Abstract
Personal information security has become a critical concern in the digital era, so it is imperative to clearly delimit and define personal information. This study examines personal information legislation from a sociosemiotic perspective to identify the similarities and differences between legislation in the United States and China. It reviews the evolution of personal information in both countries, and explores their differences in the definition of privacy, the status quo of personal information legislation, the definition of personal information and cross-border personal information flow. The findings indicate that (1) personal information, noted as a social sign, has context-sensitive characteristics, i.e., spatiality and temporality; (2) the meaning-making process of personal information is a continuum; and (3) there exists an intersemiotic operation between language, law and society. Such a sociosemiotic exploration can shed light on relevant studies in the sociosemiotic analysis of legal discourse in particular as well as other context-sensitive discourses in general.
Plain Language Summary
Purpose: This research explores personal information legislation in the United States and China, using a socio-semiotic lens to illuminate the symbolic meanings of personal information in today’s digital world. Methods: Utilizing textual comparison and case analysis, the study systematically compares legal documents and precedents from both countries related to personal information, examining through the semiotic lenses of temporality and spatiality. Conclusions: The study finds that personal information, as a sign, has inherent spatial and temporal attributes. Its meaning, while continuously evolving with technology, is mainly focused on personally identifiable information in both U.S. and Chinese laws. A notable contrast is highlighted in the spatial aspect within the U.S. and China’s legal frameworks, shaped by distinct legal traditions and societal values. Implications: The research highlights the crucial role of international collaboration, like the GDPR enforcement, in addressing legal differences and conflicts across countries. Developing international standards in personal information protection is vital for advancing relevant industries and ensuring global digital ecosystem stability. Limitations: While providing a detailed analysis, the study’s focus on socio-semiotics and legal texts might overlook other essential aspects of personal information legislation and actual enforcement practices in real-world scenarios.
Introduction
Data is regarded as an essential resource in the digital era and is often referred to as the new “oil” of the digital economy. Digital technologies, such as artificial intelligence (AI), big data, cloud computing and the Internet of Things, have transformed our lives with unimaginable speed and scale, delivering immense opportunities as well as daunting challenges. The world is undergoing an information Big Bang, with the universe of data doubling every 2 years and quintillions of bytes of data being generated every day. This rapid growth in data has brought privacy and security to the forefront and is expected to continue to accelerate in the future. Almost all modern consumer and business transactions result in an electronic record of personal information. Therefore, personal information can be deemed as the “premium oil” due to its high value. The multifaceted nature of data sources, from IoT applications to social networks, demands an organized and adaptive structure to ensure the integrity and privacy of personal information. This intricate organization not only safeguards individual data but also reflects the dynamic nature of our digital engagements (Radanliev & De Roure, 2023). The protection of personal information has increasingly become a major issue in the media and has become the target of legislation around the world. In the digital era, personal information has become an essential productive factor and a core asset in the development of the digital economy. When this information falls into the wrong hands, it can lead to negative consequences, impacting both individuals and society. Individuals may face financial and emotional harm due to identity theft, fraud, and privacy invasion, while society may experience a loss of trust in digital systems and a hindrance to technological innovation.
Additionally, a significant consequence is a security incident affecting the confidentiality, integrity, or availability of personal data, occurring when such information is lost, destroyed, corrupted, or disclosed. Recently, personal data scandals have occurred with growing frequency around the world. In 2017, the consumer credit reporting agency Equifax announced a data breach that exposed the personal information of 147 million people. Additionally, the Cambridge Analytica scandal highlighted how millions of pieces of Facebook data were harvested and used as a messaging tool. In China, the Huazhu hotels group leaked nearly 500 million pieces of customer data in 2018. These events demonstrate the great significance of protecting personal information in the digital age. Despite the growing severity of personal data breaches, there is a lack of harmonized global norms and standards to guide and regulate personal data protection. To address this issue, it is imperative to delimit and define personal information. The US and China, as two powerful actors in the digital realm, provide valuable insights into personal data protection. The US is known for its advanced cyberspace regulations, policies, and strategies, while China is rapidly developing its own framework for data privacy (Cheng et al., 2021; Pernot-Leplay, 2020). In recent years, the comprehensive competition between China and the US has had a detrimental effect on the collaboration between the two countries, particularly in the realm of information and communication technologies (Cheng et al., 2023). Thus, comparing the two jurisdictions can provide fruitful thoughts for relevant studies in personal information protection. At the outset, it is critical to delimit the term “personal information” in legal settings. On the grounds that the definition of a legal term is constrained by other sign systems (Cheng et al., 2012: p. 42), the dynamicity and diversity of legal terms are clearly explained in both the definition and the characterization of the legal term (Kageura, 2002: p. 10).
