In August 2024, the Guangzhou Internet Court in China published its final decision in case No. (2022) Yue 0192 Minchu 6486, originally issued on September 8, 2023, concerning the cross-border transfer of personal information under the Personal Information Protection Law (“PIPL”). It is the first case to explain when a data handler may rely on “necessity for performance of a contract” as the legal basis for cross-border data transfer activities.
In this case, the defendant was a foreign entity registered in France, Acco* Group, which was subject to the extra-territorial jurisdiction of PIPL because it collected personal information of individuals in China through its website hosted outside of China. The plaintiff in the case booked their hotel through the defendant’s website.
Justiciability of Data Subjects’ Rights
The case clarifies that the right to be informed and the right of decision-making (i.e., to restrict or object to processing) are the core rights relating to personal information. The right of access, right of copy, right of data portability, right of correction, right of supplementation and the right of explanation are the instrumental and remedial rights that protect and help realize the right to be informed and the right of decision-making. The data subject must exercise these rights directly with a data handler before being able to claim such rights in court (in the event that the data handler does not comply with the request).
Overseas Recipients
In its privacy statement, the defendant stated: “the data subjects’ personal information will be shared with internal personnel and departments within Acco* Group, business partners and marketing personnel in multiple countries.” The judge determined that neither the scope of the parties with whom the personal information would be shared nor the geographic scope of such sharing was clearly stated in the privacy statement, and that the plaintiff was not clearly informed of where their personal information would be transferred or how the receiving parties would process it. The statements provided in the privacy policy therefore did not comply with the principle of openness and transparency. In order to comply, data handlers need to specify the parties and countries to which personal information will be transferred.
Additionally, clicking on a checkbox in a privacy policy is not sufficient to provide separate consent under the law – a data handler must obtain a separate consent from the data subject(s).
Necessity Test for Performance of a Contract
In its privacy policy, the defendant stated: “We share your data with a number of authorized people and departments in the Acco* Group in order to offer you the best experience in our hotels. The following teams may have access to your data: … Commercial partners and marketing services.” The judge stated that “[n]ecessary for the performance of the contract” is an objective necessity. As such, the scope of the parties entrusted by the data handler with the processing of personal information must be legitimate and necessary for the performance of the contract. This necessity is to be judged against the purpose of the contract, and the scope of the entrusted parties must comply with the principle of minimum necessity. The judge held that “all commercial partners and marketing staff of the hotel group exceeds the extent of necessity for fulfillment of the contract from the scope of recipients and geographical scope.”
Additionally, the judge held that marketing cannot be considered necessary for the performance of the contract (e.g., hotel booking for this case), as such marketing activity does not fall in the scope and/or the purpose which is necessary to perform the contract.
The PIPL provides that “those conducting information push delivery or marketing to individuals through automated decision-making methods shall simultaneously provide the option to not target an individual’s characteristics, or provide the individual with a convenient method to refuse.” If an individual is able to refuse, marketing must not be necessary for the fulfillment of the contract. The purpose for individuals to enter into contracts is to receive specific goods and services, not to be identified or profiled, and therefore processing of personal information for marketing purposes poses a potential risk to the rights and interests of data subjects.
Given that the judge did not support the defendant’s argument that marketing was necessary for performance of the relevant contract and consent was therefore not required, the defendant could not rely on the legal basis of “performance of the contract” for the cross-border transfer of personal information. The judge held that a separate consent should have been obtained for the transfer.
In practice, with respect to cross-border transfers, data handlers have often taken a broader approach when interpreting necessity for performance of a contract. This case provides a rule for the necessity test for fulfillment of contract, which is “a series of acts based on the necessity of performance of the contract in a single act.” Data handlers may refer to this rule when reviewing whether their processing purposes meet the necessity test for performance of contract in the scenario of cross-border transfer.
Tort Liabilities
Given that the defendant’s processing activities were unlawful (as they unnecessarily shared personal information with recipients overseas and transferred personal information outside of China for marketing purposes without separate consent), the defendant should bear the tort liabilities including making a written apology to the plaintiff and providing compensation fees for investigation, forensics, interpretation and attorney fees to the plaintiff totaling RMB 20,000 (approximately $3,000).