recommend interventions, and personalize learning pathways. These systems require the processing of large volumes of student data — often aggregated from multiple sources and analyzed using machine learning algorithms — in ways that challenge the fundamental principles of both GDPR and PIPL.'''
| ''(zu übersetzen)''
+
| ''学习分析代表了数据保护和教育创新之间矛盾最尖锐的领域。大学越来越多地部署预测分析系统,这些系统使用历史学生数据来识别有失败风险的学生,推荐干预措施,并个性化学习途径。这些系统需要处理大量的学生数据——通常是从多个来源汇总的,并使用机器学习算法进行分析——其方式挑战了GDPR和PIPL的基本原则。''
 
|-
 
|-
 
| style="background:#eef;" | '''Under the GDPR, learning analytics systems face challenges on multiple fronts. Purpose limitation (Article 5(1)(b)) requires that data be collected for specified, explicit purposes and not further processed in a manner incompatible with those purposes. But the value of learning analytics often depends on precisely this kind of repurposing: data collected for course administration is analyzed for patterns that inform institutional strategy. Data minimization (Article 5(1)(c)) requires that only data adequate, relevant, and limited to what is necessary be processed — yet predictive models typically perform better with more data, creating a structural incentive toward maximal collection. Transparency (Articles 13-14) requires that individuals be informed about automated decision-making — but the complexity of machine learning models often makes meaningful explanation difficult.'''
 
| style="background:#eef;" | '''Under the GDPR, learning analytics systems face challenges on multiple fronts. Purpose limitation (Article 5(1)(b)) requires that data be collected for specified, explicit purposes and not further processed in a manner incompatible with those purposes. But the value of learning analytics often depends on precisely this kind of repurposing: data collected for course administration is analyzed for patterns that inform institutional strategy. Data minimization (Article 5(1)(c)) requires that only data adequate, relevant, and limited to what is necessary be processed — yet predictive models typically perform better with more data, creating a structural incentive toward maximal collection. Transparency (Articles 13-14) requires that individuals be informed about automated decision-making — but the complexity of machine learning models often makes meaningful explanation difficult.'''
| ''(zu übersetzen)''
+
| ''在GDPR下,学习分析系统面临着多方面的挑战。目的限制(第5条第1款(b)项)要求为具体、明确的目的收集数据,并且不以不符合这些目的的方式进一步处理数据。但学习分析的价值往往恰恰取决于这种再利用:为课程管理收集的数据被分析,以获得告知机构战略的模式。数据最小化(第5(1)(c)条)要求只处理足够的、相关的数据,并且仅限于必要的数据——然而,预测模型通常在数据越多的情况下表现越好,这为最大限度地收集数据创造了结构性激励。透明度(第13-14条)要求个人被告知自动化决策——但机器学习模型的复杂性往往使有意义的解释变得困难。''
 
|-
 
|-
 
| style="background:#eef;" | '''Under the PIPL, learning analytics faces additional challenges. The absence of a legitimate interests basis means that universities must typically rely on consent for analytics that go beyond direct educational delivery. The requirement for separate consent for processing sensitive information (Article 29) may be triggered by analytics that process academic performance data in ways that reveal protected characteristics. And the data localization requirements mean that analytics platforms operated by international providers must navigate complex cross-border transfer rules.'''
 
| style="background:#eef;" | '''Under the PIPL, learning analytics faces additional challenges. The absence of a legitimate interests basis means that universities must typically rely on consent for analytics that go beyond direct educational delivery. The requirement for separate consent for processing sensitive information (Article 29) may be triggered by analytics that process academic performance data in ways that reveal protected characteristics. And the data localization requirements mean that analytics platforms operated by international providers must navigate complex cross-border transfer rules.'''
| ''(zu übersetzen)''
+
| ''在PIPL下,学习分析面临额外的挑战。缺乏合法的利益基础意味着大学通常必须依赖同意进行超出直接教育交付范围的分析。对处理敏感信息的单独同意的要求(第29条)可能由以揭示受保护特征的方式处理学业成绩数据的分析所触发。数据本地化要求意味着由国际提供商运营的分析平台必须遵循复杂的跨境传输规则。''
 
|-
 
|-
 
| style="background:#eef;" | '''Xue and colleagues (2025), in an analysis of AI privacy concerns in higher education across Chinese and English-language media, found that while both contexts identify AI-driven proctoring, student data security, and institutional governance as central concerns, the emphasis differs: Western coverage foregrounds individual privacy rights, while Chinese coverage more frequently addresses the relationship between AI-driven educational innovation and institutional governance. This divergence mirrors the broader philosophical difference between the two regulatory frameworks.'''
 
| style="background:#eef;" | '''Xue and colleagues (2025), in an analysis of AI privacy concerns in higher education across Chinese and English-language media, found that while both contexts identify AI-driven proctoring, student data security, and institutional governance as central concerns, the emphasis differs: Western coverage foregrounds individual privacy rights, while Chinese coverage more frequently addresses the relationship between AI-driven educational innovation and institutional governance. This divergence mirrors the broader philosophical difference between the two regulatory frameworks.'''
| ''(zu übersetzen)''
+
| ''薛和他的同事(2025)在分析中英文媒体对高等教育中人工智能隐私的关注时发现,尽管两种背景都将人工智能驱动的监考、学生数据安全和机构治理确定为主要关注点,但侧重点有所不同:西方的报道强调个人隐私权利,而中国的报道更频繁地讨论人工智能驱动的教育创新和机构治理之间的关系。这种分歧反映了两种监管框架之间更广泛的哲学差异。''
 
|-
 
|-
 
| style="background:#eef;" | '''Lachheb and colleagues (2023) argue that maintaining student privacy in educational technology requires attention not only to policy and law but to design ethics — the principles embedded in the technological systems themselves. They propose a framework to help instructional designers evaluate whether design patterns unintentionally undermine learner agency, suggesting that compliance with either GDPR or PIPL requires intervention at the design stage, not merely at the policy level. Liu, Khalil, and colleagues (2025) explore synthetic data generation with differential privacy mechanisms as a technical approach to this challenge, enabling learning analytics research without exposing individual student records.'''
 
| style="background:#eef;" | '''Lachheb and colleagues (2023) argue that maintaining student privacy in educational technology requires attention not only to policy and law but to design ethics — the principles embedded in the technological systems themselves. They propose a framework to help instructional designers evaluate whether design patterns unintentionally undermine learner agency, suggesting that compliance with either GDPR or PIPL requires intervention at the design stage, not merely at the policy level. Liu, Khalil, and colleagues (2025) explore synthetic data generation with differential privacy mechanisms as a technical approach to this challenge, enabling learning analytics research without exposing individual student records.'''
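Review bot: The added Enforcement row again renders "CAC" as 反腐败委员会, so the Chinese cell says enforcement is centralized under an anti-corruption commission, which is not what the English cell says; keep "CAC" or use the regulator's official Chinese name, and apply the same choice to every row. Two smaller points in this hunk: "(bcr)" in the Cross-border transfers row should be "(BCR)" to match "(SCC)", and the citation "DataGuidance 2022" becomes "数据指导2022" in the Data subject rights row while "Fernandez-Novel Escobar 2025" and "Solove (2022)" are left in the original; leave source names untranslated so readers can match them to the reference list.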
Line 176: Line 176:
 
|-
 
|-
 
| style="background:#eef;" | ''''''6. AI-Driven Assessment and Proctoring''''''
 
| style="background:#eef;" | ''''''6. AI-Driven Assessment and Proctoring''''''
| ''(zu übersetzen)''
+
| ''6.人工智能驱动的评估和监督''
 
|-
 
|-
 
| style="background:#eef;" | '''The EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024, adds a further regulatory layer for European universities. The Act classifies AI systems used for educational assessment and proctoring as „high-risk“ under Annex III, Section 3, requiring conformity assessments, human oversight, and technical documentation. Article 5(1)(f) prohibits emotion recognition systems in educational settings (European Parliament and Council 2024).'''
 
| style="background:#eef;" | '''The EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024, adds a further regulatory layer for European universities. The Act classifies AI systems used for educational assessment and proctoring as „high-risk“ under Annex III, Section 3, requiring conformity assessments, human oversight, and technical documentation. Article 5(1)(f) prohibits emotion recognition systems in educational settings (European Parliament and Council 2024).'''
| ''(zu übersetzen)''
+
| ''2024年8月1日生效的欧盟AI法案(第2024/1689号条例)为欧洲大学增加了又一个监管层。该法案将用于教育评估和监考的人工智能系统归类为附件III第3节下的“高风险”系统,要求符合性评估、人工监督和技术文档。第5(1)(f)条禁止在教育环境中使用情绪识别系统(欧洲议会和理事会,2024年)。''
 
|-
 
|-
 
| style="background:#eef;" | '''The interaction between the AI Act and GDPR creates a layered compliance obligation: universities deploying AI-powered assessment tools must satisfy both the AI Act’s requirements for high-risk systems and the GDPR’s requirements for lawful data processing. The Bocconi University case demonstrates the consequences of failing to meet the latter; the AI Act will add additional requirements from August 2026 onward. A 2025 report by the Rockefeller Institute of Government recommends that universities map their AI use cases against the Act’s risk categories as a first step toward compliance, citing the governance models developed by Utrecht University and the University of Edinburgh as reference frameworks (Rockefeller Institute 2025).'''
 
| style="background:#eef;" | '''The interaction between the AI Act and GDPR creates a layered compliance obligation: universities deploying AI-powered assessment tools must satisfy both the AI Act’s requirements for high-risk systems and the GDPR’s requirements for lawful data processing. The Bocconi University case demonstrates the consequences of failing to meet the latter; the AI Act will add additional requirements from August 2026 onward. A 2025 report by the Rockefeller Institute of Government recommends that universities map their AI use cases against the Act’s risk categories as a first step toward compliance, citing the governance models developed by Utrecht University and the University of Edinburgh as reference frameworks (Rockefeller Institute 2025).'''
| ''(zu übersetzen)''
+
| ''人工智能法案和GDPR之间的相互作用产生了一个分层的合规义务:部署人工智能评估工具的大学必须满足人工智能法案对高风险系统的要求和GDPR对合法数据处理的要求。博科尼大学的案例表明了不满足后者的后果;AI法案将从2026年8月起增加额外的要求。洛克菲勒政府研究所(Rockefeller Institute of Government)2025年的一份报告建议,大学根据该法案的风险类别绘制其人工智能用例,作为实现合规的第一步,引用乌得勒支大学和爱丁堡大学开发的治理模型作为参考框架(洛克菲勒研究所2025)。''
 
|-
 
|-
 
| style="background:#eef;" | '''China‘s approach to AI in educational assessment reflects its sector-specific regulatory philosophy. Rather than a single comprehensive AI law, China governs educational AI through a combination of the 2023 Interim Measures for Generative AI Services, the PIPL’s provisions for automated decision-making, and Ministry of Education directives. The use of AI proctoring and surveillance technologies in Chinese universities, while subject to PIPL consent requirements, does not face the categorical restrictions imposed by the EU AI Act‘s emotion recognition ban. This regulatory asymmetry has practical implications for technology companies developing educational assessment tools for both markets: systems designed for China may include features that are prohibited in the EU, and vice versa.'''
 
| style="background:#eef;" | '''China‘s approach to AI in educational assessment reflects its sector-specific regulatory philosophy. Rather than a single comprehensive AI law, China governs educational AI through a combination of the 2023 Interim Measures for Generative AI Services, the PIPL’s provisions for automated decision-making, and Ministry of Education directives. The use of AI proctoring and surveillance technologies in Chinese universities, while subject to PIPL consent requirements, does not face the categorical restrictions imposed by the EU AI Act‘s emotion recognition ban. This regulatory asymmetry has practical implications for technology companies developing educational assessment tools for both markets: systems designed for China may include features that are prohibited in the EU, and vice versa.'''
| ''(zu übersetzen)''
+
| ''中国在教育评估中对人工智能的做法反映了其特定部门的监管理念。中国不是单一的综合人工智能法律,而是通过结合2023年生成性人工智能服务暂行办法、PIPL自动决策规定和教育部指令来管理教育人工智能。在中国大学使用人工智能监考和监控技术,虽然需要得到PIPL的同意,但不会面临欧盟人工智能法案情感识别禁令的明确限制。这种监管不对称对为两个市场开发教育评估工具的科技公司具有实际影响:为中国设计的系统可能包含在欧盟被禁止的功能,反之亦然。''
 
|-
 
|-
 
| style="background:#eef;" | '''The Bocconi case illustrates a broader tension. Remote proctoring systems — which typically capture webcam footage, track eye movements, monitor keyboard and mouse activity, and may use facial recognition to verify identity — process categories of data that trigger the GDPR’s most stringent requirements: biometric data (Article 9), automated decision-making (Article 22), and profiling. Under the PIPL, biometric information is classified as sensitive personal information requiring separate consent (Article 28), but there is no categorical prohibition comparable to the AI Act’s emotion recognition ban. The result is a regulatory landscape where the same technology may be lawful in one jurisdiction and prohibited in the other, depending on its specific capabilities and the legal basis invoked.'''
 
| style="background:#eef;" | '''The Bocconi case illustrates a broader tension. Remote proctoring systems — which typically capture webcam footage, track eye movements, monitor keyboard and mouse activity, and may use facial recognition to verify identity — process categories of data that trigger the GDPR’s most stringent requirements: biometric data (Article 9), automated decision-making (Article 22), and profiling. Under the PIPL, biometric information is classified as sensitive personal information requiring separate consent (Article 28), but there is no categorical prohibition comparable to the AI Act’s emotion recognition ban. The result is a regulatory landscape where the same technology may be lawful in one jurisdiction and prohibited in the other, depending on its specific capabilities and the legal basis invoked.'''
| ''(zu übersetzen)''
+
| ''博科尼的案例反映了一种更广泛的紧张关系。远程监督系统通常会捕捉网络摄像机镜头,跟踪眼球运动,监控键盘和鼠标活动,并可能使用面部识别来验证身份,处理触发GDPR最严格要求的数据类别:生物特征数据(第9条),自动决策(第22条)和特征分析。根据《PIPL 》,生物特征信息被归类为需要单独同意的敏感个人信息(第28条),但没有类似于《人工智能法》情感识别禁令的明确禁止。其结果是出现了这样一种监管格局:同一种技术在一个管辖区可能是合法的,而在另一个管辖区可能是被禁止的,这取决于其具体能力和援引的法律依据。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''7. Joint EU-China Programs: Dual Compliance in Practice''''''
 
| style="background:#eef;" | ''''''7. Joint EU-China Programs: Dual Compliance in Practice''''''
| ''(zu übersetzen)''
+
| ''7.EU-中国联合项目:实践中的双重合规''
 
|-
 
|-
 
| style="background:#eef;" | '''The most acute compliance challenges arise in joint EU-China academic programs, where student data routinely crosses jurisdictional boundaries. A European university offering a joint degree with a Chinese partner institution must transfer enrollment data, academic records, and potentially learning analytics data between the two institutions — transfers that must comply simultaneously with the GDPR’s requirements for international data transfer and the PIPL’s cross-border transfer provisions.'''
 
| style="background:#eef;" | '''The most acute compliance challenges arise in joint EU-China academic programs, where student data routinely crosses jurisdictional boundaries. A European university offering a joint degree with a Chinese partner institution must transfer enrollment data, academic records, and potentially learning analytics data between the two institutions — transfers that must comply simultaneously with the GDPR’s requirements for international data transfer and the PIPL’s cross-border transfer provisions.'''
| ''(zu übersetzen)''
+
| ''最严峻的合规性挑战出现在EU--中国联合学术项目中,学生数据经常跨越管辖边界。与中国合作机构提供联合学位的欧洲大学必须在两个机构之间传输注册数据、学术记录和潜在的学习分析数据,这些传输必须同时符合GDPR的国际数据传输要求和PIPL的跨境传输规定。''
 
|-
 
|-
 
| style="background:#eef;" | '''The practical difficulties are considerable. GDPR transfers to China cannot currently rely on an adequacy decision (the European Commission has not recognized China as providing adequate data protection). Standard Contractual Clauses may be used, but must be supplemented by a transfer impact assessment that considers Chinese surveillance laws and government access provisions — an assessment whose conclusions may be unfavorable. In the other direction, PIPL transfers to Europe require one of the three mechanisms described above: CAC security assessment, standard contract, or certification.'''
 
| style="background:#eef;" | '''The practical difficulties are considerable. GDPR transfers to China cannot currently rely on an adequacy decision (the European Commission has not recognized China as providing adequate data protection). Standard Contractual Clauses may be used, but must be supplemented by a transfer impact assessment that considers Chinese surveillance laws and government access provisions — an assessment whose conclusions may be unfavorable. In the other direction, PIPL transfers to Europe require one of the three mechanisms described above: CAC security assessment, standard contract, or certification.'''
| ''(zu übersetzen)''
+
| ''实际困难相当大。GDPR对中国的转让目前不能依赖于充分性决定(欧洲委员会不承认中国提供了充分的数据保护)。可以使用标准合同条款,但必须辅以考虑中国监控法律和政府访问规定的转让影响评估,该评估的结论可能不利。另一方面,PIPL向欧洲的转让需要上述三种机制之一:CAC安全评估、标准合同或认证。''
 
|-
 
|-
 
| style="background:#eef;" | '''The Future of Privacy Forum’s guidance for US higher education institutions (Zanfir-Fortuna 2020), while not directly applicable to the EU-China context, illustrates the complexity of international academic data flows. The report identifies ten compliance steps that international universities must address, including data mapping, legal basis identification, vendor management, and breach notification procedures — each of which must be adapted for both GDPR and PIPL requirements.'''
 
| style="background:#eef;" | '''The Future of Privacy Forum’s guidance for US higher education institutions (Zanfir-Fortuna 2020), while not directly applicable to the EU-China context, illustrates the complexity of international academic data flows. The report identifies ten compliance steps that international universities must address, including data mapping, legal basis identification, vendor management, and breach notification procedures — each of which must be adapted for both GDPR and PIPL requirements.'''
| ''(zu übersetzen)''
+
| ''隐私论坛对美国高等教育机构的未来指导(赞菲尔-福尔图娜2020)虽然不能直接适用于中国EU-的情况,但却说明了国际学术数据流的复杂性。该报告确定了国际大学必须解决的十个合规性步骤,包括数据映射、法律依据识别、供应商管理和违规通知程序,每个步骤都必须适应GDPR和PIPL的要求。''
 
|-
 
|-
 
| style="background:#eef;" | '''These challenges are not hypothetical. Sino-European joint programs have expanded significantly in recent decades. China hosts hundreds of Chinese-foreign cooperative education programs approved by the Ministry of Education, many of which involve European partner institutions. The EU’s Erasmus+ program supports academic exchanges with Chinese universities. The EU-China Tuning project has aligned degree structures across dozens of institutions. In each of these contexts, student data flows between jurisdictions are routine and necessary — yet the legal framework for these flows remains fragmented and uncertain.'''
 
| style="background:#eef;" | '''These challenges are not hypothetical. Sino-European joint programs have expanded significantly in recent decades. China hosts hundreds of Chinese-foreign cooperative education programs approved by the Ministry of Education, many of which involve European partner institutions. The EU’s Erasmus+ program supports academic exchanges with Chinese universities. The EU-China Tuning project has aligned degree structures across dozens of institutions. In each of these contexts, student data flows between jurisdictions are routine and necessary — yet the legal framework for these flows remains fragmented and uncertain.'''
| ''(zu übersetzen)''
+
| ''这些挑战不是假设的。近几十年来,中欧合作项目显著扩大。中国主办了数百个经教育部批准的中外合作教育项目,其中许多涉及欧洲的合作机构。欧盟的Erasmus+计划支持与中国大学的学术交流。EU-中国调整项目已经调整了几十个机构的学位结构。在上述每一种情况下,学生数据在司法管辖区之间的流动都是常规且必要的——但这些流动的法律框架仍然支离破碎且不确定。''
 
|-
 
|-
 
| style="background:#eef;" | '''A specific challenge arises in the context of student recruitment. European universities actively recruit Chinese students — China was the largest source country for international students in Europe before the pandemic and has largely regained that position. Under the PIPL, a European university that collects personal information from prospective Chinese students through online application portals, recruitment events in China, or agent partnerships is processing the personal information of Chinese residents and is therefore subject to the PIPL’s requirements, including the obligation to obtain consent in Chinese, to provide a privacy notice compliant with Chinese law, and to navigate the cross-border transfer framework for transmitting application data back to Europe. Few European universities have adapted their recruitment practices to meet these requirements.'''
 
| style="background:#eef;" | '''A specific challenge arises in the context of student recruitment. European universities actively recruit Chinese students — China was the largest source country for international students in Europe before the pandemic and has largely regained that position. Under the PIPL, a European university that collects personal information from prospective Chinese students through online application portals, recruitment events in China, or agent partnerships is processing the personal information of Chinese residents and is therefore subject to the PIPL’s requirements, including the obligation to obtain consent in Chinese, to provide a privacy notice compliant with Chinese law, and to navigate the cross-border transfer framework for transmitting application data back to Europe. Few European universities have adapted their recruitment practices to meet these requirements.'''
| ''(zu übersetzen)''
+
| ''在招生方面出现了一个特殊的挑战。欧洲大学积极招收中国学生——在疫情之前,中国是欧洲最大的国际学生来源国,现在已经基本恢复了这一地位。根据PIPL,一所欧洲大学通过在线申请门户网站、在中国的招聘活动或代理合作伙伴关系收集潜在中国学生的个人信息,该大学正在处理中国居民的个人信息,因此需要遵守PIPL的要求,包括有义务获得中文同意书,提供符合中国法律的隐私声明,并通过跨境传输框架将申请数据传输回欧洲。很少有欧洲大学调整了他们的招聘实践来满足这些要求。''
 
|-
 
|-
 
| style="background:#eef;" | '''For universities engaged in EU-China cooperation, we identify four practical strategies for managing dual compliance. First, data minimization at the point of transfer: sharing only the minimum data necessary for the joint program, using anonymized or pseudonymized data wherever possible. Second, architectural separation: maintaining separate data systems for EU and Chinese operations, with controlled interfaces for necessary data exchange. Third, contractual frameworks: developing bilateral data sharing agreements that explicitly address both GDPR and PIPL requirements, including provisions for data subject rights, breach notification, and data retention. Fourth, institutional capacity building: investing in staff training and data protection expertise that spans both regulatory frameworks.'''
 
| style="background:#eef;" | '''For universities engaged in EU-China cooperation, we identify four practical strategies for managing dual compliance. First, data minimization at the point of transfer: sharing only the minimum data necessary for the joint program, using anonymized or pseudonymized data wherever possible. Second, architectural separation: maintaining separate data systems for EU and Chinese operations, with controlled interfaces for necessary data exchange. Third, contractual frameworks: developing bilateral data sharing agreements that explicitly address both GDPR and PIPL requirements, including provisions for data subject rights, breach notification, and data retention. Fourth, institutional capacity building: investing in staff training and data protection expertise that spans both regulatory frameworks.'''
| ''(zu übersetzen)''
+
| ''对于参与EU-中国合作的大学,我们确定了管理双重合规的四个实用策略。首先,在传输点尽量减少数据:只分享联合项目所需的最少数据,尽可能使用匿名或假名数据。第二,架构分离:为欧盟和中国的运营维护独立的数据系统,使用受控接口进行必要的数据交换。第三,合同框架:制定双边数据共享协议,明确解决GDPR和PIPL的要求,包括数据主体权利、违约通知和数据保留的规定。第四,机构能力建设:投资于跨越两种监管框架的员工培训和数据保护专业知识。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''8. The Readiness Gap''''''
 
| style="background:#eef;" | ''''''8. The Readiness Gap''''''
| ''(zu übersetzen)''
+
| ''8.准备差距''
 
|-
 
|-
 
| style="background:#eef;" | '''Despite the significance of these regulatory frameworks, empirical evidence suggests that universities in both jurisdictions face a substantial readiness gap. In the European context, the 7DOTS (2024) finding that 81 percent of UK universities fail GDPR compliance standards is consistent with the CMS Enforcement Tracker data showing persistent violations across 25 member states. The XL Law and Consulting analysis documents 45 GDPR enforcement actions against educational institutions, with an average fine of approximately EUR 32,600 — modest compared to the technology sector, but meaningful for institutions with constrained budgets (XL Law 2023).'''
 
| style="background:#eef;" | '''Despite the significance of these regulatory frameworks, empirical evidence suggests that universities in both jurisdictions face a substantial readiness gap. In the European context, the 7DOTS (2024) finding that 81 percent of UK universities fail GDPR compliance standards is consistent with the CMS Enforcement Tracker data showing persistent violations across 25 member states. The XL Law and Consulting analysis documents 45 GDPR enforcement actions against educational institutions, with an average fine of approximately EUR 32,600 — modest compared to the technology sector, but meaningful for institutions with constrained budgets (XL Law 2023).'''
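Review bot: "breach notification" is mistranslated in two of the added translations in this hunk. The four-strategies row renders it as 违约通知, which reads as notice of a breach of contract, and the Future of Privacy Forum row renders it as 违规通知程序, a violation notice. Suggest 数据泄露通知 in both, matching the 数据泄露 already used for "data breaches" in the XL Law row of the next hunk. In the Future of Privacy Forum row the organization's name is also turned into a descriptive phrase (隐私论坛对美国高等教育机构的未来指导), and "EU-China" comes out as 中国EU-. Keep the name Future of Privacy Forum as a proper noun, and settle on one form such as 欧盟-中国 in place of the EU-中国, EU--中国 and 中国EU- variants across the section 7 rows. In the student recruitment row, 招聘活动 and 招聘实践 describe hiring; the English is about recruiting students, so 招生 fits.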
Line 218: Line 218:
 
|-
 
|-
 
| style="background:#eef;" | '''XL Law and Consulting’s analysis of GDPR enforcement actions further reveals a sectoral pattern: educational institutions account for under 3 percent of all GDPR enforcement actions, with an average fine of approximately EUR 32,600 — compared to EUR 1.8 million across all sectors. Spain, Italy, and Poland are responsible for over 65 percent of enforcement actions against higher education institutions. Notably, self-reporting data breaches did not shield institutions from substantial fines, suggesting that proactive compliance efforts must go beyond incident response (XL Law 2023).'''
 
| style="background:#eef;" | '''XL Law and Consulting’s analysis of GDPR enforcement actions further reveals a sectoral pattern: educational institutions account for under 3 percent of all GDPR enforcement actions, with an average fine of approximately EUR 32,600 — compared to EUR 1.8 million across all sectors. Spain, Italy, and Poland are responsible for over 65 percent of enforcement actions against higher education institutions. Notably, self-reporting data breaches did not shield institutions from substantial fines, suggesting that proactive compliance efforts must go beyond incident response (XL Law 2023).'''
| ''(zu übersetzen)''
+
| ''XL Law and Consulting对GDPR执法行动的分析进一步揭示了一个部门模式:教育机构占所有GDPR执法行动的不到3 %,平均罚款约为32,600欧元,而所有部门的罚款为180万欧元。西班牙、意大利和波兰占针对高等教育机构的执法行动的65%以上。值得注意的是,自我报告数据泄露并不能保护机构免受巨额罚款,这表明主动合规努力必须超越事件响应(XL Law 2023)''
 
|-
 
|-
 
| style="background:#eef;" | '''In the Chinese context, the readiness gap manifests differently. While the PIPL has been in force since November 2021, enforcement in the education sector has been less visible than in the technology and financial sectors. The emphasis has been on platform companies processing data at scale rather than on individual educational institutions. However, the Regulations on Network Data Security Management (effective January 2025) and the Certification Measures for cross-border transfers (effective January 2026) signal an increasing regulatory attention to data governance practices across all sectors, including education.'''
 
| style="background:#eef;" | '''In the Chinese context, the readiness gap manifests differently. While the PIPL has been in force since November 2021, enforcement in the education sector has been less visible than in the technology and financial sectors. The emphasis has been on platform companies processing data at scale rather than on individual educational institutions. However, the Regulations on Network Data Security Management (effective January 2025) and the Certification Measures for cross-border transfers (effective January 2026) signal an increasing regulatory attention to data governance practices across all sectors, including education.'''
| ''(zu übersetzen)''
+
| ''在中国的背景下,准备程度的差距有不同的表现。虽然《PIPL》自2021年11月生效,但教育部门的执法不如科技和金融部门明显。重点是平台公司大规模处理数据,而不是单个教育机构。然而,《网络数据安全管理条例》( 2025年1月生效)和《跨境传输认证办法》( 2026年1月生效)标志着监管机构越来越关注包括教育在内的所有部门的数据治理实践。''
 
|-
 
|-
 
| style="background:#eef;" | '''The European Data Protection Board’s Opinion 28/2024, adopted in December 2024, addresses data protection aspects of AI model training and deployment, noting that GDPR applies to AI models trained on personal data because of their memorization capabilities (EDPB 2024). For universities developing or deploying AI-based educational tools, this opinion has significant implications: even AI models that do not store personal data in recognizable form may be subject to GDPR requirements if they can be prompted to produce personal information.'''
 
| style="background:#eef;" | '''The European Data Protection Board’s Opinion 28/2024, adopted in December 2024, addresses data protection aspects of AI model training and deployment, noting that GDPR applies to AI models trained on personal data because of their memorization capabilities (EDPB 2024). For universities developing or deploying AI-based educational tools, this opinion has significant implications: even AI models that do not store personal data in recognizable form may be subject to GDPR requirements if they can be prompted to produce personal information.'''
| ''(zu übersetzen)''
+
| ''2024年12月通过的欧洲数据保护委员会第28/2024号意见解决了人工智能模型训练和部署的数据保护方面,指出GDPR适用于根据个人数据训练的人工智能模型,因为它们具有记忆能力(EDPB 2024)。对于开发或部署基于人工智能的教育工具的大学来说,这一观点具有重大意义:即使是不以可识别的形式存储个人数据的人工智能模型,如果可以被提示提供个人信息,也可能受到GDPR要求的约束。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''9. Recommendations for Universities''''''
 
| style="background:#eef;" | ''''''9. Recommendations for Universities''''''
| ''(zu übersetzen)''
+
| ''9.给大学的建议''
 
|-
 
|-
 
| style="background:#eef;" | '''Based on our comparative analysis, we propose seven recommendations for universities seeking to navigate the overlapping requirements of GDPR and PIPL:'''
 
| style="background:#eef;" | '''Based on our comparative analysis, we propose seven recommendations for universities seeking to navigate the overlapping requirements of GDPR and PIPL:'''
| ''(zu übersetzen)''
+
| ''基于我们的比较分析,我们为寻求应对GDPR和PIPL重叠要求的大学提出了七条建议:''
 
|-
 
|-
 
| style="background:#eef;" | '''First, conduct a comprehensive data mapping exercise that identifies all personal data processing activities, their legal bases under both GDPR and PIPL, and all cross-border data flows. This mapping should cover not only formal academic processes but also ancillary systems: campus Wi-Fi analytics, library databases, career services platforms, and alumni management systems.'''
 
| style="background:#eef;" | '''First, conduct a comprehensive data mapping exercise that identifies all personal data processing activities, their legal bases under both GDPR and PIPL, and all cross-border data flows. This mapping should cover not only formal academic processes but also ancillary systems: campus Wi-Fi analytics, library databases, career services platforms, and alumni management systems.'''
| ''(zu übersetzen)''
+
| ''首先,开展全面的数据摸底工作,确定所有个人数据处理活动、它们在GDPR和PIPL的法律依据以及所有跨境数据流动。这种映射不仅应该涵盖正式的学术流程,还应该涵盖辅助系统:校园Wi-Fi分析、图书馆数据库、职业服务平台和校友管理系统。''
 
|-
 
|-
 
| style="background:#eef;" | '''Second, establish a unified data governance framework that addresses both GDPR and PIPL requirements. While the two laws differ in their philosophical orientations, their practical requirements overlap substantially. A framework designed to meet the stricter of the two requirements in each area will generally achieve compliance with both.'''
 
| style="background:#eef;" | '''Second, establish a unified data governance framework that addresses both GDPR and PIPL requirements. While the two laws differ in their philosophical orientations, their practical requirements overlap substantially. A framework designed to meet the stricter of the two requirements in each area will generally achieve compliance with both.'''
| ''(zu übersetzen)''
+
| ''其次,建立统一的数据治理框架,以满足GDPR和PIPL的要求。虽然这两个法律在哲学方向上有所不同,但它们的实际要求基本上是重叠的。为满足每个领域中两个要求中更严格的一个而设计的框架通常会同时满足这两个要求。''
 
|-
 
|-
 
| style="background:#eef;" | '''Third, adopt a consent-plus model for learning analytics. Because the PIPL’s absence of a legitimate interests basis makes consent more central than under the GDPR, universities engaged in international cooperation should build consent mechanisms that meet PIPL standards — which will typically exceed GDPR requirements and thus satisfy both frameworks.'''
 
| style="background:#eef;" | '''Third, adopt a consent-plus model for learning analytics. Because the PIPL’s absence of a legitimate interests basis makes consent more central than under the GDPR, universities engaged in international cooperation should build consent mechanisms that meet PIPL standards — which will typically exceed GDPR requirements and thus satisfy both frameworks.'''
| ''(zu übersetzen)''
+
| ''第三,采用同意+模型进行学习分析。由于PIPL缺乏合法利益基础,使得同意比GDPR更重要,参与国际合作的大学应该建立符合PIPL标准的同意机制——这通常会超过GDPR的要求,从而满足两个框架。''
 
|-
 
|-
 
| style="background:#eef;" | '''Fourth, implement privacy by design in educational technology procurement and development. Lachheb and colleagues’ (2023) framework for design ethics in educational technology provides a starting point, as does the EDPB’s guidance on AI and personal data. Procurement contracts should explicitly require vendors to demonstrate compliance with both GDPR and PIPL where applicable.'''
 
| style="background:#eef;" | '''Fourth, implement privacy by design in educational technology procurement and development. Lachheb and colleagues’ (2023) framework for design ethics in educational technology provides a starting point, as does the EDPB’s guidance on AI and personal data. Procurement contracts should explicitly require vendors to demonstrate compliance with both GDPR and PIPL where applicable.'''
| ''(zu übersetzen)''
+
| ''第四,在教育技术采购和开发中通过设计实现隐私。拉赫伯及其同事(2023)的教育技术设计伦理框架提供了一个起点,正如EDPB对人工智能和个人数据的指导一样。采购合同应明确要求供应商证明符合GDPR和PIPL的要求。''
 
|-
 
|-
 
| style="background:#eef;" | '''Fifth, invest in institutional capacity. The readiness gap documented by 7DOTS (2024) and CMS (2025) reflects not deliberate non-compliance but insufficient expertise and resources. Universities should designate data protection officers with specific expertise in educational data and international data flows, and provide regular training for faculty and administrative staff.'''
 
| style="background:#eef;" | '''Fifth, invest in institutional capacity. The readiness gap documented by 7DOTS (2024) and CMS (2025) reflects not deliberate non-compliance but insufficient expertise and resources. Universities should designate data protection officers with specific expertise in educational data and international data flows, and provide regular training for faculty and administrative staff.'''
| ''(zu übersetzen)''
+
| ''第五,投资于机构能力。7DOTS (2024年)和CMS (2025年)记录的准备差距并不反映故意的不遵守,而是专业知识和资源不足。大学应指定在教育数据和国际数据流方面具有特定专业知识的数据保护官员,并为教职员工和行政人员提供定期培训。''
 
|-
 
|-
 
| style="background:#eef;" | '''Sixth, develop bilateral data sharing agreements for joint programs with Chinese (or European) partner institutions. These agreements should go beyond standard contractual clauses to address the specific requirements of educational data: academic records, assessment data, learning analytics, and research data each present distinct compliance challenges.'''
 
| style="background:#eef;" | '''Sixth, develop bilateral data sharing agreements for joint programs with Chinese (or European) partner institutions. These agreements should go beyond standard contractual clauses to address the specific requirements of educational data: academic records, assessment data, learning analytics, and research data each present distinct compliance challenges.'''
| ''(zu übersetzen)''
+
| ''第六,为与中国(或欧洲)伙伴机构的联合项目制定双边数据共享协议。这些协议应该超越标准合同条款,以解决教育数据的具体要求:学术记录、评估数据、学习分析和研究数据都存在不同的合规性挑战。''
 
|-
 
|-
 
| style="background:#eef;" | '''Seventh, monitor regulatory developments actively. Both frameworks are evolving rapidly. The EU AI Act‘s high-risk requirements for educational AI take full effect in August 2026. China‘s cross-border data certification measures took effect in January 2026. The European Commission’s adequacy decisions and the CAC’s standard contract provisions are subject to revision. Universities that treat data protection as a one-time compliance exercise rather than an ongoing governance function will inevitably fall behind.'''
 
| style="background:#eef;" | '''Seventh, monitor regulatory developments actively. Both frameworks are evolving rapidly. The EU AI Act‘s high-risk requirements for educational AI take full effect in August 2026. China‘s cross-border data certification measures took effect in January 2026. The European Commission’s adequacy decisions and the CAC’s standard contract provisions are subject to revision. Universities that treat data protection as a one-time compliance exercise rather than an ongoing governance function will inevitably fall behind.'''
| ''(zu übersetzen)''
+
| ''第七,积极监控监管动态。这两个框架都在快速发展。欧盟AI法案对教育AI的高风险要求于2026年8月全面生效。中国的跨境数据认证措施于2026年1月生效。欧洲委员会的充足性决定和CAC的标准合同条款可能会被修订。将数据保护视为一次性合规工作而非持续治理职能的大学将不可避免地落后。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''10. Conclusion''''''
 
| style="background:#eef;" | ''''''10. Conclusion''''''
| ''(zu übersetzen)''
+
| ''10.结论''
 
|-
 
|-
 
| style="background:#eef;" | '''The comparison of GDPR and PIPL in the educational context reveals a paradox: two of the world’s most comprehensive data protection regimes, both claiming to protect individuals from the misuse of their personal data, diverge so fundamentally in their philosophical assumptions that compliance with one does not ensure compliance with the other. The GDPR’s emphasis on individual autonomy, independent oversight, and purpose limitation reflects European democratic traditions; the PIPL’s emphasis on state sovereignty, centralized enforcement, and national security reflects China‘s distinct governance model. Neither system has demonstrably achieved adequate data protection in practice — European enforcement data documents widespread non-compliance, while Chinese enforcement in education remains nascent.'''
 
| style="background:#eef;" | '''The comparison of GDPR and PIPL in the educational context reveals a paradox: two of the world’s most comprehensive data protection regimes, both claiming to protect individuals from the misuse of their personal data, diverge so fundamentally in their philosophical assumptions that compliance with one does not ensure compliance with the other. The GDPR’s emphasis on individual autonomy, independent oversight, and purpose limitation reflects European democratic traditions; the PIPL’s emphasis on state sovereignty, centralized enforcement, and national security reflects China‘s distinct governance model. Neither system has demonstrably achieved adequate data protection in practice — European enforcement data documents widespread non-compliance, while Chinese enforcement in education remains nascent.'''
| ''(zu übersetzen)''
+
| ''GDPR和PIPL在教育方面的比较揭示了一个悖论:两个世界上最全面的数据保护制度都声称要保护个人的个人数据不被滥用,但它们的哲学假设却大相径庭,遵守一个制度并不能确保遵守另一个制度。GDPR对个人自主、独立监督和目的限制的强调反映了欧洲的民主传统;PIPL对国家主权、集中执法和国家安全的强调反映了中国独特的治理模式。这两个系统都没有在实践中明显实现足够的数据保护——欧洲的执法数据记录了广泛的违规行为,而中国在教育领域的执法仍处于萌芽状态。''
 
|-
 
|-
 
| style="background:#eef;" | '''For universities, the practical challenge is to navigate these overlapping and sometimes conflicting requirements while maintaining the international cooperation that is essential to modern higher education. The dual compliance challenge is not merely a legal technicality; it reflects deeper questions about the role of data in education, the balance between institutional power and individual rights, and the possibility of meaningful privacy in an increasingly datafied learning environment.'''
 
| style="background:#eef;" | '''For universities, the practical challenge is to navigate these overlapping and sometimes conflicting requirements while maintaining the international cooperation that is essential to modern higher education. The dual compliance challenge is not merely a legal technicality; it reflects deeper questions about the role of data in education, the balance between institutional power and individual rights, and the possibility of meaningful privacy in an increasingly datafied learning environment.'''
| ''(zu übersetzen)''
+
| ''对于大学来说,实际的挑战是在保持对现代高等教育至关重要的国际合作的同时,应对这些重叠且有时相互冲突的要求。双重合规挑战不仅仅是一个法律技术问题;它反映了关于数据在教育中的作用、机构权力和个人权利之间的平衡以及在日益数据化的学习环境中有意义的隐私的可能性等更深层次的问题。''
 
|-
 
|-
 
| style="background:#eef;" | '''The stakes of this challenge extend beyond legal compliance. Student data protection is ultimately about trust: students must trust that their universities will handle their personal information responsibly, that their academic records will not be used against them, that their learning behaviors will not be surveilled without their knowledge, and that their data will not be shared with parties they have not authorized. When universities fail to meet these expectations — whether through GDPR violations documented in the CMS enforcement data, through opaque learning analytics systems, or through proctoring technologies deployed without adequate consent — they erode the trust that is foundational to the educational relationship.'''
 
| style="background:#eef;" | '''The stakes of this challenge extend beyond legal compliance. Student data protection is ultimately about trust: students must trust that their universities will handle their personal information responsibly, that their academic records will not be used against them, that their learning behaviors will not be surveilled without their knowledge, and that their data will not be shared with parties they have not authorized. When universities fail to meet these expectations — whether through GDPR violations documented in the CMS enforcement data, through opaque learning analytics systems, or through proctoring technologies deployed without adequate consent — they erode the trust that is foundational to the educational relationship.'''
| ''(zu übersetzen)''
+
| ''这一挑战的利害关系不仅限于法律合规性。学生数据保护最终与信任有关:学生必须相信他们的大学将负责任地处理他们的个人信息,他们的学业记录不会被用来对付他们,他们的学习行为不会在他们不知情的情况下受到监控,他们的数据不会与他们未授权的人共享。当大学无法满足这些期望时——无论是通过CMS执行数据中记录的GDPR违规,还是通过不透明的学习分析系统,或者是通过未经充分同意部署的监督技术——它们都会侵蚀作为教育关系基础的信任。''
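Review bot: "proctoring technologies" in the source cell is rendered as 监督技术 (supervision technologies) in the new ZH cell, while the abstract and section 2.2 on this page use 监考 for proctoring. Use 监考技术 here so the term stays consistent across the chapter and the reference to exam proctoring is not lost.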
 
|-
 
|-
 
| style="background:#eef;" | '''We have argued that neither the European nor the Chinese approach alone provides an adequate model. The GDPR’s emphasis on individual rights and independent oversight provides important protections against institutional overreach, but its complexity and enforcement gaps undermine its effectiveness. The PIPL’s centralized enforcement and clear compliance pathways offer practical advantages, but its subordination to state interests raises questions about the protection it affords against government surveillance. A synthesis that combines European rights-based principles with Chinese regulatory efficiency — or, more modestly, a set of practical guidelines that enables universities to satisfy both frameworks simultaneously — remains the most promising path forward. The recommendations proposed in this article represent an initial contribution to that synthesis, grounded in the specific data protection challenges that universities face in the era of digital education.'''
 
| style="background:#eef;" | '''We have argued that neither the European nor the Chinese approach alone provides an adequate model. The GDPR’s emphasis on individual rights and independent oversight provides important protections against institutional overreach, but its complexity and enforcement gaps undermine its effectiveness. The PIPL’s centralized enforcement and clear compliance pathways offer practical advantages, but its subordination to state interests raises questions about the protection it affords against government surveillance. A synthesis that combines European rights-based principles with Chinese regulatory efficiency — or, more modestly, a set of practical guidelines that enables universities to satisfy both frameworks simultaneously — remains the most promising path forward. The recommendations proposed in this article represent an initial contribution to that synthesis, grounded in the specific data protection challenges that universities face in the era of digital education.'''
| ''(zu übersetzen)''
+
| ''我们认为,无论是欧洲还是中国的方法都不能单独提供一个合适的模型。GDPR对个人权利和独立监督的强调为防止机构越权提供了重要保护,但其复杂性和执法差距削弱了其有效性。PIPL的集中执法和明确的合规途径提供了实际优势,但它对国家利益的服从引发了对其提供免受政府监控的保护的质疑。将欧洲基于权利的原则与中国监管效率结合起来的综合体——或者更谦虚地说,一套让大学能够同时满足这两个框架的实用指导方针——仍然是最有希望的前进道路。本文中提出的建议是对这一综合的初步贡献,基于大学在数字教育时代面临的具体数据保护挑战。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''Acknowledgments''''''
 
| style="background:#eef;" | ''''''Acknowledgments''''''
| ''(zu übersetzen)''
+
| ''致谢''
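Review bot: the source cell on this row still wraps the heading in six apostrophes on each side (''''''Acknowledgments''''''). MediaWiki treats the surplus apostrophes as literal characters, so the heading displays as 'Acknowledgments' with stray quote marks. Since the row is being edited anyway, reduce the source cell to '''Acknowledgments'''. The same applies to the References and Part II heading rows.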
 
|-
 
|-
 
| style="background:#eef;" | '''This research was conducted within the framework of the Jean Monnet Centre of Excellence „EUSC-DEC“ (EU Grant 101126782, 2023–2026). The author thanks the members of Research Group 1 (Regulation of Digitalization in China and Europe) for their contributions to the comparative legal analysis.'''
 
| style="background:#eef;" | '''This research was conducted within the framework of the Jean Monnet Centre of Excellence „EUSC-DEC“ (EU Grant 101126782, 2023–2026). The author thanks the members of Research Group 1 (Regulation of Digitalization in China and Europe) for their contributions to the comparative legal analysis.'''
| ''(zu übersetzen)''
+
| ''这项研究是在让·莫内卓越中心“EUSC-DEC”的框架内进行的(欧盟赠款101126782,2023–2026)。作者感谢第一研究小组(中国和欧洲数字化法规)成员对比较法律分析的贡献。''
 
|-
 
|-
 
| style="background:#eef;" | ''''''References''''''
 
| style="background:#eef;" | ''''''References''''''
| ''(zu übersetzen)''
+
| ''参考文献''
 
|-
 
|-
 
| style="background:#eef;" | '''7DOTS. (2024). Report: 81% of Universities at Risk of Fines Due to Failure to Safeguard Student Data. 7DOTS. Available at: https://www.7dots.com/our-insights/81-of-universities-at-risk-of-fines-due-to-failure-to-safeguard-student-data/'''
 
| style="background:#eef;" | '''7DOTS. (2024). Report: 81% of Universities at Risk of Fines Due to Failure to Safeguard Student Data. 7DOTS. Available at: https://www.7dots.com/our-insights/81-of-universities-at-risk-of-fines-due-to-failure-to-safeguard-student-data/'''
| ''(zu übersetzen)''
+
| ''7DOTS. (2024). Report: 81% of Universities at Risk of Fines Due to Failure to Safeguard Student Data. 7DOTS. Available at: https://www.7dots.com/our-insights/81-of-universities-at-risk-of-fines-due-to-failure-to-safeguard-student-data/''
 
|-
 
|-
 
| style="background:#eef;" | '''American Association of Collegiate Registrars and Admissions Officers (AACRAO). (2022). China‘s Personal Information Protection Law (PIPL). AACRAO. Available at: https://www.aacrao.org/advocacy/compliance/'''
 
| style="background:#eef;" | '''American Association of Collegiate Registrars and Admissions Officers (AACRAO). (2022). China‘s Personal Information Protection Law (PIPL). AACRAO. Available at: https://www.aacrao.org/advocacy/compliance/'''
| ''(zu übersetzen)''
+
| ''American Association of Collegiate Registrars and Admissions Officers (AACRAO). (2022). China‘s Personal Information Protection Law (PIPL). AACRAO. Available at: https://www.aacrao.org/advocacy/compliance/''
 
|-
 
|-
 
| style="background:#eef;" | '''Blackmon, S. J. & Major, C. H. (2023). Inclusion or infringement? A systematic research review of students’ perspectives on student privacy in technology-enhanced, hybrid and online courses. British Journal of Educational Technology, 54(6), 1542–1565. DOI: 10.1111/bjet.13362'''
 
| style="background:#eef;" | '''Blackmon, S. J. & Major, C. H. (2023). Inclusion or infringement? A systematic research review of students’ perspectives on student privacy in technology-enhanced, hybrid and online courses. British Journal of Educational Technology, 54(6), 1542–1565. DOI: 10.1111/bjet.13362'''
| ''(zu übersetzen)''
+
| ''Blackmon, S. J. & Major, C. H. (2023). Inclusion or infringement? A systematic research review of students’ perspectives on student privacy in technology-enhanced, hybrid and online courses. British Journal of Educational Technology, 54(6), 1542–1565. DOI: 10.1111/bjet.13362''
 
|-
 
|-
 
| style="background:#eef;" | '''CMS Law. (2025). GDPR Enforcement Tracker Report 2024/2025: Public Sector and Education. CMS International Law Firm. Available at: https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/public-sector-and-education'''
 
| style="background:#eef;" | '''CMS Law. (2025). GDPR Enforcement Tracker Report 2024/2025: Public Sector and Education. CMS International Law Firm. Available at: https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/public-sector-and-education'''
| ''(zu übersetzen)''
+
| ''CMS Law. (2025). GDPR Enforcement Tracker Report 2024/2025: Public Sector and Education. CMS International Law Firm. Available at: https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/public-sector-and-education''
 
|-
 
|-
 
| style="background:#eef;" | '''CMS Law-Now. (2025). China issues Measures for the Certification of the Cross-Border Transfer of Personal Information. CMS e-Alert, November 2025. Available at: https://cms-lawnow.com/en/ealerts/2025/11/'''
 
| style="background:#eef;" | '''CMS Law-Now. (2025). China issues Measures for the Certification of the Cross-Border Transfer of Personal Information. CMS e-Alert, November 2025. Available at: https://cms-lawnow.com/en/ealerts/2025/11/'''
| ''(zu übersetzen)''
+
| ''CMS Law-Now. (2025). China issues Measures for the Certification of the Cross-Border Transfer of Personal Information. CMS e-Alert, November 2025. Available at: https://cms-lawnow.com/en/ealerts/2025/11/''
 
|-
 
|-
 
| style="background:#eef;" | '''DataGuidance. (2022). Comparing Privacy Laws: GDPR v. PIPL. DataGuidance. Available at: https://www.dataguidance.com/sites/default/files/gdpr_v_pipl_.pdf'''
 
| style="background:#eef;" | '''DataGuidance. (2022). Comparing Privacy Laws: GDPR v. PIPL. DataGuidance. Available at: https://www.dataguidance.com/sites/default/files/gdpr_v_pipl_.pdf'''
| ''(zu übersetzen)''
+
| ''DataGuidance. (2022). Comparing Privacy Laws: GDPR v. PIPL. DataGuidance. Available at: https://www.dataguidance.com/sites/default/files/gdpr_v_pipl_.pdf''
 
|-
 
|-
 
| style="background:#eef;" | '''European Data Protection Board (EDPB). (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Adopted 17 December 2024. Available at: https://www.edpb.europa.eu/'''
 
| style="background:#eef;" | '''European Data Protection Board (EDPB). (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Adopted 17 December 2024. Available at: https://www.edpb.europa.eu/'''
| ''(zu übersetzen)''
+
| ''European Data Protection Board (EDPB). (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Adopted 17 December 2024. Available at: https://www.edpb.europa.eu/''
 
|-
 
|-
 
| style="background:#eef;" | '''European Parliament and Council. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series.'''
 
| style="background:#eef;" | '''European Parliament and Council. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series.'''
| ''(zu übersetzen)''
+
| ''European Parliament and Council. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series.''
 
|-
 
|-
 
| style="background:#eef;" | '''Fernandez-Novel Escobar, E. (2025). How do the European Union‘s GDPR and China‘s PIPL regulate cross-border data flows? International Policy Review, IE University, 27 January 2025.'''
 
| style="background:#eef;" | '''Fernandez-Novel Escobar, E. (2025). How do the European Union‘s GDPR and China‘s PIPL regulate cross-border data flows? International Policy Review, IE University, 27 January 2025.'''
| ''(zu übersetzen)''
+
| ''Fernandez-Novel Escobar, E. (2025). How do the European Union‘s GDPR and China‘s PIPL regulate cross-border data flows? International Policy Review, IE University, 27 January 2025.''
 
|-
 
|-
 
| style="background:#eef;" | '''Garante per la protezione dei dati personali (Italy). (2021). Decision 9703988 — Fine against Università Commerciale Luigi Bocconi, 16 September 2021. Reported by EDPB. Available at: https://edpb.europa.eu/'''
 
| style="background:#eef;" | '''Garante per la protezione dei dati personali (Italy). (2021). Decision 9703988 — Fine against Università Commerciale Luigi Bocconi, 16 September 2021. Reported by EDPB. Available at: https://edpb.europa.eu/'''
| ''(zu übersetzen)''
+
| ''Garante per la protezione dei dati personali (Italy). (2021). Decision 9703988 — Fine against Università Commerciale Luigi Bocconi, 16 September 2021. Reported by EDPB. Available at: https://edpb.europa.eu/''
 
|-
 
|-
 
| style="background:#eef;" | '''Giuffrida, I. & Hall, A. (2023). Technology integration in higher education and student privacy beyond learning environments — A comparison of the UK and US perspective. British Journal of Educational Technology, 54(6), 1587–1603. DOI: 10.1111/bjet.13375'''
 
| style="background:#eef;" | '''Giuffrida, I. & Hall, A. (2023). Technology integration in higher education and student privacy beyond learning environments — A comparison of the UK and US perspective. British Journal of Educational Technology, 54(6), 1587–1603. DOI: 10.1111/bjet.13375'''
| ''(zu übersetzen)''
+
| ''Giuffrida, I. & Hall, A. (2023). Technology integration in higher education and student privacy beyond learning environments — A comparison of the UK and US perspective. British Journal of Educational Technology, 54(6), 1587–1603. DOI: 10.1111/bjet.13375''
 
|-
 
|-
 
| style="background:#eef;" | '''International Association of Privacy Professionals (IAPP). (2021). Analyzing China‘s PIPL and how it compares to the EU’s GDPR. IAPP. Available at: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr'''
 
| style="background:#eef;" | '''International Association of Privacy Professionals (IAPP). (2021). Analyzing China‘s PIPL and how it compares to the EU’s GDPR. IAPP. Available at: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr'''
| ''(zu übersetzen)''
+
| ''International Association of Privacy Professionals (IAPP). (2021). Analyzing China‘s PIPL and how it compares to the EU’s GDPR. IAPP. Available at: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr''
 
|-
 
|-
 
| style="background:#eef;" | '''Kumi-Yeboah, A., Kim, Y., Yankson, B., Aikins, S. & Dadson, Y. A. (2023). Diverse students’ perspectives on privacy and technology integration in higher education. British Journal of Educational Technology, 54(6), 1671–1692. DOI: 10.1111/bjet.13386'''
 
| style="background:#eef;" | '''Kumi-Yeboah, A., Kim, Y., Yankson, B., Aikins, S. & Dadson, Y. A. (2023). Diverse students’ perspectives on privacy and technology integration in higher education. British Journal of Educational Technology, 54(6), 1671–1692. DOI: 10.1111/bjet.13386'''
| ''(zu übersetzen)''
+
| ''Kumi-Yeboah, A., Kim, Y., Yankson, B., Aikins, S. & Dadson, Y. A. (2023). Diverse students’ perspectives on privacy and technology integration in higher education. British Journal of Educational Technology, 54(6), 1671–1692. DOI: 10.1111/bjet.13386''
 
|-
 
|-
 
| style="background:#eef;" | '''Lachheb, A. et al. (2023). The role of design ethics in maintaining students’ privacy: A call to action to learning designers in higher education. British Journal of Educational Technology, 54(6), 1653–1670. DOI: 10.1111/bjet.13382'''
 
| style="background:#eef;" | '''Lachheb, A. et al. (2023). The role of design ethics in maintaining students’ privacy: A call to action to learning designers in higher education. British Journal of Educational Technology, 54(6), 1653–1670. DOI: 10.1111/bjet.13382'''
| ''(zu übersetzen)''
+
| ''Lachheb, A. et al. (2023). The role of design ethics in maintaining students’ privacy: A call to action to learning designers in higher education. British Journal of Educational Technology, 54(6), 1653–1670. DOI: 10.1111/bjet.13382''
 
|-
 
|-
 
| style="background:#eef;" | '''Li, W. & Chen, J. (2024). From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China. Computer Law and Security Review, 54, 105994. DOI: 10.1016/j.clsr.2024.105994'''
 
| style="background:#eef;" | '''Li, W. & Chen, J. (2024). From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China. Computer Law and Security Review, 54, 105994. DOI: 10.1016/j.clsr.2024.105994'''
| ''(zu übersetzen)''
+
| ''Li, W. & Chen, J. (2024). From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China. Computer Law and Security Review, 54, 105994. DOI: 10.1016/j.clsr.2024.105994''
 
|-
 
|-
 
| style="background:#eef;" | '''Lim, S. & Oh, J. (2025). Navigating Privacy: A Global Comparative Analysis of Data Protection Laws. IET Information Security, 2025(1). DOI: 10.1049/ise2/5536763'''
 
| style="background:#eef;" | '''Lim, S. & Oh, J. (2025). Navigating Privacy: A Global Comparative Analysis of Data Protection Laws. IET Information Security, 2025(1). DOI: 10.1049/ise2/5536763'''
| ''(zu übersetzen)''
+
| ''Lim, S. & Oh, J. (2025). Navigating Privacy: A Global Comparative Analysis of Data Protection Laws. IET Information Security, 2025(1). DOI: 10.1049/ise2/5536763''
 
|-
 
|-
 
| style="background:#eef;" | '''Liu, Q. & Khalil, M. (2023). Understanding privacy and data protection issues in learning analytics using a systematic review. British Journal of Educational Technology, 54(6), 1466–1485. DOI: 10.1111/bjet.13388'''
 
| style="background:#eef;" | '''Liu, Q. & Khalil, M. (2023). Understanding privacy and data protection issues in learning analytics using a systematic review. British Journal of Educational Technology, 54(6), 1466–1485. DOI: 10.1111/bjet.13388'''
| ''(zu übersetzen)''
+
| ''Liu, Q. & Khalil, M. (2023). Understanding privacy and data protection issues in learning analytics using a systematic review. British Journal of Educational Technology, 54(6), 1466–1485. DOI: 10.1111/bjet.13388''
 
|-
 
|-
 
| style="background:#eef;" | '''Liu, Q., Khalil, M., Shakya, R., Jovanovic, J. & de la Hoz-Ruiz, J. (2025). Ensuring privacy through synthetic data generation in education. British Journal of Educational Technology. DOI: 10.1111/bjet.13576'''
 
| style="background:#eef;" | '''Liu, Q., Khalil, M., Shakya, R., Jovanovic, J. & de la Hoz-Ruiz, J. (2025). Ensuring privacy through synthetic data generation in education. British Journal of Educational Technology. DOI: 10.1111/bjet.13576'''
| ''(zu übersetzen)''
+
| ''Liu, Q., Khalil, M., Shakya, R., Jovanovic, J. & de la Hoz-Ruiz, J. (2025). Ensuring privacy through synthetic data generation in education. British Journal of Educational Technology. DOI: 10.1111/bjet.13576''
 
|-
 
|-
 
| style="background:#eef;" | '''MIT Office of General Counsel. (2022). China and the PIPL: New Protections and Rights for Personal Information. MIT. Available at: https://ogc.mit.edu/latest/china-and-pipl-new-protections-and-rights-personal-information'''
 
| style="background:#eef;" | '''MIT Office of General Counsel. (2022). China and the PIPL: New Protections and Rights for Personal Information. MIT. Available at: https://ogc.mit.edu/latest/china-and-pipl-new-protections-and-rights-personal-information'''
| ''(zu übersetzen)''
+
| ''MIT Office of General Counsel. (2022). China and the PIPL: New Protections and Rights for Personal Information. MIT. Available at: https://ogc.mit.edu/latest/china-and-pipl-new-protections-and-rights-personal-information''
 
|-
 
|-
 
| style="background:#eef;" | '''Prinsloo, P., Slade, S. & Khalil, M. (2022). The answer is (not only) technological: Considering student data privacy in learning analytics. British Journal of Educational Technology, 53(4), 876–893. DOI: 10.1111/bjet.13216'''
 
| style="background:#eef;" | '''Prinsloo, P., Slade, S. & Khalil, M. (2022). The answer is (not only) technological: Considering student data privacy in learning analytics. British Journal of Educational Technology, 53(4), 876–893. DOI: 10.1111/bjet.13216'''
| ''(zu übersetzen)''
+
| ''Prinsloo, P., Slade, S. & Khalil, M. (2022). The answer is (not only) technological: Considering student data privacy in learning analytics. British Journal of Educational Technology, 53(4), 876–893. DOI: 10.1111/bjet.13216''
 
|-
 
|-
 
| style="background:#eef;" | '''Rockefeller Institute of Government. (2025). The European AI Act and Its Implications for New York State Higher Education. November 2025. Available at: https://rockinst.org/'''
 
| style="background:#eef;" | '''Rockefeller Institute of Government. (2025). The European AI Act and Its Implications for New York State Higher Education. November 2025. Available at: https://rockinst.org/'''
| ''(zu übersetzen)''
+
| ''Rockefeller Institute of Government. (2025). The European AI Act and Its Implications for New York State Higher Education. November 2025. Available at: https://rockinst.org/''
 
|-
 
|-
 
| style="background:#eef;" | '''State Council of the People’s Republic of China. (2024). Regulations on Network Data Security Management (effective 1 January 2025). Published 30 September 2024.'''
 
| style="background:#eef;" | '''State Council of the People’s Republic of China. (2024). Regulations on Network Data Security Management (effective 1 January 2025). Published 30 September 2024.'''
| ''(zu übersetzen)''
+
| ''State Council of the People’s Republic of China. (2024). Regulations on Network Data Security Management (effective 1 January 2025). Published 30 September 2024.''
 
|-
 
|-
 
| style="background:#eef;" | '''XL Law and Consulting. (2023). GDPR Enforcement Actions: Lessons Learned for Colleges and Universities. XL Law and Consulting. Available at: https://www.xllawconsulting.com/'''
 
| style="background:#eef;" | '''XL Law and Consulting. (2023). GDPR Enforcement Actions: Lessons Learned for Colleges and Universities. XL Law and Consulting. Available at: https://www.xllawconsulting.com/'''
| ''(zu übersetzen)''
+
| ''XL Law and Consulting. (2023). GDPR Enforcement Actions: Lessons Learned for Colleges and Universities. XL Law and Consulting. Available at: https://www.xllawconsulting.com/''
 
|-
 
|-
 
| style="background:#eef;" | '''Xue, Y., Chinapah, V., & Zhu, C. (2025). A Comparative Analysis of AI Privacy Concerns in Higher Education: News Coverage in China and Western Countries. Education Sciences, 15(6), 650. DOI: 10.3390/educsci15060650'''
 
| style="background:#eef;" | '''Xue, Y., Chinapah, V., & Zhu, C. (2025). A Comparative Analysis of AI Privacy Concerns in Higher Education: News Coverage in China and Western Countries. Education Sciences, 15(6), 650. DOI: 10.3390/educsci15060650'''
| ''(zu übersetzen)''
+
| ''Xue, Y., Chinapah, V., & Zhu, C. (2025). A Comparative Analysis of AI Privacy Concerns in Higher Education: News Coverage in China and Western Countries. Education Sciences, 15(6), 650. DOI: 10.3390/educsci15060650''
 
|-
 
|-
 
| style="background:#eef;" | '''Zanfir-Fortuna, G. (2020). The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions. Future of Privacy Forum. Available at: https://fpf.org/blog/gdprhighered/'''
 
| style="background:#eef;" | '''Zanfir-Fortuna, G. (2020). The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions. Future of Privacy Forum. Available at: https://fpf.org/blog/gdprhighered/'''
| ''(zu übersetzen)''
+
| ''Zanfir-Fortuna, G. (2020). The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions. Future of Privacy Forum. Available at: https://fpf.org/blog/gdprhighered/''
 
|-
 
|-
 
| style="background:#eef;" | '''Zhang, L. & Kollnig, K. (2024). Theory and practice: the protection of children’s personal information in China. International Data Privacy Law, 14(1), 37–52. DOI: 10.1093/idpl/ipad017'''
 
| style="background:#eef;" | '''Zhang, L. & Kollnig, K. (2024). Theory and practice: the protection of children’s personal information in China. International Data Privacy Law, 14(1), 37–52. DOI: 10.1093/idpl/ipad017'''
| ''(zu übersetzen)''
+
| ''Zhang, L. & Kollnig, K. (2024). Theory and practice: the protection of children’s personal information in China. International Data Privacy Law, 14(1), 37–52. DOI: 10.1093/idpl/ipad017''
 
|-
 
|-
 
| style="background:#eef;" | '''Zhu, J. (2022). The Personal Information Protection Law: China‘s Version of the GDPR? Columbia Journal of Transnational Law: The Bulletin. Available at: https://www.jtl.columbia.edu/'''
 
| style="background:#eef;" | '''Zhu, J. (2022). The Personal Information Protection Law: China‘s Version of the GDPR? Columbia Journal of Transnational Law: The Bulletin. Available at: https://www.jtl.columbia.edu/'''
| ''(zu übersetzen)''
+
| ''Zhu, J. (2022). The Personal Information Protection Law: China‘s Version of the GDPR? Columbia Journal of Transnational Law: The Bulletin. Available at: https://www.jtl.columbia.edu/''
 
|-
 
|-
 
| style="background:#eef;" | ''''''Part II: Teaching and Learning in Transformation''''''
 
| style="background:#eef;" | ''''''Part II: Teaching and Learning in Transformation''''''
| ''(zu übersetzen)''
+
| ''第二部分:变革中的教与学''
 
|-
 
|-
 
| style="background:#eef;" | '''<references />'''
 
| style="background:#eef;" | '''<references />'''

Latest revision as of 18:45, 14 May 2026


📌 Note (as of 8 May 2026): This page has been restructured so that each paragraph has its own table row. Existing Chinese translations were assigned automatically; the assignment is not correct in every case. Please check the right-hand column and move or correct the ZH translations if they do not match the DE paragraph. Untranslated paragraphs are marked "(zu übersetzen)" (to be translated).

English (Source) 中文 (Translation)
Student Data Protection in the Digital University: GDPR and China’s PIPL Compared 数字大学中的学生数据保护:GDPR与中国PIPL的比较
Martin Woesler Martin Woesler
Abstract 摘要
The digital transformation of higher education generates unprecedented volumes of student data — from learning management system interactions and assessment records to biometric proctoring data and predictive analytics profiles. Two of the world’s most consequential data protection regimes now govern how universities collect, process, and transfer this data: the European Union’s General Data Protection Regulation (GDPR, effective 2018) and China’s Personal Information Protection Law (PIPL, effective 2021). Yet despite superficial similarities — both establish individual rights over personal data, both impose significant penalties for violations, and both restrict cross-border data transfers — the two regimes reflect fundamentally different philosophical orientations: individual autonomy versus state sovereignty. This article provides a systematic comparison of GDPR and PIPL as they apply to the specific context of higher education. Drawing on enforcement data showing that EU data protection authorities have imposed 270 fines totaling more than EUR 29.3 million on educational institutions, and on research documenting that 81 percent of UK universities fail to meet GDPR compliance standards, we demonstrate that neither system has achieved satisfactory data protection in practice. We examine learning analytics, AI-driven assessment, cross-border student recruitment, and joint EU-China academic programs as four domains where the regulatory frameworks face their most serious tests. We argue that universities operating in both jurisdictions face a dual compliance challenge that current guidance inadequately addresses, and we propose a framework for navigating these overlapping obligations.
高等教育的数字化转型产生了前所未有的海量学生数据,从学习管理系统交互和评估记录,到生物识别监考数据和预测分析配置文件。世界上最重要的两个数据保护制度现在管理着大学如何收集、处理和传输这些数据:欧盟的《通用数据保护条例》(GDPR,2018年生效)和中国的《个人信息保护法》(PIPL,2021年生效)。然而,尽管表面上有相似之处——两者都确立了对个人数据的个人权利,都对侵犯行为施以严厉惩罚,并且都限制跨境数据传输——但这两种制度反映了根本不同的哲学取向:个人自治与国家主权。本文系统地比较了GDPR和PIPL的高等教育。执法数据显示,欧盟数据保护机构已对教育机构处以270笔罚款,总额超过2930万欧元,研究表明,81%的英国大学未能达到GDPR合规标准,根据这些数据,我们证明这两个系统在实践中都未能实现令人满意的数据保护。我们将学习分析、人工智能驱动的评估、跨境学生招聘和EU-中国联合学术项目作为监管框架面临最严峻考验的四个领域进行了研究。我们认为,在两个司法管辖区运营的大学面临双重合规挑战,当前的指南没有充分解决这一问题,我们提出了一个框架来导航这些重叠的义务。
Keywords: GDPR, PIPL, student data protection, learning analytics, higher education, cross-border data flows, privacy, EU-China comparison, AI in education 关键词:GDPR, PIPL,学生数据保护,学习分析,高等教育,跨境数据流动,隐私,中国EU-比较,人工智能在教育中
1. Introduction 1.简介
The digital university is, at its core, a data-generating institution. Every interaction a student has with a learning management system, every submission to an automated grading platform, every login to a campus network, and every engagement with an adaptive learning tool produces data that is collected, stored, analyzed, and — increasingly — shared across institutional and national boundaries. The COVID-19 pandemic accelerated this process dramatically: the rapid shift to online and hybrid learning normalized the collection of data streams that would have been unthinkable a decade earlier, including webcam footage from remote proctoring systems, keystroke dynamics for identity verification, and engagement metrics tracking how often and how long students interact with course materials. 数字大学的核心是一个数据生成机构。学生与学习管理系统的每一次交互、向自动评分平台的每一次提交、校园网络的每一次登录以及与适应性学习工具的每一次接触都会产生数据,这些数据被收集、存储、分析,并越来越多地跨机构和国家边界共享。新冠肺炎疫情极大地加速了这一过程:向在线和混合学习的快速转变使数据流的收集正常化,这在十年前是不可想象的,包括来自远程监督系统的网络摄像头镜头、用于身份验证的击键动力学以及跟踪学生与课程材料互动频率和时间的参与度指标。
Two comprehensive data protection regimes now govern how universities handle this information. The European Union’s General Data Protection Regulation, which took full effect in May 2018, established the world’s first comprehensive framework for personal data protection, with specific implications for educational institutions that process student data. China’s Personal Information Protection Law, effective from November 2021, created a parallel framework that, while structurally similar to the GDPR in many respects, reflects fundamentally different assumptions about the relationship between individuals, institutions, and the state. 现在有两个全面的数据保护机制来管理大学如何处理这些信息。欧盟的《通用数据保护条例》于2018年5月全面生效,建立了世界上第一个全面的个人数据保护框架,对处理学生数据的教育机构具有具体影响。2021年11月生效的中国个人信息保护法创造了一个平行框架,尽管在结构上与GDPR在许多方面相似,但反映了关于个人、机构和国家之间关系的根本不同的假设。
For universities engaged in international cooperation — joint degree programs, student exchange, collaborative research, cross-border recruitment — these two regimes create a dual compliance challenge of considerable complexity. A European university recruiting Chinese students must comply with the PIPL’s requirements for processing the personal information of Chinese residents; a Chinese university participating in an Erasmus+ partnership must understand GDPR obligations that may attach to data about European students. Yet the two systems diverge precisely where the compliance challenges are most acute: in their approaches to cross-border data transfer, consent requirements, enforcement mechanisms, and the treatment of minors. 对于参与国际合作的大学——联合学位项目、学生交流、合作研究、跨国招聘——这两种制度带来了相当复杂的双重合规挑战。一所欧洲大学招收中国学生,必须遵守PIPL对中国居民个人信息的处理要求;参与Erasmus+合作项目的中国大学必须了解GDPR的义务,这些义务可能与欧洲学生的数据相关。然而,这两个系统恰恰在合规挑战最严峻的地方出现了分歧:在跨境数据传输、同意要求、执行机制和未成年人待遇方面。
This article provides a systematic comparison of GDPR and PIPL as they apply to higher education, organized around four questions. First, how does each framework regulate the core data processing activities of universities — enrollment, assessment, analytics, and communication? Second, where do the two systems converge and where do they diverge in their philosophical foundations and practical requirements? Third, what specific challenges arise for institutions operating simultaneously under both regimes? Fourth, what practical strategies can universities adopt to achieve meaningful compliance with both frameworks? 本文围绕四个问题,对GDPR和PIPL的高等教育进行了系统的比较。首先,每个框架如何规范大学的核心数据处理活动——招生、评估、分析和交流?第二,这两种体系在哲学基础和实践要求上哪里趋同,哪里分歧?第三,在两种制度下同时运作的机构会面临哪些具体挑战?第四,大学可以采取哪些切实可行的策略来实现有意义地遵守这两个框架?
2. The GDPR Framework for Education 2.GDPR教育框架
2.1 Legal Bases for Student Data Processing 2.1学生数据处理的法律基础
The GDPR (Regulation 2016/679) provides six lawful bases for processing personal data, of which three are most relevant to universities: consent (Article 6(1)(a)), performance of a contract (Article 6(1)(b)), and legitimate interests (Article 6(1)(f)). European universities typically rely on a combination of these bases. Enrollment and academic administration are generally processed under contractual necessity — the student has entered into an educational contract with the institution. Research involving student data may rely on legitimate interests or, where sensitive data categories are involved, explicit consent. GDPR(第2016/679号条例)为处理个人数据提供了六个合法依据,其中三个与大学最相关:同意(第6(1)(a)条)、履行合同(第6(1)(b)条)和合法利益(第6(1)(f)条)。欧洲大学通常依赖这些基地的组合。注册和学术管理通常是在合同需要的情况下进行的——学生已经与学校签订了教育合同。涉及学生数据的研究可能依赖于合法利益,或者在涉及敏感数据类别时,依赖于明确的同意。
The application of these legal bases to learning analytics has proven particularly contentious. Liu and Khalil (2023), in a systematic review of 47 studies published in leading educational technology journals, identify a fundamental tension: the GDPR’s principle of purpose limitation — that data collected for one purpose should not be repurposed without additional legal basis — sits uncomfortably with the open-ended, exploratory nature of learning analytics, where the value of data often emerges only through analysis that was not anticipated at the time of collection. Prinsloo, Slade, and Khalil (2022) argue from a critical data studies perspective that purely technological solutions to this tension are insufficient; the power asymmetry between institutions and students means that meaningful consent is often illusory, particularly when students feel they cannot refuse data collection without academic consequences. 这些法律基础在学习分析中的应用被证明特别有争议。Liu和Khalil(2023)在对发表于主要教育技术期刊的47项研究的系统综述中,指出了一个根本性的紧张关系:GDPR的目的限制原则——为一个目的收集的数据不应在没有额外法律基础的情况下被再利用——与学习分析开放式、探索性的本质之间存在矛盾,在学习分析中,数据的价值往往只在收集时未预见到的分析中才显现出来。Prinsloo、Slade和Khalil(2022)从批判性数据研究的角度论证,纯技术解决方案不足以应对这种紧张关系;机构与学生之间的权力不对称意味着有意义的同意往往是虚幻的,特别是当学生觉得如果拒绝数据收集就会产生学术后果时。
'2.2 Enforcement Landscape' 2.2执行情况
The enforcement of GDPR in the education sector has been uneven but increasingly significant. According to the CMS GDPR Enforcement Tracker Report for 2024/2025, data protection authorities across 25 EU member states have imposed a total of 270 fines on schools, universities, and other educational institutions, amounting to more than EUR 29.3 million. The most common violations are processing without a sufficient legal basis (90 fines) and insufficient technical and organizational measures to protect data (76 fines) (CMS 2025). GDPR在教育领域的执法虽不均衡但日益显著。根据CMS 2024/2025年GDPR执法追踪报告,25个欧盟成员国的数据保护机构已对学校、大学和其他教育机构开出总计270张罚单,金额超过2930万欧元。最常见的违规行为是在缺乏充分法律基础的情况下进行处理(90张罚单)以及技术和组织保护措施不足(76张罚单)(CMS 2025)。
The most consequential individual case for higher education was the Italian data protection authority’s 2021 decision against Bocconi University, which imposed a EUR 200,000 fine for the use of the Respondus remote exam proctoring software. The authority found that the university had failed to obtain valid consent, had not conducted a data protection impact assessment, had provided insufficient transparency about data processing, and lacked a lawful basis for processing biometric data — violations that collectively illustrate the compliance challenges universities face when deploying surveillance-adjacent educational technologies (Garante 2021). 对高等教育影响最大的个案是意大利数据保护局2021年对博科尼大学的裁决,该裁决因使用Respondus远程考试监考软件而处以20万欧元的罚款。该机构发现,该大学未能获得有效的同意,没有进行数据保护影响评估,没有提供足够的数据处理透明度,并且缺乏处理生物识别数据的合法基础-这些违规行为共同表明了大学在部署监控邻近教育技术时面临的合规性挑战(Garante 2021)。
Yet enforcement captures only part of the picture. A 2024 study by the consultancy 7DOTS examined 335 UK universities and higher education colleges and found an 81 percent non-compliance rate with GDPR standards. Only 32 percent had implemented a Consent Management Platform, and of those, 66 percent were improperly configured (7DOTS 2024). These findings suggest that the education sector’s compliance deficit is not primarily a matter of deliberate violation but of institutional capacity: universities lack the resources, expertise, and organizational structures to implement the GDPR’s requirements effectively. 然而,执法只抓住了部分情况。咨询公司7 dots 2024年的一项研究调查了335所英国大学和高等教育学院,发现81%的学生不符合GDPR标准。只有32%实施了同意管理平台,其中66%配置不当(7DOTS 2024)。这些发现表明,教育部门的合规赤字主要不是故意违反的问题,而是机构能力的问题:大学缺乏有效实施GDPR要求的资源、专业知识和组织结构。
'2.3 Student Privacy Beyond the Classroom' 2.3课堂之外的学生隐私
The privacy challenges facing universities extend well beyond the learning management system. Giuffrida and Hall (2023) demonstrate that technology integration in higher education creates privacy risks at the enterprise level — institutional data systems, campus networks, and administrative platforms — that are distinct from the pedagogical context. Blackmon and Major (2023), in a PRISMA-based systematic review of student perspectives on privacy in technology-enhanced courses, find significant awareness gaps: students often do not understand what data is collected about them, how it is used, or what rights they have. Kumi-Yeboah and colleagues (2023) document fear and anxiety about data encroachment among diverse student populations, with particular concerns about learning management systems and social media integration. These findings collectively suggest that the GDPR’s emphasis on informed consent faces a practical obstacle: the information asymmetry between institutions and students is so large that genuine informed consent may be unattainable for many data processing activities. 大学面临的隐私挑战远远超出了学习管理系统。Giuffrida和Hall (2023)证明,高等教育中的技术集成会在企业层面(机构数据系统、校园网络和行政平台)产生隐私风险,这与教学环境截然不同。Blackmon和Major (2023年)在一项基于PRISMA的关于学生在技术增强课程中对隐私的看法的系统审查中,发现了明显的意识差距:学生往往不明白收集了关于他们的哪些数据,这些数据是如何使用的,或者他们拥有什么权利。Kumi-Yeboah及其同事(2023)记录了不同学生群体对数据侵犯的恐惧和焦虑,特别是对学习管理系统和社交媒体整合的担忧。这些发现共同表明,GDPR对知情同意的强调面临一个实际障碍:机构和学生之间的信息不对称如此之大,以至于许多数据处理活动可能无法获得真正的知情同意。
'3. China’s PIPL: Structure and Educational Implications' 3.《中国的PIPL:结构与教育含义》
'3.1 Architectural Overview' 3.1架构概述
China’s Personal Information Protection Law, effective 1 November 2021, establishes a comprehensive framework for personal data protection that is structurally parallel to the GDPR in many respects — extraterritorial scope, individual rights (access, correction, deletion, portability), requirements for data protection impact assessments, and significant penalties for violations — while reflecting fundamentally different philosophical commitments (Li and Chen 2024; Lim and Oh 2025). 中国的《个人信息保护法》自2021年11月1日起生效,建立了一个在许多方面与GDPR结构平行的全面个人数据保护框架——域外适用范围、个人权利(访问、更正、删除、可携带性)、数据保护影响评估要求以及对违规行为的重大处罚——同时反映了根本不同的哲学承诺(Li和Chen 2024; Lim和Oh 2025)。
The PIPL defines “personal information” broadly as any information relating to an identified or identifiable natural person recorded by electronic or other means (Article 4). Like the GDPR, it establishes lawful bases for processing — consent, contractual necessity, legal obligation, public health emergencies, news reporting in the public interest, and reasonable processing of publicly available information (Article 13). Unlike the GDPR, however, the PIPL does not include “legitimate interests” as a standalone legal basis, making consent the primary mechanism for lawful processing in most educational contexts (IAPP 2021; Zhu 2022). PIPL将"个人信息"广泛定义为通过电子或其他方式记录的与已识别或可识别的自然人相关的任何信息(第4条)。与GDPR类似,它建立了处理的合法基础——同意、合同必要性、法律义务、公共卫生紧急事件、公共利益的新闻报道以及对公开信息的合理处理(第13条)。然而,与GDPR不同的是,PIPL不包括"正当利益"作为独立的法律基础,使同意成为大多数教育情境中合法处理的主要机制(IAPP 2021; Zhu 2022)。
'3.2 Enhanced Protection for Minors' 3.2加强保护未成年人
The PIPL’s treatment of minors represents one of its most significant divergences from the GDPR. Article 28 classifies all personal information of individuals under the age of 14 as “sensitive personal information,” regardless of its nature, requiring parental consent for processing and a separate privacy impact assessment. Zhang and Kollnig (2024), in a study published in International Data Privacy Law, trace five legislative developments that progressively strengthened children’s protections under Chinese law, while documenting significant gaps between legal requirements and actual practice in Chinese applications. PIPL对未成年人的待遇是其与GDPR最大的差异之一。第28条将14岁以下个人的所有个人信息归类为“敏感个人信息”,无论其性质如何,都需要父母同意才能处理,并进行单独的隐私影响评估。张和Kollnig (2024年)在《国际数据隐私法》上发表的一项研究中,追踪了逐步加强中国法律下儿童保护的五项立法发展,同时记录了法律要求和中国应用中的实际做法之间的重大差距。
For universities, the implications are indirect but important. While most university students are over 14, secondary school recruitment activities, summer programs for minors, and dual-enrollment programs all involve processing data of individuals who may fall within this protected category. The PIPL’s approach is arguably stricter than the GDPR’s in this specific area: the GDPR sets the age of digital consent at 16 (with member state discretion to lower it to 13), but does not automatically classify all data of minors as sensitive. 对大学来说,这种暗示是间接的,但却是重要的。虽然大多数大学生都超过14岁,但中学招聘活动、未成年人暑期项目和双招生项目都涉及处理可能属于此受保护类别的个人数据。在这一特定领域,PIPL的做法可以说比GDPR更严格:GDPR将数字同意的年龄定为16岁(成员国可酌情将年龄降至13岁),但不会自动将未成年人的所有数据归类为敏感数据。
'3.3 Data Localization and Cross-Border Transfer' 3.3数据本地化和跨境传输
The PIPL’s requirements for cross-border data transfer are among its most practically consequential provisions for international universities. Article 38 establishes three mechanisms for transferring personal information outside China: passing a security assessment organized by the Cyberspace Administration of China (CAC), obtaining personal information protection certification from a specialized institution, or concluding a standard contract formulated by the CAC with the overseas recipient. In October 2025, the CAC and the State Administration for Market Regulation jointly issued the Measures for the Certification of Cross-Border Transfer of Personal Information, effective 1 January 2026, completing this three-pillar framework (CMS Law-Now 2025). PIPL对跨境数据传输的要求是其对国际大学最实际的规定之一。第38条建立了三种将个人信息转移到中国境外的机制:通过中国网络空间管理局(CAC)组织的安全评估,从专门机构获得个人信息保护认证,或与海外接收者签订CAC制定的标准合同。2025年10月,CAC和国家市场监管局联合发布了《个人信息跨境转移认证办法》,自2026年1月1日起生效,完成了这一三支柱框架(CMS法-现为2025年)。
Additionally, the Regulations on Network Data Security Management, effective 1 January 2025, require organizations processing personal information of more than 10 million individuals to appoint a data security officer and conduct regular audits (State Council 2024). While few individual universities reach this threshold, aggregated educational platforms and national student information systems frequently do. 第五,投资于机构能力。7DOTS(2024)和CMS(2025)记录的准备度差距反映的不是故意不合规,而是专业知识和资源不足。大学应指定具有教育数据和国际数据流专业知识的数据保护官,并为教职人员和行政人员提供定期培训。
The practical implications for international academic cooperation are significant. As the MIT Office of General Counsel (2022) has noted, the PIPL is triggered whenever an institution obtains admissions applications from Chinese citizens residing in China, conducts recruitment activities there, offers online courses accessible to Chinese residents, performs human-subjects research using Chinese residents’ data, or collaborates with Chinese academic institutions that share student data. The American Association of Collegiate Registrars and Admissions Officers (AACRAO 2022) has published specific compliance guidance for admissions and registrar offices, reflecting the growing awareness that routine international student recruitment now carries data protection obligations under both GDPR and PIPL. 国际学术合作的实际意义是重大的。正如麻省理工学院总法律顾问办公室(2022)所指出的,每当一个机构获得居住在中国的中国公民的入学申请,在中国开展招聘活动,提供中国居民可以访问的在线课程,使用中国居民的数据进行人体研究,或与分享学生数据的中国学术机构合作,就会触发PIPL。美国大学注册和招生官员协会(AACRAO 2022)发布了针对招生和注册办公室的具体合规指南,反映出越来越多的人意识到,根据GDPR和PIPL的规定,常规的国际学生招聘现在都负有数据保护义务。
'4. Systematic Comparison' 4.系统比较
'4.1 Philosophical Foundations' 4.1哲学基础
The most fundamental difference between GDPR and PIPL lies not in their technical provisions but in their philosophical orientations. The GDPR emerges from a tradition of individual rights protection, rooted in the European Convention on Human Rights and the EU Charter of Fundamental Rights. Its core assumption is that personal data protection is a fundamental right of the individual, which can be limited only under specified conditions and subject to proportionality review. Li and Chen (2024), in their analysis of the “Brussels Effect” on Chinese data protection law, introduce a “gravity assist” model: while the GDPR’s structural influence on the PIPL is evident, China’s adoption reflects not convergence but strategic adaptation to its distinct political, cultural, and legal context. GDPR和PIPL之间最根本的区别不在于它们的技术条款,而在于它们的哲学取向。GDPR有保护个人权利的传统,这一传统植根于《欧洲人权公约》和《欧盟基本权利宪章》。其核心假设是,个人数据保护是个人的一项基本权利,只能在特定条件下加以限制,并接受相称性审查。李和陈(2024)在分析中国数据保护法的“布鲁塞尔效应”时,引入了一个“引力辅助”模型:虽然对的结构性影响显而易见,但中国的采用反映的不是趋同,而是对其独特的政治、文化和法律环境的战略适应。
The PIPL, by contrast, reflects what Lim and Oh (2025) describe as a “state sovereignty” orientation. The law serves multiple objectives simultaneously: protecting individual privacy, certainly, but also safeguarding national security, promoting the digital economy, and maintaining social stability. The law’s enforcement is centralized under the CAC, which is simultaneously responsible for internet censorship, cybersecurity, and data governance — a combination that would be impermissible under the GDPR’s requirement for independent supervisory authorities (Article 52). 相比之下,PIPL反映了Lim和Oh (2025)所描述的“国家主权”取向。这部法律同时服务于多个目标:保护个人隐私,当然,也保护国家安全,促进数字经济,维护社会稳定。该法律的执行由反腐败委员会集中负责,该委员会同时负责互联网审查、网络安全和数据治理——根据GDPR对独立监督机构的要求(第52条),这种结合是不允许的。
'4.2 Structural Differences' 4.2结构差异
Several structural differences have direct implications for universities: 几个结构性差异对大学有直接影响:
Consent. The GDPR recognizes six lawful bases for processing; the PIPL’s absence of a “legitimate interests” basis makes consent more central, particularly for educational data processing that goes beyond contractual necessity. The PIPL additionally requires separate consent for cross-border transfers (Article 39) and for processing sensitive personal information (Article 29). 同意。GDPR承认六个合法的处理依据;PIPL缺乏“合法利益”基础,这使得同意更加重要,特别是对于超出合同必要性的教育数据处理。PIPL还要求跨境转移(第39条)和处理敏感个人信息(第29条)需要单独同意。
Penalties. The GDPR imposes maximum fines of EUR 20 million or 4 percent of global annual turnover, whichever is greater. The PIPL imposes maximum fines of RMB 50 million (approximately EUR 6.4 million) or 5 percent of the previous year’s annual revenue for grave violations, plus potential personal liability for responsible individuals — a feature without direct GDPR equivalent (IAPP 2021; DataGuidance 2022). '处罚'。GDPR的最高罚款为2000万欧元或全球年营业额的4%,以较高者为准。PIPL对严重违规的最高罚款为5000万人民币(约640万欧元)或上一年度年收入的5%,另外还对责任个人追究个人责任——这一特征在GDPR中没有直接对应项(IAPP 2021; DataGuidance 2022)。
Enforcement. The GDPR’s enforcement is decentralized across national data protection authorities, with coordination through the European Data Protection Board. The PIPL’s enforcement is centralized under the CAC, with additional sector-specific oversight from the Ministry of Education for educational institutions. The GDPR requires supervisory authorities to be independent; the PIPL imposes no such requirement. 强制执行。在欧洲数据保护委员会的协调下,GDPR的执法工作分散在各个国家数据保护机构。PIPL的执法工作集中在反腐败委员会之下,教育部对教育机构进行额外的具体部门监督。GDPR要求监管机构独立;PIPL没有提出这样的要求。
Cross-border transfers. The GDPR permits transfers to countries with “adequate” data protection (adequacy decisions), or through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PIPL offers security assessment, standard contracts, and certification, but does not employ an adequacy mechanism — there is no list of “safe” countries to which data may flow freely (Fernandez-Novel Escobar 2025). 跨境转移。GDPR允许向数据保护“充分”的国家/地区(充分性决定),或通过标准合同条款(SCC)和有约束力的公司规则(bcr)进行转让。PIPL提供安全评估、标准合同和认证,但没有采用充分性机制——没有数据可以自由流动的“安全”国家的列表(Fernandez-Novel Escobar 2025)。
Data subject rights. Both frameworks provide broadly similar individual rights: access, correction, deletion, and portability. The PIPL additionally grants next-of-kin the right to exercise deceased persons’ data rights — a provision with potential relevance for universities managing the records of deceased students (DataGuidance 2022). The PIPL also includes a broader definition of “sensitive personal information” that encompasses financial data, location data, and biometric information alongside the categories recognized by the GDPR. 数据主体权利。两个框架都提供了大体相似的个人权利:访问、修改、删除和可移植性。PIPL还授予近亲行使死者数据权的权利——这一规定可能与管理已故学生记录的大学有关(数据指导2022)。PIPL还包括“敏感个人信息”的更广泛定义,除了GDPR认可的类别外,还包括财务数据、位置数据和生物识别信息。
'4.3 Convergence and Divergence' 4.3趋同与趋异
Despite these differences, the two frameworks converge in important ways. Both require data protection impact assessments for high-risk processing. Both impose transparency obligations requiring clear, accessible privacy notices. Both provide for data portability — the right to receive one’s personal data in a structured, machine-readable format. Both establish extraterritorial scope, applying to entities outside their jurisdiction that process the data of their residents. And both impose requirements for data breach notification, though with different timelines: 72 hours under the GDPR (Article 33), versus an unspecified but prompt timeframe under the PIPL. 尽管存在这些差异,但这两个框架在一些重要方面有所融合。两者都要求对高风险处理进行数据保护影响评估。两者都规定了透明度义务,要求清晰、易获取的隐私声明。两者都提供了数据可移植性——以结构化的、机器可读的格式接收个人数据的权利。两者都确立了治外法权的范围,适用于在其管辖范围之外处理其居民数据的实体。两者都规定了数据泄露通知的要求,尽管有不同的时间表:GDPR的72小时(第33条),而PIPL的时间表不明确但很快。
The pattern that emerges is convergence at the level of principles — both systems recognize that personal data deserves protection, that individuals should have rights over their data, and that organizations must be held accountable for their processing activities — with significant divergence at the level of implementation, philosophical justification, and enforcement culture. As Solove (2022) observes, the PIPL is often described as “China’s GDPR,” but this characterization obscures important structural differences that have direct practical consequences for organizations operating under both regimes. 出现的模式是原则层面的趋同——两个系统都承认个人数据值得保护,个人应该对其数据拥有权利,组织必须对其处理活动负责——但在实施、哲学论证和执行文化层面存在显著差异。正如Solove (2022)所观察到的,PIPL经常被描述为“中国的GDPR”,但这种描述掩盖了重要的结构差异,而这些差异对在两种制度下运营的组织具有直接的实际影响。
'5. Learning Analytics: The Critical Test Case' 5.学习分析:关键测试案例
Learning analytics represents the domain where the tension between data protection and educational innovation is most acute. Universities increasingly deploy predictive analytics systems that use historical student data to identify students at risk of failure, recommend interventions, and personalize learning pathways. These systems require the processing of large volumes of student data — often aggregated from multiple sources and analyzed using machine learning algorithms — in ways that challenge the fundamental principles of both GDPR and PIPL. 学习分析代表了数据保护和教育创新之间矛盾最尖锐的领域。大学越来越多地部署预测分析系统,这些系统使用历史学生数据来识别有失败风险的学生,推荐干预措施,并个性化学习途径。这些系统需要处理大量的学生数据——通常是从多个来源汇总的,并使用机器学习算法进行分析——其方式挑战了GDPR和PIPL的基本原则。
Under the GDPR, learning analytics systems face challenges on multiple fronts. Purpose limitation (Article 5(1)(b)) requires that data be collected for specified, explicit purposes and not further processed in a manner incompatible with those purposes. But the value of learning analytics often depends on precisely this kind of repurposing: data collected for course administration is analyzed for patterns that inform institutional strategy. Data minimization (Article 5(1)(c)) requires that only data adequate, relevant, and limited to what is necessary be processed — yet predictive models typically perform better with more data, creating a structural incentive toward maximal collection. Transparency (Articles 13-14) requires that individuals be informed about automated decision-making — but the complexity of machine learning models often makes meaningful explanation difficult. 在GDPR下,学习分析系统面临着多方面的挑战。目的限制(第5条第1款(b)项)要求为具体、明确的目的收集数据,并且不以不符合这些目的的方式进一步处理数据。但学习分析的价值往往恰恰取决于这种再利用:为课程管理收集的数据被分析,以获得告知机构战略的模式。数据最小化(第5(1)(c)条)要求只处理足够的、相关的数据,并且仅限于必要的数据——然而,预测模型通常在数据越多的情况下表现越好,这为最大限度地收集数据创造了结构性激励。透明度(第13-14条)要求个人被告知自动化决策——但机器学习模型的复杂性往往使有意义的解释变得困难。
Under the PIPL, learning analytics faces additional challenges. The absence of a legitimate interests basis means that universities must typically rely on consent for analytics that go beyond direct educational delivery. The requirement for separate consent for processing sensitive information (Article 29) may be triggered by analytics that process academic performance data in ways that reveal protected characteristics. And the data localization requirements mean that analytics platforms operated by international providers must navigate complex cross-border transfer rules. 在PIPL下,学习分析面临额外的挑战。缺乏合法的利益基础意味着大学通常必须依赖同意进行超出直接教育交付范围的分析。对处理敏感信息的单独同意的要求(第29条)可能由以揭示受保护特征的方式处理学业成绩数据的分析所触发。数据本地化要求意味着由国际提供商运营的分析平台必须遵循复杂的跨境传输规则。
Xue and colleagues (2025), in an analysis of AI privacy concerns in higher education across Chinese and English-language media, found that while both contexts identify AI-driven proctoring, student data security, and institutional governance as central concerns, the emphasis differs: Western coverage foregrounds individual privacy rights, while Chinese coverage more frequently addresses the relationship between AI-driven educational innovation and institutional governance. This divergence mirrors the broader philosophical difference between the two regulatory frameworks. 薛和他的同事(2025)在分析中英文媒体对高等教育中人工智能隐私的关注时发现,尽管两种背景都将人工智能驱动的监考、学生数据安全和机构治理确定为主要关注点,但侧重点有所不同:西方的报道强调个人隐私权利,而中国的报道更频繁地讨论人工智能驱动的教育创新和机构治理之间的关系。这种分歧反映了两种监管框架之间更广泛的哲学差异。
Lachheb and colleagues (2023) argue that maintaining student privacy in educational technology requires attention not only to policy and law but to design ethics — the principles embedded in the technological systems themselves. They propose a framework to help instructional designers evaluate whether design patterns unintentionally undermine learner agency, suggesting that compliance with either GDPR or PIPL requires intervention at the design stage, not merely at the policy level. Liu, Khalil, and colleagues (2025) explore synthetic data generation with differential privacy mechanisms as a technical approach to this challenge, enabling learning analytics research without exposing individual student records. Lachheb及其同事(2023)认为,在教育技术中维护学生隐私不仅需要关注政策和法律,还需要关注设计伦理——嵌入技术系统本身的原则。他们提出了一个框架来帮助教学设计师评估设计模式是否无意中损害了学习者的能动性,建议无论是GDPR还是PIPL的合规都需要在设计阶段进行干预,而不仅仅是在政策层面。Liu、Khalil及其同事(2025)探索了具有差分隐私机制的合成数据生成作为这一挑战的技术方法,使学习分析研究可以在不暴露个人学生记录的情况下进行。
'6. AI-Driven Assessment and Proctoring' 6.人工智能驱动的评估和监督
The EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024, adds a further regulatory layer for European universities. The Act classifies AI systems used for educational assessment and proctoring as “high-risk” under Annex III, Section 3, requiring conformity assessments, human oversight, and technical documentation. Article 5(1)(f) prohibits emotion recognition systems in educational settings (European Parliament and Council 2024). 2024年8月1日生效的欧盟AI法案(第2024/1689号条例)为欧洲大学增加了又一个监管层。该法案将用于教育评估和监考的人工智能系统归类为附件III第3节下的“高风险”系统,要求符合性评估、人工监督和技术文档。第5(1)(f)条禁止在教育环境中使用情绪识别系统(欧洲议会和理事会,2024年)。
The interaction between the AI Act and GDPR creates a layered compliance obligation: universities deploying AI-powered assessment tools must satisfy both the AI Act’s requirements for high-risk systems and the GDPR’s requirements for lawful data processing. The Bocconi University case demonstrates the consequences of failing to meet the latter; the AI Act will add additional requirements from August 2026 onward. A 2025 report by the Rockefeller Institute of Government recommends that universities map their AI use cases against the Act’s risk categories as a first step toward compliance, citing the governance models developed by Utrecht University and the University of Edinburgh as reference frameworks (Rockefeller Institute 2025). 人工智能法案和GDPR之间的相互作用产生了一个分层的合规义务:部署人工智能评估工具的大学必须满足人工智能法案对高风险系统的要求和GDPR对合法数据处理的要求。博科尼大学的案例表明了不满足后者的后果;AI法案将从2026年8月起增加额外的要求。洛克菲勒政府研究所(Rockefeller Institute of Government)2025年的一份报告建议,大学根据该法案的风险类别绘制其人工智能用例,作为实现合规的第一步,引用乌得勒支大学和爱丁堡大学开发的治理模型作为参考框架(洛克菲勒研究所2025)。
China’s approach to AI in educational assessment reflects its sector-specific regulatory philosophy. Rather than a single comprehensive AI law, China governs educational AI through a combination of the 2023 Interim Measures for Generative AI Services, the PIPL’s provisions for automated decision-making, and Ministry of Education directives. The use of AI proctoring and surveillance technologies in Chinese universities, while subject to PIPL consent requirements, does not face the categorical restrictions imposed by the EU AI Act’s emotion recognition ban. This regulatory asymmetry has practical implications for technology companies developing educational assessment tools for both markets: systems designed for China may include features that are prohibited in the EU, and vice versa. 中国在教育评估中对人工智能的做法反映了其特定部门的监管理念。中国不是单一的综合人工智能法律,而是通过结合2023年生成性人工智能服务暂行办法、PIPL自动决策规定和教育部指令来管理教育人工智能。在中国大学使用人工智能监考和监控技术,虽然需要得到PIPL的同意,但不会面临欧盟人工智能法案情感识别禁令的明确限制。这种监管不对称对为两个市场开发教育评估工具的科技公司具有实际影响:为中国设计的系统可能包含在欧盟被禁止的功能,反之亦然。
The Bocconi case illustrates a broader tension. Remote proctoring systems — which typically capture webcam footage, track eye movements, monitor keyboard and mouse activity, and may use facial recognition to verify identity — process categories of data that trigger the GDPR’s most stringent requirements: biometric data (Article 9), automated decision-making (Article 22), and profiling. Under the PIPL, biometric information is classified as sensitive personal information requiring separate consent (Article 28), but there is no categorical prohibition comparable to the AI Act’s emotion recognition ban. The result is a regulatory landscape where the same technology may be lawful in one jurisdiction and prohibited in the other, depending on its specific capabilities and the legal basis invoked. 博科尼的案例反映了一种更广泛的紧张关系。远程监督系统通常会捕捉网络摄像机镜头,跟踪眼球运动,监控键盘和鼠标活动,并可能使用面部识别来验证身份,处理触发GDPR最严格要求的数据类别:生物特征数据(第9条),自动决策(第22条)和特征分析。根据《PIPL 》,生物特征信息被归类为需要单独同意的敏感个人信息(第28条),但没有类似于《人工智能法》情感识别禁令的明确禁止。其结果是出现了这样一种监管格局:同一种技术在一个管辖区可能是合法的,而在另一个管辖区可能是被禁止的,这取决于其具体能力和援引的法律依据。
'7. Joint EU-China Programs: Dual Compliance in Practice' 7.EU-中国联合项目:实践中的双重合规
The most acute compliance challenges arise in joint EU-China academic programs, where student data routinely crosses jurisdictional boundaries. A European university offering a joint degree with a Chinese partner institution must transfer enrollment data, academic records, and potentially learning analytics data between the two institutions — transfers that must comply simultaneously with the GDPR’s requirements for international data transfer and the PIPL’s cross-border transfer provisions. 最严峻的合规性挑战出现在EU--中国联合学术项目中,学生数据经常跨越管辖边界。与中国合作机构提供联合学位的欧洲大学必须在两个机构之间传输注册数据、学术记录和潜在的学习分析数据,这些传输必须同时符合GDPR的国际数据传输要求和PIPL的跨境传输规定。
The practical difficulties are considerable. GDPR transfers to China cannot currently rely on an adequacy decision (the European Commission has not recognized China as providing adequate data protection). Standard Contractual Clauses may be used, but must be supplemented by a transfer impact assessment that considers Chinese surveillance laws and government access provisions — an assessment whose conclusions may be unfavorable. In the other direction, PIPL transfers to Europe require one of the three mechanisms described above: CAC security assessment, standard contract, or certification. 实际困难相当大。GDPR对中国的转让目前不能依赖于充分性决定(欧洲委员会不承认中国提供了充分的数据保护)。可以使用标准合同条款,但必须辅以考虑中国监控法律和政府访问规定的转让影响评估,该评估的结论可能不利。另一方面,PIPL向欧洲的转让需要上述三种机制之一:CAC安全评估、标准合同或认证。
The Future of Privacy Forum’s guidance for US higher education institutions (Zanfir-Fortuna 2020), while not directly applicable to the EU-China context, illustrates the complexity of international academic data flows. The report identifies ten compliance steps that international universities must address, including data mapping, legal basis identification, vendor management, and breach notification procedures — each of which must be adapted for both GDPR and PIPL requirements. 隐私论坛对美国高等教育机构的未来指导(赞菲尔-福尔图娜2020)虽然不能直接适用于中国EU-的情况,但却说明了国际学术数据流的复杂性。该报告确定了国际大学必须解决的十个合规性步骤,包括数据映射、法律依据识别、供应商管理和违规通知程序,每个步骤都必须适应GDPR和PIPL的要求。
These challenges are not hypothetical. Sino-European joint programs have expanded significantly in recent decades. China hosts hundreds of Chinese-foreign cooperative education programs approved by the Ministry of Education, many of which involve European partner institutions. The EU’s Erasmus+ program supports academic exchanges with Chinese universities. The EU-China Tuning project has aligned degree structures across dozens of institutions. In each of these contexts, student data flows between jurisdictions are routine and necessary — yet the legal framework for these flows remains fragmented and uncertain. 这些挑战不是假设的。近几十年来,中欧合作项目显著扩大。中国主办了数百个经教育部批准的中外合作教育项目,其中许多涉及欧洲的合作机构。欧盟的Erasmus+计划支持与中国大学的学术交流。EU-中国调整项目已经调整了几十个机构的学位结构。在上述每一种情况下,学生数据在司法管辖区之间的流动都是常规且必要的——但这些流动的法律框架仍然支离破碎且不确定。
A specific challenge arises in the context of student recruitment. European universities actively recruit Chinese students — China was the largest source country for international students in Europe before the pandemic and has largely regained that position. Under the PIPL, a European university that collects personal information from prospective Chinese students through online application portals, recruitment events in China, or agent partnerships is processing the personal information of Chinese residents and is therefore subject to the PIPL’s requirements, including the obligation to obtain consent in Chinese, to provide a privacy notice compliant with Chinese law, and to navigate the cross-border transfer framework for transmitting application data back to Europe. Few European universities have adapted their recruitment practices to meet these requirements. 在招生方面出现了一个特殊的挑战。欧洲大学积极招收中国学生——在疫情之前,中国是欧洲最大的国际学生来源国,现在已经基本恢复了这一地位。根据PIPL,一所欧洲大学通过在线申请门户网站、在中国的招聘活动或代理合作伙伴关系收集潜在中国学生的个人信息,该大学正在处理中国居民的个人信息,因此需要遵守PIPL的要求,包括有义务获得中文同意书,提供符合中国法律的隐私声明,并通过跨境传输框架将申请数据传输回欧洲。很少有欧洲大学调整了他们的招聘实践来满足这些要求。
For universities engaged in EU-China cooperation, we identify four practical strategies for managing dual compliance. First, data minimization at the point of transfer: sharing only the minimum data necessary for the joint program, using anonymized or pseudonymized data wherever possible. Second, architectural separation: maintaining separate data systems for EU and Chinese operations, with controlled interfaces for necessary data exchange. Third, contractual frameworks: developing bilateral data sharing agreements that explicitly address both GDPR and PIPL requirements, including provisions for data subject rights, breach notification, and data retention. Fourth, institutional capacity building: investing in staff training and data protection expertise that spans both regulatory frameworks. 对于参与EU-中国合作的大学,我们确定了管理双重合规的四个实用策略。首先,在传输点尽量减少数据:只分享联合项目所需的最少数据,尽可能使用匿名或假名数据。第二,架构分离:为欧盟和中国的运营维护独立的数据系统,使用受控接口进行必要的数据交换。第三,合同框架:制定双边数据共享协议,明确解决GDPR和PIPL的要求,包括数据主体权利、违约通知和数据保留的规定。第四,机构能力建设:投资于跨越两种监管框架的员工培训和数据保护专业知识。
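The first strategy (data minimization at the point of transfer) and the PIPL’s separate-consent requirement for cross-border transfers (Article 39, as cited in Section 4.2) can both be enforced in the export step itself. The following Python is an added example, not part of the original chapter; the field names, the `cross_border_consent` flag and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical allow-list (assumption): the only attributes the partner
# institution needs to award credit in the joint program.
TRANSFER_FIELDS = ("programme", "course_code", "grade", "credits")

# Constructed sample records; all identifiers and values are invented.
SAMPLE_RECORDS = [
    {"student_id": "S1001", "name": "Student A", "email": "a@uni.example",
     "date_of_birth": "2003-04-12", "programme": "JD-ENG",
     "course_code": "EE201", "grade": "A", "credits": 6,
     "cross_border_consent": True},
    {"student_id": "S1002", "name": "Student B", "email": "b@uni.example",
     "date_of_birth": "2002-11-30", "programme": "JD-ENG",
     "course_code": "EE201", "grade": "B", "credits": 6,
     "cross_border_consent": False},  # no separate consent on record
    {"student_id": "S1001", "name": "Student A", "email": "a@uni.example",
     "date_of_birth": "2003-04-12", "programme": "JD-ENG",
     "course_code": "MA105", "grade": "B", "credits": 4,
     "cross_border_consent": True},
]


def pseudonym(student_id: str, key: bytes) -> str:
    """Return a keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    The key never leaves the sending institution, so the recipient can
    link rows of the same student but cannot recompute or reverse the ID.
    An unkeyed hash would not do: student IDs are short and enumerable.
    """
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    digest = hmac.new(key, student_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def minimize_for_transfer(record: dict, key: bytes) -> dict:
    """Build the outbound row: pseudonym plus allow-listed fields only."""
    # Fail closed: a missing flag is treated the same as a refusal.
    if record.get("cross_border_consent") is not True:
        raise PermissionError("no separate cross-border consent recorded")
    missing = [f for f in TRANSFER_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record lacks required fields: {missing}")
    row = {"pid": pseudonym(record["student_id"], key)}
    # Copy by allow-list, so a column added to the source system later
    # is not exported unless someone deliberately lists it here.
    row.update({f: record[f] for f in TRANSFER_FIELDS})
    return row


def build_transfer_batch(records, key: bytes):
    """Return (rows to send, student IDs withheld for lack of consent)."""
    batch, withheld = [], []
    for record in records:
        try:
            batch.append(minimize_for_transfer(record, key))
        except PermissionError:
            # The withheld list stays in the sender's own system.
            withheld.append(record["student_id"])
    return batch, withheld


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # in practice: loaded from a key store
    rows, held_back = build_transfer_batch(SAMPLE_RECORDS, demo_key)
    for row in rows:
        print(row)
    print("withheld:", held_back)
```

Pseudonymized rows remain personal data under the GDPR, so this step reduces what is exposed in transit and at the recipient without replacing the transfer mechanism itself.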
'8. The Readiness Gap' 8.准备差距
Despite the significance of these regulatory frameworks, empirical evidence suggests that universities in both jurisdictions face a substantial readiness gap. In the European context, the 7DOTS (2024) finding that 81 percent of UK universities fail GDPR compliance standards is consistent with the CMS Enforcement Tracker data showing persistent violations across 25 member states. The XL Law and Consulting analysis documents 45 GDPR enforcement actions against educational institutions, with an average fine of approximately EUR 32,600 — modest compared to the technology sector, but meaningful for institutions with constrained budgets (XL Law 2023). 尽管这些监管框架具有重要意义,实证证据表明两个管辖区的大学都面临着巨大的准备度差距。在欧洲背景下,7DOTS(2024)关于81%的英国大学未能通过GDPR合规标准的发现与CMS执法追踪数据一致,后者显示25个成员国存在持续的违规行为。XL Law and Consulting的分析记录了45项针对教育机构的GDPR执法行动,平均罚款约为32,600欧元——与技术行业相比属于适度水平,但对预算有限的机构来说意义重大(XL Law 2023)。
XL Law and Consulting’s analysis of GDPR enforcement actions further reveals a sectoral pattern: educational institutions account for under 3 percent of all GDPR enforcement actions, with an average fine of approximately EUR 32,600 — compared to EUR 1.8 million across all sectors. Spain, Italy, and Poland are responsible for over 65 percent of enforcement actions against higher education institutions. Notably, self-reporting data breaches did not shield institutions from substantial fines, suggesting that proactive compliance efforts must go beyond incident response (XL Law 2023). XL Law and Consulting对GDPR执法行动的分析进一步揭示了一个部门模式:教育机构占所有GDPR执法行动的不到3 %,平均罚款约为32,600欧元,而所有部门的罚款为180万欧元。西班牙、意大利和波兰占针对高等教育机构的执法行动的65%以上。值得注意的是,自我报告数据泄露并不能保护机构免受巨额罚款,这表明主动合规努力必须超越事件响应(XL Law 2023)。
In the Chinese context, the readiness gap manifests differently. While the PIPL has been in force since November 2021, enforcement in the education sector has been less visible than in the technology and financial sectors. The emphasis has been on platform companies processing data at scale rather than on individual educational institutions. However, the Regulations on Network Data Security Management (effective January 2025) and the Certification Measures for cross-border transfers (effective January 2026) signal increasing regulatory attention to data governance practices across all sectors, including education. 在中国的背景下,准备程度的差距有不同的表现。虽然《PIPL》自2021年11月生效,但教育部门的执法不如科技和金融部门明显。重点是平台公司大规模处理数据,而不是单个教育机构。然而,《网络数据安全管理条例》( 2025年1月生效)和《跨境传输认证办法》( 2026年1月生效)标志着监管机构越来越关注包括教育在内的所有部门的数据治理实践。
The European Data Protection Board’s Opinion 28/2024, adopted in December 2024, addresses data protection aspects of AI model training and deployment, noting that GDPR applies to AI models trained on personal data because of their memorization capabilities (EDPB 2024). For universities developing or deploying AI-based educational tools, this opinion has significant implications: even AI models that do not store personal data in recognizable form may be subject to GDPR requirements if they can be prompted to produce personal information. 2024年12月通过的欧洲数据保护委员会第28/2024号意见解决了人工智能模型训练和部署的数据保护方面,指出GDPR适用于根据个人数据训练的人工智能模型,因为它们具有记忆能力(EDPB 2024)。对于开发或部署基于人工智能的教育工具的大学来说,这一观点具有重大意义:即使是不以可识别的形式存储个人数据的人工智能模型,如果可以被提示提供个人信息,也可能受到GDPR要求的约束。
9. Recommendations for Universities 9.给大学的建议
Based on our comparative analysis, we propose seven recommendations for universities seeking to navigate the overlapping requirements of GDPR and PIPL: 基于我们的比较分析,我们为寻求应对GDPR和PIPL重叠要求的大学提出了七条建议:
First, conduct a comprehensive data mapping exercise that identifies all personal data processing activities, their legal bases under both GDPR and PIPL, and all cross-border data flows. This mapping should cover not only formal academic processes but also ancillary systems: campus Wi-Fi analytics, library databases, career services platforms, and alumni management systems. 首先,开展全面的数据摸底工作,确定所有个人数据处理活动、它们在GDPR和PIPL的法律依据以及所有跨境数据流动。这种映射不仅应该涵盖正式的学术流程,还应该涵盖辅助系统:校园Wi-Fi分析、图书馆数据库、职业服务平台和校友管理系统。
Second, establish a unified data governance framework that addresses both GDPR and PIPL requirements. While the two laws differ in their philosophical orientations, their practical requirements overlap substantially. A framework designed to meet the stricter of the two requirements in each area will generally achieve compliance with both. 其次,建立统一的数据治理框架,以满足GDPR和PIPL的要求。虽然这两个法律在哲学方向上有所不同,但它们的实际要求基本上是重叠的。为满足每个领域中两个要求中更严格的一个而设计的框架通常会同时满足这两个要求。
Third, adopt a consent-plus model for learning analytics. Because the PIPL’s absence of a legitimate interests basis makes consent more central than under the GDPR, universities engaged in international cooperation should build consent mechanisms that meet PIPL standards — which will typically exceed GDPR requirements and thus satisfy both frameworks. 第三,采用同意+模型进行学习分析。由于PIPL缺乏合法利益基础,使得同意比GDPR更重要,参与国际合作的大学应该建立符合PIPL标准的同意机制——这通常会超过GDPR的要求,从而满足两个框架。
Fourth, implement privacy by design in educational technology procurement and development. Lachheb and colleagues’ (2023) framework for design ethics in educational technology provides a starting point, as does the EDPB’s guidance on AI and personal data. Procurement contracts should explicitly require vendors to demonstrate compliance with both GDPR and PIPL where applicable. 第四,在教育技术采购和开发中通过设计实现隐私。拉赫伯及其同事(2023)的教育技术设计伦理框架提供了一个起点,正如EDPB对人工智能和个人数据的指导一样。采购合同应明确要求供应商证明符合GDPR和PIPL的要求。
Fifth, invest in institutional capacity. The readiness gap documented by 7DOTS (2024) and CMS (2025) reflects not deliberate non-compliance but insufficient expertise and resources. Universities should designate data protection officers with specific expertise in educational data and international data flows, and provide regular training for faculty and administrative staff. 第五,投资于机构能力。7DOTS (2024年)和CMS (2025年)记录的准备差距并不反映故意的不遵守,而是专业知识和资源不足。大学应指定在教育数据和国际数据流方面具有特定专业知识的数据保护官员,并为教职员工和行政人员提供定期培训。
Sixth, develop bilateral data sharing agreements for joint programs with Chinese (or European) partner institutions. These agreements should go beyond standard contractual clauses to address the specific requirements of educational data: academic records, assessment data, learning analytics, and research data each present distinct compliance challenges. 第六,为与中国(或欧洲)伙伴机构的联合项目制定双边数据共享协议。这些协议应该超越标准合同条款,以解决教育数据的具体要求:学术记录、评估数据、学习分析和研究数据都存在不同的合规性挑战。
Seventh, monitor regulatory developments actively. Both frameworks are evolving rapidly. The EU AI Act’s high-risk requirements for educational AI take full effect in August 2026. China’s cross-border data certification measures took effect in January 2026. The European Commission’s adequacy decisions and the CAC’s standard contract provisions are subject to revision. Universities that treat data protection as a one-time compliance exercise rather than an ongoing governance function will inevitably fall behind. 第七,积极监控监管动态。这两个框架都在快速发展。欧盟AI法案对教育AI的高风险要求于2026年8月全面生效。中国的跨境数据认证措施于2026年1月生效。欧洲委员会的充足性决定和CAC的标准合同条款可能会被修订。将数据保护视为一次性合规工作而非持续治理职能的大学将不可避免地落后。
10. Conclusion 10.结论
The comparison of GDPR and PIPL in the educational context reveals a paradox: two of the world’s most comprehensive data protection regimes, both claiming to protect individuals from the misuse of their personal data, diverge so fundamentally in their philosophical assumptions that compliance with one does not ensure compliance with the other. The GDPR’s emphasis on individual autonomy, independent oversight, and purpose limitation reflects European democratic traditions; the PIPL’s emphasis on state sovereignty, centralized enforcement, and national security reflects China’s distinct governance model. Neither system has demonstrably achieved adequate data protection in practice — European enforcement data documents widespread non-compliance, while Chinese enforcement in education remains nascent. GDPR和PIPL在教育方面的比较揭示了一个悖论:两个世界上最全面的数据保护制度都声称要保护个人的个人数据不被滥用,但它们的哲学假设却大相径庭,遵守一个制度并不能确保遵守另一个制度。GDPR对个人自主、独立监督和目的限制的强调反映了欧洲的民主传统;PIPL对国家主权、集中执法和国家安全的强调反映了中国独特的治理模式。这两个系统都没有在实践中明显实现足够的数据保护——欧洲的执法数据记录了广泛的违规行为,而中国在教育领域的执法仍处于萌芽状态。
For universities, the practical challenge is to navigate these overlapping and sometimes conflicting requirements while maintaining the international cooperation that is essential to modern higher education. The dual compliance challenge is not merely a legal technicality; it reflects deeper questions about the role of data in education, the balance between institutional power and individual rights, and the possibility of meaningful privacy in an increasingly datafied learning environment. 对于大学来说,实际的挑战是在保持对现代高等教育至关重要的国际合作的同时,应对这些重叠且有时相互冲突的要求。双重合规挑战不仅仅是一个法律技术问题;它反映了关于数据在教育中的作用、机构权力和个人权利之间的平衡以及在日益数据化的学习环境中有意义的隐私的可能性等更深层次的问题。
The stakes of this challenge extend beyond legal compliance. Student data protection is ultimately about trust: students must trust that their universities will handle their personal information responsibly, that their academic records will not be used against them, that their learning behaviors will not be surveilled without their knowledge, and that their data will not be shared with parties they have not authorized. When universities fail to meet these expectations — whether through GDPR violations documented in the CMS enforcement data, through opaque learning analytics systems, or through proctoring technologies deployed without adequate consent — they erode the trust that is foundational to the educational relationship. 这一挑战的利害关系不仅限于法律合规性。学生数据保护最终与信任有关:学生必须相信他们的大学将负责任地处理他们的个人信息,他们的学业记录不会被用来对付他们,他们的学习行为不会在他们不知情的情况下受到监控,他们的数据不会与他们未授权的人共享。当大学无法满足这些期望时——无论是通过CMS执行数据中记录的GDPR违规,还是通过不透明的学习分析系统,或者是通过未经充分同意部署的监督技术——它们都会侵蚀作为教育关系基础的信任。
We have argued that neither the European nor the Chinese approach alone provides an adequate model. The GDPR’s emphasis on individual rights and independent oversight provides important protections against institutional overreach, but its complexity and enforcement gaps undermine its effectiveness. The PIPL’s centralized enforcement and clear compliance pathways offer practical advantages, but its subordination to state interests raises questions about the protection it affords against government surveillance. A synthesis that combines European rights-based principles with Chinese regulatory efficiency — or, more modestly, a set of practical guidelines that enables universities to satisfy both frameworks simultaneously — remains the most promising path forward. The recommendations proposed in this article represent an initial contribution to that synthesis, grounded in the specific data protection challenges that universities face in the era of digital education. 我们认为,无论是欧洲还是中国的方法都不能单独提供一个合适的模型。GDPR对个人权利和独立监督的强调为防止机构越权提供了重要保护,但其复杂性和执法差距削弱了其有效性。PIPL的集中执法和明确的合规途径提供了实际优势,但它对国家利益的服从引发了对其提供免受政府监控的保护的质疑。将欧洲基于权利的原则与中国监管效率结合起来的综合体——或者更谦虚地说,一套让大学能够同时满足这两个框架的实用指导方针——仍然是最有希望的前进道路。本文中提出的建议是对这一综合的初步贡献,基于大学在数字教育时代面临的具体数据保护挑战。
Acknowledgments 致谢
This research was conducted within the framework of the Jean Monnet Centre of Excellence “EUSC-DEC” (EU Grant 101126782, 2023–2026). The author thanks the members of Research Group 1 (Regulation of Digitalization in China and Europe) for their contributions to the comparative legal analysis. 这项研究是在让·莫内卓越中心“EUSC-DEC”的框架内进行的(欧盟赠款101126782,2023–2026)。作者感谢第一研究小组(中国和欧洲数字化法规)成员对比较法律分析的贡献。
References 参考文献
7DOTS. (2024). Report: 81% of Universities at Risk of Fines Due to Failure to Safeguard Student Data. 7DOTS. Available at: https://www.7dots.com/our-insights/81-of-universities-at-risk-of-fines-due-to-failure-to-safeguard-student-data/
American Association of Collegiate Registrars and Admissions Officers (AACRAO). (2022). China’s Personal Information Protection Law (PIPL). AACRAO. Available at: https://www.aacrao.org/advocacy/compliance/
Blackmon, S. J. & Major, C. H. (2023). Inclusion or infringement? A systematic research review of students’ perspectives on student privacy in technology-enhanced, hybrid and online courses. British Journal of Educational Technology, 54(6), 1542–1565. DOI: 10.1111/bjet.13362
CMS Law. (2025). GDPR Enforcement Tracker Report 2024/2025: Public Sector and Education. CMS International Law Firm. Available at: https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/public-sector-and-education
CMS Law-Now. (2025). China issues Measures for the Certification of the Cross-Border Transfer of Personal Information. CMS e-Alert, November 2025. Available at: https://cms-lawnow.com/en/ealerts/2025/11/
DataGuidance. (2022). Comparing Privacy Laws: GDPR v. PIPL. DataGuidance. Available at: https://www.dataguidance.com/sites/default/files/gdpr_v_pipl_.pdf
European Data Protection Board (EDPB). (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Adopted 17 December 2024. Available at: https://www.edpb.europa.eu/
European Parliament and Council. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L series.
Fernandez-Novel Escobar, E. (2025). How do the European Union’s GDPR and China’s PIPL regulate cross-border data flows? International Policy Review, IE University, 27 January 2025.
Garante per la protezione dei dati personali (Italy). (2021). Decision 9703988 — Fine against Università Commerciale Luigi Bocconi, 16 September 2021. Reported by EDPB. Available at: https://edpb.europa.eu/
Giuffrida, I. & Hall, A. (2023). Technology integration in higher education and student privacy beyond learning environments — A comparison of the UK and US perspective. British Journal of Educational Technology, 54(6), 1587–1603. DOI: 10.1111/bjet.13375
International Association of Privacy Professionals (IAPP). (2021). Analyzing China’s PIPL and how it compares to the EU’s GDPR. IAPP. Available at: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr
Kumi-Yeboah, A., Kim, Y., Yankson, B., Aikins, S. & Dadson, Y. A. (2023). Diverse students’ perspectives on privacy and technology integration in higher education. British Journal of Educational Technology, 54(6), 1671–1692. DOI: 10.1111/bjet.13386
Lachheb, A. et al. (2023). The role of design ethics in maintaining students’ privacy: A call to action to learning designers in higher education. British Journal of Educational Technology, 54(6), 1653–1670. DOI: 10.1111/bjet.13382
Li, W. & Chen, J. (2024). From Brussels Effect to Gravity Assists: Understanding the Evolution of the GDPR-Inspired Personal Information Protection Law in China. Computer Law and Security Review, 54, 105994. DOI: 10.1016/j.clsr.2024.105994
Lim, S. & Oh, J. (2025). Navigating Privacy: A Global Comparative Analysis of Data Protection Laws. IET Information Security, 2025(1). DOI: 10.1049/ise2/5536763
Liu, Q. & Khalil, M. (2023). Understanding privacy and data protection issues in learning analytics using a systematic review. British Journal of Educational Technology, 54(6), 1466–1485. DOI: 10.1111/bjet.13388
Liu, Q., Khalil, M., Shakya, R., Jovanovic, J. & de la Hoz-Ruiz, J. (2025). Ensuring privacy through synthetic data generation in education. British Journal of Educational Technology. DOI: 10.1111/bjet.13576
MIT Office of General Counsel. (2022). China and the PIPL: New Protections and Rights for Personal Information. MIT. Available at: https://ogc.mit.edu/latest/china-and-pipl-new-protections-and-rights-personal-information
Prinsloo, P., Slade, S. & Khalil, M. (2022). The answer is (not only) technological: Considering student data privacy in learning analytics. British Journal of Educational Technology, 53(4), 876–893. DOI: 10.1111/bjet.13216
Rockefeller Institute of Government. (2025). The European AI Act and Its Implications for New York State Higher Education. November 2025. Available at: https://rockinst.org/
State Council of the People’s Republic of China. (2024). Regulations on Network Data Security Management (effective 1 January 2025). Published 30 September 2024.
XL Law and Consulting. (2023). GDPR Enforcement Actions: Lessons Learned for Colleges and Universities. XL Law and Consulting. Available at: https://www.xllawconsulting.com/
Xue, Y., Chinapah, V., & Zhu, C. (2025). A Comparative Analysis of AI Privacy Concerns in Higher Education: News Coverage in China and Western Countries. Education Sciences, 15(6), 650. DOI: 10.3390/educsci15060650
Zanfir-Fortuna, G. (2020). The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions. Future of Privacy Forum. Available at: https://fpf.org/blog/gdprhighered/
Zhang, L. & Kollnig, K. (2024). Theory and practice: the protection of children’s personal information in China. International Data Privacy Law, 14(1), 37–52. DOI: 10.1093/idpl/ipad017
Zhu, J. (2022). The Personal Information Protection Law: China’s Version of the GDPR? Columbia Journal of Transnational Law: The Bulletin. Available at: https://www.jtl.columbia.edu/
Part II: Teaching and Learning in Transformation 第二部分:变革中的教与学
(to be translated)