This research directs its focus on the legislation concerning personal information within the US and China, employing a sociosemiotic perspective to elucidate disparities and commonalities in legal interpretations and structures between these crucial countries. By examining temporality, the study traces the evolutionary pathways of personal information protection, crafting a comprehensive chronological portrayal of the legislative advancements in each jurisdiction. It is through the analysis and synthesis of these legislative developments that this study distils and defines the quintessential characteristics of personal information within legislation, revealing the complex interrelations among language, legal constructions, and societal standards in the definition and conceptualization of personal information. The findings from this investigation are intended to serve as a foundational reference for possible international collaborations in legislation and for the ongoing assessment of technologies related to personal information, providing an enriched understanding of the layered interactions between semiotic components, legal frameworks, and societal conventions in personal information legislation. Spatially, the research delves into the core domains of personal information protection legislation in China and the US. With the aid of precedents, it critically examines the shared and divergent elements within the personal information legal frameworks of these two countries. The discoveries from this exploration underscore the imperative of integrating a sociosemiotic perspective into legal discourse, echoing the sophisticated interactions between semiotic dimensions, legislative structures, and societal norms within the realm of personal information legislation.
Literature Review
Sociosemiotics and Legal Discourse
Semiotics is a systematic study of signs, sign systems or structures, sign processes, and sign functions (Cheng & Sin, 2008: p. 38). Language is a “semiotic” or meaning-making system (Williams & Lukin, 2006: p. 1). In contrast to this general semiotic framework, social semiotics, as introduced by Halliday (1978), extends into the realm of language and discourse, articulating a more socially embedded understanding of semiotic processes. Social semiotics, representing a more nuanced and contextualized semiotic framework, delves into the representation of meaning across various forms, predominantly in text and media, emphasizing the dynamic interpretation of meaning and the evolving signifying relations of signs over time (Chandler, 2007; Cheng & Danesi, 2019; Z. Hu, 2017). Hodge and Kress (1988) further develop the concept of social semiotics as an ongoing and dynamic process. In their view, meaning is not constrained by rigid structures or predefined cultural codes. Instead, it acknowledges the fluidity of meaning-making and the role of interpretation in shaping the social power of texts within society. This perspective values any method, such as legal discourse analysis, that can illustrate the continuous semiotic processes (Z. Hu, 2017: p. 207). In summary, while semiotics provides a structural understanding of signs and meaning-making systems, social semiotics enriches this framework by introducing a dynamic, social, and contextual layer to the analysis of signification.
Like many other types of discourse, legal discourse is performed to serve many important communicative functions (Sager, 1990: p. 102). Each legal system and jurisdiction, as well as each area of the law, has its own distinct language, shaped by its unique history and culture (Cheng & He, 2016: p. 67). This uniqueness often demands a social semiotic approach for a deeper understanding of legal discourse (Ye et al., 2019). Previous studies have demonstrated that investigating legal documents by drawing on semiotics is deeply rooted in theory and practice (Bouvier & Wu, 2021). Legal semiotics bridges interdisciplinary knowledge, integrating cognitive, linguistic, and communicative dimensions (Wagner, 2010: p. 78), illuminating the semiotic complexities within legal texts (Lukin, 2020: p. 94). Exploring the variations of a legal genre both within and across jurisdictions reveals the semiotic nature of the genre, emphasizing the temporal and spatial characteristics (Cheng, 2010; Pei & Cheng, 2022a). As such, the methodology viewing legal discourse and legal interpretation by social semiotics and exploring its characteristics of temporality and spatiality has a solid theoretical research value and practical interpretation ability (Cheng, Sun, & Li, 2020: p. 364).
In a word, the above discussion elaborates on the dynamism of social semiotics in understanding legal discourse. Social semiotics, diverging from traditional semiotic frameworks, embeds language and signification within a social and cultural milieu. This approach appreciates the fluidity of meaning-making, significantly enriched by contextual interpretations. Legal discourse, with its unique language and communicative functions across different legal systems, necessitates a social semiotic lens for a nuanced understanding. By bridging interdisciplinary knowledge, social semiotics paves the way for a comprehensive exploration of legal texts, uncovering the temporal and spatial dimensions within legal discourse, thereby affirming its theoretical and practical significance.
Previous Study on Laws Related to Personal Information
The concept of “personal information” holds great significance in the field of privacy regulation, serving as the cornerstone for various legislative endeavors and scholarly discourses (P. M. Schwartz & Solove, 2014). The multidimensional nature of personal information laws has spurred extensive scholarly exploration, rendering it a continually evolving field of study (Pelteret & Ophoff, 2016). Firstly, the evolving landscape of personal information protection is marked by multifaceted challenges stemming from the confluence of rapid technological advancements and increasing concerns over privacy. Scholars have been exploring intricate challenges in the era marked by the proliferation of big data and escalating incidents of information misuse, emphasizing the pressing need for reevaluating traditional protection mechanisms and developing robust solutions (Calo, 2011; J. E. Cohen, 2000; X. Zhang, 2022). The exploration of personal information laws has extended beyond overarching challenges, delving into laws related to specific sectors and economic aspects of personal data. Comparative studies have revealed nuanced and varied approaches across different jurisdictions, further enriching the discourse on personal information laws (Acquisti et al., 2013; Cameron, 2005; Custers et al., 2018; Samuelson, 2000; P. Schwartz & Peifer, 2017). The exploration of personal information laws has indeed branched into meticulous examinations of information management within digital realms such as the Internet of Things (IoT). These investigations illuminate the intricate dance between legislative frameworks, like GDPR, and corporate strategies, portraying the multifaceted landscape of personal information laws. 
