Abstract
Digital trade exposes increasing tensions between cross-border data flows, personal data protection, and national security. Existing scholarship has largely addressed these issues either at the macro level, through debates on data sovereignty, or at the micro level, through the obligations of individual data controllers. This article bridges an overlooked gap by conceptualizing joint data responsibility as a meso-level governance mechanism shaping accountability in multi-actor data processing. Using a functional comparative approach, the study examines the European Union (EU), the United States, and China through a three-dimensional framework of identification criteria, liability allocation, and transparency obligations. The analysis reveals persistent regulatory divergence rather than convergence: the EU adopts a rights-based model centered on joint controllers and strong external remedies; the US relies on decentralized, contract-driven arrangements and ex post enforcement; and China has developed a state-led hybrid model characterized by risk-based differentiation, platform responsibility, and administrative oversight. The findings suggest that fragmentation in global digital trade governance reflects deeper institutional logics, underscoring the limits of substantive harmonization and the growing importance of procedural interoperability.
Plain Language Summary
Digital trade relies on data that is often processed by more than one company at the same time. When personal data is shared or jointly processed, it can be unclear who is responsible if something goes wrong. This creates legal uncertainty for individuals, businesses, and regulators. This article compares how three major economies—the European Union, the United States, and China—approach shared responsibility for data in cross-border digital trade. Instead of focusing only on high-level political debates or detailed technical rules, the study examines the practical rules that determine who is responsible, how responsibility is shared, and what information must be provided to data users. The findings show that these three systems follow different paths. The European Union emphasizes strong protection for individuals and shared legal responsibility. The United States relies more on contracts between companies and flexible market-based solutions. China combines strict data security requirements with increasing attention to platform responsibility. By comparing these approaches, the article explains why global digital trade rules are becoming more diverse rather than more unified. It also discusses how countries and regions might cooperate in the future by improving transparency and coordination, even when their legal systems remain different.
Introduction
Digital trade is a crucial force driving the restructuring of the global economy and trade order (O’Sullivan & Maddox, 2024). Yet, as a new production factor centered on data, the economic demand for its free cross-border flow clashes with growing concerns over personal privacy and national security (Bradford, 2020). Recent high-profile incidents—from the invalidation of the EU–US Privacy Shield in Schrems II by the European Court of Justice (Rotenberg, 2020) to the ongoing scrutiny of platforms such as TikTok by the US government (Juned et al., 2023)—have brought this contradiction to the forefront of global governance debates.
Shifting from these macro-level conflicts to specific commercial practices reveals a more complex and often overlooked governance challenge. Within intricate data chains involving multiple participants—such as cross-border e-commerce platforms, payment institutions, and logistics service providers—determining who is ultimately responsible for data misuse has become a central problem of modern data protection law (Kathuria et al., 2019). This “responsibility vacuum,” caused by the absence of a clear allocation mechanism, is a systemic ailment that erodes the foundational consumer trust required for global digital trade to flourish (Acquisti et al., 2015).
This paper examines this governance dilemma as a meso-level challenge that links macro-level debates on data sovereignty and digital trade rules with micro-level doctrines on the rights and duties of individual controllers and processors (Jänicke, 2017). Through a comparative analysis of three typical models—the European Union (EU), the United States, and China, widely regarded as primary architects of the emerging global digital order (Küsters, 2023)—this paper addresses the following research questions:
How have the EU, the United States, and China developed their respective legal liability models in response to joint data processing in digital trade, and to what extent do these models mediate the core tension between national sovereignty and cross-border data flows?
How do the differences between these models reflect the underlying legal traditions, economic logics, and policy priorities of each jurisdiction at the meso-level of joint responsibility mechanisms?
What are the broader implications of these institutional differences for the future governance of global digital trade, particularly in terms of rule compatibility and interoperability?
The central argument of the paper is that the three regions represent three distinctly different models of data responsibility governance (Segal, 2016): the EU’s rights-based regulatory model, the United States’ market-driven contractual model, and China’s emerging state-led hybrid model. The enduring “regulatory divergence” among them—a key dynamic in global governance (Vogel, 2012)—is not merely a technical legal distinction but a reflection of fundamental conflicts of institutional logic (Friedland & Alford, 1991), as these actors reshape the foundational relationship between the state, the market, and individuals in the digital age (Polanyi, 1944/2001). In addition to these three principal regulatory models, the paper incorporates Singapore as a supplementary reference—an interoperability-oriented jurisdiction whose institutional innovations help illuminate emerging pathways for bridging cross-system divergences.
To elaborate on this argument, the literature review identifies the research gap. The methodology section outlines the analytical framework. The comparative analysis section applies the framework to conduct a detailed comparative analysis of the three liability models. The discussion section examines the implications of these divergent models for global digital trade governance. Finally, the conclusion summarizes the main findings.
Literature Review
Challenges in Data Governance in Digital Trade
With the rapid development of digital trade, data has emerged as a new key factor of production, fundamentally altering global value chains (United Nations Conference on Trade and Development [UNCTAD], 2019). Its cross-border flow presents significant governance challenges, particularly in balancing the inherent contradiction between the economic demand for the free flow of data and increasing concerns over personal privacy protection and national security (Chander & Lê, 2015). Consequently, data sovereignty—the assertion of state control over data within its jurisdiction—has become a focal issue in international academic discourse (Carr, 2015). Scholars largely agree that the marked differences in how countries legally control data flows not only present theoretical challenges but also complicate the practical governance of cross-border data, leading to a fragmented global landscape (Aaronson, 2021).
