Landmark China Data Ruling Offers Critical Lessons for Multinationals on Cross-Border Transfers

By Norah Chen, Victoria Lei and Maarten Roos

This article provides a detailed analysis of the case discussed in our earlier article on this ruling.

I.  Introduction

In September 2024, the Guangzhou Internet Court published one of its top ten cross-border data dispute cases, marking the first publicly disclosed judgment concerning the cross-border transfer of personal information under China's Personal Information Protection Law (PIPL). This ruling sets a significant precedent for both domestic and foreign organizations processing personal information of individuals in China.

Much of the dispute in this case centered on whether the international hotel group had unlawfully transferred a Chinese consumer's personal information to multiple recipients located abroad. The decision highlights several key points for businesses processing or transferring personal data across borders, particularly around notice-and-consent obligations, contractual necessity, and the PIPL's "separate consent" requirement.

II.  Case Background

1. Parties Involved

1) Plaintiff (Mr. Zuo)

Mr. Zuo, a customer who booked a hotel in Myanmar through A Hotel Group (name partially redacted), discovered that his personal data was being transferred to other international entities. He claimed that these data transfers violated the PIPL.

2) 1st Defendant (Qin Business Consulting Company, name partially redacted)

A Shanghai-based company linked to A Hotel Group operates a platform to sell membership cards. Mr. Zuo also acquired two membership cards from Qin Business Consulting Company, granting him the ability to purchase hotel services from A Hotel Group at a discounted rate.

3) 2nd Defendant (A Hotel Group, name partially redacted)

A multinational hotel management group headquartered in France manages a global membership rewards program and a central reservation system. This defendant was specifically accused of transferring the Plaintiff's personal data internationally without obtaining the requisite separate consents.

2. Factual Overview

In 2021, Mr. Zuo became a member of the A Hotel Group's hotel loyalty program. In early 2022 he booked a hotel in Myanmar using the A Hotel Group's "A**" mobile application, and provided personal details such as his name, nationality, phone number, email address, and bank card information. Mr. Zuo noticed that the A Hotel Group's "Customer Personal Data Protection Policy" permitted the sharing of his personal data across various countries for marketing or other promotional activities. Concerned that these international data transfers were being conducted without a lawful basis under the PIPL, and concerned about his right to privacy, Mr. Zuo decided to initiate legal action against the Defendants.

3. Plaintiff's Allegations

The Plaintiff challenged the privacy policy maintained by A Hotel Group, arguing that it unnecessarily broadened the range of potential countries and recipients which could access his personal data, thus obscuring his understanding of where and how his data was being processed.

He contended that the extent of data processing and cross-border transfers far exceeded what was strictly necessary for the purposes of booking and fulfilling the requirements of the hotel reservation contract.

Moreover, he claimed that the Defendants failed to adhere to any of the three legally recognized methods for cross-border data transfer under Chinese law (an official security assessment, personal information protection certification, or the use of standard contractual clauses).

He also accused them of not obtaining proper "separate consent" for non-essential uses of his data, such as for marketing purposes.

4. Court's Decision

Ultimately, the Court:

1) Ruled partially in favor of the Plaintiff, finding that certain marketing-related data transfers abroad by the A Hotel Group lacked a valid legal basis.

2) Held that the A Hotel Group unlawfully processed the Plaintiff's personal data (especially for marketing purposes) but recognized that transfers strictly to Myanmar (for hotel booking) and France (for managing the customer relationship system, CRS) were necessary and thus lawful without separate consent.

3) Found that the 1st Defendant did not partake in the actual cross-border transfers, so it was not jointly liable.

4) Ordered the A Hotel Group to delete the Plaintiff's data, provide a written apology, and pay CNY 20,000 in damages covering economic losses and certain reasonable expenses.

III.  Court's Key Findings

The Court's judgment delved deeply into the legal framework governing personal data protection, particularly focusing on notice-and-consent obligations, contractual necessity, and the requirement for separate consent under the PIPL. These findings provide critical insights for businesses engaged in cross-border data transfers.

1. Notice-and-Consent Obligations

1) Transparency and Clarity in Privacy Policies

The Court emphasized that privacy policies must adhere to the principles of openness and transparency as mandated by the PIPL. In this case, the A Hotel Group's "Customer Personal Data Protection Policy" was nearly 20,000 words long and listed numerous countries and recipients for data transfer, including those for marketing purposes. However, the policy failed to clearly specify which data would be shared with which entities and for what specific purposes.

The Court held that such broad and vague disclosures do not satisfy the PIPL's requirements for transparency. Users must be able to easily understand who receives their data and how it will be used. Overly generalized policies can mislead users into believing their data is being handled in a manner that aligns with their consent when, in reality, this may not be the case.

2) Validity of Consent Through Simple Clicks

The Court further clarified that one simple action such as clicking an "I agree" button does not automatically constitute valid consent for all forms of data processing, especially for high-risk activities such as cross-border transfer of personal information for marketing purposes. Under Article 39 of the PIPL, separate consent is required for such specific data processing activities unless another legal basis applies.