The emphasis on the reliability, integrity, and security in data processing requests and transactions is a recurrent theme, symbolizing the paramount importance of safeguarding personal information in intricate digital ecosystems (Bamberger & Mulligan, 2011; Jhuang et al., 2023). Meanwhile, many scholars have explored issues related to personal information legislation from alternative perspectives, such as cyberbullying (Cheng et al., 2020; Matulewska & Gwiazdowicz, 2020), cybersecurity (Cheng & Pei, 2018), telecom and internet fraud (Ye et al., 2019). However, studies on personal information laws from socio-legal and sociosemiotic perspectives are still uncharted domains. Hence this study seeks to fill this gap by exploring personal information in legal settings through a sociosemiotic perspective. It strives to provide a comprehensive, nuanced understanding of this complex subject by synthesizing insights from various domains and perspectives, thereby contributing to the ongoing discourse on personal information protection laws.
Temporality of Personal Information
A legal term only acquires its meaning within a specific context (Cheng et al., 2014: p. 167). This is particularly true in the case of data protection legislation, which can vary dramatically from country to country and change over time with new developments in technology (Bennett, 1992: p. 193). Noted as a sign, the term “personal information” is subject to differing interpretations across different jurisdictions. In this study, the definitions of personal information in Chinese and U.S. legislation were retrieved from the data protection laws summarized by Raul (2018) and official overviews from the National People’s Congress of the People’s Republic of China and the Congressional Research Service. The statutory definitions of legal terms primarily take the following forms: “defined term means,” “defined term includes,” “defined term does not include,” “defined term means…, but does not include…” and “defined term means…, including” (Pei & Cheng, 2020: p. 165).
The Definitions of Personal Information in the Law of Mainland China
China’s legal system operates under a Civil Law system, characterized by codified and comprehensive written statutes. This system stands in contrast to the US Common Law system where laws are often developed and interpreted through judicial decisions and where decided cases do constitute binding precedents (J. A. Cohen & Lange, 1997: p. 352). Due to this difference, this study, when analyzing Chinese laws, primarily focuses on the examination of legal texts; conversely, when reviewing the US laws, a combined approach of analyzing both legal texts and precedents is adopted. Table 1 presents the definitions of personal information in Chinese law. In 2012, the National People’s Congress (NPC) adopted the Decision on Strengthening the Protection of Online Information, which is applicable to entities in both the public and private sectors in respect of the collection and processing of electronic personal information on the Internet.
Table 1. The Definitions of Personal Information in the Law of Mainland China.
Prior to 2013, there was no clear definition of personal information in the law. In 2013, however, a legal definition of personal information appeared in the Notice of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens. This definition, however, has a limited scope and is applicable only in a judicial context.
Four years later, the Cybersecurity Law of the People’s Republic of China was officially issued. This law recognizes the significance of personal information recorded in electronic form in the age of digital economy where a vast amount of data is stored in websites and clouds. Cyberspace, as the first man-made space, breaks the physical boundaries and expands the space of human activities (C. Wang et al., 2020: p. 4). The critical aspect of this definition lies in the identifiability of personal information, which aims to not only secure individuals’ personal privacy but also provide a space for the development of big data industry (Gürsoy et al., 2018: p. 387). Moreover, in Article 76, the definition of biology-identified personal information first occurs in China’s legislation, marking a noteworthy advancement in China’s data protection legislation. Individuals’ genomic data has recently emerged as one focus of privacy studies, as the availability of genetic information gives rise to privacy concerns (Gürsoy et al., 2018: p. 387). The inclusion of biology-identified personal information in the legislation serves as a clear indication of the expanding scope of personal information and highlights the growing importance placed on privacy concerns in this area.
In response to the rapidly expanding digital landscape and increasing concerns around privacy, China has seen a flurry of legislation related to personal information protection in specific areas. In the Provisions on the Cyber Protection of Children’s Personal Information, personal information is not defined in a direct manner, but Article 7 and Article 10 highlight the importance of informed consent and set up a higher standard for such consent than the Cybersecurity Law of China. This legislation also outlines the obligations of network operators in regard to the collection, storage, use, transfer, and disclosure of children’s personal information. In the technology area, Information Security Technology — Personal Information Security Specification was issued in 2020. This specification first advocates the definition of sensitive personal information in Article 3. In the law, it was defined as information that can identify a specific natural person through processing by personal information controllers.
In finance, the Notice by the People’s Bank of China Regarding Issuance of a Financial Industry Standard and Effective Technological Management of Personal Financial Information Protection was issued in 2020. This Notice further extends the scope of personal information by addressing the companies and network operators that process customers’ personal information, demonstrating the commitment of Chinese lawmakers to protect consumers’ privacy. In Article 4, biology-identified personal information is given a clear definition. It includes, but is not limited to, biometric sample data, feature values, and templates such as fingerprints, face, iris, ear prints, palm prints, veins, voiceprints, eye prints, gait, handwriting, etc. This move highlights the increasing attention being given to protecting the privacy of sensitive personal information, particularly in the financial industry.
