Data Protection Law in Germany, the United States, and China

Abstract

This chapter examines data protection laws in Germany, the United States, and China. We describe the most important legal sources and principles of data protection and emphasize the rights of data subjects, with particular attention to personal and sensitive data. The legal frameworks for data protection on crowdsourcing platforms in the three countries show significant differences, but also some similarities. In the United States no federal omnibus regulation on the protection of personal data exists so far. The state of California recently enacted a consumer protection law similar to the GDPR. China started developing its privacy legislation after Germany and the United States, in some parts again similar to the GDPR. A characteristic of the Chinese approach is the different protection regime of personal rights with respect to private actors and to the state government. While privacy rights have expanded in the private sector, threats to privacy posed by state actors have received little attention in Chinese jurisprudence.

3.1 Data Privacy and Crowdsourcing in Germany: Legal Instruments, Aspects of Contract Law, Consumer Protection, and Competition Law

This subchapter was written by Sonja Mangold.

3.1.1 Legal Sources for Data Processing

In Germany, the EU General Data Protection Regulation (GDPR) is the central regulatory instrument for the handling of personal data by crowdsourcing businesses. Platform companies are not specifically addressed by the EU legislation, but like any other data processor, they are subject to the legal requirements (Spiecker genannt Döhmann, 2019). On May 25, 2018, the GDPR became binding and applies by priority and directly (Art. 288 para. 2 TFEU¹) in all EU member states. Its territorial scope of application is wide. According to what is called the “marketplace principle” (Art. 3 para. 2 GDPR), non-European companies offering goods and services to EU customers and website visitors must also observe the GDPR. As far as the supranational framework gives leeway for national regulations, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)² remains applicable as a further relevant source of law. In their role as internet service providers, crowdsourcing platforms must also consider the requirements of the German Telecommunications Act (Telekommunikationsgesetz, TKG) and the Telemedia Act (Telemediengesetz, TMG) (Hetmank, 2016).

In practice, information on data processing on crowdsourcing platforms is often integrated into general terms and conditions. Such private autonomous regulations must be measured against the abuse control provisions of the German Civil Code (Bürgerliches Gesetzbuch, BGB) for general terms and conditions (§§ 305 et seq. BGB). They must not deviate from the legal model—for example, the requirements of the GDPR—in a surprising or too far-reaching, disadvantageous manner. Insofar as platform users are consumers, particularly strict requirements apply to the pre-formulated data protection clauses (cf. § 308 et seq. BGB). Data protection violations can then also be prosecuted under civil law by consumer associations³ under the Injunctive Action Act (Unterlassungsklagengesetz, UklaG).⁴

The use of personal data and the analysis of large datasets in digital business models can bring decisive competitive advantages. On the other hand, the notable trend in the crowdsourcing market towards the concentration of economic power and data resources through some large platforms harbors the risk of distortions of competition to the detriment of customers, consumers and smaller platforms (Schweitzer et al., 2018). Competition problems associated with the “data power” of companies are addressed by the European and German antitrust law. As the much-noticed case by the German Federal Cartel Office (Bundeskartellamt) against Meta-Facebook shows,⁵ antitrust requirements can be a lever for enforcing data protection rights.

The GWB Digitization Act (GWB-Digitalisierungsgesetz),⁶ which came into force in January 2021, contains specific regulations to limit platform power (von Wallenberg, 2020). The new regulatory framework expressly names access to competition-relevant data as a criterion for determining the market power of companies, which can be combated by means of antitrust abuse control (§ 18 para. 3 No. 3 GWB). The German Federal Cartel Office can prohibit anticompetitive behavior on the part of large platforms, such as denial of data portability (§ 19a para. 2 (1) No. 5 GWB). The regulation also provides for rights to data access over the objections of powerful companies (§ 19 para. 2 No. 4, § 20 para. 1 (a) GWB) (see Schweitzer et al., 2018).⁷

German competition law also contains provisions that are relevant to issues of privacy. Platforms’ data processing practices could be problematic from an unfair competition point of view.⁸ For example, insufficient information about data collection and use can be assessed as anti-competitive and can be punished and prevented by associations and competing companies through the Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb, UWG) (Podszun & de Toma, 2016).

The EU regulation on the promotion of fairness and transparency for commercial users of online intermediation services (Regulation (EU) 1150/2019—Peer to Business (P2B) Regulation), which has been in force since summer 2020, is another important instrument that concerns platform businesses. The P2B Regulation contains contractual and competition law requirements to compensate for data-related market power asymmetries (Tribess, 2020). In particular, platforms are obliged to establish transparency towards their commercial users with regard to access to and processing of personal or other data (Art. 9 P2B Regulation). Customers can take action against non-transparent general terms and conditions through an internal complaint procedure to be created by the platforms (Art. 11 P2B Regulation). In addition, competition associations can prosecute violations of transparency obligations with regard to data processing (cf. Art. 14 P2B Regulation).⁹

The European Commission’s new proposal for a directive on improving working conditions in platform work¹⁰ deals specifically with privacy issues regarding crowdworkers. The planned legal framework contains restrictions on the processing of personal data of (self-employed and employed) platform workers in connection with algorithmic management (see Sect. 3.1.8, below).

The prospective ePrivacy Regulation¹¹ could bring new data protection standards in the EU member states with regard to the use of cookies and web tracking services. The ePrivacy regulation is expected to replace, expand and supplement the information obligations and admissibility requirements set forth by the GDPR and the German telecommunications law.¹² However, so far, no agreement has been reached on the legislative proposal by the European Commission.

3.1.2 Data Security: At the Interface Between Data Protection and IT Security Law

Cyber attacks, the use of spyware, and identity theft are risks that are particularly high in digital business models such as crowdsourcing. This results in new challenges for data security, which aims to protect against manipulation, loss or unauthorized access to data (Spiecker genannt Döhmann, 2019). Data security is legally guaranteed in Art. 5 para. 1 (f), Art. 32 GDPR. Although there are currently no regulations that specifically take into account the security situation in platform processes (Spiecker genannt Döhmann, 2019), various standards in German and European law oblige companies to ensure IT security and to protect user data from loss, destruction, theft or misuse. The general and area-specific German IT security laws (BSI law, IT Security Act 2.0,¹³ TMG, TKG) contain provisions on security measures, information obligations and reporting obligations in the event of malfunctions, which are also relevant for platforms. In addition, there are subordinate legal regulations such as DIN standards and ISO standards. There are also regulations in tax and commercial law that deal with the secure retention and storage of data.

EU data protection law also contains specific regulations on data security. According to Art. 32 GDPR, platform companies and their contract data processors are obliged to carry out a risk analysis when processing personal data and to take necessary technical and organizational security measures such as encryption. In addition, Articles 33 and 34 GDPR provide for obligations in the event of data breaches to report to authorities and those affected. Violations of data security can result in official sanctions as well as contractual and liability consequences (Riehm & Meier, 2020).

3.1.3 Protection of Personal and Sensitive Data

German and European data protection law only applies if platforms collect and process personal data. Such data are legally defined in Art. 4 para. 1 GDPR as “all information that relates to an identified or identifiable natural person.” The information therefore does not have to explicitly identify a person; it is sufficient if a person can be identified by information such as date of birth and social security number.¹⁴ Fixed and dynamic IP addresses can also represent personal data (on the latter, see ECJ, judgment of October 19, 2016—C-582/14—Breyer case).¹⁵

When processing data, platforms must consider that sensitive user information is particularly legally protected. For example, the processing of information about skin color, party and trade union membership, religious affiliation, or health data is principally prohibited according to Art. 9 para. 1 GDPR.¹⁶ Data processing is only permitted in exceptional cases, for example if users have expressly consented to the processing of sensitive information for a specific purpose (Art. 9 para. 2 (a) GDPR).¹⁷

3.1.4 Particularities of Data Protection: Company Information, Consumer and Employee Data

German and European data protection law only relates to the personal information of natural persons (cf. Art. 1 para. 1, Art. 4 para. 1 GDPR). Insofar as crowdsourcing platforms collect and process company information, the existing data protection regulations are generally inapplicable.¹⁸ Exceptions apply if business customer information allows direct conclusions to be drawn about individual natural persons (Ernst, 2021). Crowdworkers who are active as solo entrepreneurs on platforms can also rely on data protection law.

Special data protection-related requirements must be observed if users of crowdsourcing platforms are consumers.¹⁹ Website visitors and crowdworkers who occasionally work on platforms will regularly have to be classified as consumers (Däubler & Klebe, 2015). Therefore, under certain circumstances, stricter requirements apply to legitimizing consent to data processing (Ernst, 2017). Platform companies must also expect consumer associations to take legal action against possible data protection violations (see above). In the legal discussion in Germany, it is controversial whether crowdworkers are to be classified as employees (e.g., Walzer, 2019), which would interfere with regulations on employee data protection.²⁰ Most platform companies treat crowdworkers as self-employed. However, the Federal Labor Court (Bundesarbeitsgericht, BAG) recently classified a crowdworker who was active on a microtask platform as an employee in accordance with labor law (BAG, judgment of December 1, 2020–9 AZR 102/20). If crowdworkers fall under the concept of employee, the increased legality requirements for data processing in the employment relationship according to § 26 BDSG apply.²¹ Accordingly, the collection and use of personal data are only permitted if they are necessary in view of the employment context. With regard to valid consent to data processing, strict assessment and documentation obligations apply (Düwell & Brink, 2017).

3.1.5 Basic Principles of Data Processing

Crowdsourcing platforms must observe some basic data protection principles. In contrast to the United States, the central principle in German and European data protection law is the principle of prohibition with reservation of permission. Accordingly, personal data may only be collected and processed if there is valid consent or another legal basis (Spiecker genannt Döhmann, 2019). The European Court of Justice (ECJ) has consistently held that any handling of personal data must meet the requirements of legal admissibility in accordance with Art. 6 GDPR and the principles regarding the quality of processing in accordance with Art. 5 GDPR (ECJ, case C-137/17 and C-507/17-Google France).

Art. 5 GDPR regulates some general data protection principles. In the event of non-compliance, the supervisory authority can impose a fine (cf. Art. 83 para. 5 (a) GDPR). Accordingly, platforms must deal with user data lawfully, transparently and fairly (Art. 5 para. 1 (a) GDPR).²² Regarding the principle of transparency, Recital 39 GDPR states that data subjects must always be made aware of who is collecting the data, whether and to what extent personal data is being collected, and which data is stored and processed. It further states that any information and communication relating to the processing must be easily accessible and easy to understand, and that clear and plain language must be used. The principle of transparency is made more concrete in the detailed information obligations according to Art. 13 and Art. 14 GDPR. Accordingly, platforms that collect data directly or obtain data from third-party sources are obliged to specify the purposes and all legal bases of the processing, to name the recipients or recipient categories of the data, and to explain the storage period or the criteria for determining it. The data subject’s rights according to Art. 15 et seq. GDPR—such as the right to access, deletion, and data portability—must also be listed in the privacy statement.²³

Another central principle of data protection law is the requirement of purpose limitation (Art. 5 para. 1 (b) GDPR). Accordingly, personal information may only be collected and stored for specified, clear and legitimate purposes. Collection and storage of data without prior definition of the purpose is not permitted. If platforms continue to use collected data for changed purposes—such as marketing or claims management—this use requires a new justification.²⁴

The principle of data minimization (Art. 5 para. 1 (c) GDPR) provides that the personal data collected must be adequate and factually relevant for the purpose. In addition, the processing must be limited to what is necessary for the purpose. Another key concern of data protection law is the principle of data accuracy (Art. 5 para. 1 (d) GDPR). This principle states that personal data must be factually correct and up-to-date. Platforms as controllers must take all reasonable steps to correct or delete incorrect personal data (Schantz, 2020). When creating individual user and personality profiles, for example for advertising purposes, it is important to ensure that the information is correct.²⁵ The principle of storage limitation (Art. 5 para. 1 (e) GDPR) is closely linked to the principles of data minimization and data accuracy. Accordingly, platforms are required not to store data longer than necessary. Outdated or incorrect data must be deleted. For this purpose, suitable test and deletion concepts must be developed. The principle of storage limitation also means that personal data is anonymized or at least pseudonymized if possible (Schantz, 2020).

With Art. 25 GDPR, the concepts of data protection through “privacy by design” and “privacy by default” were established for the first time throughout the EU (see Baumgartner & Gausling, 2017). The rules on privacy by design and privacy by default specify the principles set out in Art. 5 GDPR, in particular the principle of data minimization. The obligation to privacy by design (Art. 25 para. 1 GDPR) means that platforms must take appropriate organizational and technical data protection measures before data processing, taking into account the state of the art and implementation costs. Thus, there is legal leeway for companies with regard to the selection of specific precautions. For example, anonymization, pseudonymization and encryption techniques come into consideration. Privacy by default (Art. 25 para. 2 GDPR) obliges companies to offer preselected privacy-friendly settings in programs, apps, and other applications. Users should thus be automatically protected against excessive data usage. If the obligations to privacy by design and privacy by default are violated, the supervisory authorities can impose fines of up to 10 million EUR or up to 2% of the company’s worldwide annual turnover in the previous financial year, whichever is higher (Art. 83 para. 4 (a) GDPR). Platform companies can use data protection certifications to demonstrate compliance with the requirements set out in Art. 25 para. 1–3 GDPR.