This global debate is primarily centered on two distinct future scenarios. On the one hand, the “Brussels Effect” argument suggests that the EU, through its robust legal framework such as the General Data Protection Regulation (GDPR), will expand its data protection standards globally, potentially leading to a convergence of regulatory approaches (Bradford, 2020). On the other hand, with rising demand for national security, the phenomenon of the “weaponization” of data is gradually becoming more apparent, particularly within the context of geopolitical competition, where data flows are increasingly becoming strategic tools for inter-state rivalry, signaling a future of persistent divergence (Farrell & Newman, 2019). This macro-level tension has led to a fragmented global digital governance system. Despite some progress in preventing data localization through frameworks like the World Trade Organization (WTO) e-commerce negotiations and the Regional Comprehensive Economic Partnership (RCEP), significant uncertainty in areas such as responsibility allocation, privacy protection, and cross-border regulatory cooperation remains (Bolatbekkyzy, 2024). Recent regulatory developments between 2023 and 2025—including China’s differentiated cross-border data transfer rules, ongoing updates to the Digital Economy Partnership Agreement (DEPA), and Organization for Economic Co-operation and Development discussions—also indicate that institutional fragmentation is likely to persist.
Micro-Level Research on Liability Mechanisms and Their Limitations
In parallel with the macro-level debate, legal research at the micro level has focused on specific liability allocation mechanisms, with the concept of “joint responsibility” becoming central to international efforts aimed at addressing the complexities of multi-party data processing scenarios (I. Gupta et al., 2024).
Existing research analyzes this model in detail, focusing on the concept of “joint controllers” under the EU’s GDPR. Scholars have noted that this system—requiring multiple actors to jointly determine the purposes and means of processing—effectively ensures the rights of data subjects by holding all parties jointly and severally liable (Finck, 2018). Simultaneously, research highlights the critical role of transparency obligations under GDPR, which mandate the public disclosure of responsibility arrangements, ensuring that data subjects can clearly understand who is processing their data and to whom they should direct their claims in cases of data misuse (Veale et al., 2018). However, existing studies also reveal the stark limitations of different models: the market-driven contractual model in the US is frequently criticized for lacking a clear legal framework and a statutory fallback mechanism for external liability, leading to significant legal uncertainty and inadequate consumer protection (Solove, 2013). These studies of single legal systems are profound, but they invariably point to a deeper issue: the literature lacks a systematic, comparative perspective on these divergent liability models. Although a few studies have examined emerging models in jurisdictions such as Singapore, India, and Brazil, their joint-responsibility mechanisms remain underexplored in comparative studies.
Research Gap and Contribution of This Paper
Existing studies implicitly recognize that liability allocation sits between macro-level principles and micro-level compliance duties. However, few have conceptualized joint responsibility as a distinct meso-level governance mechanism. Despite substantial progress in both macro-level (i.e., data sovereignty and rule conflicts) and micro-level (i.e., the duties of controllers under GDPR) research, a significant gap remains at the meso-level—namely, a systematic comparative analysis of how different legal systems design liability allocation models in multi-party joint data processing scenarios. Existing research primarily focuses on single jurisdictions or limited EU–US comparisons, lacking a truly horizontal comparison of how major, divergent legal frameworks adapt to complex international data governance contexts (Bygrave, 2001). This meso-level gap results in an explanatory dilemma for existing theories. At the macro level, without delving into the specific institutional details of liability allocation, debates on “convergence” or “divergence” risk remaining within the abstract realm, unable to gain verifiable empirical support (O’Sullivan & Maddox, 2024). At the micro level, without considering the realities of multi-party collaboration, the fine-grained, doctrinal analysis of the rights and obligations of a single controller can become detached from the actual commercial scenarios of digital trade, leading to a gap between the “law in the books” and the “law in action” (De Oliveira & Caleira, 2020). Therefore, this paper aims to bridge this gap through a systematic comparison of the meso-level mechanism of joint data responsibility, not only providing a new analytical perspective to understand the real landscape of global digital governance but also attempting to build a bridge that connects macro-level theoretical debates with micro-level legal practices.
Research Methodology and Analytical Framework
Research Methodology and Case Selection
This paper employs a functionalist comparative methodology to explore how different legal systems respond to the shared governance challenge of “liability allocation in multi-party data processing.” It selects the EU, the United States, and China as core comparative cases based on the following considerations: First, because these three major economies are the most important and influential players in global digital trade, their regulatory paths have a decisive impact on the global digital governance landscape (Bradford, 2020). Second, and more importantly, together they represent three distinct governance paradigms with “ideal type” significance: the EU’s rights-based regulatory model; the United States’ market-driven contractual model; and China’s state-led hybrid model (Hornuf et al., 2023).
Simultaneously, the analysis incorporates Singapore as a supplementary reference point given its role in the DEPA and its hybrid regulatory approach, providing a useful regional template without expanding the scope into a full multi-country study. Methodologically, the comparison proceeds by coding key legal sources—framework legislation, leading judicial decisions, regulatory guidelines, and cross-border data rules—along the three analytical dimensions of identification, liability allocation, and transparency obligations. This structured comparison ensures that the three models are evaluated on commensurable criteria rather than on descriptive summaries. The data sources for this study primarily include primary legal texts (such as the GDPR and Personal Information Protection Law [PIPL]), key judicial rulings, official policy documents, and authoritative academic secondary literature.
Analytical Framework
To ensure systematic and rigorous comparison, this paper constructs an analytical framework comprising three core dimensions, aimed at analyzing the internal logic and institutional choices of different governance models in addressing the shared challenge of “multi-party data processing.” These dimensions operationalize joint responsibility as a meso-level governance mechanism linking high-level regulatory principles with concrete controller obligations.
Criteria for Identification
The first dimension is the criteria for identification, which is the primary issue in defining liability boundaries. This dimension determines under what conditions an entity will be included in the category of “joint responsibility” and comprises two main identification paths. The formalistic criteria focus on objective, tangible factors such as whether an entity directly owns, stores, or physically processes personal data. Despite providing high legal certainty, this approach can be easily circumvented. The substantive influence criterion does not focus on whether data is physically held but instead examines whether an entity exerts joint, decisive influence over the “purpose” and “manner” of data processing (European Data Protection Board, 2021). This criterion is more adaptable to complex business models but places higher demands on judicial practice, as demonstrated in key European jurisprudence (Van Veen et al., 2024).
