
Yin Yi Nian Shu: Interpretation of the First Cross-border Dispute over Personal Information

LABEL: Telecommunications, media, entertainment and high technology, Compliance business, Digital economy

Introduction

Recently, the Guangzhou Internet Court released a civil judgment in a personal information protection dispute [(2022) Yue 0192 Min Chu No. 6486] concerning the cross-border transmission of personal information; the case was concluded in September 2023. It is the first judicial judgment on a dispute over cross-border transmission of personal information announced by the court since the promulgation of the Personal Information Protection Law. We analyze and interpret the four legal issues involved one by one, for reference by all sectors of society.

(1) Legal application issues.

(2) Do individual lawsuits require preconditions?

(3) How to determine infringement of personal information rights?

(4) How to determine and bear civil tort liability?
1、 Case facts

The plaintiff, Mr. Zuo, paid 2588 yuan to Qin Company (one of the defendants) on October 29, 2021 to purchase two high A * cards. Holders of these cards can, as members, enjoy hotel accommodation services provided by Gao Company (the second defendant) at a discounted price. On February 27, 2022, Zuo booked a hotel in Myanmar on the "A *" mobile application (APP) for March 8-9, 2022, and submitted personal information such as his name, nationality, phone number, email address, and bank card number. Afterwards, Zuo discovered from the "Customer Personal Data Protection Charter" that the defendant had transferred his personal information to multiple regions and recipients worldwide. He believed that the two defendants illegally processed his personal information across borders through the "A *" mobile application (APP) and could not prove the legality of their cross-border transfers. According to Zuo, the two defendants expanded without limit, in their "Customer Personal Data Protection Charter", the scope of countries and entities receiving personal information overseas. Zuo could not know in which countries and regions, and by which foreign entities, his personal information was processed, so his right to know as a consumer and data subject could not be effectively protected. Although the two defendants ostensibly provided a path for exercising and protecting data subject rights, it was limited to sending emails to France. The two defendants transmitted and shared Zuo's personal information in a highly automated manner, but offered Zuo only a manual channel for exercising his rights, with no deadline for acceptance and no deadline for processing, and thus failed to provide customers with a convenient channel for withdrawing authorization and exercising rights.

Zuo's claims: 1. Order the two defendants to provide information on all overseas recipients of Zuo's personal information, including each recipient's name (name), contact information, processing purpose, processing method, and type of personal information, and order the two defendants and all recipients to delete all of Zuo's personal information from their respective original data storage carriers and provide relevant proof, or have the court supervise the execution; 2. Order Qin Company to publicly apologize to Mr. Zuo on its WeChat official account "A *", with the specific content of the apology to be jointly confirmed by the court and Mr. Zuo; 3. Order Gao Company to publicly apologize to Mr. Zuo on the homepage of its "A *" mobile application (APP), with the specific content of the apology to be jointly confirmed by the court and Mr. Zuo; 4. Order the two defendants to jointly compensate Mr. Zuo for economic losses of 50000 yuan; 5. Order the two defendants to jointly compensate Mr. Zuo for lost-work costs of 9600 yuan, the cost of hiring two lawyers for Mr. Zuo, each 9600 yuan, and a translation fee of 2500 yuan; 6. Order the two defendants to jointly bear the case acceptance fee.

The court's first-instance judgment is as follows: 1. Defendant A * (a certain company limited by shares) shall, within fifteen days from the date this judgment takes legal effect, apologize in writing to Plaintiff Zuo, with the content of the apology statement to be reviewed by this court; 2. Defendants Qin Business Consulting (Shanghai) Co., Ltd. and A * (Gao Co., Ltd.) shall, within fifteen days from the date this judgment takes legal effect, delete all personal information of Plaintiff Zuo held by the two defendants and by the related recipients of the personal information, and provide relevant evidence; 3. Defendant A * (a certain company limited by shares) shall compensate Zuo for property losses of 20000 yuan (including reasonable expenses) within ten days from the date this judgment takes legal effect; 4. The other claims of the plaintiff, Mr. Zuo, are rejected.
2、 Applicable legal issues

Article 3 of the Personal Information Protection Law stipulates:

The activities of processing personal information of natural persons within the territory of the People's Republic of China shall be governed by this Law.

This Law shall also apply to activities outside the territory of the People's Republic of China that process the personal information of natural persons within the territory of the People's Republic of China, if any of the following circumstances apply:

(1) For the purpose of providing products or services to natural persons within the country;

(2) To analyze and evaluate the behavior of natural persons within the territory;

(3) Other circumstances stipulated by laws and administrative regulations.