3.1.6 Pseudonymization and Anonymization as Data Protection Measures

Pseudonymization and anonymization are central means of the European data protection framework (e.g., Voigt & von dem Busche, 2018). In Art. 25 para. 1 GDPR, pseudonymization is expressly mentioned as a way to implement privacy by design. Art. 32 para. 1 (a) GDPR describes pseudonymization as an instrument for establishing data security. Art. 4 para. 5 GDPR defines pseudonymization as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Successful pseudonymization thus makes it difficult to attribute data to a person; re-identification is only possible if certain additional information is known. If platforms process and use data in a pseudonymized form, for example when creating user profiles,²⁶ data protection risks can be significantly reduced. Successful pseudonymization can be taken into account when justifying data processing (Art. 6, 9 GDPR) in favor of the platforms.

The anonymization of data guarantees even greater privacy protection. In the case of anonymized data, the personal reference is removed in such a way that re-identifiability is not possible or only possible with a disproportionately large amount of time and money. If platforms use user data in anonymous, aggregated form, for example for statistics and market research purposes, the requirements of data protection law do not apply.²⁷

3.1.7 Consent as the Central Legitimation of Data Processing

In addition to legitimate business interests according to Art. 6 para. 1 (f) GDPR, crowdsourcing platforms will most often use the consent of the users (Art. 6 para. 1 (a), Art. 4 para. 11, Art. 7 et seq. GDPR) as the legal basis for their data processing. In the GDPR, consent²⁸ is a central concept of legitimizing data collection (Buchner, 2010). As a voluntary decision, it takes precedence over statutory provisions on admissibility. At the same time, statutory admissibility for platforms as responsible data processors is more legally certain (Frenzel, 2021). When obtaining consent, there are some legal requirements that must be observed. The consent must be given voluntarily, for the specific case and in an informed manner. Furthermore, platforms must be able to demonstrate that the user has consented to processing of data (Art. 7 para. 1 GDPR). If users as employees or consumers are in a power imbalance vis-à-vis the platform, the voluntary consent can be problematic (Recital 43 GDPR). In this case, consent can only freely be given if the data processing is in the interests of the user or if the user does not suffer any disadvantages by refusing to give consent (Stemmer, 2020). If platforms collect data that are not required for the provision of their services, the ban on “tying” (Art. 7 para. 4 GDPR) must also be observed. Accordingly, access to the service may not be made dependent on consent to an unnecessary use of data, in the sense of “take it or leave it.” A voluntary decision is also doubtful if a large provider with a significant market share requires its users to consent to extensive data use as a condition for using the service (Ernst, 2017). If consent is obtained, as is often the case, through general terms and conditions, the consent to data processing section should be particularly emphasized (Art. 7 para. 2 GDPR). Informed consent cannot be assumed if the information on data processing is written in “legalese” (Ernst, 2017). A consent to excessive further use of personal data can be invalid if solicited through a surprise clause under general terms and conditions law (Spiecker genannt Döhmann, 2019). Likewise, pre-ticked boxes shall not constitute consent (Recital 32 GDPR).

According to German and European case law, the use of cookies to analyze user behavior and for advertising purposes also requires active consent in the sense of an opt-in²⁹ (see most recently ECJ, judgment of October 1, 2019, Az. C-673/17; BGH, judgment of May 28, 2020-I ZR 7/16).

3.1.8 Algorithm-Based Decision-Making: Risks of Discrimination, Solution Approaches

Crowdsourcing platforms use algorithm-supported, data-driven decisions in a variety of ways (see e.g. Hannák et al., 2017; Ivanova et al., 2018). For example, crowdsourcing platforms often use algorithms to select, place and evaluate the performance of crowdworkers. In addition, algorithm-based data mining and big data analysis methods can be used to create extensive customer and visitor profiles, for example for marketing purposes.

Existing studies show that algorithm-based decision-making and evaluation on crowdsourcing platforms can be associated with unlawful disadvantages for groups at risk of discrimination, for example because of their gender or ethnic origin (Hannák et al., 2017). Algorithmic risks of discrimination have not been comprehensively and specifically addressed in German and European data protection and anti-discrimination law. However, there are some starting points for regulating algorithmic discrimination (Orwat, 2020). Particularly noteworthy is the regulation in Art. 22 para. 1 GDPR, according to which data subjects generally have the right not to be subject to a “decision based solely on automated processing—including profiling.”³⁰ If such a decision is permitted in exceptional cases (in the case of contract fulfillment or consent, Art. 22 para. 2 GDPR), affected persons have the right to contest the decision (cf. Art. 22 para. 3 GDPR). Even stricter requirements apply according to Art. 22 para. 4 GDPR if, within the framework of automated decisions, discriminatory data within the meaning of Art. 9 para. 1 GDPR are processed (Buchner, 2018).

In addition, the GDPR provides for extended information obligations and rights to information for those affected about the logic involved and the effects of automated decision-making (Art. 13 para. 2 (f), 14 para. 2 (g), 15 para. 1 (h) GDPR). Accordingly, companies must provide information about the functionality and decision-making options of the algorithm (Orwat, 2020). Furthermore, Art. 35 para. 3 (a) GDPR obliges companies to carry out a data protection impact assessment if—in the case of algorithm-based, automated decisions—personal aspects of a person are comprehensively and systematically evaluated.

In addition, the German General Act on Equal Treatment (Allgemeines Gleichbehandlungsgesetz, AGG) offers individual and collective legal redress in order to take action against discriminatory decisions using algorithms (Orwat, 2020). With its current strategy on artificial intelligence, the European Commission³¹ has proposed extensive new regulations to make algorithm-based decisions fair, transparent, and non-discriminatory. Also worth mentioning are the specifications regarding algorithmic management of the planned EU directive on improving working conditions in platform work, mentioned above. In particular, the proposed directive stipulates that platform companies shall not automatically process any personal data relating to the psychological state, health status, or private conversations of platform workers (cf. Art. 6 para. 5).

3.1.9 Rights of Data Subjects

Art. 15 et seq. GDPR delineates the rights that users can assert against platforms as responsible data processors. According to Art. 15 para. 1 GDPR³² (right of access), platform companies must provide information on processing purposes, categories of data, recipients, storage duration and rights of appeal to a supervisory authority on request. Art. 15 para. 3 sent. 1 GDPR obliges organizations to provide a free copy of the personal data that is being processed, upon request by the data subject. According to Art. 16 para. 1 GDPR, users can immediately request the correction of incorrect information concerning them. Art. 17 GDPR defines the right to erasure of the data or to be forgotten. A deletion of data must be carried out in particular if the data is no longer required or the person concerned has revoked their original consent. The question of whether companies can legally fulfill their obligation to data deletion by anonymizing the data is legally controversial (e.g., Stürmer, 2020).

A central right of data subjects in the platform economy is the right to data portability according to Art. 20 GDPR (Ciotti et al., 2021; Schweitzer, 2019). This pursues a consumer protection and antitrust law objective and is intended to prevent lock-in effects in the sense of customer retention to one provider. Users are therefore entitled to receive all of their personal data in a commonly used and machine-readable format (Art. 20 para. 1 GDPR). In addition, those affected have the right to port their data to third parties, provided that the rights and freedoms of third parties are not affected (Art. 20 para. 4 GDPR). However, the exact scope, technical design and practical significance of the right to data portability are still unclear (Schweitzer, 2019).

Art. 21 GDPR grants users the right to object to lawful data processing under certain conditions. Platforms may then no longer be allowed to process the data in question. In Art. 21 para. 1 GDPR, the right is standardized to object to individually unreasonable processing—including profiling—on the basis of Art. 6 para. 1 (f) GDPR. In addition, data processing for the purpose of direct advertising can be prevented by the affected users asserting their right to object (see Art. 21 para. 2, para. 3 GDPR). In the event of violations of the rights of users according to Art. 15 et seq. GDPR, platforms must reckon with claims for damages and fines (Art. 82, Art. 83 para. 5 (b) GDPR).

3.1.10 The Data Protection Impact Assessment: Self-Evaluation in the Case of High-Risk Data Processing

In those cases of data processing that might result in elevated risk to the rights and freedoms of natural persons, companies must carry out a data protection impact assessment (Art. 35 et seq. GDPR), evaluating the consequences of data processing in advance and then selecting and taking adequate security and data protection measures. As part of the data protection impact assessment, risks for the protection of personal data must be identified and assessed. The recommendations of the German Federal Office for Information Security on protection needs can be helpful in this regard. Furthermore, a risk treatment plan must be drawn up (Friedewald, 2017).

A self-evaluation according to Art. 35 GDPR may be necessary for crowdsourcing for various reasons. In particular, platform companies can be obliged to carry out a privacy impact assessment if they use web tracking technologies, carry out big data analyses, or otherwise engage in profiling. There is also an obligation in accordance with Art. 35 GDPR if a large amount of highly sensitive data is processed (Hansen, 2020). If the data protection impact assessment shows that there is a high risk potential, the competent data protection supervisory authority must be consulted before data processing (Art. 36 para. 1 GDPR). A violation of the requirements according to Art. 35 et seq. GDPR can be punished with fines of up to ten million EUR or up to 2% of the company’s worldwide annual turnover in the previous financial year (Art. 83 para. 4 (a) GDPR).

3.1.11 Internal and External Data Protection Controls

A central element of corporate self-monitoring in privacy issues is the company data protection officer (Art. 37 GDPR, § 38 BDSG), whose main tasks are advising, monitoring compliance with standards, training, cooperation with supervisory authorities, and responding to inquiries from those affected (cf. Art. 39 GDPR, § 7 BDSG). Platforms may be obliged to appoint a company data protection officer if they use GPS tracker apps or process large quantities of sensitive data in accordance with Art. 9 GDPR (cf. Art. 37 para. 1 (b), (c) GDPR). A designation requirement can also pertain under German law if a data protection impact assessment is required for crowdsourcing services (§ 38 para. 1 sent. 2 BDSG).³³ In addition, it may be advisable for platforms to voluntarily appoint a data protection officer in order to better meet their data protection obligations.

Private self-monitoring under data protection law within a company is flanked by state-level and national supervisory mechanisms. According to Art. 51 et seq. GDPR, each EU member state must set up one or more independent data protection authorities. In Germany, data protection supervision is organized on a federal basis with the Federal Data Protection Commissioner and the State Data Protection Commissioner. The national data protection authorities have extensive control responsibilities and powers. Their primary tasks include monitoring and enforcing the GDPR, making companies aware of their obligations under data protection law, and processing inquiries and complaints from those affected (cf. Art. 57 para. 1 GDPR). The supervisory authorities are also responsible for questions relating to employee data protection. Art. 58 GDPR regulates powers of investigation, remedial action and approval. For example, the data protection supervisory authorities can prohibit illegal data processing, have personal data deleted, and prevent data transfers to non-EU countries. According to Art. 58 para. 5 GDPR, the EU member states must grant the supervisory authorities the right to “engage in legal proceedings.” Additional powers of the federal data protection officer and the state data protection officer according to national law, such as access rights, are regulated in §§ 16, 40 BDSG.

3.1.12 Sanctions

For the prosecution and sanctioning of data protection violations, the GDPR regulates, among others, fines, claims for damages, and the right to collective actions (e.g., Körner, 2017). In the event of violations of data protection obligations, the supervisory authorities can impose fines of up to 10 million EUR or up to 2% of the company’s total worldwide annual turnover of the previous financial year, whichever is higher (Art. 83 para. 4 GDPR). In the case of particularly serious data protection violations, even more severe fines can be imposed. In the event of violations of the processing principles of the GDPR, including the conditions for lawful consent, violations of the rights of the data subjects and disregard of the instructions of the supervisory authorities, the fine can even be up to 20 million EUR or 4% of annual sales. In addition, the GDPR provides for claims for compensation for material and immaterial damages against the person responsible or the contracted data processor in the event of data protection violations (Art. 82 GDPR).

3.2 Data Privacy in Digital Business in the United States: Fragmented Rules, State Pioneers and the Prominent Role of the Federal Trade Commission

This subchapter was written by Sonja Mangold.

3.2.1 Patchwork of Privacy Regulation

The United States is home to a complicated patchwork of state and federal statutes and case law on data protection³⁴ (Barrett, 2019). Unlike in the EU, there is no general national privacy legislation.³⁵ However, numerous sector-specific laws on data use have been passed, some of which may also affect crowdsourcing platforms. For example, the Children’s Online Privacy Protection Act (COPPA)³⁶ regulates requirements for operators of websites that collect personal data from children under the age of 13 (Ritvo et al., 2013). The Electronic Communications Privacy Act,³⁷ which addresses both public and private bodies, imposes restrictions on the use of electronic communication (Determann, 2016). When crowdsourcing platforms ask for, receive, and use background checks or credit information from users and customers, the requirements of the Fair Credit Reporting Act (FCRA)³⁸ may be relevant (Hoofnagle, 2013). The FCRA contains provisions on the accuracy and disclosure of financial information and aims to protect consumers from identity theft. Accordingly, platforms can only obtain consumer reports, that is, the collections of documents that a prospective employer may use to evaluate a potential employee, for legally permissible purposes. Consumer reports include, for example, information from credit agencies about creditworthiness, general reputation, and personal characteristics of consumers. Background checks on crowdworkers can also be considered as consumer reports (Hoofnagle, 2013). If platforms have taken adverse action based on such reports, they must notify the affected persons.