Liability Allocation
The second dimension—liability allocation—analyzes the distribution mechanism of liability consequences from both external and internal perspectives. External liability pertains to how the affected data subject can seek redress through two main models: joint liability (where any liable party is responsible for the entire damage, which benefits the user) and several liability (where each party is responsible for their respective share of the damage, making it more difficult for users to seek redress). Internal recourse pertains to the cost-sharing mechanism between jointly liable parties, that is, whether a party that initially compensates the user has the right, based on internal agreements, to seek recourse from the other liable parties.
Transparency Obligations
The third dimension is transparency obligations, which examine the extent to which the distribution of responsibility is disclosed to and supervised by external parties. This dimension comprises two distinctly different approaches. The first involves internal arrangements through which jointly responsible parties allocate duties, with no legal requirement of external disclosure. This can result in severe information barriers. The second is mandatory external disclosure, where the law requires joint controllers to disclose the core elements of their responsibility allocation to data subjects, typically through privacy policies, to safeguard users’ right to know and right to supervise (Becker et al., 2022).
Collectively, the three dimensions allow the EU, the United States, China, and supplementary jurisdictions to be assessed on commensurable criteria, ensuring comparability across divergent regulatory models. Although the three dimensions—identification criteria, liability allocation, and transparency obligations—do not directly model the macro-level tension between national sovereignty and cross-border data flows, they illuminate how sovereignty concerns are operationalized within concrete responsibility arrangements. In each jurisdiction, decisions about who qualifies as jointly responsible, how liability is allocated, and what forms of disclosure are required function as specific regulatory levers through which broader sovereignty claims are translated into day-to-day governance practices. The framework therefore does not replace macro-level analysis but complements it by revealing how sovereignty-driven priorities are embedded, negotiated, and instantiated at the meso level of joint responsibility design. This linkage clarifies the interaction between macro geopolitical drivers and micro controller obligations, thereby addressing a central conceptual gap in existing literature.
Divergent Models of Joint Data Responsibility in a Fragmented Governance Landscape
Joint data responsibility has become a pivotal meso-level mechanism in global digital trade, positioned between macro-level tensions over data sovereignty and micro-level controller obligations (Farrell & Newman, 2019; Kuner, 2021). As cross-border data flows expand, the “responsibility vacuum” in multi-party processing becomes more pronounced, with jurisdictions failing to converge on a unified regulatory approach. Instead, they reflect differing institutional priorities regarding state authority, market autonomy, and individual rights. The EU adopts a rights-based model featuring broad joint-controller identification, clear liability allocation, and strong user remedies. The United States maintains a decentralized, market-driven system that relies heavily on contractual arrangements and fragmented state laws, resulting in flexible but uncertain accountability structures. China’s emerging state-led hybrid model remains principled in design but is increasingly shaped by evolving cross-border transfer rules and security-oriented regulations. Meanwhile, regional actors such as Singapore—through the Personal Data Protection Act (PDPA) and its role in DEPA—offer a pragmatic, interoperability-oriented approach that bridges stricter regulatory systems and market-led frameworks. These divergent models illustrate how embedded institutional logics produce persistent fragmentation in global digital trade governance.
The EU’s Rights-Based Regulatory Model
The EU represents the most legally structured and rights-oriented model of joint data responsibility, shaped by the GDPR. According to its core regulatory logic, individuals must retain a clear and enforceable redressal path when their data is jointly processed, irrespective of technological or business-model complexity. The EU therefore treats joint responsibility as a meso-level mechanism linking fundamental rights with operational controller duties. Figure 1 illustrates how this rights-based logic is translated into concrete responsibility allocation across identification, liability, and transparency dimensions under the GDPR.

Figure 1. The European Union’s joint controller liability flow.
Identification Criteria: Broad and Effects-Based “Substantive Influence”
Departing from traditional possession-based liability, the GDPR adopts an expansive, effects-based standard to determine joint controllership. Article 4(7) defines a controller by reference to joint determination of “purposes and means,” and the Court of Justice of the European Union (CJEU) has repeatedly interpreted this concept broadly. Landmark cases such as Wirtschaftsakademie (Facebook Insights) and Fashion ID establish that an entity may qualify as a joint controller even when it neither receives nor directly processes the personal data at issue, so long as it exercises meaningful influence over the processing parameters (Chen et al., 2020). Ireland’s Data Protection Commission’s (DPC’s) recent enforcement against Meta’s Facebook and Instagram services has echoed this CJEU logic by scrutinizing how platform-embedded tools and behavioral advertising arrangements shape processing purposes and means. Together, these developments create one of the most far-reaching identification standards globally, extending responsibility to actors embedded across complex digital supply chains.
Liability Allocation: Strong External Protection With Structured Internal Recourse
Liability allocation under the GDPR follows a “joint and several” model to maximize user protection. Any joint controller may be held fully liable for the totality of harm suffered by the data subject, regardless of internal responsibility arrangements. This mechanism removes the burden on individuals to disentangle multi-party accountability and ensures a single, accessible enforcement pathway. Internally, Articles 26 and 82 provide a recourse structure allowing controllers to reallocate costs according to their actual level of responsibility (Millard & Kamarinou, 2020). This dual structure—external strict liability combined with internal proportionality—not only creates legal certainty for individuals while preserving fairness among controllers but also increases the system’s preventive effect, requiring firms to anticipate potential full liability when entering joint arrangements.
Transparency Obligations: Mandatory Disclosure as a Governance Tool
Transparency is a central pillar of the EU model. Article 26 requires joint controllers to disclose the “essence” of their arrangements to data subjects and, where appropriate, to supervisory authorities. This includes specifying which entity is responsible for responding to access, erasure, and objection requests, as well as defining communication channels for rights exercise.
The transparency obligation is not merely informational but regulatory: it enables supervisory authorities to audit complex ecosystems, reduces opportunities for responsibility-shifting, and forces firms to formalize internal arrangements that may otherwise remain implicit. Recent enforcement actions emphasize that failure to disclose joint-controller roles is itself a violation, even if the underlying processing is otherwise lawful.