From Article 3 of the Personal Information Protection Law, it can be seen that China's personal information protection adopts the principle of territorial jurisdiction, supplemented by necessary protective jurisdiction, in terms of the scope of spatial application. The first paragraph of Article 3 reflects the principle of territoriality, and all activities related to the processing of personal information of natural persons that occur within the territory of China shall be subject to the jurisdiction of the Personal Information Protection Law. The second paragraph of Article 3 can be understood as a protective jurisdiction clause similar to the "targeting criteria" principle in the General Data Protection Regulation, which means that in order to protect the interests of China and its citizens, processing activities targeting personal information of natural persons within China that occur outside of China should also be governed by the Personal Information Protection Law when corresponding conditions are met.

In this case, the court held after trial that Gao Company is a foreign legal person and that this is a foreign-related case. Under Article 3 of the Personal Information Protection Law, the personal information processing involved in this case falls under the circumstance of being "for the purpose of providing products or services to natural persons within the country", and all parties agreed at trial to apply Chinese law to this case. The Personal Information Protection Law and other laws were therefore ultimately applied to this case.

The court did not rely on Article 3, Paragraph 1 of the Personal Information Protection Law, but instead determined the applicable law based on Paragraph 2. It can be inferred that Gao Company has no entity within China (the judgment also states that the company's domicile is in France) and that the company presumably processed the plaintiff's personal information overseas. Since all parties agreed to apply Chinese law in this case, the court did not analyze this point. Nevertheless, the "target market" jurisdiction principle established in Article 3 (2) of the Personal Information Protection Law has important practical significance, and although the court did not conduct an analysis here, this case can still serve as a reference case for that principle. At the same time, it should be noted that Article 53 of the Personal Information Protection Law stipulates that personal information processors outside the territory of the People's Republic of China, as referred to in Article 3, Paragraph 2 of this Law, shall establish specialized agencies or designate representatives within the territory of the People's Republic of China to handle matters related to personal information protection, and shall submit the names, contact information, etc. of the relevant agencies or representatives to the department responsible for fulfilling personal information protection duties.
3、 Do individual lawsuits require preconditions?

One of the points of dispute summarized in the judgment is whether the case is justiciable. The issue arises because Article 50 (2) of the Personal Information Protection Law stipulates that after a personal information processor refuses an individual's request to exercise their rights, the individual may file a lawsuit with the people's court in accordance with the law. In this case, the two defendants relied on this provision to argue that Zuo should first have asserted his rights against the personal information processor and could file a lawsuit only after being refused, and that this case therefore lacks justiciability.

According to the aforementioned claim of Zuo, "1. Order the two defendants to provide all recipient information of Zuo's personal information received overseas, including the recipient's name (name), contact information, processing purpose, processing method, and type of personal information, and order the two defendants and all recipients to delete all of Zuo's personal information from their respective original data storage carriers, and provide relevant proof or be supervised by the court." This seems to be a claim for access and deletion rights, which should be subject to the provisions of Article 50 (2) of the Personal Information Protection Law, and require individuals to assert their rights against personal information processors as a prerequisite.

However, the court took a different view. The court held that the "personal information rights and interests" protected by the Personal Information Protection Law are personality rights on a par with the rights of privacy and reputation. Among them, the "right to know and decide on personal information" is the core content of personal information rights and interests, while the "right to access and copy personal information" is an instrumental right, and the two are not on the same level. When an individual claims that their right to know and decide on personal information has been infringed, the claim is that their personal information rights and interests have been infringed. In that situation, the party concerned has the right to directly request that the infringer bear tort liability based on Article 120, Article 995, and Article 1167 of the Civil Code of the People's Republic of China. When an individual files a lawsuit purely on the grounds that instrumental rights such as the right to access and copy personal information have not been exercised, the party concerned bears the burden of proving that their specific rights and interests in personal information cannot be realized. Only then should the provisions of Article 50 (2) of the Personal Information Protection Law be applied for judgment.

Specifically, Zuo filed this lawsuit because he believed that the two defendants did not provide truthful, accurate, and complete information when processing his personal information, resulting in infringement of his right to make informed decisions. This case is therefore not simply a lawsuit for exercising the rights of access and deletion, but a lawsuit for infringement of personal information rights and interests. The court accordingly determined that no pre-litigation procedure is required for this case and that it is justiciable.

It is worth mentioning that in the first case of personal information access and reproduction right dispute in China (the case of Zhou Mou suing an e-commerce company for personal information protection dispute, Guangzhou Internet Court (2021) Yue 0192 Min Chu No. 17422), the plaintiff claimed no rights to the defendant company, and then filed a lawsuit to the court. This case is consistent with the path of the court's determination of access, reproduction and other instrumental rights in this case.
4、 How to determine infringement of personal information rights?