In November 2021, China’s first comprehensive personal data protection legislation, the Personal Information Protection Law (PIPL), entered into force. This law has a broad definition of personal information, as the vague use of “related to” denotes the possibility of largely expanding the scope of personal information beyond what is traditionally considered personal information. In fact, in judicial practice, personal information is not strictly limited to information related to personal identity. This is demonstrated in a judicial case from the end of 2013, where a security breach at a company serving 450 hotels across the country led to the leak of 20 million hotel accommodation records. In this case, the provider Ding Yaguang downloaded the records from an illegal website and illegally provided an inquiry service. With the help of Ding Yaguang, someone queried the website’s residence records (displaying name, ID number, mobile phone number and address). Despite the fact that accommodation records do not directly fall under the definition of personal information according to the laws, they are considered to be related to personal information under the guidelines set by the PIPL.
This case reveals that the PIPL has surpassed formal judgments in defining personal information, focusing instead on whether the information is identifiable. This provides insights into the possibility of future expansions in the forms and mediums of personal data as defined in Chinese law. This case implies that in judicial practices, the assessment of the identifiability of personal information may hold more significance than its formal categorization, serving as a crucial criterion to ascertain whether a piece of information should be classified as personal information. This approach ensures that the definition is flexible and comprehensive enough to cover various forms of information that can be linked back to an individual, emphasizing the importance of protecting any information that has the potential to compromise personal information.
The Definitions of Personal Information in the US Legislation
Common law is a body of unwritten laws based on legal precedents established by the courts. Because the US is a common law jurisdiction, the concept of personal information there is shaped by the common law system, which may assign different signifieds to the same legal term as a signifier in law and render different interpretations in adjudication (Wagner & Bhatia, 2009: p. 188). The value of a word, its signified, varies to some extent over time, as does its signifier, in the field of law as in any field (Wagner & Gémar, 2014: p. 8). The definition of personal information in the US is not fixed and can vary across different legal contexts and jurisdictions. Thus, in this part, the study will explore the definition of personal information based on the precedents. Table 2 shows the definitions of personal information in the laws of the US. The US-related laws in Table 2 are compiled based on the “Handbook of Personal Data Protection” written by Madsen (1992) and the “Data Privacy and GDPR Handbook” authored by Sharma (2019). These sources encompass nearly all US laws related to personal information protection, making the table highly representative.
Table 2. The Definitions of Personal Information in the US Legislation.
In contrast to other countries, the US lacks a centralized federal law on personal information protection. Instead, it is governed by a patchwork of federal and state laws and regulations that cover various industries and business operations. This fragmented system presents unique challenges for defining and protecting personal information in the country.
In the Privacy Act of 1974, there is no clear definition of personal information, but the term “record” in the Act is closely related to personal information. This Act aims to protect records about individuals that can be retrieved using personal identifiers. For instance, in the case of Doe v. Chao, Secretary of Labor, the petitioner filed a claim for black lung benefits with the Department of Labor, and the agency used his social security number to identify the claim in official documents. Doe then sued the department claiming that such disclosures violated the Privacy Act of 1974. The court accepted Doe’s testimony about his distress caused by the improper disclosure and granted him summary judgment under 5 U.S.C. §552a.
In the field of finance, the Gramm-Leach-Bliley Act is related to the definition of personally identifiable financial information, and sets guidelines for protecting personal financial information. In judicial practices, the Act expressly applies only to a “financial institution.” It does not provide a private cause of action. In the case of “In re Chubb,” the accused, Consumers Energy Company, argued that it is not a financial institution, and therefore, the Gramm-Leach-Bliley Act does not apply to it. This case clearly reveals the limitations of the Act, indicating its applicability strictly to financial institutions. Furthermore, this Act requires financial institutions to provide a privacy policy to customers and implement measures to protect the information they collect.
In the area of children’s protection, the Children’s Online Privacy Protection Act defines personal information in Section 6501(8). It is worth noting that the term “verifiable parental consent” requires reasonable efforts to ensure that parents are notified and give their consent before any personal information is collected from their children. A notable case concerning parental consent is the settlement involving Google LLC and its subsidiary, YouTube LLC, which paid a record $170 million to settle allegations after being accused of violating the COPPA rule by collecting personal information from child-directed channels without obtaining prior parental consent.
In the realm of healthcare, individually identifiable health information is defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The privacy regulations under HIPAA generally prohibit covered entities from using personal health information or disclosing it to third parties without the patient’s consent, unless the information is being used or shared for treatment, payment, or healthcare operations. In the case of Smith v. New York Presbyterian Hospital, the court emphasized that the privacy rule governs the “uses and disclosures of protected health information” by “covered entities,” including healthcare providers such as treating physicians. To ensure against unauthorized disclosure of protected health information, covered entities must develop policies, implement procedures, and maintain compliance with the privacy rule. Failure to comply with the privacy rule can result in penalties including fines and even imprisonment.
