In a significant ruling that underscores the growing emphasis on personal data protection in China, the Guangzhou Internet Court recently concluded a case involving cross-border data transfer violations under the Personal Information Protection Law of the People’s Republic of China (PIPL). The case, titled (2022) Yue 0192 Min Chu 6486, saw Mr. Z, a Chinese citizen, sue two defendants: Shanghai A Business Consulting Co., Ltd. (Company A) and the mother company B, a multinational hotel management company based in Europe (Mother Company B).

Background of the Case

Mr. Z’s case centred around the unauthorized cross-border transfer of his personal information. The plaintiff had purchased membership cards from Company A, allowing him to book hotels worldwide under Mother Company B’s membership program at discounted rates. In February 2022, he used Mother Company B’s mobile app to book a hotel in Yangon, Myanmar, and provided personal information such as his name, nationality, phone number, email address, and credit card details.

Later, Mr. Z discovered that his personal information was being transferred and shared across multiple regions and entities without proper legal safeguards, violating the recently implemented PIPL. Specifically, he claimed that the defendants had not obtained the necessary certifications, conducted the mandated security assessments, or concluded the Chinese Standard Contractual Clauses (SCCs) required for cross-border data transfers. Furthermore, the defendants failed to inform him about the specific overseas recipients of his data, their processing purposes, or methods.

Plaintiff’s Claims and Legal Arguments

Mr. Z initially sought several remedies from the court, including:

  1. Disclosure of Information: Requiring the defendants to provide detailed information about all overseas entities receiving his personal data, including their identities, contact information, processing purposes, and methods.
  2. Deletion of Data: An order compelling the defendants and all overseas recipients to delete his personal data from their databases and provide proof of deletion, supervised by the court if necessary.
  3. Public Apology: A demand for a public apology on the defendants’ platforms (WeChat and the mobile app), with the content of the apology approved by the court.
  4. Compensation: Financial compensation for economic losses, legal fees, translation costs, and lost wages.
  5. Court Costs: Requesting the defendants to bear all court-related expenses.

The Defendants’ Defense

The defendants argued that the collection, processing, and transfer of Mr. Z’s personal data were necessary to fulfil their contractual obligations related to the membership and hotel booking services. They asserted that these actions were in line with international hotel industry standards and did not contravene any Chinese laws. Furthermore, the defendants maintained that Mr. Z had consented to their data policies by clicking agreement on their platform, thus waiving any need for separate consent for cross-border data transfers.

They also contended that according to PIPL Article 13, obtaining separate consent was unnecessary since the data processing was necessary for contract performance. Therefore, they argued that their actions were fully compliant with Chinese law.

Court’s Findings and Key Legal Issues

The court’s examination of the case focused on three critical issues:

  1. Justiciability of the Case: The defendants argued that Mr. Z should have first requested the exercise of the data subject rights from the data controllers (the defendants) before filing a lawsuit, as stipulated under PIPL Article 50. However, the court clarified that when a plaintiff alleges a violation of their privacy rights, such as unauthorized data processing, they are entitled to seek judicial relief directly without prior refusal from the data controllers. Only if the sole purpose of the claim is to exercise data subject rights, such as the right of access and the right to obtain a copy, should the data subject first contact the data controller. Only if the data controller fails to satisfy the data subject’s rights may the data subject bring an action against the data controller.
  2. Violation of Personal Information Rights: The court determined that the defendants did not comply with the PIPL’s transparency and consent requirements. Specifically, it found that Mother Company B failed to provide clear, specific, and understandable information regarding the scope and purpose of data processing, especially regarding cross-border data transfers. The court noted that merely obtaining a general agreement through a single click was insufficient for such sensitive matters, particularly when enhanced consent is required under the law.
  3. Liability and Consequences for the Defendants: The court ruled that the cross-border data transfer performed by Mother Company B exceeded the scope of data processing necessary to perform the service contract. It also found that Mother Company B failed to obtain the required separate consent for cross-border data transfers. Thus, the cross-border data transfer lacked a proper legal basis. However, Company A, as an affiliate entity located in China, was not found liable for the specific data processing actions taken by Mother Company B.

Court’s Decision and Implications

The court issued a multi-faceted judgment, addressing both remedial measures and compensation:

  1. Written Apology: Mother Company B was ordered to issue a written apology to Mr. Z, with the content reviewed and approved by the court.
  2. Data Deletion: Both defendants were ordered to delete Mr. Z’s personal information from their databases and those of their partners and provide proof of deletion.
  3. Compensation: Mother Company B was ordered to pay Mr. Z 20,000 RMB (approx. 2,551 EUR) in compensation, covering economic losses and reasonable expenses.
  4. Dismissal of Other Claims: The court dismissed some of Mr. Z’s additional claims as they were deemed either outside the scope of the defendants’ liability or unsubstantiated.
  5. Court Costs: The court ordered Mother Company B to cover the court fees of 500 RMB (approx. 64 EUR).

