In the News: First Cross-Border Data Transfer Judgment in China; New EU-China Mechanism to Facilitate Data Flows; and High-Frequency Futures Traders

Credit: Who is Danny/Adobe Stock

Groundbreaking Personal Data Transfer Case in China

The Guangzhou Internet Court has determined that an unnamed international hotel brand mishandled personal data, according to a landmark case released by the Court on Sept 2. This is the first court judgment in China on cross-border data transfer.

A person surnamed Wang purchased accommodation services with a service company via WeChat and booked a stay with an international hotel brand via its app. Wang consented to the defendant's personal data protection rules, which involved submitting his name, nationality, phone number, email address, and credit card details. When he realized the data protection rules explicitly stated that the data would be shared overseas, Wang sued both companies.

The Court held that the cross-border transfer of personal data for overseas hotel reservations is necessary for contractual performance, thus a separate consent is not necessary. However, the defendants failed to truthfully, accurately and completely explain to the plaintiff how they process data in their personal data protection rules. Furthermore, the Court found that the data was used for commercial purposes—it was sent to third parties in the U.S. and Ireland for processing, exceeding the necessary requirements for contractual performance. The defendants failed to fully disclose such acts and purposes to Wang and seek his separate consent. This illegal use of information and breach of Wang's rights over personal information means that the defendants are liable for civil infringement. The defendants were ordered to delete the plaintiff's personal data and pay damages of RMB 20,000.