Summary and Critical Assessment
The EU’s rights-based regime provides the most comprehensive protection for data subjects among the models examined. Its expansive identification test, strong joint and several liability, and mandatory transparency substantially narrow the responsibility vacuum in multi-party processing. However, this high standard imposes considerable compliance burdens, particularly on small and medium-sized enterprises (SMEs) and platform-dependent businesses. As joint controllership is increasingly recognized in contexts involving embedded interfaces, cloud ecosystems, and platform-based advertising, firms face rising administrative and legal costs, prompting concerns about “compliance overload” and potential market concentration and raising questions about the long-term sustainability of the EU’s model in global digital trade.
The United States’ Market-Driven Contractual Model
The United States represents the most decentralized and market-driven model among the jurisdictions examined. The US model is built on contractual allocation, sector-specific statutes, and ex post regulatory enforcement. The absence of a comprehensive federal privacy law—even after repeated legislative attempts between 2022 and 2024, including the American Data Privacy and Protection Act and the Kids Online Safety Act—has resulted in a governance structure in which joint data responsibility is not defined as a doctrinal category but emerges indirectly through contracts, regulatory settlements, and state-level privacy laws. Although this decentralized structure provides firms substantial flexibility, it produces significant variability in rights protection and legal certainty, reflected in the US approach to responsibility allocation in multi-party data processing, as illustrated in Figure 2.

Figure 2. The United States’ contract-based responsibility flow.
Identification Criteria: Contractualization and Fragmented Role Classification
Unlike the EU, the United States lacks a unified doctrinal test comparable to the “joint controller” concept. The identification of responsibility in multi-party data processing, therefore, depends primarily on contractual terms and role classifications under state privacy laws. The most influential state law—the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA)—introduces a tripartite classification of “business,” “service provider,” and “contractor” that indirectly defines the boundaries of responsibility, while stopping short of recognizing joint responsibility as an independent legal status. Because classification depends on contract terms rather than on the actor’s substantive influence, firms can shape their legal exposure through drafting rather than through operational behavior.
Recent enforcement has revealed the limitations of this contract-dependent approach. In People of the State of California v. Sephora (2022), the California Attorney General’s enforcement under the CCPA underscored how responsibility boundaries often turn on contractual characterization of third-party disclosures (e.g., “sale”) rather than on a substantive influence test. Although the case did not explicitly address “joint responsibility,” it demonstrates how responsibility identification in the United States hinges on contractual language rather than on factual influence—producing divergent outcomes across similar processing scenarios.
Sector-specific statutes reinforce this fragmentation. For example, the Health Insurance Portability and Accountability Act (HIPAA) differentiates between “covered entities” and “business associates,” while the Children’s Online Privacy Protection Act imposes operator-level responsibility. None of these sectoral regimes recognizes joint processing as a holistic category, further contributing to the doctrinal gap at the meso level.
Liability Allocation: Enforcement-Led Remedies Without a Joint Liability Baseline
The United States does not provide a statutory fallback mechanism comparable to the EU’s joint and several liability model. External liability is primarily shaped by the Federal Trade Commission (FTC)’s authority to police “unfair or deceptive acts or practices,” while internal liability remains governed by contract.
Recent cases illustrate this enforcement-led structure: The ongoing FTC v. Meta proceedings (2020–2023), including the proposed restrictions on data monetization for minors released in April 2023, reveal that liability arises from violations of prior consent decrees rather than from joint processing responsibilities (M. Gupta et al., 2024). Similarly, state-level enforcement under the CPRA between 2023 and 2024—targeting firms for improper classification of third-party data sharing—demonstrates how liability is triggered by failure to meet statutory disclosure or contractual requirements, not by participation in a joint processing arrangement.
This enforcement-based model provides flexibility for firms but creates high uncertainty for data subjects, who must navigate overlapping federal, state, and contractual regimes without a unified right to redress. The lack of a joint responsibility baseline limits the predictability of cross-border data governance for multinational enterprises, particularly when interfacing with more structured systems such as the EU.
The US model provides significant operational flexibility and lower compliance costs, making it attractive for innovation-oriented digital trade participants. However, the lack of a unified joint responsibility doctrine, combined with reliance on contract drafting and enforcement-led liability, creates a weak meso-level governance structure, contributing to role ambiguity, inconsistent remedies, and regulatory fragmentation, particularly in cross-border data processing. As global data governance increasingly requires interoperable responsibility frameworks, the US model’s decentralized structure remains both its comparative advantage and its principal structural limitation.
Transparency Obligations: Self-Regulation Moderated by State-Level Mandates
Transparency obligations in the United States combine corporate self-regulation with state-level statutory disclosure requirements. Unlike the GDPR, US law does not require the public disclosure of the “essence” of joint responsibility arrangements.
Under the CPRA, businesses must disclose whether they “sell” or “share” personal information and must honor Global Privacy Control signals. However, the law does not mandate that firms detail the allocation of responsibility between the business and its service providers or contractors. As demonstrated in the Sephora enforcement action, responsibility classification often remains buried within complex privacy policies or undefined in practice, limiting users’ ability to understand or exercise their rights.
Sectoral laws such as HIPAA impose more detailed transparency obligations but operate within narrow domains and do not create a cross-sectoral framework for multi-party responsibility. Consequently, transparency in the US system provides notice without structural accountability, falling short of the supervisory transparency embedded in the EU model.
Summary and Critical Assessment
The US model combines high contractual flexibility and relatively low formal compliance burdens, facilitating the rapid expansion of data-intensive services. Simultaneously, the absence of a unified joint-responsibility doctrine means that accountability in multi-party processing is largely left to contracts, sectoral rules, and enforcement discretion, rather than anchored in a clear liability baseline. This weakens the meso-level link between abstract privacy principles and concrete allocation of duties, producing role ambiguity for firms and uneven remedies for individuals. For cross-border digital trade, the result is a framework that remains attractive as an innovation environment, but fragile as a basis for predictable, interoperable responsibility allocation.
