Chinese Court Publishes Landmark Judgment for Cross-Border Data Transfer

By Norah Chen, Victoria Lei and Maarten Roos

In September 2024, the Guangzhou Internet Court published what is the first publicly disclosed judgment concerning the cross-border transfer of personal information under China’s Personal Information Protection Law (PIPL). This landmark case clarifies that in hotel management, the transfer of personal information beyond what is necessary for fulfilling the contract must be subject to separate consent from the customer, rather than relying on a general consent through the privacy policy.

Case Background

In the case, the plaintiff purchased membership services from the defendant hotel group through its mobile application (APP), booking a hotel in Myanmar and providing personal information such as name, nationality, phone number, email address, and bank card details. Subsequently, he discovered that the defendant’s privacy policy allowed the sharing of his personal information with third parties and in multiple countries globally. He argued that his data should only have been shared within Myanmar to facilitate his hotel booking, and noted the absence of a separate consent mechanism for more extensive data sharing.

Court Decision

The court concluded that while the transfer of his data to Myanmar for booking purposes and to France for managing the central reservation system was necessary and lawful under PIPL Article 13 (2), the subsequent sharing of his information for marketing purposes to entities in the United States and Ireland exceeded contractual necessity. The court concluded further that these marketing-related data transfers lacked the required separate consent, rendering them unlawful. Consequently, the defendant was ordered to delete the plaintiff’s personal information, provide a written apology, and compensate him CNY 20,000 for economic losses and reasonable expenses.

Practical Implications for Multinational Companies

  • Notice-and-Consent Obligations

The court’s decision underscores the critical importance of clear and specific notice-and-consent mechanisms in privacy policies. Multinational companies must ensure that their privacy policies explicitly outline the types of personal data collected, the purposes for which it is used, and the entities with whom it is shared, especially outside China. Vague or overly broad statements such as “data may be shared with third parties” are insufficient to meet PIPL requirements. Instead, businesses must adopt transparent communication strategies that allow users to fully understand how their data will be processed, and ensure that consent is obtained through clear, distinct actions.

  • Contractual Necessity

The ruling highlights that data processing must be strictly limited to what is necessary for fulfilling contractual obligations. In the context of hotel reservations, transferring personal data to manage bookings is justified. However, extending data sharing for purposes like marketing exceeds contractual necessity. Multinational companies should rigorously assess whether any data processing activities extend beyond what is essential for contract performance. Only necessary data should be collected, and sharing should be necessary for the specific contractual purpose. 

  • Separate Consent

A pivotal take-away from this case is the requirement for separate consent for non-essential data uses, such as marketing. The court clarified that relying solely on a comprehensive privacy policy for consent does not meet the PIPL’s standards for specific consent. Companies must implement distinct consent mechanisms for each additional purpose of data processing that falls outside the scope of contractual necessity. This can be achieved through separate tick-boxes or dedicated consent prompts that allow users to explicitly agree to different types of data processing activities. 

Conclusion 

The Guangzhou Internet Court’s decision serves as a pivotal reminder for multinational companies to meticulously design their privacy policies and consent mechanisms. Clear, specific, and separate consent processes are essential to comply with the PIPL and sufficiently protect users’ personal information rights. By adhering to these principles, businesses can not only avoid legal repercussions but also build greater trust with their customers in an increasingly data-conscious market.


R&P’s data privacy team supports international clients on compliance with China’s extensive framework on data privacy, providing legal advice, completing personal information impact assessments, completing filings with the CAC, and responding to government investigations. For more information on how we can support you, please contact the authors at chenyixuan@rplawyers.com, leishijing@rplawyers.com or roos@rplawyers.com, or your trusted contact at R&P.