
Chinese Court Releases Landmark Decision on Requirements for Cross-Border Transfer of Personal Information Under the PIPL

October 9, 2024

In September 2024, the Guangzhou Internet Court published the first-ever decision[1] interpreting the requirements for cross-border transfers of personal information[2] under China’s Personal Information Protection Law (“PIPL”).[3] This decision has significant implications for companies handling personal information of individuals located in Mainland China.

The PIPL is China’s first comprehensive data privacy law. Effective since November 1, 2021, the law applies both to data processing activities taking place within Mainland China and to activities outside of China that relate to the personal information of individuals located in Mainland China. Although the PIPL is similar to the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) in many aspects, it differs in its particular requirements for the cross-border transfer of personal information. One such requirement is the obligation to obtain “separate consent” from the individual before transferring their data abroad, whereas under the GDPR consent is merely one of several derogations allowing international transfers of data. Under the PIPL, the individual must also be provided notice beforehand of the foreign receiver’s name, contact method, handling purpose, handling methods, the categories of personal information being transferred, and the procedures for exercising their rights with the foreign entity.

The Guangzhou Internet Court’s decision (the “Decision”) clarified the scope of this consent requirement. According to the Decision, a company seeking to transfer an individual’s personal information outside of Mainland China need not obtain the individual’s consent so long as the scope and purpose of the transfer are limited to what is necessary for the company to perform its contract with the individual. However, to the extent the transfer exceeds that necessary scope and purpose, the company must obtain the individual’s “separate consent,” which must be specific and explicit and cannot be bundled together with general consent for other purposes. Mere checkbox consent to a privacy policy also does not constitute “separate consent.”

Overview of Consent and Cross-Border Transfer Requirements Under the PIPL

Article 13 of the PIPL provides seven legal bases for the processing of personal information. First and foremost, a personal information handler can process the personal information of an individual who has consented to the processing. Absent such consent, the handler can still process the information under one of six other bases: (1) where necessary to conclude or fulfill a contract in which the individual is an interested party, or necessary to conduct human resources management; (2) where necessary to fulfill statutory duties; (3) where necessary to respond to sudden public health incidents or to protect a person’s life, property, and health; (4) for news reporting and other activities in the public interest; (5) where the information has already been disclosed; and (6) in other circumstances provided under the relevant laws or regulations.

Articles 38 and 39 outline the main requirements for cross-border transfers of personal information. Under Article 38, a personal information handler must meet one of four conditions before such transfer: (1) undergoing personal information protection certification conducted by a specialized body (e.g., the China Cybersecurity Review Technology and Certification Center)[4]; (2) concluding a contract with the foreign receiving side in accordance with a standard contract[5]; (3) obtaining a security assessment organized by the State cybersecurity and informatization department;[6] or (4) other conditions provided under laws or administrative regulations.

Article 39 also requires the personal information handler to provide notice to and obtain separate consent from the individual whose data is being transferred. The notice should include the foreign receiving side’s name, contact method, handling purpose, handling methods, and categories of personal information, as well as ways or procedures for the individual to exercise their rights provided under the PIPL with the foreign receiving side.

The Underlying Case

The case was brought by a Chinese consumer (the “Plaintiff”) who purchased membership cards of a French hotel group (the “Group”) through its affiliate in China (the “Affiliate”) (collectively, the “Defendants”). After the purchase, Plaintiff received a link to download a mobile booking app operated by the Group and subsequently booked a hotel in Myanmar through the app. To complete the booking, Plaintiff provided his name, nationality, phone number, email, and bank account number, and agreed to the app’s extensive privacy policy (the “Privacy Notice”) by checking an “I agree” box. Plaintiff later discovered that the Group relied on this single checkbox consent as a basis to transfer his personal information to Defendants’ personnel and business partners located in countries other than Myanmar.

Plaintiff claimed that Defendants violated Article 39 of the PIPL for failure to provide specific notice regarding the foreign recipients of his personal information and for failure to obtain Plaintiff’s “separate consent” regarding the transfer of his personal information to those entities. Plaintiff also made allegations concerning Defendants’ failure to meet any of the four conditions for transferring personal information abroad under Article 38 but did not appear to have asserted a cause of action for this violation.

Defendants made two main arguments in response. First, Defendants argued that they need not obtain Plaintiff’s consent for the transfer of his personal information abroad because the transfer was necessary to “fulfill a contract” under Article 13 for the provision of membership services to Plaintiff.[7] Second, Defendants argued that Plaintiff’s checkbox consent to the Privacy Notice constituted proper notice and consent under Article 39. Defendants noted that the Privacy Notice contained detailed disclosures about the Group’s potential transfer of his personal information abroad for the purposes of providing services and customized advertising, including to entities located in “South Africa, Algeria, Andorra, Angola, Saudi Arabia, and 69 other countries.”[8]

The Court held that the scope of the transfer exceeded what was necessary for Defendants to manage Plaintiff’s hotel booking in Myanmar, and therefore, Defendants were required under Article 39 to obtain Plaintiff’s “separate consent” for the transfer of his personal information abroad. The Court held that Defendants violated Article 39 since Plaintiff’s checkbox consent did not constitute “separate consent.”

The Court’s Opinion

  1. Contractual performance is a legal basis for the transfer of personal information abroad only if the scope and purpose of the transfer is limited to what is necessary for contractual performance.

First, the Court addressed Defendants’ argument that their transfer of Plaintiff’s personal information abroad did not require Plaintiff’s consent since, pursuant to Article 13 of the PIPL, the transfer was necessary to fulfill their service contract with Plaintiff. To determine whether consent was required, the Court considered whether both the scope and the purpose of the transfer were necessary to fulfill the contract.