As is practice in other countries, American crowdsourcing platforms often integrate privacy clauses into their general terms of use. There is no abuse control of standardized terms and conditions comparable to German law in the U.S. However, under certain circumstances, it is possible to proceed against privacy violations in terms of use under competition law (Munz, 1992).

Several antitrust bills were recently introduced in the U.S. Congress which are intended to limit the market and data power of large platform companies. The American Choice and Innovation Online Act³⁹ would prohibit data access restrictions on business users. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act⁴⁰ would require platforms to guarantee some minimum standard of interoperability and data portability. However, it is still uncertain whether these laws will ultimately be passed.

The Federal Trade Commission (FTC) plays a prominent role in enforcing data privacy in the U.S. (Solove & Hartzog, 2014). The FTC is an independent federal agency responsible for competition and consumer protection. Violations of consumer privacy can be pursued by the FTC as unfair competition on the basis of 15 Code of Laws of the United States of America (U.S.C.) § 45 (= Section 5 FTC Act). The FTC could take action against misleading or incorrect information in the privacy statements of crowdsourcing platforms. In the past, the FTC has repeatedly raised objections to the data protection practices of powerful digital corporations like Google or Meta-Facebook.⁴¹ Data protection violations by crowdsourcing platforms and their representatives could also be sanctioned via U.S. tort law (Determann, 2016).⁴²

Moreover, almost all U.S. states have specific data protection laws for residents that platform companies should consider. California has played a pioneering role in privacy legislation. With the California Consumer Privacy Act (CCPA) of 2018, which has been in force since January 2020, a data protection standard comparable to the GDPR has been established.⁴³ Other states are increasingly following the Californian example (Newell et al., 2021). In 2021, Virginia and Colorado passed new privacy laws, and legislation similar to the CCPA is planned in other states such as New York, Washington, Florida, and Minnesota.

Unlike in the EU, the voluntary self-regulation of companies is crucial for the U.S. data protection regime (e.g., Kranig & Peintinger, 2014). Examples of self-regulation in the internet economy are the privacy seal programs TRUSTe, BBBOnline and the Online Privacy Alliance Guidelines (Rodrigues & Papakonstantinou, 2018). Some U.S. crowdsourcing platforms expressly advertise on their website that they are TRUSTe and/or BBBOnline certified.⁴⁴ By using such privacy seals, the platforms apparently seek to stand out from the competition and create a positive image with customers and business partners.

The Privacy Shield Agreement, which was negotiated between the European Commission and the U.S. Department of Commerce, is an example of government-initiated self-regulation. Since 2016, U.S. companies have been able to participate in the Privacy Shield data protection framework and thus to be certified as recipients of legitimate data transfers from the EU. Many U.S. crowdsourcing providers still point out in their privacy policies that they have joined the Privacy Shield. With its judgment in the “Schrems II” case (ECJ judgment of July 16, 2020-C-311/18), the European Court of Justice has now declared the European Commission’s decision on the adequacy of the level of protection offered by the EU–U.S. Privacy Shield invalid. This has raised concerns that the judgment would cause legal uncertainty for companies with regard to international data transfers (Botta, 2020). This uncertainty could be remedied in the near future by the new Trans-Atlantic Data Privacy Framework, which the European Commission and U.S. President Biden have agreed on in principle.⁴⁵

3.2.2 Data Security: Numerous Legal Sources

There are numerous laws in the U.S. that impose data security obligations on private companies (Determann, 2016; McGeveran, 2019). At the federal level, the FTC, as the nation’s consumer protection agency, often takes action against inadequate data security practices. All fifty states have adopted data breach notification laws, which require companies that have exposed certain personal information to notify the affected data subjects and sometimes also a regulatory authority. Some states have passed additional standards on data security, data disposal, and cybersecurity.⁴⁶ For example, the state security-specific regulation of Massachusetts requires that companies covered by the legislation develop and implement a comprehensive information security program (McGeveran, 2019). California statutory law requires digital businesses to “implement reasonable security procedures and practices” to protect the personal data of California residents from unauthorized or illegal access, destruction, use, modification, or disclosure.⁴⁷

There are also broad voluntary industry standards for data security. One of these standards is the Cybersecurity Framework, which was established by the National Institute of Standards and Technology (NIST)⁴⁸ and has proven to be highly influential on private companies (McGeveran, 2019). The NIST Framework, which relies inter alia on the ISO/IEC 27000 family of standards for information security management systems,⁴⁹ includes concrete cybersecurity measures in five phases: “Identify, Protect, Detect, Respond, Recover.” Many statutory and private frameworks also encourage risk assessments, staff training, access controls for potentially vulnerable data, and multifactor authentication or encryption of data (McGeveran, 2019).

3.2.3 Protection of Personal and Sensitive Information: No Single Definition

Unlike in the EU, there is no single definition of the term “personal information” in the U.S. The U.S. approach to personal data includes various definitions and is rather inconsistent (e.g., Schwartz & Solove, 2014). COPPA, for example, which may be relevant for digital crowdsourcing, defines personal information as “individually identifiable information about an individual collected online,” including name, address, username, phone number, video, photograph, location data or social security number.⁵⁰ Some privacy laws define personal information as something other than publicly accessible or aggregate, statistical data. Many state-level data breach notification laws contain lists of types of data that constitute personal information (Schwartz & Solove, 2014). A more far-reaching approach adopts the standard set forth by the CCPA (Determann, 2018), whose definition even goes beyond the GDPR in some respects. Personal data are broadly defined as all information that relates to a particular consumer⁵¹ or household. In contrast to the GDPR, household and device data are also classified as personal information. Among other items, the CCPA lists as personal information⁵² name, address, account name, passport information, social security number, driver’s license and signature. Personal information also includes commercial information, data on consumption and buying behavior, biometric data, browsing history, search history, IP address and geolocation data. The CCPA may apply to U.S. American and foreign crowdsourcing platforms doing business in California.⁵³

Unlike in the EU, no legally binding concept of sensitive data that receive stronger protections than other types of data exists as a general matter of U.S. law. There is also no general express obligation to give consent for the processing of such data (King & Raja, 2012; Schwartz & Solove, 2014). However, crowdsourcing platforms that collect certain types of user information may be required to meet certain legal eligibility criteria. For example, COPPA imposes certain information privacy requirements for websites that collect personal data from children under the age of 13 years. Moreover, the FTC has provided in its guidelines and investigations clear examples for identifying sensitive consumer information (King & Raja, 2012). These include financial data, data about children, health information, precise location data and government-issued identification numbers such as social security numbers. The FTC has also advised digital businesses to obtain express consent from consumers to receive behavioral advertising before collecting or using sensitive information for this purpose.⁵⁴ At the state level, the California Privacy Rights Act (CPRA) provides a broad definition of sensitive data, which includes consumer financial information, geolocation data, the contents of a consumer’s mail, health data, union membership, racial or ethnic origin, and religious or philosophical beliefs. The CPRA stipulates special information obligations and data subject rights with regard to the processing of such data (Spies, 2020). Consumers in California will therefore have the right to decide on the collection of sensitive data beyond the contractual relationship through opt-out. This can be done, for example, by including a button on the website that says, “Limit the Use of My Sensitive Personal Information.” Other states such as Colorado also have special legal requirements for the processing of sensitive information (Spies, 2021). However, it can be stated that U.S. statutory laws, unlike Art. 9 GDPR, generally allow the processing of sensitive data and do not require affirmative express consent. As we will see later in this book (Sect. 4.1), this is evidently reflected in extensive data collection practices among U.S. platforms.

3.2.4 Protection of Consumer and Employee Data

If users purchase goods or services on platforms primarily for personal purposes, they are classified as consumers. Crowdworkers who work occasionally on platforms and who are classified as individuals rather than business entities may also fall within the broad definition of consumers under U.S. laws (Delisle & Trujillo, 2010; Solove & Schwartz, 2020). If users are consumers, platforms must observe a patchwork of specific rules at the federal level and the state level. For example, the FCRA prescribes purpose limitations for the collection of consumer financial information.⁵⁵ Meanwhile, the FTC has a broad scope of power to enforce the privacy and security of personal consumer data (Hartzog & Solove, 2015). For example, the FTC can proceed as part of an administrative procedure against deceptive privacy policies or inadequate security practices of companies. FTC proceedings are typically terminated by consent decrees specifying remedial actions such as fines, corrective actions, or third-party monitoring of data usage practices. Otherwise, the FTC can enter after a formal procedure a cease-and-desist order demanding that the recipient stop the challenged illegal activity. In addition, the FTC may seek an injunction before the ordinary courts. Consumer data protection requirements can also be enforced by means of class actions, which have a considerable risk potential of punitive damages for companies (Determann, 2016).

Similar to German and European law, the legal classification of crowdworkers either as employees or independent contractors is highly controversial in the U.S. (e.g., Cherry & Poster, 2016).⁵⁶ In cases where employee status is affirmed, platforms must consider various scattered regulations with regard to employment privacy (Kim 2019; Otto, 2016). For example, the FCRA and numerous state laws regulate background checks by requiring the consent of potential employees. The Electronic Communications Privacy Act (ECPA) and the National Labor Relations Act also contain certain standards on the protection of employees’ privacy interests. Furthermore, in the case of privacy infringements and inadmissible crowdworker surveillance, platform companies may be liable under tort law. However, it should be noted that, unlike in Germany, U.S. law does not contain any general standards that limit the collection and use of personal information of workers. There are also no regulations that correspond to the specificity of the employment context with its power asymmetries (Otto, 2016).

3.2.5 Main Principles of Data Processing: Sector-Specific and State-Specific Approaches

In contrast to Europe, the U.S. generally allows the processing of personal data. The free flow of information and its benefit to free enterprise historically plays a significant role in the U.S. (Pardau, 2018). There is no omnibus regulation on basic principles of data processing such as transparency, purpose limitation, data minimization, accuracy, and storage limitation comparable to the GDPR. Nevertheless, key privacy requirements are partly reflected in U.S. sector-specific and state-specific privacy law (Rustad & Koenig, 2019) and can thus be relevant for crowdsourcing practices. For example, the FCRA incorporates norms of transparency, accuracy, and collection limitation. At the state level, California’s privacy laws in particular have adopted principles closely resembling the European approach (Pardau, 2018; Spies, 2021). The CCPA incorporates comprehensive transparency and information duties. Accordingly, businesses are required to post in their privacy policies, inter alia, information about the categories of data collected, the purposes of processing, categories of personal information sold or disclosed, and a description of consumers’ privacy rights such as the right to opt out of the sale of data and the right to request deletion of personal information. The CPRA contains data minimization and storage limitation rules similar to the GDPR.⁵⁷ However, it must be noted that California privacy laws don’t reflect all European core privacy principles. For example, lawfulness and fairness requirements are absent from the California regulation.

As noted above, the concepts of privacy by design and privacy by default, which take a proactive approach to data privacy, are new key elements of the GDPR. U.S. regulators also have embraced the principle of privacy by design. Even before the GDPR adopted this strategy, the FTC established its privacy by design rules.⁵⁸ The FTC framework calls on companies to implement various preventive techniques like reasonable security, SSL encryption and cookie blocking by default.

Worth mentioning in this context is that the FTC has set guidelines for fair information practices regarding internet privacy.⁵⁹ The FTC has identified five core principles of data protection that should be implemented primarily by company self-regulation: “Notice/Awareness,” “Choice/Consent,” “Access/Participation,” “Integrity/Security,” and “Enforcement/Redress” (Li et al., 2012). The American Law Institute (ALI), a leading independent scientific organization in the U.S., has also recently adopted a framework of data privacy principles that are aligned with the GDPR (Rustad & Koenig, 2019).⁶⁰ These instruments, however, are characteristically non-binding recommendations.

3.2.6 Anonymization and Pseudonymization

Some U.S. crowdsourcing platforms state in their privacy policy that they anonymize or pseudonymize personal information (see Sect. 4.1). Similar to Europe, U.S. privacy laws and FTC guidelines encourage practices of anonymization or encryption of data (Brasher, 2018). The FTC has clarified that anonymized data are exempt from the data protection legislation, provided that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits third parties from trying to re-identify the data.⁶¹ New state privacy laws such as the CCPA explicitly promote the pseudonymization of personal consumer information.

Compared to the GDPR, the U.S. approach to anonymization and pseudonymization has some shortcomings (Brasher, 2018). In Europe, only fully anonymized data falls outside the scope of data protection laws. Whereas pseudonymous data are protected by the GDPR, the U.S. law does not generally differentiate between anonymization and pseudonymization in such a way that those data categories are subject to different legal requirements based on their relative risk of re-identification. Threats to consumer privacy in the age of big data, for example through the commercial exploitation of immense amounts of behavioral data, which is also being discussed in the U.S., are thus not adequately addressed.