In addition to sectoral laws, the states of New York and California have enacted data privacy legislation. For example, the California Consumer Privacy Act (CCPA) gives California residents new rights in determining how their personal information is collected and used. The CCPA not only provides a general definition of personal information, but also specifies the different types of personal information, such as biometric information and commercial information, and includes children’s information, among others. Furthermore, this Act largely extends the definition of personal information, and creates a new classification, “sensitive data,” with specific requirements for its treatment. This underscores the importance of consumer rights in the handling of personal information and the responsibilities of businesses and operators in the processing of such data. In the case of Atkinson et al. v. Minted, Inc., plaintiffs brought a lawsuit against Minted.com as a result of a data breach that resulted in the unauthorized release of 73.2 million records, including passwords, names, email addresses, and other information. The plaintiffs claimed that the personal information disclosed met the heightened definition of personal information under CCPA, as the records included first and last name in connection with an email address and a hashed or salted password.
However, the CCPA features certain concessions that are favorable to businesses. For instance, the definition of a “business” covered by the law has been revised to encompass companies with a gross annual revenue of over $25 million, or those that purchase, receive, or sell personal information of 50,000 or more California residents, or derive over 50% of their annual revenue from selling California residents’ personal information. Furthermore, the case of McCoy v. Alphabet is the first case to rule on the absence of a general private right of action under the CCPA.
In the midst of a complex and varied landscape of state-level privacy laws, federal lawmakers in Washington, D.C. have demonstrated a level of alacrity in introducing and revising a pioneering federal privacy legislation, known as the American Data Privacy and Protection Act (ADPPA). This legislative proposal has garnered significant bipartisan and bicameral support, reflecting a growing recognition of the importance of protecting consumers’ personal data. The ADPPA seeks to enhance individuals’ control over their personal data by providing them with the right to access, correct, delete, or transfer their covered data. But the bill’s progress was hindered by former Speaker of the House Nancy Pelosi, who raised concerns about its preemptive impact on existing privacy laws in California and other states. This impasse ultimately contributed to the continuing absence of a comprehensive federal privacy law in the US.
One of the key features of ADPPA is its definition of “covered data,” which is broader than the definition of “personal information” used in the CCPA. The ADPPA’s definition of covered data encompasses information that identifies or is linked, or reasonably linkable, to an individual or a device that identifies an individual. Additionally, the ADPPA introduces a category of “Sensitive Data” that is not present in the CCPA. This category includes certain types of information, such as biometric data, genetic data, precise geolocation data, and financial account numbers, among others.
In summary, although both ADPPA and CCPA address personal data protection, the ADPPA’s definition of “covered data” is more comprehensive and includes a “Sensitive Data” category absent in the CCPA. This highlights the need for policymakers to consider the merits and challenges of different approaches to privacy regulation, as well as the importance of balancing the interests of consumers, businesses, and other stakeholders.
From the aforementioned chronological review, it is discernible that there are substantial differences between China and the US in the legal definitions of personal information, primarily due to the distinctive legal frameworks in each country, characterized by their unique forms of legislation, legislative traditions, and focal points of legislation (Bhatia et al., 2008). Additionally, variances in the political, economic, and cultural contexts of the two countries further contribute to these differences (Cheng & Cheng, 2012), rendering the proposition of a universally applicable legal definition for personal information impractical.
However, this study also uncovers shared attributes and central concerns within the legal definitions of personal information in both countries, suggesting the possibility of fostering international cooperation within a global governance framework. Firstly, the research emphasizes the adaptability of legal definitions of personal information, which are in a state of flux, adjusting in response to technological advancements. The definition of personal information has undergone substantial alterations, and its scope has expanded significantly in both U.S. and Chinese legislations. This broadening is attributable to advancements in digital technologies, such as AI, big data, and cloud computing, and the emergence of new economic models, which have revolutionized the generation and processing of personal information. Concurrently, digital recognition technologies have enabled the acquisition and identification of previously unattainable sensitive personal information, like biologically-identified information. Thus, from a legislative perspective, it is pivotal to reserve adaptability for technological progress, aligning laws with advancements to regulate the use of personal information and promote orderly development in related industries.
Secondly, the study asserts that the definition of standards for identifiability has become a core concern for both countries in defining and delimiting personal information, emphasizing that the central object of legislation in both countries is personally identifiable information. For instance, both the 2013 “Notice of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens” and the 2018 “Cybersecurity Law of the People’s Republic of China” stipulate that personal information should be able to “identify the identities of citizens or involve the personal privacy of citizens or to identify a natural person’s identity.” In PIPL, it is not only required to include “all kinds of information related to identified or identifiable natural persons,” but it also explicitly states “excluding information that has been anonymized.” In contrast, the Privacy Act of 1974 defines personal information to include “other identifying particulars assigned to the individual,” emphasizing identifiability. In sector-specific laws like the GLBA, COPPA, and HIPAA, terms such as “personally identifiable financial information,” “personal information means individually identifiable information,” and “individually identifiable health information” are used in place of the expression “personal information,” reflecting a focus on the identifiability of personal information. In the CCPA, “personal information means information that identifies…. with a particular consumer or household,” directly establishing the identifiability of personal information. In the most recent US legislation, the ADPPA, the term “personal information” means any information relating to an individual, encompassing all relevant information, which expands the scope of identifiable information.