The Court found that the categories of personal information transferred were necessary to fulfill the parties’ service contract (i.e., Plaintiff’s booking of a hotel in Myanmar). The Court referenced the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, noting that information such as name, telephone number, email address, physical address, and bank information is necessary for hotel booking transactions. However, the Court found that the scope of the recipients, which included all of the Group’s business partners and marketing personnel, went well beyond what was necessary to perform the parties’ contract.

Similarly, the Court found that the purpose of the transfer exceeded what was necessary to fulfill the parties’ contract. The Court found that Defendants transferred Plaintiff’s personal information to entities in the United States and Ireland for the purpose of business marketing, which was not necessary to manage Plaintiff’s booking of a hotel in Myanmar. The Court noted that the purpose of a service contract is for the consumer to receive services, not to be profiled for advertising purposes.

Accordingly, the Court held that, absent any other valid basis for processing under Article 13, “separate consent” was required for the cross-border transfer of Plaintiff’s personal information under Article 39.

  2. Separate and specific individual consent is required for cross-border transfer of personal information.

Second, the Court interpreted the “separate consent” requirement under Article 39. As a threshold matter, the Court noted that, as a matter of law, checkbox consent to a general privacy policy does not constitute separate consent. The Court explained that “separate consent” is a type of “enhanced consent,” and refers to an individual’s specific, explicit authorization for a certain processing of their personal information. The Court further explained that “separate consent” requires “separate notification,” and is not valid for multiple purposes or multiple types of use of personal information. Here, the Court found that the Privacy Notice at issue provided only “general notice,” as opposed to “enhanced notice.” The Court noted that the Privacy Notice only vaguely described the potential foreign recipients of a user’s personal information to include, among others, “people and departments within the Group” and “business partners and marketing staff”; it did not clearly delineate the scope of these categories.

Accordingly, the Court held that Defendants violated Article 39 of the PIPL by failure to obtain Plaintiff’s “separate consent” for the transfer of his personal information beyond what was necessary to manage his hotel booking in Myanmar, including, for example, the transfer of his information to the United States and Ireland for business marketing purposes.

  3. Awarded Relief.

The Court awarded Plaintiff 20,000 RMB (around 2,840 USD) in damages, based on an assessment of the method and scope of Defendants’ unlawful use of Plaintiff’s personal information, as well as Plaintiff’s litigation costs and expenses. Pursuant to Article 47 of the PIPL, the Court also ordered Defendants to promptly erase all of Plaintiff’s personal information stored in their systems and to provide a written apology to Plaintiff.

Main Takeaways

  • GDPR compliance does not ensure PIPL compliance. The Decision suggests that companies relying on their compliance with the GDPR to ensure the lawfulness of their data privacy practices globally may find themselves liable under the PIPL. The PIPL’s requirements for cross-border transfers appear to be stricter than those under the GDPR. Whereas the GDPR offers a number of mechanisms to legitimize cross-border transfers (including where the recipient country has been granted an adequacy decision, where appropriate safeguards such as standard contractual clauses have been executed, where the transfer is necessary to perform a contract, or where consent has been obtained),[9] the options appear to be much more limited under the PIPL. Article 38 of the PIPL requires one of four conditions to be satisfied before a cross-border transfer can take place, and Article 39 further requires “separate consent” from the individual. Although the standard of consent may be the same as that under the GDPR (e.g., specific, unambiguous, informed, and freely given), multinational corporations (“MNCs”) with a data privacy infrastructure grounded in GDPR compliance must ensure that they have obtained consent where required under the PIPL (i.e., not rely on their GDPR transfer mechanisms), obtain a PIPL-specific consent separate from any consent obtained under the GDPR, and ensure that their operations in China satisfy any additional requirements imposed by the PIPL.
  • Companies operating in China should make sure to obtain specific consent for any cross-border data transfers. Since each cross-border transfer of the personal information of individuals located in Mainland China that goes beyond what is necessary to perform a contract with the individual requires separate and specific consent, companies collecting such personal information could be exposed to significant liability if they do not comply with Articles 13 and 39 of the PIPL when effecting transfers of such data. Companies should thus ensure that they obtain the specific consent of Chinese individuals before initiating any such cross-border transfers. Companies should also note that expansive cross-border transfers for “marketing purposes” are unlikely to be considered justified under the Article 13 contractual-necessity basis where the underlying contract is unrelated to the provision of marketing services. Accordingly, companies should consider limiting their data transfers to only those recipients necessary for fulfilling contractual obligations, and obtaining specific and separate consent for using personal information for marketing purposes.

*       *       *


[1]        (2022) Yue 0192 Min Chu No. 6486 ((2022)粤0192民初6486号).

[2]        “Personal Information” is defined as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.” PIPL Art. 4.

[3]        Personal Information Protection Law of the People’s Republic of China.

[4]        Implementation Rules for Personal Information Protection Certification (Nov. 18, 2022).

[5]        See Guidelines for Filing Standard Contracts for Transfer of Personal Information Abroad (June 1, 2023).

[6]        See Measures for Data Export Security Assessment (Sept. 1, 2022).

[7]        PIPL Art. 13.

[8]        (2022) Yue 0192 Min Chu No. 6486 ((2022)粤0192民初6486号).

[9]        GDPR Arts. 45 (adequacy decisions), 46 (appropriate safeguards, including standard contractual clauses), and 49 (derogations, including consent and contractual necessity).

© 2024 Paul, Weiss, Rifkind, Wharton & Garrison LLP
