The Guangzhou Internet Court released the first ruling interpreting the requirements for cross-border transfer of personal information under the Personal Information Protection Law (PIPL). This case has significant implications for companies handling personal information in China.
The case highlights the following implications for multinational companies handling personal information in China:
The lawsuit was brought by a Chinese plaintiff (the Plaintiff) who purchased membership cards of an international hotel group (the Hotel) through its Chinese affiliate (collectively, the Defendants). The Plaintiff booked a hotel in Myanmar on the Hotel's app, submitted personal information, and agreed to the app’s privacy policy (Privacy Policy) by clicking a “consent” button.
The Plaintiff claimed the Defendants violated the PIPL by (1) handling personal information beyond contractual necessity (personal information was transferred to several countries other than Myanmar) and (2) failing to set up adequate notification and separate consent mechanisms.
The Defendants argued that (1) they did not need to obtain the consent of the Plaintiff for the cross-border transfer because the transfer was based on other legal ground under Article 13 of the PIPL (i.e., it was necessary for performing a contract to which the data subject is a party); (2) the Privacy Policy has been provided to and consented by the Plaintiff that included detailed description on where the personal information will be transferred, including to entities located in Austria, Belgium, Bulgaria, Croatia, and 100 other countries and regions; and (3) the Plaintiff should first claim his rights against the Defendant and then file a lawsuit after being rejected based on Article 50.2 of the PIPL, which provides that if a data controller rejects a person's request to exercise his or her rights, the person may, in accordance with the law, file a lawsuit in a people's court.
The court sustained the Plaintiff’s claim by holding that (1) the scope of the transfer exceeded what was necessary for the Defendants to perform the hotel booking services in Myanmar, (2) the Defendants’ consent mechanism failed to satisfy the separate consent requirements and thus violated Article 39 of the PIPL, and (3) the Plaintiff can directly claim such rights in court without first requesting the privacy rights with the Defendants.
The court analyzed its reasoning from the following perspectives.
Was the Defendants' Handling of Personal Information Necessary for the Performance of the Contract?
The court first addressed the Defendants’ argument about whether the cross-border personal information transfer is necessary for the performance of the contract to waive the consent requirement.
The court confirmed that the scope of personal information handled—name, nationality, telephone number, e-mail address, bank card number—was necessary for performing a hotel booking contract. However, the scope of overseas recipients with whom the Defendants shared personal information—all of the Hotel’s business partners and marketing personnel—exceeded the scope necessary for performing a hotel booking contract in Myanmar. Additionally, the court determined that the purpose of the transfer—for the purpose of business marketing—exceeded what was necessary to fulfill the contract because the purpose of the contract was to receive the services rather than to receive marketing advertisements.
Under Article 13 of the PIPL, informed consent is one of the legal basis for the handling of personal information, and informed consent can be waived if the data controller has other legal basis, such as when the handling is necessary for performing the contract. In this case, the court determined that the informed consent cannot be waivered because the Defendants’ handling of personal information exceeded the scope necessary for performing the contract.
Was the Defendants' Privacy Policy Sufficient to Constitute Separate Consent of Data Subjects?
The Defendants’ second argument was that they had already obtained the consent of the Plaintiff via the Privacy Policy.
Under Article 39 of the PIPL, separate consent is required for cross-border transfer of personal information. In this case, the court noted that, separate consent is the specific and explicit authorization given by an individual specifically for the particular handling of his or her personal information and does not include consent given for the handling of personal information for multiple purposes or multiple types of use of personal information at one time. Separate consent is valid only when an individual is informed separately of an enhanced notice first and then consents to the content being informed.
In this case, the Plaintiff checked the Privacy Policy with nearly 20,000 words for multiple purposes in a “package.” The Plaintiff was not clearly informed of the scope of the parties with whom the personal information would be shared, or how the overseas recipients would handle their personal information, so the statements provided in the Privacy Policy did not comply with the principle of openness and transparency.
Therefore, the court found that the Defendants’ Privacy Policy only constituted “general notice,” as opposed to “enhanced notice,” so it could not satisfy the separate notification and separate consent requirements for the cross-border transfer of personal information.
For the separate consent requirement, the court clarified a long-debated topic in this ruling whether the separate consent is required if the handling is based on legal grounds other than consent as provided under the PIPL. The court held that according to Article 13 of the PIPL, informed consent is one of the legal basis for the handling of personal information, and informed consent and separate consent can be waived if the personal information handler has other legal basis, such as when the handling is “necessary” for performing the contract. However, as mentioned above, in this case, the Defendants’ handling exceeded the scope necessary for the performance of contracts, so the Defendants did not have other legal basis for the handling beyond the necessary scope and separate consent is required for such handling.
Should the Plaintiff First Request the Privacy Rights with the Defendants Before Pursuing the Case in Court?
The Defendants argued that the Plaintiff should first claim his privacy rights against the Defendants and then file a lawsuit after being rejected, based on Article 50.2 of the PIPL, which provides that if a data controller rejects a person's request to exercise his or her rights, the person may, in accordance with the law, file a lawsuit in a people's court.
The court interpreted that, the right to be informed and the right of decision-making are the core rights relating to personal information, which differ from other instrumental and remedial rights, including the right of access, right of copy, right of data portability, right of correction, right of supplementation, and the right of explanation. The infringement on the right to be informed and the right of decision-making is an infringement on civil rights, which can be directly sued in court based on the Civil Law.
Therefore, the court held that the mechanisms for informed consent are the right to be informed and the right of decision-making, so the Plaintiff can directly claim the rights in court (without first requesting privacy rights with the data controller).
Based on the above analysis, the Guangzhou Internet Court held that the Defendants' handling of personal information violated the Plaintiff's personal information rights and ordered the Defendants to do the following:
This case is a starting point and a warning to multinational companies operating in China to align their data processing practices with the PIPL.
EU General Data Protection Regulation (GDPR) Compliance Does Not Ensure PIPL Compliance
PIPL is similar to but stricter than GDPR in some respects. For example, the PIPL specifically requires separate consent for several data handling activities that may pose a greater risk to the security of personal information, including providing personal information to other handlers and transferring personal information abroad.
Additionally, there are no legitimate interests exception under the PIPL, so the ground of consent is weighed heavily in practice. Multinational companies that comply with the GDPR must customize their data compliance efforts for use in China. This involves a comprehensive review of overall data handling practice in China through a data mapping process to determine whether there are compliance gaps under the PIPL.
Updates to Privacy Policies and Consent Mechanisms
According to this case and the PIPL, the privacy notices should be clear, concise, and easily comprehensible, enabling individuals to make informed decisions. Additionally, separate consent is required for cross-border data transfer, handling sensitive personal information, and other high-risk data handling activities. As a result, it is advisable for companies to review their privacy notices and policies to comply with the PIPL.
Our team is closely monitoring developments in this area and is available to assist companies in reviewing and updating their data protection practices in China.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: