In September 2024, the Guangzhou Internet Court published the first-ever decision[1] interpreting the requirements for cross-border transfers of personal information[2] under China's Personal Information Protection Law ("PIPL").[3] This decision has significant implications for companies handling personal information of individuals located in Mainland China.
The PIPL is China's first comprehensive data privacy law. Effective since November 1, 2021, the law applies both to data processing activities taking place within Mainland China and to activities outside of China that relate to the personal information of individuals located in Mainland China. Although the PIPL is similar to the European Union's ("EU") General Data Protection Regulation ("GDPR") in many aspects, it differs in its particular requirements related to the cross-border transfer of personal information. One such requirement is the obligation to obtain "separate consent" from the individual before transferring their data abroad, whereas under the GDPR, consent is one of the derogations allowing for international transfers of data. Under the PIPL, the individual should also be provided notice beforehand about the foreign receiver's name, contact method, handling purpose, handling methods, categories of personal information being transferred, and procedures to exercise their rights with the foreign entity.
The Guangzhou Internet Court's decision (the "Decision") clarified the scope of this consent requirement. According to the Decision, a company seeking to transfer an individual's personal information outside of Mainland China need not obtain the individual's consent so long as the scope and purpose of the transfer are necessary for the company to perform its contract with the individual. However, to the extent the company exceeds the scope and purpose that are necessary, it needs to obtain the individual's "separate consent," which must be specific and explicit, and cannot be bundled together with general consent for other purposes. Mere checkbox consent to a privacy policy also does not constitute "separate consent."
Overview of Consent and Cross-Border Transfer Requirements Under the PIPL
Article 13 of the PIPL provides seven legal bases for the processing of personal information. First and foremost, a personal information handler can process the personal information of an individual who has consented to the processing. Absent such consent, the handler can still process the information under one of six bases: (1) where necessary to conclude or fulfill a contract in which the individual is an interested party or necessary to conduct human resources management; (2) where necessary to fulfill statutory duties; (3) where necessary to respond to sudden public health incidents or protect a person's life, property, and health; (4) for news reporting and other activities for the public interest; (5) where the information has already been disclosed; and (6) for other circumstances provided under the relevant laws or regulations.
Articles 38 and 39 outline the main requirements for cross-border transfers of personal information. Under Article 38, a personal information handler must meet one of four conditions before such transfer: (1) undergoing personal information protection certification conducted by a specialized body (e.g., the China Cybersecurity Review Technology and Certification Center)[4]; (2) concluding a contract with the foreign receiving side in accordance with a standard contract[5]; (3) obtaining a security assessment organized by the State cybersecurity and informatization department;[6] or (4) other conditions provided under laws or administrative regulations.
Article 39 also requires the personal information handler to provide notice to and obtain separate consent from the individual whose data is being transferred. The notice should include the foreign receiving side's name, contact method, handling purpose, handling methods, and categories of personal information, as well as ways or procedures for the individual to exercise their rights provided under the PIPL with the foreign receiving side.
The Underlying Case
The case was brought by a Chinese consumer (the "Plaintiff") who purchased membership cards of a French hotel group (the "Group") through its affiliate in China (the "Affiliate") (collectively, the "Defendants"). After the purchase, Plaintiff received a link to download a mobile booking app operated by the Group and subsequently booked a hotel in Myanmar through the app. To complete the booking, Plaintiff provided his name, nationality, phone number, email, and bank account number, and agreed to the app's extensive privacy policy (the "Privacy Notice") by checking an "I agree" box. Plaintiff later discovered that the Group relied on this single checkbox consent as a basis to transfer his personal information to Defendants' personnel and business partners located in countries other than Myanmar.
Plaintiff claimed that Defendants violated Article 39 of the PIPL for failure to provide specific notice regarding the foreign recipients of his personal information and for failure to obtain Plaintiff's "separate consent" regarding the transfer of his personal information to those entities. Plaintiff also made allegations concerning Defendants' failure to meet any of the four conditions for transferring personal information abroad under Article 38 but did not appear to have asserted a cause of action for this violation.