Significance of the Case

After the PIPL came into effect, the interpretation of many definitions and legal instruments was disputed in practice, resulting in legal uncertainty and dissatisfaction with the implementation of the law. This ruling marks a significant interpretation of the PIPL, emphasizing the need for transparency and strict adherence to consent requirements, particularly in cross-border data transfers. The case highlights the following important legal principles:

  • Transparency and Enhanced Consent Requirements: Companies must provide clear, specific and understandable information about data processing activities, especially when data is transferred across borders. A very general reference to cross-border data transfers does not provide data subjects with transparent information about cross-border data transfers. In particular, if the legal basis for the cross-border data transfer is an enhanced separate consent, the general wording of the privacy policy and a simple click-through of the privacy policy are not sufficient. To be on the safe side, companies should list the specific data recipients in the third country, as well as the scope and purpose of each transfer, in order for the enhanced separate consent to be valid.
  • The Relationship between Enhanced Consent and Normal Consent: It has long been debated whether enhanced separate consent should be treated as a type of consent, and thus as only one of the 6 legal bases explicitly provided by the PIPL, i.e., if another legal basis can be relied upon, then no consent/enhanced separate consent is required. Some scholars argued that if the PIPL mentions enhanced separate consent, then separate consent is always required, even if other legal bases could apply to the case. This was a major obstacle for cross-border data transfers, as in some cases consent is simply impossible to obtain or there are other more appropriate legal bases. The present decision clarified for the first time that if other legal bases, such as performance of contract, can be relied upon, consent is not required, even in cases where the PIPL requires an enhanced separate consent when consent is used as a legal basis.
  • Data Subject Rights: Individuals have the right to know where their data is processed and the purposes for which it is used. Organizations must respect these rights and ensure proper communication and documentation to avoid legal disputes. The mere exercise of data subject rights should first be addressed to the data controller. Only if the data controller fails to satisfy the data subject’s rights may the data subject go to court to enforce those rights.
  • Cross-Border Data Transfer Compliance: The ruling underscores the importance of complying with the requirements of the PIPL for cross-border data transfers. Cross-border data transfers should comply with basic data protection principles. If companies wish to rely on performance of contract as a legal basis for cross-border data transfers, they should carefully consider whether the data transferred and the scope of recipients are really necessary for the performance of the contract with the data subject. In the present case, the court found that the transfer of personal data to the hotel in Myanmar and the central booking system of the hotel group in France was necessary for the performance of the service. However, the court criticized the transfer of data to the United States and Ireland for commercial marketing purposes, finding that this transfer was not necessary for the performance of the service and therefore required an enhanced separate consent of the data subject, which the data controller failed to obtain. It is also worth noting that although the plaintiff claimed that the data controller should have conducted security assessments, obtained certifications or entered into Chinese SCCs for the cross-border data transfers conducted by the data controller, the court did not consider this to be the main issue and did not find it necessary. This may be due to the implementation of the new Cross-Border Regulation, which eases restrictions on cross-border data transfers.
  • Legal Liability and Compensation: The decision also demonstrates the court’s willingness to award compensation and enforce corrective measures when data rights are infringed, underscoring the serious legal consequences of non-compliance with data protection laws in China. However, in deciding on the remedies and compensation, the court also considered the impact of the breach and the proportionality of the remedies and the amount of compensation. Instead of requiring the data controller to publicly apologize to the data subject on its mobile app, which is accessible to all of the data controller’s customers worldwide, the court merely ordered the data controller to issue a written apology to the data subject. In addition, the compensation of 20,000 RMB (about 2,500 EUR) mainly covers the costs incurred by the data subject/plaintiff during the litigation, compared to the data subject’s claimed damages of 50,000 RMB (approx. 6,380 EUR). The data subject has not really received significant compensation for his intangible damages. In addition, because Mother Company B manages and owns the booking system and the mobile app and decides on the data transfer, it is the controller responsible for the data transfer and thus the one that should bear the legal responsibility, even though Mother Company B is not located in China and Company A is the Chinese subsidiary.

Conclusion

The Guangzhou Internet Court’s ruling in Mr. Z’s case against Company A and Mother Company B sets a critical precedent in personal information protection under Chinese law. It serves as a warning to multinational companies operating in China to align their data processing practices with the PIPL’s stringent requirements or face significant legal and financial repercussions. This case will likely influence future litigation involving personal data protection and cross-border data transfer practices, reinforcing China’s commitment to safeguarding personal information in the digital age.