Guangdong: Guangzhou Internet Court issues decision on cross-border transfer of personal data under PIPL
On September 10, 2024, OneTrust DataGuidance Research confirmed with Dora Luo (Duoqun), partner at Hunton Andrews Kurth, that on September 8, 2023, the Guangzhou Internet Court issued a decision in case No. (2022) Yue 0192 Minchu 6486 regarding cross-border transfer of personal data under the Personal Information Protection Law (PIPL).
Background of the decision
The court outlined that the plaintiff claimed that two defendants (a Shanghai consultancy and a French company) transferred their personal data (i.e., name, telephone number, email, zip code, address, nationality, and bank card number) to various regions and recipients worldwide in the context of a hotel reservation.
Furthermore, the plaintiff alleged that the defendants failed to provide true, accurate, and complete information when handling their personal information and collecting their consent, and did not clearly state the purpose, method, and scope of personal information processing, which infringed their right to informed decision under PIPL.
Findings of the court
First, the court held that a lawsuit against a personal information handler for failing to exercise the right to access and deletion may be brought only after the data subject exercises the right against the data handler and such a request is rejected. In the present case, the plaintiff's lawsuit was based on the unlawful processing of personal information by the data handler, which resulted in the infringement of the data subject's right to information and decision-making.
Regarding notification and consent, the court decided, among other things, that:
- in the notification and consent mechanism, the 'notification' and 'consent' should be understood separately;
- the personal information handler cannot assume that the customer's clicking on a checkbox for a displayed privacy policy completes the obtaining of enhanced consent;
- if no enhanced consent is required, clicking on a checkbox for a displayed privacy policy has the legal effect of consent; and
- if subsequent processing requires enhanced notification and consent, checking the privacy policy does not have a legal effect of consent.
Regarding the necessity to process personal information for the fulfillment of the contract, the court held, among other things, that:
- the scope of personal information collected and processed by the defendants was not inappropriate for the purpose of making a hotel reservation;
- the legal basis of 'necessary for the performance of the contract' is to be understood as an objective necessity and should be judged based on the purpose of the contract; and
- commercial marketing operations of personal information without consent cannot be considered necessary for the performance of the contract.
Following the above, the court decided that from the perspective of the scope of overseas recipients and geographic scope, sharing personal information with all the hotel group's business partners and marketing staff was not necessary for the performance of the contract, and the defendants violated the law.
Lastly, regarding separate and individual consent for the cross-border transfer, the court outlined that:
- clicking on a checkbox of the privacy policy does not constitute separate consent, nor does the plaintiff's checking of the Client's Personal Data Protection Charter; and
- Article 13(2)-(7) of the PIPL outlines the types of legal bases on which to base the processing of personal information - if the legal basis of 'necessary for the performance of a contract' is applicable, the legal basis of consent is neither possible nor necessary.
Following these observations, the court concluded that the defendants could not base the processing of personal information for cross-border transfers for the purpose of marketing activities on the necessity for the performance of a contract and should have obtained individual and separate consent from the plaintiff.
Outcomes
The court decided that the defendants must:
- issue a written apology to the plaintiff;
- delete all of the plaintiff's personal information, including from the receivers, within 10 days of the date of the legal effect of the judgment; and
- one of the defendants must pay CNY 20,000 (approx. $2,820) in damages (e.g., evidence collection fees and attorney fees) to the plaintiff within 10 days of the date of the legal effect of the judgment.