This demonstrates that both countries essentially establish the boundaries of personal information based on its identifiability, facilitating the flow of anonymized data while protecting sensitive personal information. However, with the progression of technology, seemingly secure anonymization techniques today may be deciphered in the future. Therefore, continuous attention to technological advancements in this domain and corresponding adjustments in laws and policies is imperative, considering that the definition of standards for identifiability plays a crucial role in the governance of personal information in both China and the US.
Spatiality of Personal Information
Comparison of the Definition Between “Personal Information” and “Privacy” in the US and China
Personal information and privacy, while seemingly two interrelated concepts, are distinguished differently within the legislative frameworks of the US and China. The US views personal information as a subset of privacy, and has adopted a uniform approach to protecting personal information through privacy laws, such as the Privacy Act of 1974. Although this Act includes various provisions related to the protection of personal information, it is still referred to as the “Privacy Act” rather than the “Personal Information Act.” This is reflective of the US legal system’s broad interpretation of privacy, encompassing not only personal information but also other facets of individual freedom and autonomy. In this context, privacy is seen as a wider concept that includes personal information as one of its components. This broader conceptualization of privacy over personal information in the US may also be attributed to the absence of a codified concept of “personality rights” in its legal system, focusing more extensively on the protection of individual liberties and personal freedoms as integral components of privacy. Personality rights refer to the right of an individual to control the commercial use of his or her name, image, likeness, or other identifiable aspects of his or her personality. While there are some legal protections in the US that address aspects of personality rights, there is no federal law that specifically codifies personality rights (L. Wang, 2013: p. 63). The absence of specific codification of personality rights in federal law implies that privacy needs to serve as an encompassing term, including a variety of rights and interests related to an individual’s personal life, information, reputation, and dignity (Kosseff, 2015). 
In this context, privacy is interpreted to be more comprehensive in the US, acting as an overarching term that includes personal information, among other aspects, thus highlighting the extensive scope of privacy in comparison to personal information within the US legal framework.
Meanwhile, personal information in the US is often seen as the amalgamation of privacy and public information, which can be voluntarily disclosed and obtained through public channels. For instance, Solove (2008) indicates that the law should be more actively involved when individuals violate others’ privacy. For example, in the case of Arons v. Jutkowitz, the HIPAA has hindered the defense counsel’s attempts to privately communicate with nonparty treating physicians, since the plaintiffs will not execute HIPAA-compliant authorizations that specifically permit such communications. However, the law should be less involved when people are merely self-disclosing personal information. If the law becomes too strict and prevents individuals from voluntarily revealing their personal information, it can lead to negative consequences. In China, the scope of personal information is far larger than that of privacy due to the many differences between privacy and personal information (L. Wang, 2013: p. 64).
In contrast, China interprets privacy as a component within the broader concept of personal information. The Civil Code of the People’s Republic of China (Article 1034, paragraph 2) indicates that “Private information in personal information shall be subject to regulations concerning the right to privacy; if there is no regulation, regulations concerning the protection of personal information shall apply.” This legislative approach demonstrates China’s comprehensive and detailed framework for the protection of personal information, wherein privacy is considered a specific aspect of personal information protection.
In this regard, the differences in defining and interpreting personal information and privacy between the US and China reflect the respective legislative focus and value orientations of the two countries in the realm of individual rights protection.
Comparison of the Status Quo of Personal Information Laws Between the US and China
According to the above review of the definition of personal information in the US and China, it is evident that there are several disparities in the legislation of personal information in the two countries.
Firstly, regarding the status quo of personal information laws, the US has a longer history of protecting personal information through the Privacy Act of 1974. Chinese legislation on personal information started late, and the definition of personal information was first proposed in the laws in the 2010s. Nevertheless, China has been making rapid strides in the field of personal information protection. From 2012 to now, many laws on data protection have been adopted. In particular, in 2017 and 2021, Chinese lawmakers issued the Cybersecurity Law of the People’s Republic of China and the PIPL, respectively. These two laws will establish a broader regulatory architecture governing cybersecurity and data privacy protection.
Moreover, at the local level, numerous provinces and cities, particularly in well-developed regions and metropolises like Zhejiang Province and Shenzhen, have been issuing their own data regulations for special economic zones one after the other.
Furthermore, it is noteworthy that numerous provinces and cities throughout China, particularly in well-developed regions like Zhejiang Province and Shenzhen, have introduced their own tailored regulations on economic zone data. Zhejiang’s regulations prioritize the secure and lawful management of public and personal data throughout its lifecycle, focusing on unified responsibility, prevention, security education, and risk monitoring. They emphasize respect for individuals’ data rights, outline clear processing requirements, and ensure accuracy and security, providing provisions on consent, anonymization, and access to personal data. Conversely, Shenzhen’s regulations address public data security and personal data protection, specifying penalties and corrective actions for violations and outlining legal responsibilities for damage to state, public interest, and individuals. These regulations focus on data security, lawful processing, individual rights protection, and legal accountability for violations. The sequential implementation of these regulations is indicative of a significant shift toward more comprehensive protection of personal information, as well as the utilization of personal data to drive local economic growth and digital industry revitalization. This shift also mirrors the policy trajectory of the Chinese government amidst the backdrop of technological advancements in the digital landscape.