China’s State-Led Hybrid Model: From Principle-Based Design to Risk-Differentiated Governance
China represents a distinct trajectory in the evolution of joint data responsibility, shaped by its dual policy objectives of security protection and digital-economic growth. While its PIPL initially introduced a broad and principle-based notion of “joint processing,” the regulatory landscape between 2023 and 2025 has shifted toward a more risk-differentiated and scenario-specific framework. This state-led hybrid model attempts to manage multi-party responsibility through stratified regulatory tools rather than through a unified doctrinal test, positioning China between the EU’s rights-based model and the United States’ market-led approach, as illustrated in Figure 3.

Figure 3. China’s risk-differentiated responsibility flow.
Identification Criteria: From Conceptual Ambiguity to Risk-Based Differentiation
Article 20 of the PIPL outlines the basic concept of “joint processing” but does not specify a clear operational test comparable to the EU’s “substantive influence” standard. Consequently, responsibility identification—particularly in platform ecosystems, app ecosystems, and merchant–platform collaborations—remains highly context-dependent.
Recent regulatory developments, particularly the Provisions on Promoting and Regulating Cross-Border Data Flows (March 2024), introduce new regulations indirectly affecting joint processing: risk quantification and tiered thresholds (Guo & Li, 2025). These regulations distinguish between high-risk and low-risk scenarios through numerical criteria (e.g., fewer than 100,000 individuals’ personal information; fewer than 10,000 individuals’ sensitive personal information), carving out exemptions for low-risk commercial practices such as human resource management or necessary contract fulfillment.
Although these measures do not directly resolve the ambiguities of “joint processing,” they indicate a shift toward scenario-based identification, in which the regulatory burden depends on the scale and sensitivity of processing rather than on the doctrinal classification of controller relationships.
Liability Allocation: Dual-Track Responsibility Within a “Negative List” Architecture
China’s liability mechanism reflects a dual-track structure. Although Article 69 of the PIPL provides for joint civil liability in cases of joint processing, in practice, the difficulty of proving joint determination has limited the application of this provision.
To address this, the 2024 regulatory reforms introduce a “negative list” model in Free Trade Zones, which reshapes liability exposure along two differentiated pathways:
High-risk scenarios (on the negative list)
These cases require government-led security assessments and typically involve “Important Data” or large-scale processing. Liability combines administrative sanctions with civil joint liability, with the state exercising a decisive ex ante gatekeeping function.
Low-risk scenarios (outside the negative list)
These cases bypass administrative assessments. Liability allocation is governed primarily by contractual arrangements and the Standard Contractual Clauses (SCC) filing system, creating a quasi “safe harbor” that reduces the uncertainty associated with proving joint processing in ordinary commercial collaborations.
This dual-track approach does not eliminate the doctrinal ambiguity surrounding joint processing, but it does reduce practical uncertainty by targeting strict liability toward high-risk domains while lowering the compliance burden for routine digital-trade activities.
Transparency Obligations: Regulatory Visibility Rather Than Public Disclosure
China’s transparency obligations remain more limited than the EU’s. The PIPL does not require joint processors to publicly disclose the allocation of responsibilities. However, since the implementation of the Measures for the Standard Contract for Outbound Transfer of Personal Information (June 2023), transparency has shifted toward regulatory visibility.
Joint processors must submit their agreements to the Cyberspace Administration of China (CAC), detailing the division of responsibilities, individual rights mechanisms, and security measures. This model establishes “supervised autonomy,” wherein responsibility arrangements are not disclosed to data subjects but remain fully reviewable by regulators. Compared with the early PIPL stage—where such arrangements were entirely internal—this represents a move toward greater accountability without compromising commercial confidentiality.
Summary and Critical Assessment
China’s model has evolved from security-first, principle-driven regulation to a more nuanced hybrid system characterized by risk thresholds, exemption mechanisms, and scenario-based governance. Although the doctrinal definition of “joint processing” remains less precise than in the EU, the emerging governance architecture provides differentiated compliance pathways for multi-party processing, delineating a governance trajectory that is neither fully rights-driven nor fully market-driven, reflecting China’s broader effort to balance data security with digital-economic openness. In this context, high-profile controversies surrounding TikTok’s data governance—particularly in relation to cross-border data flows and platform accountability—underscore how China’s security-oriented regulatory logic is increasingly operationalized through platform-level responsibility and state-led oversight mechanisms, rather than through detailed ex ante doctrines of joint processing.
A Supplementary Reference: Singapore’s Interoperability-Oriented Model
Situated between the regulatory poles of the EU, the United States, and China, Singapore represents a fourth, pragmatic model grounded in accountability, proportionality, and interoperability. Rather than adopting a “joint responsibility” doctrine, it collapses responsibility toward a single legally accountable actor—the organization—while imposing targeted statutory duties on data intermediaries. This design minimizes role ambiguity in multi-party data processing and supports Singapore’s broader objective of facilitating trusted cross-border digital trade, reflected in its leadership role in the DEPA.
Identification Criteria: Functional Distinction Between Organization and Data Intermediary
The PDPA, as amended in 2020, adopts a functional two-tier framework that distinguishes between organizations and data intermediaries (Chin & Zhao, 2022). An “organization” is any individual or entity that collects, uses, or discloses personal data other than solely as a data intermediary. In practice, this broadly corresponds to the actor that determines the purposes and, to a significant extent, the means of processing. A “data intermediary,” by contrast, is an organization that processes personal data on behalf of another organization and only for that organization’s purposes, typically pursuant to a written contract. Where a vendor departs from those instructions and begins to process data for its own independent purposes, it ceases to act merely as a data intermediary and assumes the full set of obligations attaching to an organization.