A Hotel Group's approach of embedding extensive data sharing permissions within a single, lengthy privacy policy and relying solely on user consent through a checkbox was deemed insufficient. Effective consent mechanisms should involve specific, informed, and voluntary actions that reflect the user's understanding of and agreement to particular data processing activities.

2. Contractual Necessity

1) Legitimate Basis for Data Processing

The Court acknowledged that the transfer of Mr. Zuo's personal data to the hotel in Myanmar and to the French CRS was necessary to fulfill the contractual obligations related to his hotel booking and for membership services. This falls under Article 13(1)(2) of the PIPL, which allows for personal data processing without explicit consent when it is necessary for the performance of a contract to which the data subject is a party.

However, the Court scrutinized the breadth of data sharing beyond what was strictly necessary for performance of the contract(s). The privacy policy's reference to multiple business partners and marketing departments in various countries went beyond the data minimization principle, which requires that data processing should not exceed what is necessary for the stated purpose. Thus, while the initial data transfers for contract fulfillment were lawful, the subsequent transfers for marketing purposes were not justified under the principle of contractual necessity.

2) Data Minimization Principle

The data minimization principle under the PIPL mandates that personal data collection and processing must be limited to what is necessary to achieve the specific purpose. The Court found that sharing Mr. Zuo's data with a broad range of entities, particularly for marketing, exceeded what was necessary for contractual performance. This overreach invalidated the justification based on contractual necessity, leading to the conclusion that such data transfers required separate consent.

3. Separate Consent

1) Definition and Requirement

Under Article 39 of the PIPL, separate consent is required for specific high-risk data processing activities, including cross-border data transfers for purposes beyond contractual fulfillment, such as marketing. Separate consent entails distinct and explicit user authorization for each specific purpose, ensuring that consent is informed and specific rather than broad and general.

2) Implementation Challenges

A Hotel Group failed to obtain separate consent for the marketing-related data transfers. The Court highlighted that relying solely on a general consent through a lengthy privacy policy does not meet the PIPL's standards for separate consent. Effective separate consent mechanisms should involve clear and distinct actions by users, such as separate checkboxes or explicit prompts for different types of data processing activities.

3) Judicial Guidance

The Court referenced the national standard GB/T 42574-2023 (Guidelines for Notice and Consent in Personal Information Processing), which provides detailed guidance on implementing notice-and-consent mechanisms, including separate consent requirements. Although these guidelines are not legally binding, their inclusion in judicial reasoning indicates their increasing importance in regulatory and judicial assessments of data processing compliance.

IV.  Practical Implications

1) Strengthen Privacy Policy Drafting

Companies must ensure that their privacy policies are clear, concise, and specific. Policies should explicitly state: (a) which data is being collected; (b) who will receive the data; (c) for what purpose the data will be used; (d) how the data will be processed.

Businesses should also avoid overly broad or vague descriptions that could mislead users and may fail to meet the transparency requirements of the PIPL.

2) Implement Robust Notice-and-Consent Mechanisms

For high-risk data processing activities, such as cross-border transfers for marketing purposes, companies should obtain separate consent through distinct user actions (e.g. separate checkboxes, pop-up confirmations). Users must be properly informed about the specific purposes and recipients of their data.

3) Establish Clear User Rights Response Processes

Companies should develop efficient and user-friendly channels for handling data subject requests, including access, deletion, and correction of personal data. This not only helps reduce the likelihood of litigation by resolving disputes promptly, but is also a compliance obligation under the PIPL.

4) Manage Global Compliance Obligations

For multinational companies, we also advise: (a) designating a local representative or establishing an office in China as required by Article 53 of the PIPL; (b) ensuring cross-border data transfers comply with both Chinese laws and the laws of other jurisdictions involved, which may include filing with the government; (c) conducting regular personal information protection impact assessments (PIAs) to identify and mitigate risks associated with international data transfers.

V.  Conclusion

This landmark judgment by the Guangzhou Internet Court illustrates China's push for transparent and lawful data processing, especially when it comes to cross-border personal information transfers. The Court's detailed interpretation of "notice-and-consent", "contractual necessity", and "separate consent" offers critical guidance to companies handling personal data within or directed at the Chinese market.

As consumer awareness of data privacy concepts grows and judicial as well as regulatory scrutiny intensifies, organizations should proactively localize their data compliance frameworks, ensuring that cross-border data flows and related processing are justified and properly disclosed. Moving forward, businesses will do well to conduct thorough compliance assessments, adopt best practices from national standards, and implement meaningful user consent procedures – thereby reducing legal risk and preserving user trust in a data-driven business environment.


R&P's data privacy team supports international clients on compliance with China's extensive framework on data privacy, providing legal advice, completing personal information impact assessments, completing filings with the CAC, and responding to government investigations. For more information on how we can support you, please contact the authors at [email protected], [email protected] or [email protected] or your trusted contact at R&P.
