(1)Cross-border data transfers have become a matter of daily occurrence against the backdrop of the development of cloud computing and artificial intelligence. Consequently, where a data leak gives rise to civil liability, the determination of that liability inevitably assumes an international dimension involving foreign elements. (2)As is starkly demonstrated by secret sharing technology in cloud computing, fragments of data may be presumed to be distributed across multiple jurisdictions on a global scale. This renders traditional private international law measures -- predicated on the identification of a physical location -- inadequate for the purposes of determining the applicable law, a difficulty that is particularly acute in relation to non-contractual obligations. (3)Bearing in mind the typical scenario encountered in practice -- in which a Data Subject brings a claim for damages against a SaaS (Software as a Service) provider, which in turn seeks recourse against an IaaS (Infrastructure as a Service) or PaaS (Platform as a Service) provider -- a characteristic feature of such cases is the concurrence of contractual and non-contractual obligations. Taking this feature into account, it is possible to determine the applicable law governing non-contractual obligations through party autonomy -- by aligning it with the law governing the contractual obligation as selected by the parties, an approach that may be termed private ordering. This serves to overcome the difficulties associated with the identification of a physical location and, at the same time, contributes to ensuring the foreseeability of the parties.

翻译：（1）在云计算与人工智能技术快速发展的背景下，跨境数据转移已成为日常现象。当数据泄露引发民事责任时，该责任的认定必然涉及具有涉外因素的国际化维度。（2）云计算中的秘密共享技术清晰表明，数据碎片可能分布于全球多个司法管辖区。这使得以物理位置识别为根基的传统国际私法规则，在确定准据法时显得力不从心——尤其对非合同义务领域而言，这一困境尤为突出。（3）结合实践中的典型场景（数据主体向软件即服务提供商主张损害赔偿，后者进而向基础设施即服务或平台即服务提供商追偿），此类案件的核心特征在于合同义务与非合同义务的竞合。基于这一特征，可通过当事人自治原则确定非合同义务的准据法——即将其与当事人选择的合同义务准据法保持一致，此种方法可称为"私人秩序"。此举既能克服物理位置识别的困难，同时有助于保障当事人对法律后果的可预见性。