Because the PDPA does not recognize a separate category of “joint controllers,” the allocation of responsibility in multi-party chains turns on this functional role-based inquiry rather than on a distinct “joint control” doctrine as under the GDPR. Actors in digital supply chains—including cloud service providers, logistics partners, or software-as-a-service vendors—remain in a data-intermediary role, beyond the primary line of accountability vis-à-vis individuals, so long as they do not independently determine processing purposes or means. This role-based structure reduces doctrinal complexity, providing firms operating in regional e-commerce, cloud, and platform ecosystems a relatively clear ex ante view of where PDPA responsibility will attach.
Liability Allocation: Primary Responsibility With Direct Statutory Duties for Intermediaries
Singapore adopts what may be described as a primary responsibility model. Under section 4(3) of the PDPA, an organization that engages a data intermediary to process personal data on its behalf “has the same obligation in respect of such personal data as if it had processed the personal data itself.” In other words, outsourcing does not dilute the organization’s full suite of statutory duties, including consent, notification, access and correction, purpose and transfer limitation, and accountability.
Simultaneously, the post-2020 regime imposes direct statutory duties on data intermediaries in a narrow set of operational areas. In particular, data intermediaries are directly subject to:
the protection obligation, requiring reasonable security arrangements against unauthorized access, use, disclosure, or loss;
the retention limitation obligation, requiring intermediaries to cease retention or irreversibly de-identify personal data once it is no longer needed for business or legal purposes; and
a specific duty within the data breach notification framework, namely to notify, without undue delay, the engaging organization of any data breach relating to personal data processed on its behalf, even though the outward notifications to the Personal Data Protection Commission (PDPC) and affected individuals remain the organization’s responsibility.
This hybrid structure balances accountability and operational feasibility, preventing intermediaries from sheltering behind purely contractual disclaimers, while preserving a single primary addressee—the organization—for most data subject-facing rights and for regulatory enforcement in relation to the overall processing activity.
The Singapore Health Services/Integrated Health Information Systems (SingHealth/IHiS) decision illustrates this allocation in practice. In the aftermath of the 2018 cyberattack on SingHealth’s patient database, the PDPC held that SingHealth, as the organization, retained primary responsibility for ensuring reasonable security safeguards, notwithstanding its engagement of IHiS as an information technology vendor. Simultaneously, IHiS was found to be a data intermediary subject to its own protection obligation, and both entities were fined for failing to implement adequate security measures (Chin & Zhao, 2022). The case exemplifies how the PDPA can attach liability to both the organization and its intermediary without resorting to a joint-controller doctrine, instead relying on non-delegable primary responsibility coupled with targeted direct duties for the processor-like entity.
Transparency Obligations: Notification-Based Disclosure and Certification-Driven Trust
Singapore’s transparency framework is built around the notification of purposes rather than the detailed disclosure of internal allocation of responsibilities. Organizations must not only inform individuals, on or before collection, of the purposes for which their personal data will be collected, used, and disclosed but also provide the business contact information of a person who can respond to data protection queries. In practice, many organizations also describe third-party recipients (e.g., cloud service providers or logistics partners), but the PDPA does not mandate disclosure of the “essence” of contractual arrangements with data intermediaries in the way that Article 26 GDPR does for joint controllers. This allows firms to preserve commercially sensitive allocation of risk and responsibility, while still notifying individuals of how and for what purposes their data will move through the ecosystem.
Transparency and trust are further reinforced through market-driven mechanisms. The Data Protection Trustmark (DPTM) provides a voluntary, PDPC-administered certification indicating that an organization’s data protection practices meet a prescribed benchmark. At the cross-border level, Singapore’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems enables organizations to signal adherence to interoperable standards when transferring data across jurisdictions. These certification-based trust signals complement the statutory framework and play a central role in Singapore’s broader digital-trade strategy, including instruments such as the DEPA, by supporting “trusted data flows” even in the absence of strict GDPR-style adequacy findings.
Summary and Evaluation
Singapore’s model offers a functional alternative to both the EU’s rights-centered but conceptually dense joint-controller doctrine and the United States’ largely contractual allocation of risk. By consolidating primary accountability in a single organization, imposing narrowly-tailored statutory duties on data intermediaries, and leveraging certification schemes to support cross-border interoperability, the PDPA reduces frictions in multi-party processing while maintaining a credible accountability framework. For small, open economies embedded in Asia-Pacific value chains, this meso-level responsibility design illustrates how regulatory architectures can simultaneously sustain innovation, preserve individual protection, and facilitate convergence with heterogeneous foreign regimes (Table 1).
Table 1. Comparative Framework of Joint Data Responsibility Models.
Discussion and Policy Implications: Implications for Global Digital Trade Governance
The comparative analysis clearly reveals that, in addressing the responsibility issues of “joint data processing” in digital trade, the EU, the United States, and China have not converged on a single regulatory framework, with each instead developing distinct legal paths according to their own historical trajectories. This finding not only reflects objective institutional differences but also entails profound implications for the future governance of global digital trade, the compliance practices of multinational enterprises, and the evolution of international rules. Figure 4 provides a visual overview of the relative positioning of the EU, the United States, and China to synthesize these comparative findings across the three analytical dimensions.

Figure 4. Comparative radar chart of joint data responsibility models.
From Regulatory Convergence to Ongoing Divergence: A Theoretical Response
The future of global digital governance has long been a topic of intense academic debate. In the context of joint data responsibility, the comparative findings of this study demonstrate not convergence but a persistent, deepening “regulatory divergence” among the three major regulatory poles, while smaller but strategically positioned jurisdictions such as Singapore are developing interoperability-oriented mechanisms that mediate rather than replace this tripolar structure. This divergence challenges theories based on a single determining factor and supports those predicting an increasingly fragmented digital world (Farrell & Newman, 2019). More importantly, this study argues that such divergence is not a mere technical legal difference but stems from fundamental institutional logical conflicts among the three major players in the digital age as they reshape the relationship between the state, the market, and the individual.