3.2.7 Consent for Data Processing: Limited Legal Requirements

In the U.S., unlike in the EU, there is no general need to obtain an individual’s consent for data collection and processing. There is no requirement of a legal justification for the processing of personal data. Nevertheless, the principle of consent is a relevant concept in U.S. privacy laws (Rustad & König, 2019; Schwartz & Peifer, 2017). Statutory laws make use of consent in the form of opt-in and opt-out mechanisms. In cases of opting-in, data processing cannot take place unless the person concerned gives their affirmative consent. Opt-out means that data processing takes place unless the data subject objects. These permission requirements can also affect crowdsourcing platforms. The FCRA contains one of the strongest opt-in mechanisms, requiring clear notice to and written authorization from a consumer before a potential employer can use a consumer credit report for employment purposes (Schwartz & Peifer, 2017). An example of opt-out consent can be found in the California privacy legislation. As mentioned above, the CCPA enshrines the right of consumers to object to the selling of their data. Moreover, the FTC advocates the concept of free and informed consent (“Notice and Choice”) to companies’ online data collection practices and has provided guidelines for its implementation (Sloan & Warner, 2013).

In sum, the consent requirements in U.S. law are limited and less restrictive than the EU provisions (Determann, 2016; Schwartz & Peifer, 2017). For example, U.S. statutory law does not concern itself with the possibility of power imbalances in employment or other relationships. Unlike the European context, when using web cookie technologies, implied consent is sufficient.⁶² In addition, the mere use of a website is seen as implicit consent for data processing via general terms and conditions (Determann, 2016).

3.2.8 Regulation of Algorithmic Decision-Making: Steps and Gaps

Algorithmic decision-making may be used throughout the crowdsourcing process. Matching, selection, and performance ratings of crowdworkers are often based on algorithms. Algorithms can also be used for customer profiling. Nevertheless, algorithmic decision-making in crowdsourcing can be opaque and subject to error, bias, and discrimination (Hannák et al., 2017; Kaminski, 2019).

Platforms that use algorithms in their business should consider various privacy and equal opportunity laws that may apply to such processes. For example, the FCRA comes into play in certain circumstances where an algorithm denies people employment or other benefits. Section 5 of the FTC Act may be applicable when data analytics are used in a deceptive or unfair way, such as when algorithms are gender- or racially biased (Federal Trade Commission, 2016). In a much-noticed order for violations of COPPA, the FTC recently required WW International, formerly known as Weight Watchers, to destroy any algorithms trained with illegally collected data from children.⁶³ Some privacy statutes at the state level contain accountability and transparency rights around automated decision-making and profiling, similar to the GDPR. California privacy laws call for opt-out rights with respect to the use of automated decision-making, which also includes profiling. In addition, they require businesses to disclose information about the logic underlying such decision-making processes as well as their envisaged consequences for the consumer. Similar rules can be found in Virginia’s new privacy law (Spies, 2021). Platforms that make use of algorithms should also consider U.S. anti-discrimination legislation, which primarily focuses on employment contexts, such as the Civil Rights Act of 1964 and the Genetic Information Nondiscrimination Act (FTC, 2016).

Overall, the risks of discrimination through algorithms have so far not been specifically and sufficiently addressed by U.S. laws (Ebers, 2020; Kaminski, 2019). For example, equal opportunity laws focus on human decision-makers without taking into account unintentional discrimination by algorithms. In contrast to European law, the few specific rules on algorithmic accountability and transparency in U.S. privacy laws are limited to state statutes and thus have a comparatively narrow scope.

3.2.9 Individual Rights: Scattered Rules

There is no comprehensive national regulation in the U.S. comparable to Art. 15 et seq. GDPR, which enshrines individual rights of data subjects vis-à-vis data processors. After all, the FTC’s non-binding fair information practice principles include a limited set of consumer rights, such as access provisions, and rights of correction and deletion.⁶⁴ The recently adopted ALI’s privacy recommendations additionally address data portability.⁶⁵ Sector-specific statutes that may be relevant for digital crowdsourcing such as COPPA⁶⁶ or FCRA⁶⁷ also establish certain rights such as notification or erasure rights over data. The California privacy legislation echoes individual rights from the GDPR and even goes beyond them in some respects (Determann, 2018). Other states have followed the Californian standard, but merely mimic it. The CCPA allows individuals to make access requests for personal data, providing a high degree of transparency with respect to data processing in the private sector.⁶⁸ It partially prescribes disclosures and communication channels such as toll-free phone numbers that are not required to comply with GDPR. The CCPA also gives consumers a data portability right—namely, the right to access a copy of their personal information.⁶⁹ In addition, companies must honor requests for correction and deletion of data under certain circumstances.⁷⁰ In some respects, however, the CCPA provisions fall short of the GDPR standards. For example, there are more exceptions to the right to erasure. Companies are given a long period of 45 days to respond to consumer requests. Overall, the U.S. approach to individual rights towards data processing companies is less consistent and ambitious than the European law (Barrett, 2019).

3.2.10 Requirements for Data Protection Risk Assessments

A credible privacy impact assessment can help crowdsourcing platforms to proactively assess and manage privacy risks and to reduce customer concerns in this area. The FTC has repeatedly required companies to establish risk assessment procedures in its jurisprudence (Hoofnagle, 2016). At the state level the new CPRA prescribes that businesses conduct annual cybersecurity audits and to submit to the Privacy Protection Agency regular risk assessments if the “processing of consumers’ personal information presents a significant risk to privacy or security.”⁷¹ Other state security laws also require companies to conduct periodic risk assessments (McGeveran, 2019). It is thus reasonable to conclude that the legal requirements for the implementation of a privacy impact assessment in the private sector are limited (Friedewald et al., 2016). Risk assessments are rarely required by law. Relevant regulations often only consist of recommendations and lack control and enforcement mechanisms.

3.2.11 Internal and External Enforcement

It can be useful for platforms, as part of a compliance strategy, to appoint a data protection officer or chief privacy officer who has overall internal responsibility regarding matters of data privacy and data security. In a few cases, U.S. federal privacy laws require companies to appoint dedicated data protection officers. Some state security regulations establish a duty to name an employee or an outside provider specifically responsible for the management of data security (McGeveran, 2019). However, unlike in Germany and Europe, there is no general legal obligation to appoint internal or external data privacy or security officers. The creation of such positions is nevertheless a widespread practice in the business world, and a large proportion of U.S. companies have nominated chief privacy officers assessing and ensuring privacy compliance within their organizations (Determann, 2016).

Data protection authorities are a fundamental pillar of German and European data protection law. In contrast, there are no comparable special federal enforcement authorities in the U.S. (Determann, 2016). Data protection violations are primarily punished by the FTC as unfair competition. On the state level, state attorneys general play an essential role with respect to data privacy compliance within the scope of consumer protection. The CPRA establishes the new California Privacy Protection Agency. This is the first time that an authority will have been created in the U.S. for the sole purpose of protecting the privacy rights of a state’s citizens. The California Privacy Protection Agency will have functions of rulemaking, interpretation, education, and enforcement.

3.2.12 Sanctions

U.S. privacy laws are enforced relatively rigorously by authorities and private plaintiffs, with high penalties and fines, and claims for damages often reaching millions if not billions of U.S. dollars in class actions (Determann, 2016). The FTC has already imposed high penalties against large platform companies, of a severity that is unheard of in the German legal system. For example, in 2019, in a historic settlement order the FTC issued a 5 billion USD penalty against Facebook for violating consumers’ privacy. The FTC had challenged Facebook for using misleading privacy settings and sharing data with third parties in disregard of user preferences.⁷² After Google bypassed Apple’s Safari privacy settings, the FTC fined the company more than 22 million USD (Solove & Hartzog, 2014). Apple agreed to pay more than 32 million USD to settle an FTC complaint because of in-app purchases by children without parental consent.⁷³ As mentioned above, the scope of fines under the GDPR is in the range of millions of euros. In Europe, too, high fines have recently been imposed on digital corporations such as Google for privacy violations.⁷⁴ Overall, the enforcement of privacy laws in the U.S., with penalties that can reach billions of U.S. dollars, is much stronger.

3.3 Data Privacy and Crowdsourcing in China

3.3.1 Various Sources of Law for Data Processing: A Brief Overview

Although China still lags behind the EU and U.S. in terms of data protection (Pernot-Leplay, 2020), China has seen rapid development in legislation protecting personal data.⁷⁵ Chinese legislators have recently adopted a number of legal norms to counter the increasing data abuse in the information age, drawing on relevant legal sources worldwide, most notably the GDPR.

In general, the Chinese legal framework in the field of data protection today is complex, diverse, and multi-layered.⁷⁶ Relevant legislation is defined as laws, regulations, rules, and other binding documents. Also worth mentioning are soft laws⁷⁷ such as national norms or guidelines, which are not strictly binding but have legal significance. Legislative authorities are organized hierarchically. Authorities that have passed such regulations include, for example, the National People’s Congress (NPC),⁷⁸ the Standing Committee of the National People’s Congress (SC-NPC),⁷⁹ the State Council,⁸⁰ the Ministry of Industry and Information Technology (MIIT),⁸¹ and the Cyberspace Administration of China (CAC).⁸² Chinese legislators use both cross-sectoral and unified approaches, with data protection requirements existing not only in the Personal Information Protection Law (PIPL) as a unified and comprehensive data protection instrument, but also scattered across some sectoral laws such as the Criminal Law, or the Law on Protecting Consumers’ Rights and Interests. Legislation at the national level takes precedence; local-level privacy legislation in provincial-level Chinese administrative regions must always comply with national legislation, although the former may enact more detailed regulations that apply only within the respective regions.⁸³

Crowdsourcing platforms are neither explicitly nor specifically regulated under the Chinese system. Currently, crowdsourcing platforms as defined in this book are not explicitly mentioned in any relevant legal norm. However, this does not mean that the existing provisions do not apply to platform companies. Because crowdsourcing platforms collect and process personal data, they fall within the scope of legally regulated subjects such as “personal information processors” under the PIPL, “network operators” under the Cybersecurity Law, or even more broadly, “[a]ny organization that relies on the accessing of personal data of others,” as stipulated in Art. 111 of the Civil Code.

Although privacy-related provisions can be found in the Chinese Constitution, promulgated by the NPC in 1982,⁸⁴ the first piece of legislation that explicitly established the protection of personal data was Art. 253(a), extended by the Seventh Amendment to the Criminal Law adopted by the SC-NPC in 2009.⁸⁵ Subsequently, on December 28, 2012, the SC-NPC adopted the 2012 SC-NPC Decision on Strengthening Information Protection in Networks, which focused on protecting the electronic information of individuals in networks on the internet.⁸⁶ It applies to “network service operators and other enterprises and institutions that collect or use citizens’ personal electronic information in their business activities” and prohibits these entities from illegally acquiring and disclosing the collected information. In particular, principles of legality, appropriateness, and necessity set out in this decision, as well as the requirement to obtain the consent of the data subjects, have been adopted in subsequent legal texts. One such legal text is the Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013 MIIT Provisions), adopted by the MIIT in 2013. In addition, we find three central laws in the area of civil law, which contain provisions on data privacy. The first is the Civil Code, which was promulgated by the NPC and became binding on January 1, 2021. The unified Civil Code has a separate chapter entitled “Right to privacy and protection of personal data.”⁸⁷ The second law that is central to data privacy is the Law on Protecting Consumers’ Rights and Interests (CPL).⁸⁸ Shortly after the adoption of the 2012 SC-NPC Decision, the SC-NPC amended the CPL in 2013 to include provisions to protect consumer information. Basic principles regarding the collection and use of personal data are completely consistent with the 2012 SC-NPC decision. The third law that is central to data privacy is the E-Commerce Law (ECL). To protect the rights and interests of everyone involved in e-commerce, in January 2019 the SC-NPC passed the ECL, which governs internet-based “e-commerce businesses,” including “e-commerce platform businesses.” Under the ECL, platforms are required to comply with personal information protection provisions of any law or regulation when collecting personal data from users (Art. 23 ECL).

In addition, there are three comprehensive and specialized data protection laws. First, the Cybersecurity Law (CSL) became binding on November 7, 2016, and is the first law that comprehensively regulates cyberspace data security in China for the purpose of “guaranteeing cybersecurity, safeguarding cyberspace sovereignty, national security and public interest, protecting the lawful rights and interests of citizens, legal persons and other organizations, and promoting the sound development of economic and social informationization.” Accordingly, “network operators,” including “owners, administrators of the network and network service providers” are obliged to “not collect personal information irrelevant to the services provided by them” and “strictly keep their users’ information confidential.” Second, the Data Security Law (DSL) was passed in June 2021, and aims to “regulate the handling of data, ensure data security, promote the development and exploitation of data, protect the legitimate rights and interests of individuals and organizations, and preserve state sovereignty, security and development interests.” According to Art. 2 of the DSL, it applies to both “data processing activities within the territory of PRC” and “extraterritorial data processing activities that would be detrimental to PRC’s national interests, public interests or the legitimate rights and interests of individuals and organizations.” Third and most important is the PIPL, which was promulgated on August 20, 2021, and went into effect on November 1, 2021. The PIPL is the first unified, comprehensive, and systematic data protection law in China and marks the establishment of the basic legal framework in the field of personal information protection (Jiang, 2021). It is therefore often referred to as the “Chinese GDPR.” The purpose of the PIPL is to “protect the rights and interests of personal information, regulate the processing of personal information and promote the reasonable use of personal information.” It prohibits “any organization or individual” from infringing upon rights and interests of natural persons’ information.