The data protection laws in the US are “sectorial in nature” (Weber & Staiger, 2017: p. 39), rather than having overarching federal legislation to regulate data-related issues, and legislation at the state level varies dramatically. In contrast to the situation in China, the ADPPA has made some progress in the US. The proposed legislation received an overwhelmingly positive vote of 53-2 from the House Committee on Energy and Commerce in October 2022. However, the ADPPA is currently pending further action by the House of Representatives. It is worth noting that, unlike China, there is currently no federal-level definition of “personal information” in the US. Instead, US data protection law is comprised of a patchwork of federal and state laws and regulations, which govern the treatment of data across various industries and business operations. Furthermore, US legislation on data protection is complex and highly technical, and there are specific laws to protect personal information in different areas, such as HIPAA in healthcare, the Gramm-Leach-Bliley Act in finance, COPPA in children’s protection and so on. The regulation of the private sector is minimal in the US, with some business-friendly concessions to promote the development of the information industry.
Furthermore, in the US, some states have no legislation regulating the private sector, while others, such as California, are on the other end of the spectrum, having passed far-reaching consumer protection legislations. The CCPA, as a state law relating to personal information, plays an important role in this area and applies to any entity, anywhere in the US. Although the US Congress is developing comprehensive data protection legislation at the federal level, the acts still face challenges on several contentious issues, including the preemption of state privacy laws and a lack of a private right of action. The adoption of ADPPA may encounter resistance from legislators and stakeholders, particularly those in the technology industry, as it would impose certain limitations and constraints on the way companies collect and process data. Additionally, some are concerned that the legislation may impact law enforcement efforts.
Comparison of the Definition of Personal Information in China and the US Legislations
By comparing Chinese and US definitions of personal information in relevant laws, this study highlights similarities and differences between the two jurisdictions.
First, there are many definitions of personal information in both countries’ legislation, indicating that defining personal information is an essential and intricate issue in the two jurisdictions. Furthermore, a uniform legal definition can help people understand legislation and thereby improve the clarity and specialization of the law. Moreover, the legislation of the two countries distinguishes between “personal information” and “sensitive personal information.” In the PIPL Article 28, “sensitive personal information” is defined as a special type of personal information, which has special rules of processing. In CCPA Section 1798.140, “sensitive data” has specific processing requirements. In sum, it is essential to note that both Chinese and US legislation have delineated special provisions and regulatory frameworks for the processing of sensitive personal information. Both legal systems recognize the critical nature of sensitive information and have developed specific requirements and protective measures to govern its processing. Chinese legislation, with its emphasis on consumer consent and stringent processing conditions, and US legislation, with its specified processing requirements, reflect their respective jurisdictions’ values and approaches to data protection.
Second, Chinese and US legislation define different processing activities for personal information. In PIPL Article 4, the processing of personal information “includes, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.” But in CCPA section 1798.145, the activities of processing personal information include “collecting, using, retaining, selling, sharing, or disclosing consumers’ personal information that is de-identified or aggregate consumer information.” Thus, more types of personal information processing are defined in PIPL than in CCPA. It is noteworthy that the definition of personal information processing in PIPL is broader than that in CCPA, as it covers a wider range of activities. However, the Chinese legislation does not specifically define the term “sharing.” In CCPA section 1798.140, sharing refers to renting, releasing, disclosing, disseminating, making available, or transferring a consumer’s personal information by the business to a third party for cross-context behavioral advertising.
Third, US legislation in specific areas or industries is highly technical and systematic. For example, “covered information” and “covered entity” were proposed in HIPAA to regulate the handling of patients’ information. Only entities that meet the HIPAA definition of “covered entity” are obliged to comply with the privacy rule. However, there is no equivalent concept in China to protect patients’ information. Furthermore, the expression of US legislation is clear and practical. For instance, the CCPA legislator has chosen to use the expression “any information that is linked to” rather than the expression “include, but are not limited to” as used in PIPL. In COPPA section 6501, entities are required to provide direct notice to parents and obtain verifiable parental consent before collecting children’s personal information online. The ways of providing direct notice to parents are explicitly listed. In contrast, China’s Cyberspace Administration has issued the Provisions on Online Protection of Children’s Personal Information, which also requires “any entity shall obtain the express consent of the guardian to collect and use the information when collecting and using children’s personal information.” But it does not specify the form or manner of informing the guardian in a prominent and clear way.
Comparison of the Regulation of Cross-Border Personal Information Flow in the US and China
“Cross-border data flow” refers to the movement or transfer of information between computer servers across national borders. The US has a more liberal approach toward cross-border personal information flow, driven by its commercial interests and the dominance of American Internet companies (W. Hu, 2018: p. 97). However, it regulates privacy on a sectoral level for specific data, such as health and financial records.