At the meso-level, this divergence functions as a structural hinge that links macro-level struggles over data sovereignty with micro-level controller obligations, demonstrating that joint responsibility mechanisms play a decisive connective role in translating geopolitical tensions into operational compliance burdens.
The EU’s logic is based on fundamental rights, using legal certainty to constrain market disorder and potential state interference. Its “joint controller” system ensures that regardless of how commercial models evolve, the right to remedy for individuals must be paramount and unobstructed. The United States, in contrast, prioritizes market innovation, with the state acting as a “watchdog” intervening through ex post enforcement. Its reliance on contractual autonomy maximizes flexibility for enterprises but shifts the cost and uncertainty of rights protection onto individuals. By contrast, China prioritizes national security and development, framing market innovation and personal rights within a broader top-down structure. Its “joint processing” framework, still in its nascent stages, reflects legislative caution while reserving significant space for future dynamic interpretation and intervention by the state. These deep differences in institutional logic, rooted in different legal traditions, political systems, and economic philosophies, determine the divergent paths these three actors will take regarding data responsibility, leading to sustained fragmentation. Singapore therefore functions not as a fourth regulatory pole but as an institutional laboratory offering practical tools for soft-connecting otherwise divergent responsibility models.
Real-World Challenges in a Fragmented Landscape: Compliance Dilemmas for Multinational Enterprises
This regulatory divergence poses significant real-world challenges for market participants, particularly multinational corporations. Global e-commerce platforms operating across the three major markets face a structural compliance trilemma, characterized by conflicting regulatory imperatives across jurisdictions:
In Europe, companies must conduct complex “Data Transfer Impact Assessments (DTIA)” under the GDPR, dedicating substantial resources to navigating relationships with thousands of commercial partners to mitigate the risks of joint controller liability.
In the United States, the absence of a unified federal law means that legal teams must negotiate with each partner under uncertain legal frameworks, drafting data processing agreements and creating fragile “liability barriers” through contracts.
In China, companies face not only the ambiguity of the PIPL but also stringent national security reviews and data exit assessments to comply with national regulatory requirements.
These dilemmas have intensified following high-profile enforcement actions, such as the €1.2 billion fine imposed on Meta by the Irish DPC in 2023 for unlawful cross-border transfers, as well as China’s 2023 to 2024 CAC-led rectification campaigns, which significantly tightened scrutiny over outbound data flows and expanded the scope of security assessments.
These challenges are not just theoretical but tangible business dilemmas. For example, Meta has repeatedly indicated it may be forced to withdraw from its core services in Europe owing to the ongoing conflict between the EU and the United States over data transfer responsibilities and government access rights (as highlighted by the Schrems II case). These practical challenges exemplify the direct impact of regulatory divergence on global digital trade. The fragmented regulatory environment significantly increases the compliance costs and legal risks of global digital trade, hinders the free flow of data as a key production factor, and creates market entry barriers disadvantageous to SMEs. This exacerbates the “winner-takes-all” phenomenon in the digital economy.
Seeking Interoperability: The Limitations of International Frameworks and the Future
Faced with deeply fragmented domestic regulations, the question arises: Can international frameworks such as RCEP, DEPA, or the WTO mitigate these divides? The answer remains uncertain. Most agreements operate at the macro-principle level—prohibiting unjustified data localization or promoting data flows—while avoiding the politically sensitive issue of allocating liability in multi-party processing.
RCEP Article 12.15, for example, protects cross-border information flows but allows broad “public policy” exceptions, providing limited guidance on responsibility allocation. DEPA, by contrast—reflecting Singapore’s accountability-based and interoperability-oriented model described in Section 4.4—follows a different approach. Rather than harmonizing substantive legal rules, it promotes functional interoperability through digital identity cooperation, trusted data-sharing frameworks, and mutual recognition of certification schemes such as the DPTM and APEC CBPR/PRP, which serve as partial bridges between strict rights-based regimes like the EU and more decentralized or risk-differentiated models like those of the United States and China. Even so, these mechanisms still do not resolve the meso-level issue of responsibility allocation in joint data processing.
The absence of this meso-level coordination is not accidental. Responsibility allocation directly implicates judicial sovereignty, consumer protection standards, and industry regulatory philosophies—areas where states rarely compromise. Accordingly, a unified global “joint responsibility framework” remains unlikely in the near term. Still, progress may be made through flexible governance innovations. A regional responsibility registration mechanism could require firms engaged in cross-border collaboration to file internal responsibility arrangements with a regional platform accessible to regulators and users. Smart contracts for responsibility, encoded through distributed technologies such as blockchain, could automate compensation or regulatory notifications upon detecting contractual breaches.
Crucially, both mechanisms operate at a procedural rather than substantive level, standardizing how responsibility arrangements are recorded, disclosed, and enforced without imposing a uniform liability rule on participating states. Because they do not pre-determine which party is liable under domestic law, they can function across borders as an interoperability layer that overlays rather than replaces heterogeneous national regimes.
In this context, Singapore’s role is best understood as an institutional laboratory experimenting with interoperability mechanisms capable of soft-connecting divergent systems.
China as a “Rule Shaper”: The Possibility of a Third Path
If Singapore illustrates how interoperability can be engineered from the margins, China—by virtue of its regulatory capacity and market scale—represents a different trajectory in which a major actor may evolve from a “rule taker” into a “rule shaper.” Its “joint processing” framework is undoubtedly the most recent in development, with the least detailed institutional design. However, simply labeling it as “backward” or “inadequate” overlooks its broader institutional aspirations and evolutionary potential. China’s model does not merely oscillate between the EU’s rights-oriented approach and the United States’ market-oriented structure but embodies a distinctive blend of nationalism and developmentalism. Legislative ambiguity can be interpreted as a strategic arrangement allowing the state to retain maximum policy space amid fast-changing technological conditions and geopolitical uncertainty rather than as indicative of normative weakness.