Aside from the legal documents mentioned above, there exist several soft laws that—while legally unenforceable—still guide the behavior of crowdsourcing platforms. In 2013, the National Information Security Standardization Technical Committee (NISSTC)⁸⁹ released the Information Security Technology-Guidelines for Personal Information Protection within Public and Commercial Services Information Systems (2013 NISSTC Guidelines). This is the first national standard for the protection of personal information, and contains basic principles for handling personal data.⁹⁰ Another important national standard formulated by the NISSTC is the GB/T 35273-2020 Information Security Technology-Personal Information Security Specification (GB/T 35273-2020 PI Specification), which applies to “personal information activities carried out by all kinds of organizations” and specifies many aspects of the PIPL in a very detailed way.⁹¹ In addition, there are self-regulatory codes in online commerce that have been adopted by the Internet Society of China (ISC).⁹² Some of these codes are related to the protection of platform users’ personal information, such as the T/ISC-0011-2021 Evaluation Method of Data Security Governance Capability. Such legally unenforceable standards can nevertheless provide detailed data protection guidelines for crowdsourcing platform companies.

As a unique approach, the Supreme People’s Court (SPC) and the Supreme People’s Procuratorate (SPP) are entitled to issue judicial interpretations for the consistent application of legal provisions.⁹³ Such interpretations have a quasi-legislative function as courts at all levels must refer to them when deciding cases (Chen, 2011). With regard to data protection, at least two judicial interpretations are applicable. One is the interpretations of the SPC and the SPP on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement for Citizens’ Personal Information (2017). The other interpretation is the Provisions of the SPC on Several Issues concerning the Application of Law in the Trial of Cases Involving Civil Disputes over Infringements upon Personal Rights and Interests through the Information Networks (2021).⁹⁴ Both interpretations play an important role in ensuring data subjects’ right to privacy in civil and criminal judicial practice.

Another relevant field for data protection is competition law. Platform companies that have collected large datasets can have competitive advantages and acquire a dominant market position (Li, 2021). In the age of big data, the competition problems caused by data monopolies among companies pose challenges to traditional Chinese competition law (Ding, 2021b). In 2021, the State Council issued the Anti-Monopoly Guidelines of the Anti-Monopoly Committee of the State Council on the Platform Economy (2021 Anti-Monopoly Guidelines). Accordingly, “the ability to control and process relevant data” is one of the factors determining whether a platform has a dominant market position. Meanwhile, in response to some data breach cases and other issues relating to the platform economy, China published a draft amendment (Draft) to the Anti-Monopoly Law (AML) in October 2021. Art. 10 of the AML Draft explicitly provides that “operators shall not eliminate or restrict competition by abusing data and algorithms, technology, capital advantages or platform rules etc.” Art. 22 para. 2 of the AML Draft specifies that “it will be an abuse of a dominant market position for an operator with a dominant market position to set up obstacles or impose unreasonable restrictions on other business operators by using data and algorithms, technology, or platform rules etc.” The data processing activities of Chinese platform companies are expected to be further regulated by the forthcoming updated AML (Ren, 2021).

In summary, the most relevant and comprehensive data privacy law that regulates crowdsourcing platforms in China is the PIPL, although data protection provisions can also be found in other legal sources. A more detailed introduction to the PIPL, other relevant legal norms, and non-mandatory national standards related to crowdsourcing platforms is provided below. In particular, some aspects of the PIPL that deviate from the GDPR are highlighted.⁹⁵

3.3.2 Data Security

Data security is closely linked to data privacy, although they are fundamentally two different concepts. Data security mainly refers to protection of data from unauthorized accesses, modifications, or users. If data collected by platforms is not well protected against cyber attacks, the privacy of data subjects cannot be guaranteed (Bertino, 2016). As “processors of personal information” under the PIPL, crowdsourcing platforms are obliged to “take necessary measures to ensure the security of the processed personal information” (Art. 9 PIPL) and “prevent unauthorized access, leakage, alteration, and loss of personal information” (Art. 51 PIPL). In addition, the CSL prohibits internet platforms—deemed network operators under the CSL—from disclosing, manipulating or destroying collected personal data (Art. 42 para. 1 CSL). In the case that personal information has been or is likely to be disclosed, destroyed or lost, crowdsourcing platforms shall remedy the situation immediately, promptly inform users, and report to the competent departments (Art. 42 para. 2 CSL). In addition, the DSL is a unified and comprehensive law to safeguard data security, which has an independent chapter setting forth the data security protection obligations of data processors (Chap. 4, DSL).

The specific measures taken by platform companies to ensure data security can be divided into technical measures and management measures (Liu, 2021a, pp. 25–26). The former include data encryption and de-identification. The latter measures include designing internal management systems and operating procedures, implementing categorical management of personal information, reasonably determining the operational authority of processing personal information and periodically conducting security education and training for workers, and formulating and organizing the implementation of emergency plans for cyber security incidents related to personal information (Art. 51 PIPL).

To clarify the provisions on data security under the PIPL, CSL and DSL, the Online Data Security Management Regulation was drafted by the CAC and published for comment in November 2021.

3.3.3 Protection of Personal Identifiable Information and Sensitive Data

In a legal sense, personal data is the information that directly or indirectly identifies a specific natural person (Xie, 2019, p. 138; Gao, 2019, p. 94; Zhang & Han, 2016, p. 128). A definition of personal data can be found not only in the recently published PIPL, but also in some earlier pieces of legislation. Art. 4 para. 1 of the PIPL defines personal information as “all kinds of information that identifies or can identify natural persons recorded electronically or by other means, but does not include anonymized information.” This definition is almost identical to that under the CSL adopted in 2016, with the exception of two aspects: (1) the definition under the CSL does not specifically mention that the anonymized information is exempt from protection; and (2) several examples of personal identifiable information are available in the CSL, including “names, dates of birth, identification numbers, biometrics, addresses, and telephone numbers” (Art. 76 para. 5 CSL). Besides the examples given by the CSL, the Civil Code also lists “e-mail addresses, health information, and location tracking” (Art. 1034 para. 2 Civil Code) as examples of personal identifiable information. Further examples of personal identifiable information are available in the GB/T 35273-2020 PI Specification.

The PIPL has a specific section—(Section 2, Chapter 2), referred to as “Rules for Processing Sensitive Personal Information”—wherein sensitive personal data is legally defined as “personal data which, once leaked or used illegally, could easily lead to the detriment of an individual’s dignity or damage to his person or property, including information on biometric identities, religious beliefs, specific identities and medical data, care and health, financial accounts and location tracking, and the personal data of minors under the age of 14” (Art. 28 para. 1 PIPL). The CSL, DSL and Civil Code do not address the definition of sensitive personal information; however, a similar definition of sensitive personal information can be found in the GB/T 35273-2020 PI Specification (also the 2017 version). In addition, the 2013 NISSTC Guidelines expressly state that personal information can be divided into sensitive personal information and general personal information. The former refers to “the information that once leaked or tampered with can cause adverse effects of data subjects, including identification numbers, telephone numbers, races, political opinions, religious beliefs, genes, fingerprints, etc.” Apart from these examples, data on conversation records and content, property, credit, accommodation, sexual orientation and so forth are also listed as sensitive personal information in the GB/T 35273-2020 PI Specification. Unlike the GDPR, some information such as philosophical beliefs, trade union membership or data relating to a natural person’s sex life (Art. 9 para. 1 GDPR) are not explicitly listed as sensitive personal data in either the PIPL or the relevant self-regulatory documents. By contrast, examples of sensitive personal data such as “financial accounts” and “location tracking” are found in Chinese law but not in the GDPR. In general, sensitive personal data are more strictly protected. According to Art 28, para. 29 of the PIPL, crowdsourcing platform enterprises as processors of personal information are only allowed to process sensitive personal data for specific purposes, but only when strictly necessary, and when strict safeguards are in place.

There is a related term for sensitive data in Chinese law, “important data,” which is not addressed in the GDPR (Chen et al., 2020). The CSL requires platform companies to explicitly secure the important data they collect (Art. 21 para. 3 CSL). The DSL emphasizes that the relevant competent authority shall formulate a catalogue of important data and enhance its protection (Art. 21 para. 1 DSL). However, there is no definition of important data in these laws.

The obligations of platforms in terms of data protection run through all the activities of data processing, including the “collection, storage, processing, transmission, provision, disclosure, deletion, etc.” of personal information (Art. 4 para. 2 PIPL).

3.3.4 Particularities of Data Protection: Company, Consumer, and Employee Data

Crowdsourcing platforms process not only personal data but also company data, especially that of crowdsourcers. This raises the question of whether Chinese data protection law also protects the data of the companies concerned. Like the GDPR, the PIPL only applies to the personal data of natural persons (Art. 2 PIPL), which means that company data collected by platforms is not protected by the PIPL. However, the DSL protects a broader range of data than the PIPL. The former defines data as “any record of information in electronic or other means” (Art. 3 DSL). Furthermore, Art. 7 of the DSL explicitly provides that “the State protects the rights and interests of individuals and organizations in relation to data.” Accordingly, platforms seem to be obliged to fulfill corresponding obligations from the DSL if they process data from crowdsourcers. However, because the DSL is more relevant to data security than privacy, even where corporate data falls within the scope of the DSL, how and to what extent corporate data can be legally protected may well differ from that of personal information.

A related question is whether users of crowdsourcing platforms are consumers under the CPL. If platform users can be categorized as consumers, platforms as processors of personal information are obliged to protect current and potential users’ data privacy and are, for example, not allowed to send them commercial messages without their consent (Art. 29 CPL). Furthermore, both the CPL and PIPL empower competent consumer associations to file lawsuits against violators of the rights and interests of consumers (Art. 47 CPL; Art. 70 PIPL). Although no specific study on this issue can be found in Chinese scholarly literature, we argue based on doctrinal legal research (McConville & Chui, 2007) that users of crowdsourcing platforms should be considered consumers for the purposes of the CPL. Even though the CPL does not provide a definition of the term “consumer,” it states that the rights and interests of consumers who “buy or use commodities or receive services for daily needs” must be protected by the law (Art. 2 CPL) (Binding, 2014a). Users do utilize the services provided by the platforms, which allows them to meet their daily needs and to making a living. Thus, platform companies might also be confronted with lawsuits from consumer associations when they infringe on the rights and interests of platform users.

Finally, as in many other jurisdictions, the employment status of crowdworkers is disputed. Although the question of whether internet-based gig workers such as delivery drivers or ride-hailing drivers are “employees” protected by Chinese labor law⁹⁶ has been hotly debated in recent years, scant literature discusses the employment status of crowdworkers in China. Neither Chinese labor law nor labor contract law contain an explicit definition of employees. In practice, judges often use strict criteria to determine whether a worker is an employee, relying on the Notice on Issues Relating to the Determination of Employment Relations adopted by the Ministry of Labor and Social Security, which has been known as the Ministry of Human Resources and Social Security since 2005.⁹⁷ However, to our knowledge, there is not a single case in which a crowdworker has complained about not being recognized as an employee on a Chinese crowdsourcing platform. If a crowdworker were considered an employee in China, several special provisions regarding their data protection would theoretically apply.⁹⁸

Some Chinese legal scholars have also pointed out that the protection of workers’ personal information has its specificities and that the requirements of the PIPL are too general to achieve adequate protection for them (Wang, 2022; Xie, 2021). In particular, compared to the first and second drafts of the PIPL, its final version adds a provision as the legal basis for the processing of employee information: “necessary for the conduct of human resources management in accordance with lawfully formulated work regulation systems and lawfully concluded collective agreements” (Art. 13 para. 1(2) PIPL). Although these developments indicate advances in terms of data protection, they fall short of achieving the protection of workers’ personal data in some important aspects. For example, in the context of the structurally weaker workforce, the requirement for informed consent often does not adequately address the position of powerful companies. In addition, the risk of monitoring and manipulating employees in the digitized workplace must be regulated more specifically (Wang, 2022).

3.3.5 Basic Principles of Data Processing

Crowdsourcing platforms as processors of personal information must observe some basic principles of data handling. These principles are currently set out primarily in the PIPL. Some can also be found in separate legal instruments that preceded the promulgation of the PIPL. However, the PIPL has integrated these previous provisions in a systematic and comprehensive manner.

The principles of the PIPL are broadly similar to those of the GDPR. First, crowdsourcing platforms must follow “the principles of lawfulness, reasonableness, necessity and creditworthiness” to process personal data, and methods that can be perceived as “misleading, fraudulent or coercive” may not be used (Art. 5 PIPL). Except for the principle of creditworthiness, which was added as part of the Civil Code reform, the principles of lawfulness, reasonableness and necessity had been introduced prior to the PIPL (Chen, 2021). They were first put forward in Art. 2 of the 2012 SC-NPC Decision and subsequently laid down in other laws such as the CSL, CPL, and the Civil Code.

The principle of purpose limitation also applies in the PIPL. The processing of personal information must “have a clear and reasonable purpose, be directly related to that purpose and use means that affect the rights and interests of the individual as little as possible” (Art. 6 para. 1 PIPL). This principle is not available in laws such as the CSL or the Civil Code. However, the principle of necessity could, to a certain extent, already include the requirement of purpose limitation (Chen, 2021, pp. 9–13). Additionally, the principle of data minimization is set forth in Art. 6 of the PIPL. The collection of personal data must be “limited to the minimum necessary to achieve the purpose of the processing and excessive personal data shall not be collected” (Art. 6 para. 2 PIPL).

