In August 2024, a judgment rendered by the Guangzhou Internet Court in 2023 was published on the China Judgment Website. In that case, an international hotel was found liable for infringement for unlawful handling of personal information. This is the first court decision in China involving cross-border transfers of personal information, and is informative for multinational corporations regarding the compliant handling of personal information under the legal framework of Mainland China, especially when sharing customers' personal information with overseas affiliates and third parties.
Background
The company in question is a multinational hotel management group registered in France. In 2021, the plaintiff, Zuo, purchased a membership card through the company's affiliate in China. In 2022, Zuo booked a hotel in Myanmar through the company's app. In the process, Zuo provided personal information, including his name, phone number, e-mail address, and bank card number, and accepted the privacy policy.
Afterward, the plaintiff discovered that, according to the company's privacy policy, his personal information would be shared with multiple overseas regions and receiving entities, and that neither the scope of those recipients nor the geographic scope of the sharing was clearly defined.
In the lawsuit filed by Zuo, the court found that the company had failed to inform Zuo of the details of the overseas recipients; furthermore, the company had shared Zuo's personal information with entities located in the U.S. and Ireland for marketing purposes, which went beyond what was necessary to perform the contract and was done without Zuo's separate consent.
The court ruled that the company had violated the Personal Information Protection Law. In addition to an apology and damages, the court required the company to provide Zuo with the details of the overseas recipients of his personal information and to delete all of his personal information.
Key Takeaways
To legitimize a cross-border transfer of personal information on the basis of "necessary for the performance of a contract", the scope of the personal information, the scope of the overseas recipients, and the purpose of the transfer must all satisfy the necessity requirement.
It was necessary for the company to transfer the plaintiff's personal information to the hotel in Myanmar and to the hotel's central reservation system at its headquarters in France in order to process the plaintiff's booking requests. However, the transfer of the plaintiff's personal information to the United States and Ireland for marketing purposes was not necessary.
For cross-border transfers of personal information for marketing purposes that go beyond what is necessary for the performance of the contract, the company must obtain the individual's separate consent; separate consent cannot be obtained simply by having the individual check a box accepting a blanket privacy policy.
Localization of Privacy Policies
Multinational companies conducting business in Mainland China need to localize their privacy policies to comply with local regulations. Full compliance with the EU GDPR does not necessarily satisfy the requirements of the Personal Information Protection Law. For example, when personal information is transferred and shared across borders, the Personal Information Protection Law requires personal information processors to give the individuals concerned complete notice of the overseas recipients and to obtain their separate consent.
Under the Personal Information Protection Law, organizations are required to conduct a personal information protection impact assessment before transferring personal information outside of China; where certain conditions trigger the regulatory mechanism for cross-border data transfers, the organization concerned may be required to obtain the approval of the Office of the Internet Information Office (OIIO), or to sign a Standard Contract for the Outbound Transfer of Personal Information and file it for the record.
The maximum fine under the Personal Information Protection Law can be up to 50 million yuan or 5% of the previous year's turnover.
The Importance of Conducting a Privacy Impact Assessment (PIA)
Implementing a Privacy Impact Assessment (PIA) is critical for any organization that handles personal data. A PIA helps identify and mitigate privacy risks before a data breach occurs. Its key components include:
- Identifying Vulnerabilities: Regular assessments can reveal weaknesses in security protocols and data handling practices.
- Establishing Policies: Organizations must have comprehensive data protection policies and guidelines in place to ensure compliance with privacy regulations.
- Training and Awareness: Educating employees about data privacy and security best practices is critical to fostering a culture that is vigilant and values privacy.
DQS Related Services:
- DQS provides ISO 27701 Privacy Information Management System Certification Services;
- DQS HK provides Privacy Impact Assessment (PIA) service;
- DQS HK provides IT system penetration testing services.