Guangzhou Internet Court issues the first decision on cross-border transfer of personal data under PIPL

The Guangzhou Internet Court (the “Court”) recently issued its first judgment involving the cross-border transfer of personal data under the Personal Information Protection Law (“PIPL”).¹ An international hotel group was accused of unlawfully transferring the Plaintiff's personal data to various overseas entities in the course of processing a hotel reservation.

The Court ruled that the cross-border transfer of personal data to the hotel in Myanmar for hotel reservation and an entity in France managing and operating the hotel's central reservation system was necessary for contractual performance and therefore lawful. On the other hand, the transfer of personal data to other overseas entities for marketing purposes was not necessary for the performance of the relevant contract and, in the absence of separate consent provided by the Plaintiff, was unlawful.

Background

We set out the parties involved and their roles in this case:

In 2022, the Plaintiff booked a hotel in Myanmar through the Defendants. The Plaintiff then discovered the Defendants' Customer Personal Data Protection Policy ("Policy"), which indicated that the Defendants transmitted and shared his personal data to multiple regions and recipients around the world. Aggrieved, the Plaintiff commenced proceedings before the Court, alleging that the Defendants' conduct was in breach of Article 13 of the PIPL, which requires that personal information may only be processed, in circumstances where, inter alia, “necessary for entering into or fulfilling a contract to which the individual is an interested party”

The Plaintiff's main contentions were as follows.

• The Policy unlimitedly expanded the scope of countries or overseas recipients that can receive customers' personal information. The Plaintiff was unable to find out where and by whom his personal information was handled, which undermined his right to be informed about the processing of his personal information.
• The Defendants' processing of personal data went beyond what was necessary for the conclusion and performance of the contract. To book a hotel in Myanmar, it was only necessary to process the Plaintiff's name, valid ID number, and a valid contact method (not his zip code, address, bank card number, etc.); and to transfer personal data to Myanmar (not elsewhere).
• The Defendants were unable to show that they had undergone one of the three routes for the lawful cross-border transfer of personal data, namely that they had: i) conducted a security assessment or ii) obtained personal information protection certification or iii)  entered into standard contract with respect to the cross-border transfer of personal information. The Defendants did not provide any evidence showing that the overseas recipient of the personal information conducted their processing activities in accordance with the law.

In response, the Defendants’ provided the following arguments:

• Their collection and processing of the Plaintiff's personal information was necessary for the purposes of the contract entered into between the parties (for membership services and hotel reservation services) and in line with the practice of the international hotel industry. Moreover, the 2^nd Defendant is an overseas company whose role is to manage a global membership reward scheme using the global membership database. Accordingly, it was not necessary to obtain the Plaintiff's separate consent to the data processing activities undertaken.
• Further, the Defendants had obtained the Plaintiff's consent – the Defendant had read and agreed to the Policy (by clicking an "I agree" button)  The Defendants had fulfilled their obligation to obtain consent and had provided sufficient information to protect the Plaintiff's right to know and right to decide.
• In any event, the Plaintiff's complaint was limited to the infringement of his right to know and right to delete his personal information. As stipulated under Article 50 of PIPL, the Plaintiff could only file his action had the Defendants rejected the Plaintiff’s request to review and delete. As no such request had been made, he did not meet the procedural requirements so as to have a right of action.

Overall, the Court ruled partially in favour of the Plaintiff and found that the 2^nd Defendant had participated in certain activities involving the unlawful transfer of the Plaintiff's personal data overseas. The 1^st Defendant, however, was found not to have participated in the infringing activity and was not held jointly liable.

The Court’s Findings

1.  Right of action

The Plaintiff claimed that his right to know and right to decide had been compromised given the Defendants’ inadequate notification and consent mechanisms, which amounts to a claim of infringement of his core personal information rights and interests, which allows the Plaintiff to sue directly in court without having to undertake any other procedural steps.

The present situation was to be distinguished from situations where individuals file a lawsuit on the grounds that their right to access and right to delete cannot be exercised. In the latter situation, the individuals bear the burden to prove that such rights cannot be exercised, and should therefore seek to assert their rights against the data processor prior to filing a lawsuit.

2. Consent

The Court highlighted the fact that separate consent under Article 39 of the PIPL for cross-border transfer of personal information is to be distinguished from the one-off general consent obtained for multiple purposes and manners of processing of personal data. A separate consent requires a data processor to separately notify the data subjects of the particular purpose of processing of the personal information, and shall be an act of specific and express authorisation by the data subject.

The Court found that the Policy was deficient in that, despite being 20,000-words long, it did not clearly indicate the geographical scope of the Defendants' personal data processing activities, the recipients of the personal information, and how the personal information would be handled by overseas recipients. As such, the Policy only provided a general notification to the data subjects as to the multiple purposes and manners of handling of personal information, which should only be regarded as such, and failed to comply with the core principles of openness and transparency under the PIPL.

In particular, the Court referred to the “Implementation Guidelines for Notification and Consent in Information Security Technology of Personal Information Processing”², which contained a statement to the effect that clicking or checking a box to agree to personal information protection policies in respect of products or services supplied, shall not necessarily constitute a separate consent for specific personal information processing activities. It follows that the Plaintiff's act of clicking the checkbox on the Policy did not amount to separate consent to the specific activity of transferring his personal data overseas.

3. Necessity for contractual performance 

The personal information collected by the Defendants – namely, the Plaintiff's name, phone number, email address, address, nationality, and bank card number – was found by the Court to be in accordance with the required practices in the hotel service industry. The scope of personal information collected and processed by the Defendants was therefore in compliance with PIPL.

In terms of the scope of recipients that the Defendants shared the Plaintiff’s personal information with and the geographical locations in which such personal information was shared, although the Court found that the cross-border transfer of the Plaintiff’s personal data to the hotel in Myanmar and to the 2^nd Defendant’s central reservation system in France was legitimate and necessary, it also held that, for the purpose of performing the contract, it is not necessary to share the personal information with all the business partners and marketing personnel of the Defendants’ hotel group, having regard to the data minimisation principle. Business marketing activities using personal information without consent shall not be regarded as necessary for performance of the contract.

The 2^nd Defendant should have, but had failed to, obtain separate consent for this.

4.  Damages

The Court ordered the 2^nd Defendant to provide a written apology and pay RMB 20,000 (approx. US$2,800) in damages. Both Defendants were ordered to delete the Plaintiff’s personal data stored in the Defendants and other relevant recipients.

Implications

This ruling is the first dispute concerning the cross-border transfer of personal information to go to court in China. The case is significant because it provides clarification on the concept of “separate consent”, and sheds light on the interpretation of the “necessary for contractual performance” exemption. As businesses formulate their notifications and consent forms for processing personal information, they should bear in mind the requirement for separate consent for data processing activities, as well as the need to provide clear and comprehensible information to data subjects in respect of all processing activities and the classes of transferees to whom their data is provided.

This case is a clear reminder of the awareness of privacy rights by consumers in China and the need for companies to review their privacy practices and procedures and ensure that their cross-border transfers are undertaken under one of the three routes available under the PIPL.