In this case, the court reviewed the legality of the personal information processing to determine whether it infringed personal information rights and interests. The key issues include informed consent, necessity for the performance of the contract, and separate consent.
1. Regarding informed consent

The court first analyzed whether Zuo's act of clicking and checking Gao Company's "Customer Personal Data Protection Charter" had the legal effect of informed consent. The judgment holds that, under China's Personal Information Protection Law, the legal bases for processing personal information are centered on individual consent, supplemented by six other legal bases such as necessity for the performance of a contract. "Notification" and "consent" need to be understood separately: processing personal information requires both informing the individual (except in exceptional circumstances) and obtaining their consent (where consent is the legal basis). The court found that in this case Gao Company presented on the client side a "Customer Personal Data Protection Charter" of nearly 20000 words, which described the recipients of personal information shared overseas as internal personnel and departments in multiple countries, business partners, and marketing departments. The personnel and geographical scope were not clearly indicated, nor was it clearly indicated where personal information would be transmitted and how it would be processed. It therefore does not comply with the relevant provisions of Article 7 and Article 17 of the Personal Information Protection Law, fails to reflect the principle of openness and transparency, and fails to enable users or consumers to obtain truthful, accurate, and complete notification content in clear and understandable language.

The judgment summarizes its understanding of the informed consent mechanism in three aspects: ① The informed consent mechanism is a series of normative measures for achieving friendly, reasonable, and effective interaction between personal information processors and individuals (users or consumers), safeguarding individuals' right to know and decide on personal information; ② In the digital age, individuals and personal information processors are in an unequal relationship in terms of technological capabilities and distribution of power. The key to the informed consent mechanism lies in the disclosure obligation of personal information processors. Article 17 of the Personal Information Protection Law requires personal information processors to inform individuals truthfully, accurately, and completely, in a prominent manner and in clear language, which is also an important way to strengthen personal information processors' self-compliance; ③ Mechanisms such as the setting of display interfaces or channels for notification and reasonable notification timing and frequency can provide users (consumers) with relevant knowledge of personal information protection, strengthen their awareness of personal information protection, and reflect full respect for their personal information rights and interests.

As for the legal effect of "consent", the judgment holds that, given the current state of personal information protection and processing in China, a user's (consumer's) act of clicking and checking the privacy policy displayed in a mobile application (APP) does not necessarily have the legal effect of "consent" to that privacy policy. The court further summarized the criterion for determining the legal effect of "consent": whether the subsequent personal information processing requires enhanced notification and consent. If it does, checking the privacy policy does not have the legal effect of "consent"; otherwise, it does.
2. Regarding the necessity of fulfilling the contract

Gao Company argued that the legal basis for its personal information processing was necessity for the performance of a contract under Article 13, Paragraph 1, Item 2 of the Personal Information Protection Law, so that the individual's consent was not required. The court did not agree.

Zuo booked a hotel in Myanmar through the A * mobile application (APP) operated by the defendant Gao Company. The two parties established a hotel booking contract, and Gao Company transmitted Zuo's personal information to the hotel in Myanmar and to the hotel's central reservation system located at its headquarters in France for management and operation. The court considered these actions legitimate and necessary. However, the court found that the scope of recipients and the purposes of the two defendants' overseas sharing of personal information were unreasonable.

In terms of recipients, Gao Company's "Customer Personal Data Protection Charter" lists seven categories of persons with whom personal data is shared, including business partners and marketing department personnel, which exceeds the scope necessary for the performance of the contract. Necessity for the performance of a contract should be objective necessity, that is, the scope of entities entrusted by the personal information processor with shared processing should be legitimate and necessary for the performance of the contract. In this case, sharing with all business partners and marketing department personnel of the hotel group is not necessary for the performance of the contract. It is worth noting that sharing with the full scope of recipients listed in the two defendants' Charter did not actually occur. However, the court held that the Charter, as a compliance basis, does not comply with the principles of openness and transparency in processing personal information. Moreover, according to the list of overseas recipients and information transmissions provided by the defendants, the actual scope exceeded what was necessary for the performance of the contract.

In terms of processing purposes, Gao Company's "Customer Personal Data Protection Charter" shows that its processing includes "commercial and marketing services", and the company actually transmitted information to, and had it processed by, a company located in the United States and Ireland for marketing communication purposes. The court held that commercial marketing using personal information without consent falls outside the scope and purpose of processing necessary for the performance of the contract and cannot be considered necessary for the performance of the contract. The judgment further drew on Article 24 (2) of the Personal Information Protection Law, which states that "when using automated decision-making methods to push messages or conduct commercial marketing to individuals, options that are not specific to their personal characteristics should be provided, or convenient refusal methods should be provided to individuals," reasoning that if refusal is possible, the processing is not necessary for the performance of the contract.
3. Regarding separate consent

Article 39 of the Personal Information Protection Law stipulates that the transmission of personal information outside the country shall obtain the individual's separate consent.

