China’s First Judicial Case on Data Cross-border Transfer

In the “Ten Typical Cases of Cross-border Data Disputes” released by the Guangzhou Internet Court in September 2024, the case concerning the cross-border transfer of personal information by an international hotel company [(2022) Yue 0192 Min Chu No. 6486] is called “the first case of cross-border transfer of personal information” in China. It sets out initial judicial review rules for the cross-border processing of personal information, provides a judicial model for the practical exploration of cross-border transfer of personal information, and has certain reference value. This article introduces the rules for reviewing the legality of cross-border processing of personal information indicated by the Guangzhou Internet Court in this case.

1. Brief Introduction

In this case, the plaintiff (a natural person) purchased a membership card of an international hotel company (the defendant) and booked overseas accommodation services through the hotel APP. During the booking process, the plaintiff clicked to agree to the “Customer Personal Information Protection Rules” (“Rules”) provided by the hotel, and provided information such as name, phone number, nationality, bank account and so on. Later, the plaintiff found that all the personal information submitted would be transmitted to and shared with multiple overseas regions and entities. The plaintiff believed that the hotel’s cross-border transmission and sharing of personal information exceeded what was necessary to perform the contract and that the hotel should bear infringement liability, and therefore sued in the Guangzhou Internet Court.

The effective judgment of the Guangzhou Internet Court held that the defendant’s collection of personal information for consumers to book overseas hotel services, and its transfer of that information to the corresponding overseas hotel, is necessary for the performance of the contract and does not require separate consent. However, the defendant failed to follow the principle of openness and transparency, failed to inform the individual of the processing rules truthfully, accurately and completely, and failed to correctly perform its notification obligations in accordance with the law. In addition, the defendant’s transfer of personal information to a third-party company located in other overseas countries and regions, for processing for commercial marketing purposes, exceeded what was necessary for the performance of the contract, and the defendant did not fully inform the data subject or obtain separate consent. This was an illegal processing act that infringed the rights and interests of personal information protection, for which the defendant shall bear civil tort liability. The court ordered the defendant to apologize to the plaintiff, delete all of the plaintiff’s personal information, and compensate RMB 20,000 for property losses (including reasonable expenses for rights protection).

2. Implications for cross-border processing of personal information

(1) How to determine that the processing of personal information is “necessary for the performance of the contract”

In its judgment in this case, the Guangzhou Internet Court stated that whether the processing of personal information is “necessary for the performance of the contract” is determined mainly on the following two aspects: (i) whether the scope of personal information collected and processed, and the scope of sharing with other overseas recipients, is necessary to perform the contract; (ii) whether the purpose of processing is necessary for the performance of the contract. From the perspective of the scope of personal information collection, the processing of personal information shall have a clear and reasonable purpose, shall be directly related to the purpose of processing, and shall adopt the method that has the least impact on the rights and interests of individuals.

(2) How to fulfill the obligation to inform and obtain consent

In this case, the court indicated that the legal basis for processing personal information is the consent of the individual, and that the individual’s consent is premised on the individual being clearly informed, so legality should be examined at two levels: notification and consent.

Regarding the obligation to “inform”, unless otherwise provided for by law, the personal information processor shall inform individuals in accordance with the principles and methods stipulated in Articles 7 and 17 of the Personal Information Protection Law of the People’s Republic of China, and disclose the personal information processing rules. That is, it shall inform individuals, in a conspicuous manner and in clear and understandable language, truthfully, accurately and completely, of the name and contact information of the personal information processor; the purpose, method, scope and retention period of personal information; the manner and procedure by which an individual exercises their legal rights, etc.

With regard to “consent”, except for the exceptions provided for in Article 13 of the Personal Information Protection Law, personal information processors shall obtain the consent of users in advance. In the following five situations, it is also necessary to obtain the user’s separate consent: providing personal information to other personal information processors; disclosing personal information; using personal images and identification information collected in public places through image collection and personal identification devices for purposes other than maintaining public safety; processing sensitive personal information; providing personal information overseas.

(3) Whether a user’s tick to agree to the personal information processing rules in the APP necessarily has the legal effect of “consent”

The Guangzhou Internet Court made it clear in this case that a user’s click on the privacy policy displayed by a mobile application (APP) does not necessarily have the legal effect of consent to the privacy policy. Whether the click has the legal effect of consent depends on whether the subsequent processing behavior of the personal information processor requires enhanced notification and consent. If it does (such as in a situation that requires the user’s separate consent), ticking the privacy policy will not have the legal effect of consent. Only when enhanced notification and consent are not required can such a tick have the legal effect of consent.

3. Conclusion

The above-mentioned case is currently a benchmark case in the field of legality review of cross-border processing of personal information in China, and offers a useful exploration in judicial practice for the legality review of cross-border transmission of personal information. It is recommended that data processors involved in cross-border transfer of personal information collect information only within the necessary scope, prudently perform obligations such as notification and consent in light of this case, and conduct a compliance review of personal information processing activities in advance to ensure that the transmission of processed information is compliant.

Jennie Lin

Associate
Jennie Lin, a Junior Associate at D’Andrea & Partners Legal Counsel, is based in the Shanghai office.

Aris Xie

Senior Associate
Aris Xie is a Senior Associate at D’Andrea & Partners Legal Counsel, located in Shanghai.
