Consumer Personal Information Protection from a Comparative Law Perspective

In the context of the digital economy, the protection of consumer personal information has increasingly become a common issue faced by laws in various countries. From a comparative law perspective, EU countries have stricter regulations on the protection of consumer personal information, focusing on the overall regulation of how businesses handle personal information. The U.S. law


INTRODUCTION
The protection of consumer personal information has become a global issue alongside technological development.Currently, with the advancement of society and technology, big data and Internet of Things technologies are widely applied in various fields such as finance, healthcare, and justice, becoming important production factors.The collection and application methods of consumer information have gradually become digitalized.Big data can process, understand, and analyze complex data information, helping businesses make more precise and effective decisions.Meanwhile, as consumers enjoy personalized services, the risk of information privacy breaches increases, and consumers find it difficult to control the illegal use of their information by businesses, putting them at a disadvantage.Economically, the difference between price and cost is the business's surplus [1].Businesses use algorithms to collect and analyze consumer information for personalized and differentiated pricing, attempting to capture as much consumer surplus as possible.Businesses might misuse big data technology to directly or indirectly collect, monitor, calculate, analyze, and predict a large amount of consumer online information data, allowing them to allocate resources and set rules to manage the market efficiently and at low cost.Converting big data technology and data resources into profits further increases business surpluses, violating consumer information rights in various ways.Examples include targeted advertising, excessive collection of biometric information such as facial and fingerprint recognition, and using big data to discriminate against returning customers.This leads to an imbalance of interests between consumers and platform operators, eroding consumer trust.With the globalization of consumer data flow, the protection of consumer personal information has also become a core element of data security in various countries, potentially leading to legal conflicts.Therefore, examining the consumer personal information protection of various countries from a comparative law perspective to improve China's network data information protection framework and methods has significant theoretical and practical value.From domestic research, scholars' focus on consumer personal information primarily revolves around the following aspects: protection of personal information in special fields as the main research focus [2]; the combination of consumer personal information protection and antitrust law [3]; protection of consumers' personal genetic information [4]; the combination of personal information protection and bankruptcy law [5]; comprehensive protection paths for consumer personal information rights [6]; and the combination of personal information protection and civil law [7].Overall, the existing research covers both macro and micro levels, providing a rich research foundation for this study.

LEGISLATION AND PRACTICE OF CONSUMER PERSONAL INFORMATION PROTECTION UNDER CYBERNETICS
Currently, the mainstream theory in China for consumer personal information protection is the personal information control theory, which is about controlling the property rights and information rights of consumers over their personal information [8].This theory mainly protects consumer network data information from the perspective of consumer consent, both in process and outcome, reflecting traditional civil law rights values.However, in the era of big data, consumer network data information is characterized by openness and sharing.While protecting consumer network data information, attention should also be paid to the circulation and utilization efficiency of information, balancing the protection of consumer rights and the flow, processing, and utilization of network data information.Absolute control should not be used to protect consumer personal information.Instead, on the basis of clarifying business responsibilities, a relative control theory should be established to relatively control consumer personal information.

Legislative System for Consumer Personal Information Protection
Currently, China's consumer personal data protection has a three-dimensional provision, including both civil basic law and special law provisions.The Personality Rights section of the Civil Code specifically stipulates the legal protection of personal information.In terms of value concepts, personal information is regulated as a civil right rather than as an independent civil right.Consumer personal information is an important part of natural person personal information.From the perspective of special law regulations, the most important are the "Law on

Judicial Practice of Consumer Personal Information Protection
Observing the current status of judicial protection of consumer personal information, typical cases released by the Supreme People's Court on consumer rights protection can be selected.For several consecutive years, the Supreme Court has issued typical cases on personal information protection, reflecting the urgency of consumer personal information protection.
Whether consumer personal information protection is purely a private law issue or a public law issue, and whether the protection approach should mainly rely on private law or public law, is a matter of some controversy in practice [9].These disputes objectively affect the actual effectiveness of legal protection.

LEGAL PROTECTION OF CONSUMER PERSONAL INFORMATION IN FOREIGN LAWS
From a comparative law perspective, although countries (regions) have different views on whether to recognize personal information rights, no country (region) completely treats the protection of personal information as a purely public law task.Countries (regions) use a combination of public and private law to effectively protect personal information [10].Based on the differences in legal culture between the civil law system and the common law system, there are significant differences in protection concepts.

Legislative and Practical Models of EU Law
The latest EU rules on the utilization of consumer network data mainly apply the scenario theory.The 2016 EU General Data Protection Regulation (GDPR) established the principle of legality for data processing.This theory posits that the basis for data processing includes the consent of the data subject, the fulfillment of legal obligations, the establishment and performance of contracts, and the public interest, among others.The legality of data processing needs to be comprehensively judged based on factors such as the consent of the data subject.Overall, EU legislation, according to the Unified Tort Law Directive, focuses more on the tort protection of personal information.Legislation and law enforcement are more inclined to protect consumers and impose stricter regulations on businesses.