Unlike the US, China adopts stricter cross-border personal information flow controls to protect the safety of the country and consumers. For example, the Cyberspace Administration of China imposed substantial penalties on Didi Global Inc., stemming from severe and malicious violations of several Chinese laws, including the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. The infringement was notably linked to Didi’s unlawful disclosure of substantial personal and geographic data during its US capital market listing processes. This incident is emblematic of China’s more stringent stance and meticulous controls on cross-border personal information flows, reflecting its commitment to safeguarding national and consumer security in the digital era.
The case of Didi Company led to the issuance of the Cybersecurity Review Measures (Draft) by the Cyberspace Administration of China. Article (6) states that operators who store personal information of over 1 million users and plan to list abroad must undergo a cybersecurity review by the Cybersecurity Review Office, under the supervision of the Central Cyberspace Affairs Commission. So the US and China hold distinct positions and attitudes toward the cross-border personal information flow.
The preceding analysis explores the spatiality of personal information by contrasting the definition of personal information in Chinese and U.S. legislation. It delves into how personal information, noted as a sign, has been constructed by agents of the Chinese and the US judicial institutions. Although the definitions of personal information in China and the US have common stances in some areas, significant differences exist. This can be attributed to the fact that a legal term or a legal definition can be subject to multiple interpretations, focusing on the approaches to legal interpretation in the process of meaning-making and intent seeking (Cheng & Cheng, 2012: p. 428). Meanings in legal discourse, if not always, are often hidden (Cheng, 2016: p. 527). Thus, the construction and interpretation of legislative discourse is not only “a matter of selecting particular linguistic features as a means of communicating legislative intentions” (Bhatia et al., 2008: p. 128), but a dialog demonstrated in various forms, such as power negotiation and interest weighing (Cheng & Cheng, 2012: p. 360) and affected by many factors, such as social and political processes, legal systems, cultural backgrounds, geographical factors as well as particular contexts (Cheng et al., 2019: p. 288).
Conclusions
This study explores personal information legislation from a sociosemiotic perspective. The legal definitions, in this context, are considered to be semiotic resources. As a social sign, personal information is characterized by spatiality and temporality. With regard to temporality, the definition of personal information is constantly evolving and expanding over time both in the US and Chinese legislations, and the key components predominantly revolve around personally identifiable information, with the establishment of identifiability criteria emerging as a critical legislative focus in both countries, outlining the boundaries of personal information. For the spatiality, this study meticulously unravels the interplay between “privacy” and “personal information” within the legal frameworks of the US and China, revealing notable contrasts shaped by unique legal traditions, societal values, and legislative perspectives. The exploration of prevailing personal information laws unveils the US’s decentralized and adaptable legislative approach, juxtaposed against China’s more consolidated and uniform stance. These divergences extend to the conceptualization and characterization of personal information, reflecting the intricate intersection of linguistic nuances, legal constructs, and societal conventions, each requiring contextualized interpretation aligned with distinct legal and cultural milieus. Moreover, the research into the strategies guiding international personal information flow uncovers diverging legal philosophies, with the US advocating for liberal and cooperative mechanisms and China accentuating national sovereignty and security.
Meanwhile, law-making practices can achieve a consensus on harmonized global norms and standards, promoting the growth of related industries. Legal texts are never absolute and have to adapt to societal developments (Cheng et al., 2020). Drawing upon the preceding discussion, it becomes evident that the risks and challenges in the realm of personal information are both global and multi-layered. Moreover, varying legal frameworks for the protection of personal information exist among different countries, such as the US and China. This variation can lead to gaps or contradictions in the safeguarding of personal information across borders (Bharti & Aryal, 2023). However, international cooperation can offer a new pathway to address these gaps or contradictions. A great example is the General Data Protection Regulation (GDPR), a landmark regulation enacted by the European Union (EU) to protect the privacy and personal data of individuals within the EU, which illustrates how legislative initiatives can harmonize divergent norms, facilitate interoperability, and spur industry innovation and growth by providing a clear and unified framework (McCarthy, 2023). Such harmonization not only mitigates legal discrepancies across jurisdictions but also creates a conducive environment for international trade and data flows, enhancing the overall stability and resilience of the global digital ecosystem. It is therefore vital that policymakers, together with stakeholders, engage in a proactive dialog between developed and developing countries, taking into account the global challenges and emerging trends in the field (Pei & Cheng, 2022b). The US and China also should compromise and collaborate as a balancing of interests, which is surely one step to achieve a general consensus (M. Hu et al., 2021).
Transnational corporations and individuals should pay attention to developments in different jurisdictions and deal with the challenges brought about by the different compliance requirements between the US and China.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the project of National Social Science Foundation (Grant No. 24BYY151) and major project of National Social Science Foundation (Grant No. 20ZDA062).
Ethical Approval
This article does not contain any studies requiring ethical approval.
Informed Consent
This article does not contain any studies with human participants performed by any of the authors.
Data Availability
The datasets analyzed are available in the PKULAW [https://www.pkulaw.com/] and Cornell Law School database [
].