Defendants made two main arguments in response. First, Defendants argued that they need not obtain Plaintiff's consent for the transfer of his personal information abroad because the transfer was necessary to "fulfill a contract" under Article 13 for the provision of membership services to Plaintiff.[7] Second, Defendants argued that Plaintiff's checkbox consent to the Privacy Notice constituted proper notice and consent under Article 39. Defendants noted that the Privacy Notice contained detailed disclosures about the Group's potential transfer of his personal information abroad for the purposes of providing services and customized advertising, including to entities located in "South Africa, Algeria, Andorra, Angola, Saudi Arabia, and 69 other countries."[8]
The Court held that the scope of the transfer exceeded what was necessary for Defendants to manage Plaintiff's hotel booking in Myanmar, and therefore, Defendants were required under Article 39 to obtain Plaintiff's "separate consent" for the transfer of his personal information abroad. The Court held that Defendants violated Article 39 since Plaintiff's checkbox consent did not constitute "separate consent."
The Court's Opinion
First, the Court addressed Defendants' argument that their transfer of Plaintiff's personal information abroad did not require Plaintiff's consent since, pursuant to Article 13 of the PIPL, the transfer was necessary to fulfill their service contract with Plaintiff. To determine whether consent was required, the Court considered whether the scope and the purpose of the transfer were necessary to fulfill the contract.
The Court found that the scope of the personal information transferred was necessary to fulfill the parties' service contract (i.e., Plaintiff's booking of a hotel in Myanmar). The Court referenced the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, noting that information such as name, telephone number, email address, physical address, and bank information is necessary for hotel booking transactions. However, the Court found that the scope of the recipients -- including all of the Group's business partners and marketing personnel -- went well beyond what was necessary to perform the parties' contract.
Similarly, the Court found that the purpose of the transfer exceeded what was necessary to fulfill the parties' contract. The Court found that Defendants transferred Plaintiff's personal information to entities in the United States and Ireland for the purpose of business marketing, which was not necessary to manage Plaintiff's booking of a hotel in Myanmar. The Court noted that the purpose of a service contract is for the consumer to receive services, not to be profiled for advertising purposes.
Accordingly, the Court held that, absent any other valid basis for processing under Article 13, "separate consent" was required for the cross-border transfer of Plaintiff's personal information under Article 39.
Second, the Court interpreted the "separate consent" requirement under Article 39. As a threshold matter, the Court noted that, as a matter of law, checkbox consent to a general privacy policy does not constitute separate consent. The Court explained that "separate consent" is a type of "enhanced consent," and refers to an individual's specific, explicit authorization for a certain processing of their personal information. The Court further explained that "separate consent" requires "separate notification," and is not valid for multiple purposes or multiple types of use of personal information. Here, the Court found that the Privacy Notice at issue provided only "general notice," as opposed to "enhanced notice." The Court noted that the Privacy Notice only vaguely described the potential foreign recipients of a user's personal information to include, among others, "people and departments within the Group" and "business partners and marketing staff"; it did not clearly delineate the scope of these categories.
Accordingly, the Court held that Defendants violated Article 39 of the PIPL by failing to obtain Plaintiff's "separate consent" for the transfer of his personal information beyond what was necessary to manage his hotel booking in Myanmar, including, for example, the transfer of his information to the United States and Ireland for business marketing purposes.
The Court awarded Plaintiff 20,000 RMB (around 2,840 USD) in damages, based on an assessment of the method and scope of Defendants' unlawful use of Plaintiff's personal information, as well as Plaintiff's litigation costs and expenses. Pursuant to Article 47 of the PIPL, the Court also ordered Defendants to promptly erase all of Plaintiff's personal information stored in their systems and provide a written apology to Plaintiff.