Testing data privacy in the courts

As internet activity surges and Chinese consumers turn to shopping online, more personal information is being uploaded on a growing number of platforms, posing risks to data security and privacy. The Supreme People's Court has issued the Provisions on Several Issues Concerning the Application of the Law in the Trial of Civil Dispute Cases Involving the Utilisation of Information Networks to Infringe Personal Rights and Interests (最高人民法院关于审理利用信息网络侵害人身权益民事纠纷案件适用法律若干问题的规定) to crack down on personal data infringement, which has become a serious problem.

This judicial interpretation supplements Article 36 of the PRC Tort Liability Law (中华人民共和国侵权责任法), which provides general principles of liability for infringement of users' rights online and subsequent remedial measures imposed on internet service providers (ISPs).

Two aspects, however, have sparked debate. First, Article 4 of the Provisions requires ISPs to provide the identity and contact details of infringing internet users during litigation (and the ISPs face punishment if they do not comply). Also, Article 9 revisits the liability issue and specifies conditions for ISPs' knowledge of the infringement.

“The new Provisions explicitly state ISPs should disclose third parties' private information and clarify whether the safe harbour rule applicable to online copyright cases is also applicable to cases where personal rights are infringed upon,” said Fang Qi of Fangda Partners.

Article 4: exposing third parties

The objective of the judicial interpretation is to strike a balance between protecting personal rights and deterring infringement through liability. “What generated some controversy is that Article 4 makes the ISPs disclose users' confidential information, when they are supposed to protect it,” said Qi.

In typical copyright cases where the holder sues the ISP, there is no discussion on whether the ISP should provide confidential information on the direct infringer, since the disputes are more about property rights and monetary compensation, and the case is settled when the ISP pays up.

But violation of personal rights is a separate issue, and practitioners believe the requirement may be justified as it is important to know who posted the infringing material.

Article 9: ISP liability

What ISPs are most concerned about is whether they can be identified as having knowledge of the infringement. Article 9 explicitly states that the ISP should have known of the infringing material and is therefore liable to act accordingly.

Earlier, if the ISP did not have or should not have had the required knowledge, it could avoid the issue by deleting the infringing material from its network as soon as it received notice, but Article 9 makes clear that the ISP does not fall under the safe harbour rule by stating it should have known, Qi explained.

This poses a problem as the service providers can find it difficult to monitor and control public platforms. They rely on limited mechanisms to detect infringement, and often on the declaration of the user when they post material.

The wording of Article 9 is highly subjective, which leaves the concept of ISP liability open to interpretation by the courts. For instance, one aspect not touched upon is what would happen when the ISP charges money for the infringing material. “In cases where the ISP profited from the dissemination of information by charging those who want access, the SPC has been very clear that the ISP should have known of the nature of the content,” said Qi.

To the courts or the AIC

There are two routes an infringement victim can take. Aside from civil litigation, they can file a complaint with the Administration of Industry and Commerce (AIC). The benefit of this option is that the AIC has the power to investigate (in civil cases the burden of proof and evidence rests on the plaintiff) and take administrative action against the ISP. But the downside is that it does not have the power to award damages to the victim.

However, Joe Simone of Simone IP Services questioned the AIC's ability to uncover facts. “The AIC has enormous resources and lots of manpower, but one thing it does not have is solid investigative powers,” he said. “The AIC was set up based on a very old fashioned-model, and that was in the physical world. The internet is a totally different realm,” he added.

“Everyone is looking at how Tmall and Taobao, JD.com, Paipai and so on will be regulated,” said Simone, referring to the AIC's role in the online commerce industry. “The law hasn't been clear as the government has just let them grow, and the sector has become really big and ugly.”


By Katherine Jo