Clarifications of Legal Bases for Cross-Border Data Transfers in Landmark Judgment by the Guangzhou Internet Court in China
30 Oktober 2024The Guangzhou Internet Court in China (Court) recently released its judgment under the Personal Information Protection Law (PIPL) (Case No.: (2022) Yue 0192 Min Chu No. 6486) (Judgment), setting a crucial reference in cross-border data transfers of personal information from China. It is said that this is the first court judgment in China on cross-border data transfer.
Key Takeaways
The Judgment sheds light on the judicial perspective regarding cross-border personal information transfers, offering valuable insights for companies to consider. Multinational companies must give significance to adapting their worldwide compliance strategies locally, especially through the revision of privacy policies and consent mechanisms, to align with Chinese regulatory requirements.
Localization of Global Data Protection Policies Based on Distinct Legal Bases
The Court’s focuses on the defendants’ “Customer Personal Data Protection Charter” and scrutinizes the information provided to users about data collection, processing, and transfer, the Judgment highlights the necessity for companies to localize their global data protection policies to align with PIPL requirements, as reliance on other jurisdictions’ data privacy practices alone, for example the General Data Protection Regulation, might not be considered to be sufficient. It is also important to adopt transparent and well-defined policies that outline specific purposes and scope of data processing to accurately lay out the legal bases for data processing, including cross-border data transfers.
Compliance Requirements of Informed Consent
The Judgment highlighted the importance of clear and comprehensive notifications to data subjects and proper separate informed consent, especially for cross-border data transfers where consent is the chosen legal basis. This is evident in the Court’s examination as to whether the defendants adequately informed the plaintiff of the overseas recipients of the plaintiff’s personal information.
Compliance With Legal Mechanisms for Cross-Border Data Transfers
The plaintiff initially demanded examination of the legal mechanism used by the defendants in their cross-border data transfers, including whether they had obtained necessary security assessments and certifications. Because the plaintiff later withdrew this demand and replaced it with a new demand during the proceedings, the Court did not opine on the legal mechanism. However, it is a good reminder that a legal mechanism and other key compliance points, such as records of processing activities and data protection impact assessments, in the context of cross-border data transfers are essential for demonstrating compliance with PIPL requirements and could be challenged by data subjects when there is a dispute.
Penalty and Damages
In this case, the damages have been awarded to the plaintiff for the direct losses suffered (i.e. legal fee, translation fee and evidence collection cost in this case), but companies should also be aware of the potential administrative penalties imposed on them and personal liabilities imposed on their officers.
For general violations, companies can be subject to penalties including correction orders, warnings, and confiscation of illegal gains. The fines for violations are guided by ranges for companies who are data controllers and for any person in charge or any other individual of companies directly liable for the violation.
As for severe violations, the fines imposed on companies could be up to RMB50 million (around €6.5 million) or 5% of their last year’s annual revenue, and companies can be ordered to suspend business activities or face license revocation; any person in charge or any other individual of the companies directly liable for the violation can be fined and may also be banned for a certain period of time from serving in leadership roles of the companies involved in the violation.
Background
The Judgment was first delivered on 8 September 2023. In this case, the plaintiff, Zuo (Plaintiff), raised concerns about the Plaintiff’s personal information being transferred out of China and shared globally without the Plaintiff’s knowledge and separate consent after he purchased a membership card from a Shanghai company (First Defendant) for discounted services of a French multinational hotel group (Second Defendant, collectively with First Defendant, Defendants) and used the Second Defendant’s app to book a hotel in Myanmar, providing personal information and agreeing to the “Customer Personal Data Protection Charter” published by Second Defendant. However, the Defendants argued the personal information processing was necessary for contract performance and aligned with industry practices for global hotel services.
As mentioned above, the Judgment offers insights into the complexities of PIPL and the balancing of individual privacy rights with multinational companies’ global operational needs. It also reflects a trend of increasing data protection regulations and enforcement in the China landscape. The Judgment serves as a reminder for multinational companies operating in China, as it stresses the need for a careful balance between global business operations and compliance with local data protection laws.
Key Issues Addressed By the Court
In the Judgment, the Court addressed several key issues under the PIPL, particularly in areas such as cross-border data transfers, data subject’s consent, and localization of data privacy protection policies. These key issues are summarized below:
Actionability of the Case
One of the key issues addressed by the Court was the question of whether Plaintiff’s case was actionable in the first place. Despite the Defendants’ argument that Plaintiff had not directly approached them and exercised the Plaintiff’s rights first before taking legal action, the Court took a broader view, distinguishing differences between an infringement of basic rights of a data subject and that of a data subject’s right to access, enabling Plaintiff’s case to proceed based on its merits. This clarified in what circumstances a data subject is required to exercise his rights against a data controller before he can seek judicial remedies and in what circumstances it is not.
The Legal Bases for the Defendants’ Processing of Personal Information; the Requirement of Informed Consent
The Court highlighted that PIPL provides multiple legal bases for processing personal information, with consent being one of the several bases. The Court recognized that the Defendants’ collection and processing of Plaintiff’s personal information was primarily for the purpose of concluding and performing service contracts (for membership and hotel reservation services) and further clarified that contractual necessity, as one of the legal bases for processing personal information under the PIPL, stands on equal footing with consent. In other words, a data subject’s consent is not required when there is the necessity for the conclusion and performance of a contract to which the data subject is a party.
However, the Court did not accept the Defendants’ argument that this contractual necessity basis eliminated the need for separate consent of a data subject. This is because besides using the data subject’s personal information for booking the hotel, the Defendants also collected and onward transferred the relevant personal information to data recipients in other jurisdictions for marketing purposes, which was not necessary for contract performance. The Court also rejected the Defendants’ claim that their privacy policy disclosures were adequate to inform users and obtain consent. Instead, it emphasized the need for more detailed information about overseas recipients and onward transfers, and explicit consent for these specific cross-border data flows beyond general privacy policy acceptances in this context, prior to collecting and transferring the data internationally.
Criteria for Determining Damages
Regarding award of damages to the Plaintiff, the Court is of the view that under the PIPL, the assessment places emphasis on the expenses incurred to prohibit the infringement behavior. In particular, the Court determines what constitutes financial losses, e.g., reasonable expenses incurred by the infringed party to stop the infringement, such as the reasonable expenses incurred in the investigation or collection of evidence. The Court may also consider legal fees incurred.
In the present case, taking into account the reasonableness and necessity of expenses, the extent of fault committed by the Defendants, and the impacts on the Plaintiff’s personal information (including how the personal information has been handled and the volume and extent of the personal information involved), the Court awarded damages in the sum of RMB20,000 (around €2,600) to the Plaintiff (inclusive of reasonable expenses).
Conclusion
As China continues to enforce its data protection regime, businesses should expect increased scrutiny of their data practices. Proactive compliance measures and a user-centric approach to data management will be crucial for navigating this evolving regulatory landscape.
Our firm’s Data Protection, Privacy, and Security team remains available to assist you in achieving the compliance of your companies’ cross-border data transfers with China.