The principles of openness and transparency must also be considered by data processors. Crowdsourcing platforms are therefore obliged to disclose rules governing the processing of personal data and to clarify the purposes, methods and scope of processing (Art. 7 PIPL). These principles are based on the data subject’s right to information under Art. 44 of the PIPL. Accordingly, users of platforms have the right to know the processing activities of their personal information and to decide to either accept or refuse the processing. The specific requirements of the principles of openness and transparency can also be founded in Art. 41 of the CSL and Art. 1035 of the Civil Code.

The principle of data correctness is also important for data processing. Data processors must ensure the quality of personal data in order to avoid negative impacts on the rights and interests of data subjects due to inaccurate or incomplete personal information (Art. 8 PIPL). If platform users, as data subjects, determine that the information they have provided is incorrect or incomplete, they have the right to demand corrections and additions from platforms in a timely manner (Art. 46 PIPL). Similarly, according to Art. 1037 of the Civil Code, natural persons are entitled to petition data processors to take necessary measures to correct or delete their inaccurate information. A similar requirement can also be found in Art. 24 of the ECL.

Crowdsourcing platforms must also take the principle of storage limitation into account. Art. 19 of the PIPL provides that that “the period of retention of personal data shall be the shortest time necessary to achieve the purposes of the processing, unless laws and regulations provide otherwise.” This principle can also be found in Art. 6.1 (a) of the GB/T 35273-2020 PI Specification (also the 2017 version). Normally, platforms are required to delete or anonymize collected personal data after the specified retention period (Art. 6.1 (b) GB/T 35273-2020 PI specification). Although the PIPL does not provide a specific deadline, it lists several conditions under which platform companies are obliged to delete the relevant data (Art. 47 PIPL). By contrast, for reasons of data security, under certain circumstances it may be necessary for personal data to be available for a minimum period of time. For example, the CSL requires platform companies to retain the log files they collect for a minimum of 6 months (Art. 21 para. 3 CSL).

As noted above, data processors must take necessary measures such as encryption and de-identification to ensure data security and to protect personal information from unauthorized access, leaking, alteration, and loss (Art. 9 and Art. 51 PIPL). Such requirements can also be found in laws prior to the PIPL. For example, both the CSL and the ECL explicitly provide that the “integrity, confidentiality and availability” of network data must be maintained (Art. 10 CSL; Art. 31 ECL) and platforms are obliged to prevent personal information processed by them from being unduly disclosed, manipulated, or destroyed (Art. 42, para. 2 CSL).

Although the basic principles of data processing mentioned above under the PIPL correspond to those in Art. 5 of the GDPR, the Chinese PIPL does not maintain the concepts of privacy by design or privacy by default as under the GDPR.

3.3.6 Anonymization and de-Identification as Data Protection Instruments

Anonymization and pseudonymization are two important privacy protection measures. The latter term is called “de-identification” in Chinese legal texts.⁹⁹

According to Art. 73, para. 4 of the PIPL, “anonymization” refers to “the process by which personal data is processed so that it cannot be used to identify a specific natural person and cannot be recovered after such processing.” As mentioned above, anonymized data is not protected personal data under the PIPL (Art. 4 para. 1 PIPL). For example, if platforms use anonymized data for market research, the provisions of the PIPL do not apply.

Anonymizing personal data is also a way to protect the privacy of data subjects. Art. 73 para. 3 of the PIPL defines de-identification as “the operation of processing personal data that makes it impossible to identify a specific natural person without the help of additional information.” De-identification as a technical measure to ensure data security is explicitly mentioned in Art. 51 of the PIPL. In contrast to anonymized data, however, de-identification cannot fully guarantee data protection, since the de-identified data could be re-identified with additional information. This means that the risk of identifying a specific data subject can only be ruled out to a certain extent. Thus, the PIPL does not fully exclude de-identified data from its scope. Even if platforms process users’ information by de-identification, they still have to comply with the obligations under the PIPL.

The terms anonymization and de-identification and related rules are not found in other data protection laws but are available in the soft law document GB/T 35273-2020 PI Specification (also the 2017 version).

3.3.7 Consent as the Standard for Legitimation of Data Processing

As in the GDPR, the informed consent rule is at the heart of China’s data protection laws. The importance of data subject consent is evident under many provisions of the PIPL. Although the relevant provisions do not specifically relate to crowdsourcing platforms, they are applicable as the platforms collect and process personal data of their users and are therefore “processors of personal information” within the scope of the PIPL.

Crowdsourcing platforms are only allowed to process users’ personal data if they obtain their consent or certain exceptional conditions are met (Art. 13 para. 2 PIPL). According to Art. 13 para. 1 of the PIPL, these conditions include:

1. 1.

   that the processing of personal data is necessary for the conclusion or performance of a contract to which the person is a party, or that it is necessary for the implementation of human resources management in accordance with lawfully formulated labor regulations and lawfully concluded collective agreements;

2. 2.

   that it is necessary for the fulfillment of any legal obligation or obligations;

3. 3.

   as necessary to respond to a public health incident or to protect the safety of life, health and property of individuals in an emergency;

4. 4.

   to process personal data to a reasonable extent to carry out actions in the public interest, such as news reporting and public opinion monitoring;

5. 5.

   for an appropriate level of processing of personal data disclosed by individuals or otherwise already lawfully disclosed under this law; and

6. 6.

   other situations provided by laws or administrative regulations.

Accordingly, the consent of the persons concerned and the legal circumstances listed are the legal basis for platforms to process personal data of their users.

Unlike the GDPR, the PIPL does not provide a definition of the term “consent.” However, it requires that consent from fully informed data subjects be voluntary and explicit (Art. 14 para. 1 PIPL). If the purposes or methods of processing personal data or the type of personal data to be processed change, platforms must again seek consent from data subjects (Art. 14 para. 2 PIPL).

Data subjects also have the right to withdraw their consent in a convenient and simple manner (Art. 15 para. 1 PIPL). Except where the processing of personal data is necessary for the provision of the services, platforms shall not refuse to provide services on the grounds that data subjects do not consent to the processing of their personal data or withdraw their consent (Art. 16 PIPL). In the event of, for example, a merger, demerger, dissolution or bankruptcy, users’ personal data must be transferred to a third party, and the recipient party is obliged to continue to fulfill the obligations of the platform company. If the recipient changes the original purposes or methods of data processing, the consent of the data subjects must be obtained again (Art. 22 PIPL).

Unlike the GDPR, separate consent is an important term under the PIPL, although there is no legal definition for it. According to the PIPL, there are five situations in which processors of personal information need to obtain separate consent from data subjects (Liu, 2021b, p. 40). Among them are four cases related to crowdsourcing platforms¹⁰⁰:

1. 1.

   If platforms pass on the personal data they process to other processors of personal data, they must obtain the separate consent of the data subjects (Art. 23 PIPL).

2. 2.

   Platforms are not allowed to publish personal data unless they have obtained the separate consent of the users (Art. 25 PIPL).

3. 3.

   The processing of sensitive personal data must be based on the separate consent of the data subjects (Art. 29 PIPL).

4. 4.

   If platforms transfer personal data to a foreign recipient outside the territory of the PRC, they are required to obtain separate consent from their users (Art. 39 PIPL).

In addition to the provisions of PIPL mentioned above, the requirement for informed consent was included in other laws that were in force before PIPL. The CSL stipulates that platforms must inform data subjects about the purpose, means and scope of the collection and use of personal data and obtain their consent (Part. 41 CSL), and platforms are not allowed to share personal data with others without the consent of the data subjects (Art. 42 CSL).

3.3.8 Automated Decision-Making

Algorithmic risks existed in practice even before the PIPL was passed. For example, automated decision-making might have violated platform users’ right to privacy (Li, 2017). To respond to the fact that the algorithms used by a platform are supplanting human decision-making and putting pressure on them, leading to problems in human autonomy and masking platform culpability (Zhang, 2020, 2021), the PIPL restricts automated decision-making. Although the relevant provisions do not specifically relate to crowdsourcing platforms, they can be applied to them as the platforms are the processors of personal information regulated by the PIPL.

Platforms that use personal data for automated decision-making must ensure transparency of decision-making so that the results are fair and equitable, and shall not unreasonably discriminate between individuals on transaction terms such as price (Art. 24 para. 1 PIPL). With this provision, price discrimination based on algorithms can be countered, especially since pricing consumers differently for the same product or service has been a common economic phenomenon in practice in China (Zhao, 2020; Li, 2021, pp. 64–67). For example, there was a scandal involving Chinese food delivery platform Meituan, which charged its paying members higher delivery fees than its free users (for more details, see Wang, 2020).

When decisions that significantly affect the rights and interests of platform users are made through automated decision-making, users have the right to request an explanation from the platforms and the right to oppose the decisions made by the platforms solely through algorithms (Art. 24 para. 3 PIPL). When information delivery and commercial marketing are carried out through algorithm-based decision-making, platforms are also obliged to offer users options that do not target their specific personal characteristics or to provide convenient means of opting out (Art. 24 para. 2 PIPL).

There are no automated decision-making provisions in other laws prior to the PIPL. However, relevant rules are available in the non-mandatory GB/T 35273-2020 PI Specification (also the 2017 version).

One way to reduce the algorithmic risks could be to conduct the data protection impact assessment before using automated decision-making (Liu, 2021b, p. 66). These are introduced in Sect. 3.3.10.

3.3.9 Rights of Data Subjects

The rights of data subjects are explicitly stated not only in the PIPL, but also in previously passed laws such as the CSL and the Civil Code. Compared to the previous legal instruments, the PIPL adds some new rights such as the right to data portability, and presents the rights of data subjects in a more comprehensive and systematic way. The PIPL has an independent chapter (Chap. 4) entitled “Rights of Individuals with Regard to the Processing of Personal Data,” under which there are seven articles (Art. 44–Art. 50). In general, the specific data subject rights provided by the PIPL are very similar to those of the GDPR, although the wording is slightly different.

Platform users, as data subjects, generally have the right to know about the processing of their personal data and to make decisions about it, and have the right to restrict or refuse the processing of their data by others (Art. 44 PIPL). In particular, the PIPL requires platforms to inform data subjects “truthfully, accurately, and completely” about matters such as the name of the processing organization, the purposes and methods of processing personal data, the types of personal data processed, and the period for which data will be stored before it may be processed. The notice must be clearly visible and in clear and understandable language (Art. 17 para. 1 PIPL). If platforms draw attention to such issues by formulating rules for the processing of personal data, the rules must be made public and easy to read and store (Art. 17 para. 2 PIPL). Accordingly, crowdsourcing platforms are required to post their privacy statement, if they have one, on their websites to ensure that website visitors or users can know what data is being processed and how, and can opt in or opt out of the processing of their data.

Platform users also have the right to access and reproduce their personal data from platforms, except for some special cases¹⁰¹ (Art. 45 para. 1 PIPL). If users exercise this right, platforms must provide them with relevant data in a timely manner (Art. 45 para. 2 PIPL). The right to access and reproduce is also found in Art. 1037 of the Civil Code, but not in the CSL before the promulgation of the PIPL.

As a newly added right in the final version of the PIPL (Greenleaf, 2021, p. 21; Liu, 2021a, b, p. 113), the right to data portability not only facilitates the transfer and reuse of personal information, but also places new demands on platforms (Wu, 2021). The right to transfer data is set out in Art. 45 para. 3 of the PIPL, which specifies that “when individuals request the transfer of personal data to other processors of personal information nominated by them and the conditions provided for by the CAC are met, the processors of personal information must provide channels for the transfer.” In contrast to the right to data portability under the GDPR, the same right in the PIPL is much more general in two respects. First, the PIPL does not mention that the personal data requested must be in “a structured, commonly used and machine-readable format.” Second, the PIPL does not specify exceptional cases, like under the GDPR, in which the exercise of this right could be restricted, for example when the transfer is not technically feasible or the rights and freedoms of others are affected. Instead, the PIPL only states that “conditions provided by the state Internet information departments” must be met. Chinese legislators tend to let the CAC or other competent authorities formulate departmental rules that may include specific conditions for the right to data portability. In fact, before the PIPL was passed, some Chinese legal scholars explicitly demanded that China’s data protection law not duplicate the right to data portability under the GDPR.¹⁰²

Platform users also have the right to correction. If users find that their personal information is inaccurate or incomplete, they have the right to request platforms to correct or supplement it (Art. 46 para. 1 PIPL). When users exercise this right, platforms are obliged to check the personal data and make corrections or additions in a timely manner (Art. 46 para. 2 PIPL). The right of correction can also be found in Art. 43 of the CSL and Art. 1037 of the Civil Code.