In this case, Gao Company did not take separate consent measures. It is worth noting, however, that in response to Gao Company's arguments the court analyzed the relationship between the legal bases in Article 13 (2) to (7) of the Personal Information Protection Law and "separate consent". The judgment recognizes that if the provision of personal information overseas has a legal basis under Article 13 (2) to (7) of the Personal Information Protection Law, neither notification nor individual consent is required. This is consistent with Article 13, Paragraph 2 of the Personal Information Protection Law, which states that "in accordance with other relevant provisions of this Law, personal consent shall be obtained for the processing of personal information, but in the circumstances specified in the second to seventh items of the preceding paragraph, personal consent is not required."

In summary, the court held that Gao Company's information processing did not obtain the user's consent/individual consent, exceeded what was necessary for the performance of the contract, had no legal basis, and constituted illegal processing of personal information.
5、 How to determine and bear civil tort liability?
1. Regarding the responsible party

The defendant, Qin Company, is an affiliated company of Gao Company established in China and is an independent legal entity. The court held that the disputed export of personal information in this case was carried out by the defendant Gao Company, and did not support Zuo's claim that Qin Company and Gao Company jointly committed infringement.
2. Regarding the compensation amount

Zuo's claims involve two heads of damages: an economic loss of 50000 yuan; and a cost of lost work of 9600 yuan, the cost of hiring two lawyers at 9600 yuan each, and a translation fee of 2500 yuan. The total amount was 71700 yuan, and the first instance court supported compensation of 20000 yuan for damages.

Article 69, Paragraph 2 of the Personal Information Protection Law stipulates that the liability for damages as stipulated in the preceding paragraph shall be determined based on the losses suffered by the individual or the benefits obtained by the personal information processor as a result; if it is difficult to determine the losses suffered by the individual and the benefits obtained by the personal information processor as a result, the compensation amount shall be determined based on the actual situation.

In this case, the court further relied on Article 12 (1) of the "Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Disputes Involving the Infringement of Personal Rights and Interests through the Use of Information Networks", which states that "reasonable expenses paid by the infringed party to stop the infringing act may be recognized as property losses under Article 1182 of the Civil Code. Reasonable expenses include reasonable expenses incurred by the infringed party or its authorized agent in investigating and collecting evidence of the infringing act. The people's court may, at the request of the parties and based on the specific circumstances of the case, calculate lawyer fees that comply with relevant national regulations within the scope of compensation." The judgment stated that, with respect to the translation and evidence collection fees and lawyer fees claimed by Mr. Zuo, and the minimum calculation standard for the claimed lawyer fees, taking into account the reasonableness and necessity of the fees, the degree of fault of Gao Company and the consequences of the damage, and the specific use, quantity, scope, and degree of Mr. Zuo's personal information, the court determined in accordance with the law that Gao Company shall compensate Mr. Zuo for an economic loss of 20000 yuan (including reasonable expenses).

From the above, it appears that the court either did not support Zuo's claim for an economic loss of 50000 yuan, or combined the damage to personal information rights and interests with the reasonable expenses paid to stop the infringement. The court therefore did not specify the method for determining damages for infringement of personal information rights and interests. Generally speaking, there are two approaches to calculating damages to personal information rights and interests: "quantity based" and "effect based". The former multiplies the number of items of personal information involved by the amount of damage caused per item, while the latter is determined based on the circumstances of the case. In this case, the court did not examine the quantity of personal information involved, and it can be inferred that it did not adopt a "quantity based" approach. However, given the characteristics of this case, it remains to be seen whether this will become a common method of determination in personal information protection disputes in the future.
3. Regarding the apology

Zuo demanded that Gao Company publicly apologize on the homepage of its mobile application (APP). The judgment pointed out that, under Article 998 and Article 1000 of the Civil Code, Gao Company's civil liability for infringement should take into account the professions, scope of influence, and degree of fault of both parties in this case, as well as the purpose, method, and consequences of the infringement. Gao Company's civil liability to apologize for infringing the information rights and interests of the individual should be commensurate with the specific manner and scope of influence of the conduct. On this basis, the court held that it was not appropriate for Gao Company's apology to be made public, and that a written apology from Gao Company to Zuo was appropriate.
6、 Implications for Corporate Compliance

