In August 2024, the Guangzhou Internet Court in China published its final decision, originally issued on September 8, 2023, in case No. (2022) Yue 0192 Minchu 6486 regarding the cross-border transfer of personal information under the Personal Information Protection Law (“PIPL”). It is the first case explaining reliance on necessity for performance of a contract in cross-border data transfer activities.
In this case, the defendant was a foreign entity registered in France, Acco* Group, subject to the extra-territorial jurisdiction of the PIPL due to its collection of personal information of individuals in China through its website hosted outside of China. The plaintiff in the case booked their hotel through the defendant’s website.
Justiciability of Data Subjects’ Rights
The case clarifies that the right to be informed and the right of decision-making (i.e., to restrict or object to processing) are the core rights relating to personal information. The right of access, right of copy, right of data portability, right of correction, right of supplementation and the right of explanation are the instrumental and remedial rights that protect and help realize the right to be informed and the right of decision-making. The data subject must exercise these rights directly with a data handler before being able to claim such rights in court (in the event that the data handler does not comply with the request).
Overseas Recipients
The defendant’s privacy statement stated: “the data subjects’ personal information will be shared with internal personnel and departments within Acco* Group, business partners and marketing personnel in multiple countries.” The judge determined that neither the parties with whom the personal information would be shared nor the geographic scope of that sharing was clearly stated in the privacy statement, and that the plaintiff was not clearly informed of where their personal information would be transferred or how the receiving parties would process it. The statements provided in the privacy policy did not comply with the principle of openness and transparency. In order to comply, data handlers need to specify the parties and countries to which personal information will be transferred.
Additionally, clicking on a checkbox in a privacy policy is not sufficient to provide separate consent under the law – a data handler must obtain a separate consent from the data subject(s).
Necessity Test for Performance of a Contract
The defendant’s privacy policy stated: “We share your data with a number of authorized people and departments in the Acco* Group in order to offer you the best experience in our hotels. The following teams may have access to your data:…..Commercial partners and marketing services.” The judge stated that “[n]ecessary for the performance of the contract” is an objective necessity. As such, the scope of the parties entrusted by the data handler with the processing of personal information should be legitimate and necessary for the performance of the contract. This necessity should be judged based on the purpose of the contract, and the scope of the entrusted parties should comply with the principle of minimum necessity. The judge held that “all commercial partners and marketing staff of the hotel group exceeds the extent of necessity for fulfillment of the contract from the scope of recipients and geographical scope.”
Additionally, the judge held that marketing cannot be considered necessary for the performance of the contract (e.g., hotel booking for this case), as such marketing activity does not fall within the scope or purpose necessary to perform the contract.
The PIPL provides that “those conducting information push delivery or marketing to individuals through automated decision-making methods shall simultaneously provide the option to not target an individual’s characteristics, or provide the individual with a convenient method to refuse.” If an individual is able to refuse marketing, then marketing cannot be necessary for the fulfillment of the contract. Individuals enter into contracts to receive specific goods and services, not to be identified or profiled, and therefore processing of personal information for marketing purposes poses a potential risk to the rights and interests of data subjects.
Given that the judge did not support the defendant’s argument that marketing was necessary for performance of the relevant contract and consent was therefore not required, the defendant could not rely on the legal basis of “performance of the contract” for the cross-border transfer of personal information. The judge held that a separate consent should have been obtained for the transfer.
In practice, with respect to cross-border transfers, data handlers have often taken a broader approach when interpreting necessity for performance of a contract. This case provides a rule for the necessity test for fulfillment of contract, which is “a series of acts based on the necessity of performance of the contract in a single act.” Data handlers may refer to this rule when reviewing whether their processing purposes meet the necessity test for performance of contract in the scenario of cross-border transfer.
Tort Liabilities
Given that the defendant’s processing activities were unlawful (as they unnecessarily shared personal information with recipients overseas and transferred personal information outside of China for marketing purposes without separate consent), the defendant should bear tort liability, including making a written apology to the plaintiff and compensating the plaintiff for investigation, forensics, interpretation and attorney fees totaling RMB 20,000 (approximately $3,000).