Another important user right is the right to have data deleted. This right is referred to in the GDPR as the right to erasure and the right to be forgotten.¹⁰³ Prior to the enactment of the PIPL, such a right had long been advocated by legal scholars (e.g., Yang & Han, 2015), although some scholars have noted that it is impossible to completely erase personal data once it has been disclosed (e.g., Ju & Ling, 2016; Wan, 2016). Art. 47 para. 1 of the PIPL provides for several circumstances in which platforms are obliged to delete personal data proactively:

1. 1.

   the purpose of the processing has already been achieved or cannot be achieved, or the data is no longer necessary to achieve the purpose of the processing;

2. 2.

   platforms stop providing services or the retention period has expired;

3. 3.

   users withdraw their consent;

4. 4.

   platforms violate laws, administrative regulations or agreements when processing personal data; and

5. 5.

   other situations provided for by laws or administrative regulations.

If platforms fail to delete information in the stated case, their users have the right to request its deletion. Compared to the provisions in place before the PIPL, such as Art. 43 of the CSL and Art. 1037 of the Civil Code, the content of the right to delete data under the PIPL has been expanded (Liu, 2021b, pp. 117–121). Art. 48 of the PIPL recognizes the right of users to ask platforms to explain their rules on the processing of personal information, for example, in their privacy statements. If a platform user is deceased, their close relatives¹⁰⁴ may exercise the rights to access, copy, correct and delete the personal data of the deceased, unless otherwise agreed by the deceased user during his lifetime (Art. 49 PIPL).

Finally, platform users have the procedural right to exercise their right and seek redress when their rights have been violated. The PIPL requires platforms to set up convenient mechanisms for accepting and addressing requests from users to exercise their rights (Art. 50 para. 1 PIPL). A similar requirement is also established in Art. 49 of the CSL. If platforms reject users’ requests to exercise their rights, they must explain the reasons (Art. 50 para. 1 PIPL), and platform users can sue in court against the rejection (Art. 50 para. 2 PIPL).

3.3.10 Data Protection Impact Assessment

Assessing the impact that certain actions have on the protection of personal data is important for reducing or eliminating potential data privacy risks. Prior to the promulgation of the PIPL, no law or regulation required platforms as processors of personal data to conduct a data protection impact assessment. However, such a requirement and related detailed norms can be found in some non-mandatory national standards, such as the GB/T 35273-2020 PI Specification (also the 2017 version) and the GB/T 39335-2020 Information Security Technology-Guidelines for Personal Information Security Impact Assessment (GB/T 39335-2020 IA Guidelines). Without mentioning whether a personal data security impact assessment should only be carried out in specific situations, the GB/T 39335-2020 IA Guidelines, for example, outline the value, purposes, responsible subjects, factors to be considered, and the content of the assessment reports when carrying out an impact assessment on the security of personal data.

With the adoption of the PIPL, conducting such an assessment in certain cases has become a legally enforceable requirement of a self-regulatory rule in China. According to Art. 55 of the PIPL, platforms must first carry out an assessment of the impact on the protection of personal data and record the circumstances of the processing in the following situations:

1. 1.

   the processing of sensitive personal information;

2. 2.

   the use of personal information for automated decision-making;

3. 3.

   entrusting third parties to process personal data, sharing personal data with other processors of personal information and publishing personal data;

4. 4.

   providing personal information abroad; and

5. 5.

   other personal data processing activities that have a major impact on the rights and interests of users.

The PIPL further clarifies the content of the data protection impact assessment. The assessment must cover three aspects: first, whether the purposes and methods of processing personal data are lawful, adequate and necessary; second, the implications and security risks for the rights and interests of individuals; and third, whether the protective measures used are legal, effective, and appropriate to the degree of risk (Art. 56, para. 1 PIPL). The personal data protection impact assessment reports and processing records must be stored for at least three years (Art. 56 para. 2 PIPL).

3.3.11 Internal and External Data Protection Supervision

Before the PIPL was adopted, some provisions regarding internal and external supervision of data protection could be found in laws such as the CSL. However, the previous provisions are much less specific, comprehensive, and systematic, and appear to be more relevant to data security than data privacy.

As processors of personal information, platform companies are obliged to self-regulate to ensure users’ data privacy. When platforms process personal data to the extent specified by the CAC,¹⁰⁵ they must designate a person in charge of personal data protection who is responsible for overseeing the processing of personal data and any protection measures taken (Art. 52 para. 1 PIPL). The contact information of the nominated person must be made public and their names and contact information must be communicated to the competent authorities responsible for the protection of personal data (Art. 52 para. 2 PIPL). The designated person is thus very similar to the data protection officer under the GDPR. Furthermore, foreign platforms that process personal data within the territory of the PRC must set up special institutions or designated representatives in China responsible for handling privacy matters and report their names and contact information to the relevant authorities (Art. 53 PIPL). Finally, the PIPL requires platforms to regularly check whether their personal data processing activities comply with laws and administrative regulations (Art. 54 PIPL).

In addition to internal monitoring, external monitoring is required to protect the privacy of data subjects. In general, administrative departments of the government play an important role in data protection as supervisory authorities (Jiang, 2021). The PIPL has a separate chapter (Chap. 6) entitled “Departments that Perform Personal Data Protection Obligations,” which contains 6 articles (Art. 60–Art. 65). The PIPL specifies what “departments performing personal information protection duties” refers to (Art. 60 para. 3 PIPL). These include the CAC and relevant departments of the State Council (Art. 60 para. 1 PIPL), and relevant departments of local governments at or above the county level (Art. 60 para. 2 PIPL). All these departments are obliged to perform duties such as carrying out public relations and education on personal data protection, directing and monitoring platforms to protect personal information, receiving and processing complaints and reports relating to personal information protection, the organization of personal data protection assessments and publication of the results, and investigating and combating illegal personal data processing activities (Art. 61 PIPL). In particular, the CAC, as the national internet information office, is responsible for planning and coordinating relevant departments to promote work on personal information protection, such as formulating specific rules and standards for the protection of personal information (Art. 62 PIPL). The PIPL empowers regulators to take certain actions to carry out their duties, including:

1. 1.

   questioning the relevant parties and investigating the circumstances relating to the processing of personal data;

2. 2.

   accessing and reproducing contracts, records, business books and other relevant materials relating to the processing of personal data;

3. 3.

   conducting on-site inspections and investigations into suspected illegal personal information processing activities;

4. 4.

   checking the equipment and objects relating to personal data processing activities and, for the equipment and objects for which there is evidence of use in illegal personal data processing activities, making a written report to the person in charge of the department and, after approval, ensuring that the materials are sealed or confiscated (Art. 63 para. 1 PIPL).

Platforms must provide support and cooperate, rather than preventing or impeding a competent authority from fulfilling its tasks (Art. 63 para. 2 PIPL). If the relevant departments determine that the processing of personal information poses a relatively high risk or that incidents related to the security of personal data have occurred, they can speak to the legal representative or the person responsible for the platform or request that the platform appoint a professional to conduct a compliance audit (Art. 64 para. 1 PIPL). To facilitate the supervisory authorities in receiving complaints or reports of illegal activities related to the processing of personal data from organizations and individuals (Art. 65 para. 1 PIPL), these authorities must publish their contact information (Art. 65 para. 2 PIPL).

As in the EU, the supervisory authorities are given the opportunity under the PIPL to take legal action against illegal activities involving the processing of personal data. According to Art. 70 para. 1 of the PIPL, should crowdsourcing platform companies violate relevant regulations when processing personal data and harm the rights and interests of a large number of individuals, the organizations designated by the CAC can file a lawsuit in court.¹⁰⁶

Finally, the PIPL potentially exposes some platforms to public oversight. According to Art. 58 para. 4 of the PIPL, if platforms provide important internet platform services and have a large number of users or a complex business model,¹⁰⁷ they are obliged to publish regular social responsibility reports on the protection of personal data and accept social oversight. Accordingly, the crowdsourcing platforms concerned are obliged to include matters of data protection in their corporate social responsibility (CSR) reports or to publish independent data protection CSR reports.¹⁰⁸ Before the adoption of the PIPL, the T/ISC 003-2020 Guidelines on Compiling CSR Reports of Internet Enterprises issued by the ISC merely suggested that internet-based platform companies include the data protection and data security measures they have taken in the CSR reports.

3.3.12 Sanctions

When a platform company unlawfully processes the personal information of its users, it is legally liable for its actions. Prior to the promulgation of the PIPL, various laws such as the CSL, the Civil Code and the Criminal Code already regulated platforms’ liability for data breaches. However, compared to the previous provision, the PIPL provides for stricter, more specific, and more comprehensive sanctions.

Three types of liability for data breaches can be distinguished, namely administrative, civil and criminal liability. Regarding administrative penalties, the PIPL introduced three innovative regimes. First, platform applications that process unlawful personal data will be sentenced to suspend or discontinue their services and a fine will be imposed (Art. 66 para. 1 PIPL). Although in practice there are some cases where platforms have been ordered to suspend services due to data breaches, the PIPL provides for such a sanction in law for the first time (Liu, 2021b, p. 171). Second, the size of the fines is much greater. If the illegal personal information processing activities carried out by platform companies are serious, they can be fined up to 50 million CNY¹⁰⁹ or up to 5% of the previous year’s business income (Art. 66 para. 2 PIPL). The maximum fine under the CSL is only 1 million CNY¹¹⁰ (Art. 64 CSL). Notably, this penalty is even higher than under the GDPR, which has a limit of 2%. Third, the PIPL provides that the platform companies’ directly liable managers and other directly liable persons may also be prohibited from serving as directors, supervisors, officers or persons responsible for the protection of personal data in relevant companies for a specified period of time (Art. 66 para. 2 PIPL) (Liu, 2021b, pp. 170–175). Apart from the three new sanctions, the PIPL, like the CSL, provides that if platform companies violate the provisions of the PIPL, the supervisory authorities are authorized to order corrections, issue warnings, confiscate unlawful profits, and report to the responsible supervisory authorities for the lifting of business permits or licenses (Art. 66 PIPL). Privacy violations by platforms can also be recorded in the credit register and may be publicly disclosed (Art. 67 PIPL). A similar provision can also be found in Art. 71 of the CSL. Thus, the violation of personal rights can seriously affect the business of the liable platforms.

The platforms that violate the data protection rights of their users can also be held liable for damages under civil law, more precisely in tort, if they cannot prove that they are not at fault (Art. 69 para. 1 PIPL). Liability for damages should be based on the damage suffered by the persons concerned or the benefits obtained from the liable platforms (Art. 69 para. 2 PIPL). As mentioned earlier, when platforms violate the provisions of the PIPL when processing personal data and harm the rights and interests of a large number of data subjects, the People’s Procuratorate, consumer protection organizations designated by law, and organizations designated by the CAC can file a lawsuit in the courts (Art. 70 PIPL). In practice, there are many cases in which the public prosecutor’s office has sued internet-based platforms that have unlawfully processed personal data of users in order to protect the personal rights of data subjects (Liu, 2021b, pp. 185–186). As a result, some platforms have effectively been sanctioned for their data privacy violations. For example, in Shanghai Baoshan District People’s Procuratorate v. H Technology Ltd. and Han et al., the court held that the platform company, as the defendant, illegally sold users’ personal information; the liable company and several managers directly responsible had to pay damages, the affected website had to be closed, and the personal information collected had to be deleted.¹¹¹

Finally, Art. 71 of the PIPL mentions that if violations of this law constitute a criminal offence, criminal liability must be pursued under the law. This provision relates to Art. 253(a) of the Criminal Law. Accordingly, any organization or individual that illegally sells or provides to others the personal information of citizens will be subject to fines, detention, or up to seven years in prison if the circumstances are serious. As organizations, crowdsourcing platforms are subject to this provision.

3.4 Similarities and Differences in Regulatory Approaches

This subchapter¹¹² summarizes results from the above analysis of the data protection laws in Germany, the United States and China. As the following synoptic overview demonstrates, the legal frameworks for data protection on crowdsourcing platforms in the three countries show considerable differences, but also some similarities.

3.4.1 Particularities of Norm-Setting in the Field of Data Privacy

In Germany, the EU GDPR provides a comprehensive mandatory framework for handling of personal data by crowdsourcing businesses. Since going into effect in 2018, the GDPR applies automatically to EU member states without needing to be transposed into national laws. As far as the EU regulation gives national legislators leeway, platform companies must also obey the Federal Data Protection Act and sector-specific privacy regulations. New rules in German and European competition and antitrust law address the market and data power of large platforms. The proposed EU directive on improving working conditions in platform work specifically deals with privacy issues pertaining to crowdworkers.

China started developing its privacy legislation much later than Germany and the U.S. The Chinese approach is characterized by the different protection regime of privacy rights vis-à-vis private actors and privacy rights vis-à-vis the state government. While data protection rights in the private sector have been expanded, threats to privacy from state actors remain relatively neglected in Chinese law (Pernot-Leplay, 2020). The creation of China’s Social Credit System, which uses digital technology to monitor and assess the behavior of citizens and companies, has raised serious concerns about negative privacy implications among Western scholars and commentators (e.g., Karpa et al., 2022; Calzada, 2022). It is argued that Chinese data protection vis-à-vis private actors could further increase data access and surveillance by the state. For the purpose of this book, we have limited ourselves to describing data protection legislation relevant to platforms.

