First Cross-Border Data Transmission Dispute Dealt With by the Guangzhou Internet Court
Published 4 November 2024
Sarah Xuan
On September 2, 2024, the Guangzhou Internet Court announced its judgment in a civil dispute concerning cross-border personal data transmission ((2022) Yue 0192 Min Chu No. 6486); a PDF of the court’s decision is available at http://www.meritsandtree.com/UpLoadFile/Files/2024/9/2/18249331e6e8f0be-b.pdf . The judgment sets out the compliance requirements for personal data protection in detail and gives clear judicial guidance on the obligations that accompany cross-border personal data transmission. This article analyzes the case’s background, the key points of contention, and the court’s judgment, and then evaluates its implications for future compliance practice.
[Case Background]
The case involved a dispute between the plaintiff, Mr. Zuo, and the defendants, Mouqin Business Consulting (Shanghai) Co., Ltd. (“Mouqin Company”) and a multinational corporation, Mougao Co., Ltd. (“Mougao Company”), regarding the cross-border transmission of personal data. The case was filed with the Guangzhou Internet Court on March 28, 2022, and public hearings were held on December 29, 2022, and July 12, 2023.
The matter began when, on October 29, 2021, Mr. Zuo purchased two “Mougao A” cards for RMB 2,588 through a WeChat public account operated by Mouqin Company, thereby becoming a member of the Mougao hotel group. These cards provided discounts for hotel bookings. On February 27, 2022, Mr. Zuo used the “A” mobile application to book a hotel in Yangon, Myanmar, submitting personal information including his name, nationality, phone number, email address, and bank card details. Subsequently, Mr. Zuo discovered that his personal data had been shared with multiple foreign regions. He argued that this data-sharing practice lacked sufficient disclosure and consent, particularly concerning the scope of data sharing and recipient information. He claimed this conduct violated the Personal Information Protection Law of the People’s Republic of China (PIPL) and filed a lawsuit.
[Plaintiff’s Claims]
Mr. Zuo contended that the defendants expanded the scope of personal data recipients without adequate limitations in their Client Personal Data Protection Charter, making it impossible for him to ascertain the flow and handling of his personal information, thus infringing on his rights to be informed and to make decisions. Furthermore, although the defendants provided a method for exercising data subject rights (e.g., contacting a French company via email), this method was cumbersome and lacked a defined processing timeline, failing to protect his legitimate rights.
Mr. Zuo requested the defendants to present documentation proving that their data transmission complied with the law, including security assessments and certifications for personal data protection. He also demanded the deletion of all his personal data and proof thereof, or that the court supervise this process. Additionally, he sought a public apology on the defendants’ public platforms and compensation for economic losses, including lost income, attorney fees, and translation costs, totaling over RMB 80,000.
[Defendants’ Arguments]
Mouqin Company and Mougao Company jointly argued that collecting and transmitting Mr. Zuo’s personal information across borders was necessary for fulfilling the membership service and hotel booking contract, aligning with international hotel industry practices and Chinese legal requirements. They emphasized that Mr. Zuo had explicitly consented to their Client Personal Data Protection Charter when registering as a member and using the “A” application. The defendants asserted that the data processing aimed to verify member identity and ensure the smooth operation of their global booking system, which required international data sharing for customer service and support.
Furthermore, Mougao Company, being an international enterprise with data storage and management systems located abroad, contended that cross-border data transmission was both unavoidable and essential. The defendants maintained that the data transmission procedures and contents adhered to the necessary legal disclosure and consent requirements, asserting the legality and compliance of their actions.
[Key Points of Contention]
The court identified the key points of contention as follows:
1. Justiciability of the Case: The defendants argued that, per Article 50, Paragraph 2 of the PIPL, Mr. Zuo should first have made a claim to the data controller and only filed a lawsuit after rejection, thus questioning the case’s justiciability.
2. Violation of Personal Information Rights: Mr. Zuo claimed that the defendants failed to provide sufficient information on the scope and purpose of personal data processing, violating his rights to be informed and to decide.
3. Liability for Infringement: Whether the defendants should bear civil liability, including an apology, data deletion, and economic compensation.
[Court’s Judgment and Rationale]
1. Justiciability of the Case
When assessing the admissibility of the case, the court focused on analyzing the purpose and application of Article 50, Paragraph 2 of the Personal Information Protection Law. The court stated that this provision is designed to ensure that personal information processors establish a convenient mechanism for rights applications, thereby protecting the ability of personal information subjects to exercise their rights easily. The establishment of this mechanism was not intended to restrict or prevent individuals from seeking judicial relief directly when their rights are violated.
The court further elaborated that the Personal Information Protection Law, as a specialized law for protecting personal information rights, emphasizes in its legislative purpose the importance of protecting the right to be informed and the right to decide. The law explicitly introduces “personal information rights” for the first time as an independent personal right, on par with privacy rights and reputation rights. The court reasoned that when individuals claim that their right to be informed or their right to decide has been infringed, they should not be overly constrained by procedural requirements for initiating lawsuits, as this would be contrary to the legislative intent.
The court emphasized that the pre-procedural requirement of Article 50, Paragraph 2 is intended to apply in specific situations where the exercise of rights is hindered, rather than in cases involving broader infringements of rights. Based on this analysis, the court held that Mr. Zuo’s action, taken on the grounds that his personal information rights were violated, was reasonable and legally sound, rendering the case admissible.
2. Violation of Mr. Zuo’s Personal Information Rights
The court conducted a detailed examination of whether the two defendants infringed on Mr. Zuo’s personal information rights, focusing on the following aspects:
1) Legal Validity of Notification and Consent
The court thoroughly explained the core role of the “notification” and “consent” mechanisms in personal information protection. The court pointed out that although Mr. Zuo had clicked to agree to the Customer Personal Data Protection Charter during registration and hotel booking, this action did not mean that the defendants had automatically obtained a legitimate basis for all personal information processing activities. The court emphasized in its reasoning that the key to the notification and consent mechanism lies in whether the user was informed in a clear, understandable, and transparent manner about the purposes, methods, and scope of personal information processing.
The court found that although the defendants provided the Customer Personal Data Protection Charter, its content was complex and lengthy, failing to convey important information to users in an intuitive manner, especially regarding the specific recipients of data transfers and the purposes of processing. The court concluded that this broad and general notification did not comply with the transparency requirements stipulated in Articles 7 and 17 of the Personal Information Protection Law, and therefore did not fulfill the obligation of proper notification.
2) Legitimacy of the Scope of Information Processing
The court examined the legitimacy basis claimed by the defendants, which was “necessary for the performance of a contract” under Article 13, Paragraph 2 of the Personal Information Protection Law. The court reasoned that the application of this provision requires meeting the standard of “objective necessity,” meaning that the information processing must be directly related to the purpose of performing the contract and adhere to the principle of minimum necessity. The court analyzed the case and found that although Mr. Zuo provided basic personal information for booking a hotel, the Customer Personal Data Protection Charter extended the scope of data recipients and sharing to include business partners and marketing personnel, exceeding what was necessary for the performance of the contract.
The court further noted that while cross-border data transfers are common in the international hotel industry, this cannot serve as an absolute basis for legitimacy. The court reasoned, by applying legal provisions to the case, that processing personal information for commercial marketing without explicit consent does not qualify as “necessary for the performance of a contract.”
3) Obtaining Separate Consent
The court cited Article 39 of the Personal Information Protection Law to analyze the applicability and meaning of separate consent. The court explained that separate consent requires personal information processors to inform individuals separately and obtain explicit consent for specific data processing activities, especially those involving cross-border transfers of personal information. The court’s review indicated that the defendants failed to provide evidence showing that they obtained separate consent from Mr. Zuo in cases where the data processing exceeded the necessity of contract performance.
The court reasoned that clicking to agree to a privacy policy can only be regarded as consent in general information processing activities, but for more complex or high-risk activities, such as cross-border data transfers, separate consent is required. The court concluded that since the defendants did not take this measure, their data processing activities were illegal due to the lack of valid consent.
3. Civil Liability
When examining the allocation of liability, the court discussed in detail the fault of the defendant Mougao Company and the consequences of the infringement. The court stated that civil liability for infringing personal information rights refers to the obligation of the personal information processor to compensate for damage caused by improper actions that infringe the rights of natural persons.
The court considered the following points in its reasoning:
1) Deletion of Personal Information
The court held that deleting relevant information is an essential measure for maintaining the security of personal information and protecting Mr. Zuo’s rights. The court required the defendants to provide proof of data deletion to ensure the authenticity and completeness of the execution.
2) Apology
The court evaluated the nature of the infringement and its impact on the parties involved, ruling that Mougao Company should issue a written apology. The court noted that a written apology would better balance the need for transparency against the specific circumstances, achieving the purpose of restoring the plaintiff’s position without causing excessive impact.
3) Economic Compensation
The court provided a detailed analysis of the reasonableness of damage compensation. It cited Article 69 of the Personal Information Protection Law and Article 1182 of the Civil Code, explaining that compensation should be determined based on actual losses or the benefits obtained by the infringer. In this case, as specific losses were difficult to quantify, the court determined a compensation amount of RMB 20,000, covering translation and legal fees, based on the specific circumstances of the case.
4. Liability of Mouqin Company
After analysis, the court found that while Mouqin Company participated in data collection, it did not engage in cross-border data transfers and therefore had not committed an infringement. The court reasoned that Mr. Zuo’s claim that Mouqin Company and Mougao Company had jointly committed the infringement was unsupported by evidence and was therefore not upheld. The court decided that Mouqin Company was only required to delete Mr. Zuo’s personal information; his other claims against it were not supported.
The above summary expands on the court’s reasoning process, fully demonstrating its approach to interpreting legal provisions, analyzing evidence, and protecting rights, reflecting an in-depth understanding of the Personal Information Protection Law and the Civil Code.
Neither the plaintiff nor the defendant in this case appealed against the judgment.
[Analysis]
This landmark case provides essential guidance and a cautionary example for enterprises concerning compliance practices. The ruling clarified the applicability of the PIPL to cross-border data transmissions, emphasizing that companies must enhance transparency and obtain explicit, separate consent when processing personal information, particularly for international transfers. This underscores that compliance involves not just procedural adherence but an integrated approach throughout data handling, ensuring legal standards are met at each step. Enterprises must, based on this ruling, conduct comprehensive risk assessments, update data transmission agreements, and revise internal audit procedures to address potential compliance gaps proactively. Specifically, the key areas for future compliance need to be focused on:
1) Transparency and Information Disclosure
Companies must ensure transparency in their data handling policies and operational procedures to build user trust and meet regulatory standards. For instance, enterprises should update and publicly share multi-language versions of privacy policies and data protection statements. During user registration, simplified guides should be provided, explaining data transfer details, destinations, potential legal risks, and protective measures.
2) Obtaining Explicit Consent
Companies must design user-friendly, legally compliant consent processes that provide users with detailed information about data transfer purposes, handling methods, and recipient details. These records must be maintained within the system for potential audits by regulatory authorities or user queries.
3) Building and Maintaining Compliance Systems
A comprehensive compliance management system should include policies, procedures, and staff coordination. Companies should conduct regular internal reviews and external compliance audits to adapt to evolving regulations and technology. Establishing dedicated compliance teams or appointing Data Protection Officers (DPOs) to oversee personal data handling, especially cross-border aspects, is vital.
4) Technical and Legal Safeguards
Companies must employ dual-layered safeguards, technical and legal, to ensure data security during transfers. Basic measures such as encryption, data anonymization, and access control should be implemented to mitigate risk. Legally, contracts with third-party partners should incorporate standard contractual clauses (SCCs) or supplementary provisions to ensure that data recipients meet equivalent protection standards.
This case underscores the importance of companies adopting a robust compliance framework that incorporates detailed operational practices and regular policy updates, facilitating adherence to stringent data protection laws and fostering sustainable growth in a regulated environment.
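The points on consent records and access control above can be turned into an enforceable control rather than a policy statement. The following is an added illustration written for this article, not code from the court file or from either defendant; all entity names, data category labels and the ledger design are hypothetical. It models the court’s distinction: a blanket click on the privacy charter is recorded but never authorizes a cross-border transfer, whereas a separate consent naming a specific recipient, purpose and closed set of data categories does, and every authorization decision is appended to an audit log that can later be produced for a regulator or a data subject.

```python
"""Consent-gated cross-border transfer check (illustrative; not from the judgment)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SeparateConsent:
    """One separate consent in the Article 39 sense: a specific recipient and
    purpose, a closed set of data categories, and a pointer to stored evidence."""
    subject_id: str
    recipient: str            # a named legal entity, never a class like "business partners"
    purpose: str
    categories: FrozenSet[str]
    granted_at: datetime
    evidence_ref: str         # e.g. id of the archived consent screen and click event


class ConsentLedger:
    """Stores consents plus an append-only decision log kept for audit."""

    def __init__(self) -> None:
        self._policy_acceptances: Dict[str, str] = {}   # subject -> charter version
        self._separate: List[SeparateConsent] = []
        self.audit_log: List[dict] = []

    def record_policy_acceptance(self, subject_id: str, charter_version: str) -> None:
        # The blanket charter click is kept as evidence of general notification only;
        # authorize_transfer() deliberately never consults it.
        self._policy_acceptances[subject_id] = charter_version

    def record_separate_consent(self, consent: SeparateConsent) -> None:
        # Refuse open-ended recipients: the court faulted "business partners" style wording.
        if not consent.recipient.strip() or "*" in consent.recipient:
            raise ValueError("separate consent must name a specific recipient")
        self._separate.append(consent)

    def find_consent(self, subject_id: str, recipient: str,
                     purpose: str) -> Optional[SeparateConsent]:
        for c in self._separate:
            if (c.subject_id, c.recipient, c.purpose) == (subject_id, recipient, purpose):
                return c
        return None

    def log_decision(self, **entry: object) -> None:
        entry["at"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)


def authorize_transfer(ledger: ConsentLedger, subject_id: str, recipient: str,
                       purpose: str, categories: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every call is logged, whether allowed or refused."""
    consent = ledger.find_consent(subject_id, recipient, purpose)
    if consent is None:
        allowed, reason = False, "no separate consent for this recipient and purpose"
    elif not categories <= consent.categories:
        missing = sorted(set(categories) - set(consent.categories))
        allowed, reason = False, f"consent does not cover categories: {missing}"
    else:
        allowed, reason = True, f"covered by separate consent {consent.evidence_ref}"
    ledger.log_decision(subject=subject_id, recipient=recipient, purpose=purpose,
                        categories=sorted(categories), allowed=allowed, reason=reason)
    return allowed, reason


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str], int]:
    """Constructed scenario loosely modelled on the facts of the case; names are hypothetical."""
    ledger = ConsentLedger()
    ledger.record_policy_acceptance("zuo", "charter-2021")      # blanket click only
    ledger.record_separate_consent(SeparateConsent(
        subject_id="zuo",
        recipient="hotel-operator-yangon",                      # hypothetical entity
        purpose="hotel_booking",
        categories=frozenset({"name", "nationality", "phone", "email"}),
        granted_at=datetime(2022, 2, 27, tzinfo=timezone.utc),
        evidence_ref="consent-screen-0001",
    ))
    booking = authorize_transfer(ledger, "zuo", "hotel-operator-yangon", "hotel_booking",
                                 frozenset({"name", "phone"}))
    marketing = authorize_transfer(ledger, "zuo", "marketing-partner-eu", "marketing",
                                   frozenset({"email"}))          # no separate consent
    overscope = authorize_transfer(ledger, "zuo", "hotel-operator-yangon", "hotel_booking",
                                   frozenset({"name", "bank_card"}))  # category not consented
    return booking, marketing, overscope, len(ledger.audit_log)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The design choice worth noting is that the charter acceptance and the separate consent live in different records with different schemas, so a developer cannot accidentally satisfy the transfer gate with the blanket click; the gate also refuses a transfer whose data categories exceed what the separate consent listed, which is the data-minimization point the court drew from Article 13.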