A key dimension of this emerging model is the growing emphasis on platform responsibility. Recent regulatory developments in algorithmic governance, data security obligations, and the graded management of “Important Data” signal that platforms are increasingly expected to assume quasi-regulatory roles. This suggests an attempt to distribute responsibility in a structured manner without replicating the rigidities of the GDPR. Simultaneously, risk-differentiated tools, such as negative lists, tiered thresholds, and differentiated outbound-transfer requirements, point to a governance logic that is less doctrinal and more functional, reflecting China’s prioritization of national security and digital-economic development.
Looking ahead, China is unlikely to fully replicate the EU’s high-standard compliance model, as this could conflict with its goal of fostering the digital industry. It also cannot fully embrace the US model of leaving data governance entirely to the market. In all likelihood, it will leverage its strong state capacity and large domestic market to explore a “third path” that emphasizes platform responsibility, strengthens preemptive national security assessments, and categorizes and classifies data. In this path, personal rights protection will be integrated into the broader framework of national data security and economic development.
Once this “third path” is established, China’s immense presence in the global digital economy is likely to extend its regulatory influence beyond its borders. It could offer a governance model distinct from the EU and US paradigms that some developing countries may find attractive, thereby gradually reshaping the governance landscape of global digital trade (Erie & Streinz, 2021). In this sense, China may move from primarily a “rule taker” toward a more active “rule shaper” in global digital governance.
Conclusion
This paper provided a systematic, meso-level comparison of the joint data responsibility models adopted by the EU, the United States, and China—three regulatory poles that continue to shape the architecture of global digital trade. The analysis demonstrates that, contrary to expectations of regulatory convergence, the governance of joint data processing is progressing along a path of sustained and structural divergence. The core challenge lies not in differing legal techniques but in the deeper institutional logics through which each jurisdiction balances the triad of state power, market autonomy, and individual rights.
A key contribution of this study is the development of an analytical framework comprising three dimensions—identification criteria, liability allocation, and transparency obligations. This framework bridges macro-level debates on data sovereignty and micro-level models of controller obligations, offering a meso-level explanatory lens that captures how geopolitical tensions translate into operational governance mechanisms. Through this lens, the EU emerges as a rights-based system prioritizing legal certainty and strong external remedies; the US, as a market-driven system relying on contractual risk allocation; and China, as an evolving state-led hybrid model that increasingly differentiates between high-risk data and ordinary commercial flows through quantitative thresholds and negative-list governance. This analysis also reveals that institutional divergence is not a contingent outcome but a predictable reflection of deeper variation in legal traditions, regulatory philosophies, and national development priorities.
The findings have significant practical implications. For multinational enterprises, the fragmentation mapped in this study reveals that global compliance cannot rely on a single governance template. Instead, firms must navigate three fundamentally different responsibility logics, each generating distinct forms of uncertainty: expansive joint liability in the EU, contractual indeterminacy in the United States, and security-oriented administrative assessment in China. For policymakers and international institutions, the analysis highlights a critical blind spot in current digital trade agreements. While frameworks such as RCEP and DEPA facilitate cross-border data transfers at a macro level, the meso-level question of how responsibility should be allocated among multiple actors is left unresolved—a gap that directly undermines accountability and regulatory trust. Future governance experimentation may therefore increasingly rely on softer, modular tools—such as certification regimes, responsibility registries, or technologically embedded accountability mechanisms—that enhance interoperability without forcing substantive legal harmonization. Singapore’s interoperability-oriented model offers an important institutional laboratory for experimenting with modular mechanisms that help ease cross-system divergence.
Collectively, these findings suggest that the global governance of joint data responsibility is entering a stage of structural pluralism rather than convergence. The coexistence of rights-based, market-driven, and security-oriented models appears unlikely to be temporary, instead reflecting durable political–economic commitments that may not easily be reconciled through substantive harmonization alone. This also implies that future international coordination will depend less on uniform liability rules and more on procedural interoperability—shared responsibility registries, auditable certification mechanisms, and technologically embedded accountability tools capable of overlaying heterogeneous domestic regimes. For developing economies, the divergent models mapped in this study highlight not only constraints but also strategic room to selectively align with, hybridize, or adapt these emerging frameworks. These dynamics suggest that joint responsibility is emerging as a foundational axis along which the future digital order will be negotiated.
This study also has some limitations. China’s PIPL and its accompanying regulatory instruments remain in a dynamic stage of development, and empirical patterns of enforcement are still emerging. Moreover, no quantitative analysis of compliance costs or firm-level economic impacts was conducted, as this would require dedicated datasets beyond the scope of this doctrinal and institutional comparison. The analysis presented here should therefore be understood as preliminary. Despite these limitations, the analytical framework provides a transferable tool that can be applied to other large emerging jurisdictions—such as India, Brazil, and economies of the Association of Southeast Asian Nations—to refine the comparative landscape and enhance the global applicability of this meso-level approach.
The question this study raises is larger than the allocation of liability itself. In a digitally integrated yet institutionally fragmented world, understanding why legal systems diverge may be more important than attempting to engineer an overly ambitious global convergence. The governance of joint data responsibility is not simply a technical matter of compliance but a window into how different political-economic systems imagine the ordering of the digital future. Who bears responsibility in a global data economy, and according to whose rules, is likely to become a defining issue for the next phase of digital trade governance. Ultimately, the governance of joint data responsibility is likely to shape not only how data moves across borders but also how power, accountability, and trust are distributed in the emerging global digital order.
Footnotes
Ethical Considerations
This article does not involve any studies with human participants or animals performed by the author. Therefore, ethical approval was not required for this study.
Consent to Participate
This article does not involve any studies with human participants or animals performed by the author. Therefore, informed consent was not required for this study.
Author Contributions
The author solely conceptualized the study, conducted the comparative legal analysis, and drafted the manuscript.
Funding
The author disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was supported by the Doctoral Research Start-up Fund of Xinzhou Normal University.
Declaration of Conflicting Interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Data Availability Statement
Data sharing not applicable to this article as no datasets were generated or analyzed during the current study.