Legal requirements for data protection and data security in crowdsourcing actually exist under Chinese law. Relevant privacy provisions which may affect platform businesses are found in various acts, sector-specific laws and executive rules. As formal norm-setting bodies, China’s National People’s Congress, its Standing Committee and Local People’s Congresses are active in the field of data privacy. In addition, administrative regulations by the State Council and other executive bodies are of great importance (Binding, 2014b). In recent years, the Chinese legislature has made efforts to unify the incoherent, fragmented legal framework for data protection and data security. The new PIPL, which came into effect in 2021, lays out for the first time a comprehensive set of rules for the protection of personal data in the digital economy. The PIPL is seen to have many similarities with the GDPR. Furthermore, similar to Europe, antimonopoly reforms have recently been undertaken to limit market power due to data control by big tech platforms.

In the United States, there isn’t (yet) a federal omnibus regulation regarding personal data protection. U.S. legislatures traditionally tend to emphasize the benefits of the free flow of information and of free enterprise over individuals’ privacy rights. Privacy provisions relevant to crowdsourcing businesses are scattered across numerous sectoral and state privacy laws. The state of California has recently passed consumer protection legislation that is comparable to the GDPR. Unlike in Germany and Europe, voluntary industry self-regulation (e.g., through privacy seals or the spontaneous adoption of privacy-enhancing technologies) plays an important role in the U.S. data protection regime. U.S. lawmakers generally tend to favor rather minimal regulation in the field of data privacy. However, compliance with consumer privacy rules is backed by strong public enforcement. The FTC as the nation’s principal consumer protection agency has already taken legal action against powerful digital platforms. Additionally, the threat of class actions in the U.S. implies high financial risks for platform businesses.

3.4.2 Data Security Standards

Various norms in German and European law oblige platform companies to ensure IT security and to protect user data from loss, destruction, theft or misuse. According to Art. 32 GDPR, platform companies are expected to implement appropriate technical and organizational security measures such as encryption. Furthermore, the GDPR contains rules for notifying victims and authorities in the event of data breaches.

In China, provisions relating to data security are found in the Cybersecurity Law (CSL), in the Data Security Law (DSL) and in the Personal Information Protection Law (PIPL). Accordingly, platform companies “shall adopt the necessary measures to safeguard the security of the personal information they handle” (Art. 9 PIPL) and “prevent unauthorized access as well as personal information leaks, distortion, or loss” (Art. 51 PIPL). Chinese law promotes a variety of concrete data security measures, including encryption, staff training and personal information security incident response plans.

In the United States, all fifty states have enacted data breach notification laws. These laws require companies to notify customers when their personal information has been exposed. Some states, like California, have passed additional prescriptive data security regulations. At the federal level, consumer protection regulation plays a dominant role in the data security framework. The FTC has taken a number of enforcement actions against companies for failure to adopt reasonable security practices. In addition, voluntary industry standards such as the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST) have proven to be highly influential on business practice.

3.4.3 Protection of Personal and Sensitive Data

The GDPR broadly protects all data related to an identified or identifiable natural person. The new Chinese data protection legislation contains a definition of personal information that is similar to that in the GDPR. In contrast, the U.S. approach to personal information is rather inconsistent, differing between sector-specific and state-specific laws and lacking in overarching definitions.

European data protection law contains specific requirements as additional safeguards to protect sensitive data. The main legal basis for the processing of such data is express consent. Sensitive data are clearly listed. China’s PIPL also requires higher protection for sensitive information. Platforms must obtain separate explicit consent from internet users before handling such information. In contrast to the GDPR, the PIPL contains a non-exhaustive list of sensitive data. The Chinese definition is comparatively broad. For example, financial data and location tracking data are also classified as sensitive information. The U.S. law does not have an overarching principle providing higher protection for sensitive data. However, it should be noted that California privacy law advances a broad concept of sensitive information. Additional safeguards are provided to protect consumers’ financial information, email contents or geolocation data.

3.4.4 Collection of Company Information and Consumer and Employee Data in the GDPR Broadly

When crowdsourcing platforms collect business information from their customers, the data protection regimes in Germany, China and the U.S. generally do not apply. German and European data protection law only pertain to natural persons, not corporate entities. Similarly, company data collected by platforms are not protected under China’s PIPL. However, when platforms process information about a small company that enables conclusions about natural persons, this information falls within the data protection regime. Crowdworkers active as solo entrepreneurs can thus rely on data protection law.

When platforms collect information about consumers, they must comply with specific legal requirements. The European, Chinese and U.S. privacy laws all provide specific provisions for protecting consumer data. Under German and Chinese law, consumer associations can take legal action against violations of consumer privacy rights. In the United States, class actions and proceedings of the FTC are powerful tools for protecting consumer privacy.

When platforms collect and use personal information of crowdworkers, specific rules on employee data protection may apply. Whether crowdworkers are self-employed or employees is a highly controversial issue. German, Chinese and U.S. laws all contain specific privacy provisions in the employment context. However, only German law contains adequate rules and strict consent requirements that address power imbalances between platform companies and workers.

3.4.5 General Principles of Data Processing, Privacy by Design and by Default

The key feature of the European data protection framework is the principle “prohibition unless permission.” Art. 5 GDPR contains a number of core data protection principles such as lawfulness, purpose limitation, transparency of processing, data minimization and data accuracy. Platform companies must observe these general requirements of data processing. If they don’t comply with the principles laid down in Art. 5 GDPR they can be fined. Some of these principles and requirements also exist in U.S. sectoral and state-specific privacy laws, but some principles are simply absent. In contrast to the GDPR, U.S. laws generally allow the processing of personal data. The European approach is therefore stricter and more stringent. China’s PIPL includes several core data protection principles similar to the GDPR such as legality, necessity, purpose limitation, transparency of processing and data accuracy. With regard to fundamental data protection principles that apply to private actors and companies, China thus appears to be moving closer to European law.

According to Art. 25 GDPR, platform companies must comply with the principles of privacy by design and default. For example, anonymization, pseudonymization, and encryption techniques are protective measures that fall under privacy by design. Privacy by default means that data processors pre-select the least privacy-invasive choice. China’s PIPL lacks provisions for data protection by design and default. In the United States, privacy by design is not a binding rule and is limited to consumer privacy protection.

3.4.6 Anonymization and Pseudonymization

The data protection laws in all three countries encourage companies and crowdsourcing platforms to anonymize and pseudonymize personal data of their users. Anonymization and pseudonymization are central instruments of the European data protection framework. The GDPR clearly defines anonymous and pseudonymous data. Pseudonymization techniques are expressly mentioned by the EU legislator as a way to implement data security and privacy by design. The concepts of anonymization and pseudonymization are also anchored in Chinese and U.S. privacy laws. Compared to the GDPR, however, the Chinese and the U.S. approaches show some shortcomings. Chinese law does not put forward any ways in which anonymization of personal information can be achieved. U.S. law does not impose any additional requirements for pseudonymization, where the risk of re-identification is much higher than with anonymization.

3.4.7 Consent for Legitimizing Data Processing

Informed consent represents the prime legal basis for processing personal data under the GDPR. The European law requires that consent must be freely given, explicit, specific, unambiguous and properly documented. If users are employees or consumers and therefore face a power imbalance vis-à-vis the platforms, voluntary consent can be doubtful. In China, the concept of data subject consent also exists. However, the requirements of Chinese law are relatively vague. China’s PIPL does not contain a clear definition of “consent.” In the United States, there is a rather liberal understanding of what constitutes consent. For example, implied consent is often considered to be a sufficient legal basis for the processing of personal data. Under U.S. privacy laws, visiting a website or the mere use of a platform service constitutes valid consent.

3.4.8 Regulation of Algorithmic Decision-Making

A coherent, special legal framework that addresses the risks of algorithmic management on crowdsourcing platforms is currently still lacking in all three countries. However, in Germany as well as in China and the United States there are accountability and transparency requirements and individual rights with regard to automated decisions including profiling. Art. 22 GDPR allows automated decision-making determined solely by machines only in exceptional cases. Furthermore, the GDPR severely restricts automated decision-making based on sensitive data. The proposed EU directive on platform work requires platform companies to inform workers about automated monitoring and decision-making systems (Art. 6). China’s PIPL follows the GDPR in the restrictions on automated decisions, including profiling. In the United States, the FTC has already taken action against corporations for violations of consumers’ and children’s privacy in the context of algorithms.

3.4.9 Individual Rights

The GDPR codifies a number of individual rights which users and consumers can assert against crowdsourcing platforms. These include rights of access and correction and the right to delete data. The right to data portability (Art. 20 GDPR) pursues a consumer protection and antitrust law objective and is intended to prevent lock-in effects in the sense of customer retention to one platform. The new Chinese data protection legislation echoes the GDPR in terms of individual rights. However, a major difference from Germany and Europe is that, according to the Chinese understanding, individual data protection rights can primarily be asserted in the private sector and not against the state (Pernot-Leplay, 2020). In the United States, there is no comprehensive national legislation that enshrines individual rights of users against platforms. The U.S. approach to individual rights is less consistent and offers less protection than the GDPR.

3.4.10 Data Protection Impact Assessment

Crowdsourcing platforms may be required under the GDPR to carry out a formal data protection impact assessment. An obligation exists in high-risk cases such as the use of big data analytics and web tracking technologies. The data protection impact assessment can be divided into two different stages: prior analysis of the risks and consequences of data processing, and definition of the measures envisaged to address these risks. China’s PIPL also requires a data protection impact assessment in certain defined high-risk situations, such as the processing of sensitive information or the use of personal information for automated decisions. In the United States, some state privacy laws require companies to carry out periodic risk assessments or cybersecurity audits. Taken together, however, U.S. laws are rather lax. Risk assessments are rarely required by law, and relevant provisions often only consist of non-binding recommendations.

3.4.11 Enforcement Mechanisms

Under European and German data protection law, platforms may be obliged to appoint a data protection officer responsible for compliance issues. The designation of a data protection officer is required of platforms if, for example, they process sensitive data to a large extent or use GPS trackers. Similarly, the Chinese PIPL requires that companies shall have data protection officers in cases of extensive processing of personal data. In the United States, on the other hand, there is no general legal obligation to appoint internal or external data privacy officers. The existence of data protection officers in companies is often on a purely voluntary basis. In all three countries, state data protection authorities can impose severe fines and penalties on platform companies for data protection violations. Overall, it can be said that U.S. privacy laws are enforced comparatively rigorously by authorities and private plaintiffs, with high penalties, fines and claims for damages often reaching millions, if not billions, of U.S. dollars in class actions. The FTC has already imposed high penalties against digital corporations such as Google and Meta-Facebook.

3.5 Interim Result and the Aspect of Regulatory Competition

Our comparative legal analysis has shown that there is currently no specific legal framework for the collection of personal data on crowdsourcing platforms in Germany, the United States and China. However, in all three countries, legal changes can be observed that selectively address privacy issues on the platform market. Problem-oriented norm-setting in this area has increased in recent years. In Germany, the EU GDPR provides comparatively strict legal standards to protect platform users’ privacy. China recently adopted the PIPL, whose provisions are close to the requirements of the GDPR. In the United States, California can be considered a pioneer in privacy regulation in the digital era.

A much-discussed concept in the development of the globalized and digitalized economy is that of regulatory competition (Eidenmüller, 2011; Çapar, 2022). The far-reaching debate on this topic can only be touched upon here. Regulatory competition can be generally defined as the activity of public or private norm-setters who intend to produce novel legislation or alter existing legislation in response to competitive pressure from other norm-setters (Gödker & Hornuf, 2019). There have been extensive debates over whether globalization and regulatory competition may cause a “race to the top” or a “race to the bottom” in standard-setting (e.g., Deakin, 2006; Vogel & Kagan, 2004). The “race to the top” hypothesis suggests that under regulatory competition, lawmakers produce better and stricter laws. According to the “race to the bottom” argument, the pressures of competitive lawmaking may induce norm-setters to lower their regulatory standards.

In the area of digital privacy there are indications that regulatory competition among lawmakers actually exists and has the potential to induce a race to the top in public standard-setting (Çapar, 2022; Rustad & König, 2019). The EU GDPR, which also applies to crowdsourcing platforms, has influenced other countries to adopt similar laws. The broad extraterritorial scope of the EU privacy regime puts pressure on countries and firms outside Europe to make changes that are in line with the stricter EU standards. As discussed above, the norms of the European data protection framework have also diffused into Chinese and U.S. privacy laws. A growing number of studies have investigated the regulatory spillover effects of GDPR theoretically and empirically (see especially Bradford, 2020; Frankenreiter, 2022; Peukert et al., 2022). The “Brussels effect” could hence shape future privacy regulation of the platform economy.

In the United States, California has adopted GDPR-like privacy laws as part of its digital market regulation. Other states have followed California’s example and passed stricter online privacy laws. California’s pioneering privacy legislation has thus spread throughout the United States. This seems to further support the thesis of a race of the top in the field of data privacy.

The pressure from customers, workers and consumers could further promote a global upward harmonization of data protection standards. Data privacy awareness among digital users has increased worldwide over recent years. As existing studies have shown (e.g., Xia et al., 2017; Sannon et al., 2022), customers and workers also have high expectations of data privacy and data security in crowdsourcing businesses. Especially among crowdworkers, privacy concerns and fear of surveillance are widespread. The calls for stronger data protection measures on online platforms have become louder, giving us reason to expect that public lawmakers will enact further more specific and stricter privacy regulations in the area of crowdsourcing in the future.