Legislative and Practical Models of US Law
In terms of legal nature, US personal information protection mainly adopts the consumer protection stance, characterized by market regulation law.
In areas without specific personal information protection legislation, the US protects personal information through general consumer protection models, with market supervision by the Federal Trade Commission (FTC).In areas and states with specific personal information protection legislation, the US adopts a "specialized" consumer protection law.
Compared to European law, US legal culture advocates more market freedom, with regulatory norms being more diluted.In legal values, the principle of contractual freedom is more emphasized, with consumer-business relationships generally adjusted through contract law.In the legal system, federal and state laws coexist, and even in areas with specific personal information protection legislation, US regulation is not as stringent as in the EU.The civil law system values general provisions in civil legislation, with personal information protection primarily remedied through torts.In handling the consumer-business relationship, the business's processing of consumer personal information inherently risks violating consumer dignity.In contrast, US law emphasizes typifying torts, regulating personal information processing based on the risk type of information.For the US, personal information processing is more like amplifying related risks, which varies across different fields and scenarios.In low-risk areas, the expansion of risks from personal information processing might be negligible, thus not requiring legislative risk preemptive measures.In high-risk areas, legislation and pre-regulation are needed.
Hence, the US personal information legislation's risk view is more pragmatic, closer to the actual risks brought by improper use or leakage of personal information [11].
From the content of the legislation, the US does not have unified personal information protection legislation; legislation is fragmented and diversified.At the federal level, state laws and industry self-regulation norms exist; public and private fields are regulated differently.In the public domain, the correct collection and use of personal information by government departments are emphasized, while in the private domain, industry-specific regulations are applied.The 2018 California Consumer Privacy Act is currently the strictest personal information protection law in the US, imposing new disclosure obligations on related entities regarding the categories of collected consumer personal information and introducing access and deletion rights for residents.Consumers can refuse to sell personal information to third parties, providing legal means for controlling personal information.In March 2021, Virginia passed the Consumer Data Protection Act, becoming the second state to enact comprehensive privacy legislation [12].

Legislative Improvement of Consumer Personal Information Protection
China has long adhered to the principle of "prefer coarse over fine" in legislative thought, making the content of legislation relatively general and leaving many detailed issues to be resolved through judicial practice.From the legislative concept, the overall legislation for personal information protection focuses on practical value.While this is conducive to solving practical issues in law enforcement, it also leads to inconsistencies within the legal system.Based on the current legislative status, future amendments to personal information protection legislation should adhere to three orientations [13].Firstly, paying attention to and borrowing from the latest foreign legislation, such as scenario theory, which helps accurately define consumer personal information types.Secondly, ensuring logical consistency among existing laws, especially the Consumer Rights Protection Law, the E-commerce Law, and the Cybersecurity Law, to establish a complete legal system.Thirdly, legislative measures should emphasize the flexibility and feasibility of the law, allowing for timely responses to changes in actual situations.

Practical Improvement in the Judicial Protection of Consumer Personal Information
Judicial protection of consumer personal information should focus on both civil and administrative relief methods [14].Firstly, enhance the protection role of civil law.Judicial authorities should fully recognize the tort liability and contract liability issues arising from consumer personal information infringement and clarify the application of legal rules through judicial interpretations and guiding cases, making judicial protection of consumer personal information more operable.Secondly, strengthen administrative intervention.Administrative organs should play a role in ex-ante prevention by reviewing standard contracts to prevent the risk of excessive collection and misuse of consumer personal information by businesses.

Constructing a Comprehensive Mechanism for Consumer Personal Information Protection
Establish a comprehensive protection mechanism for consumer personal information that combines administrative and judicial measures, public and private laws.Administrative authorities should establish a robust regulatory mechanism to monitor businesses' handling of consumer personal information and enforce penalties for violations.Concurrently, judicial authorities should provide effective remedies for consumers through civil litigation.In terms of private law protection, businesses should establish self-discipline norms, actively improve internal management systems, and protect consumer personal information rights.In terms of public law protection, enhance the role of regulatory agencies, improve law enforcement capabilities, and increase the cost of violations for businesses to form an effective deterrent.

CONCLUSION
With the rapid development of the digital economy, the protection of consumer personal information faces new challenges.By learning from the advanced experience of foreign legislation and combining the actual situation in China, it is essential to continuously improve the legal system for consumer personal information protection.Through legislative refinement, judicial improvements, and the establishment of comprehensive protection mechanisms, we can achieve effective protection of consumer personal information and maintain the balance of interests between consumers and businesses.

DISCLAIMER (ARTIFICIAL INTELLIGENCE)
Author(s) hereby declare that NO generative AI technologies such as Large Language Models (ChatGPT, COPILOT, etc) and text-to-image generators have been used during writing or editing of manuscripts.

COMPETING INTERESTS
Author has declared that no competing interests exist.