At the end of the judgment, the court pointed out that "since the implementation of China's Personal Information Protection Law, various mobile application (APP) operators have actively made compliance improvements, but there are still a considerable number of personal information processors who have not correctly understood the legal significance of clicking and selecting privacy policies, as well as the relationship between individual consent and informed consent. The understanding and implementation of the legality of personal information processing are improper, and this should be highly valued by the industry." The judgment was made on September 8, 2023, and issues such as privacy policy compliance and personal information processing compliance remain key issues of personal information protection compliance in the industry today. We have also observed that some companies' privacy policies still carry compliance risks, such as non-standard disclosure and forced consent, which not only violate the relevant requirements of the Personal Information Protection Law but also fail to comply with the special rectification requirements of the relevant regulatory departments. These deserve the attention of the companies concerned, together with timely compliance adjustments. Based on this case, it is recommended that relevant enterprises pay attention to the following points in the compliance process:
1. Improve privacy policy

As stated in the judgment, "the informed consent mechanism is a friendly, reasonable, and effective interaction between personal information processors and individuals (users or consumers)," and privacy policies are often the main or even the only carrier of the informed consent mechanism. Therefore, privacy policies are not simply text stuffing, but a comprehensive reflection of personal information processing activities. Developing a privacy policy is not simply a matter of textual writing, but rather a textual presentation based on compliance activities. Moreover, privacy policies should be adjusted in a timely manner according to changes in business activities to prevent and reduce compliance risks in personal information protection. The judgment of this case provides a detailed discussion on the principle of "informed consent", reflecting the court's evaluation and views on privacy policies in judicial practice, and is an important reference material for the construction of enterprise data compliance systems. From the judgment of this case, it can be seen that the court has put forward high requirements for the writing of corporate privacy policies. When writing privacy policies, companies should pay attention to being clear, specific, and explicit. Taking information transmission as an example, the judgment believes that the disclosure of information transmission matters in the enterprise privacy policy should reach the level that allows users to "clearly know where their personal information will be transmitted and how it will be processed" after reading the privacy policy. At the same time, in practice, enterprises tend to list all "possible" information transmission and sharing matters in their privacy policies for reasons such as notification efficiency. However, this way of writing privacy policies is considered "inconsistent with the principle of openness and transparency in handling personal information" in this case. 
This type of notification method is indeed prone to causing misunderstandings among users, making them believe that their personal information has actually been transmitted and shared within such a broad scope, resulting in user dissatisfaction and incurring legal burdens for the enterprise. Enterprises should take this case as a lesson and adjust such disclosure clauses based on actual circumstances.
2. Pay attention to the compliance of "consent"

Article 13 of the Personal Information Protection Law establishes the legality basis with individual consent as the core, and further stipulates "separate consent" and "written consent" in corresponding provisions. Therefore, in the compliance process of enterprises, it is advisable to clarify the scenarios of personal information processing. For scenarios that require "separate consent" or "written consent", special attention should be paid, and appropriate "separate consent" or "written consent" methods should be selected based on relevant standard guidelines or industry practices. For example, the cross-border transmission of personal information involved in this case is a typical scenario that requires "separate consent".
3. Protecting users' personal information rights

Chapter 4 of the Personal Information Protection Law stipulates the "rights of individuals in personal information processing activities", including the rights to access, copy, carry, correct, delete, and obtain interpretation and explanation, as well as the rights of close relatives of the deceased. Personal information rights are one of the important contents of the Personal Information Protection Law and a common cause of disputes over personal information protection. In the process of corporate compliance, it is advisable to establish compliance mechanisms and methods for responding to rights requests, as well as for crisis response, to ensure that disputes can be handled properly and effectively. In particular, the court in this case determined that, for a lawsuit based purely on such rights, first asserting the rights against the personal information processor is a prerequisite for the individual's lawsuit. Therefore, if a compliant mechanism for responding to personal information rights requests is implemented, litigation disputes can to a large extent be effectively avoided.
4. Pay attention to policy trends

In this case, when evaluating whether the scope of information collected by the defendant conformed to the provisions of the Personal Information Protection Law, the court identified the scope of personal information collection by reference to the provisions on travel and hotel mobile applications in the Provisions on the Scope of Personal Information Necessary for Common Types of Mobile Internet Applications. It can be seen that such administrative regulatory documents are important reference standards for evaluating the compliance of personal information processors' behavior in judicial practice. At present, the data management rules of various industries in China are being constructed and improved. It is recommended that enterprises pay attention to changes in the data management regulations of the industries in which they operate, and conduct self-inspection and improvement of their compliance situation in a timely manner according to the requirements.