[China] (2022) Yue 0192 Min Chu No. 6486, the CBDF case in the Guangzhou Internet Court
(2022) 粤 0192 民初 6486 号
According to some Chinese posts on Weixin, a civil dispute recently concluded in the Guangzhou Internet Court, and a civil judgment made on 8 Sep 2023 was disclosed ((2022) Yue 0192 Min Chu No. 6486 / (2022) 粤 0192 民初 6486 号).
I think this judgment is rich in information for privacy compliance folks, particularly if you are an MNC that centralises processing or storage overseas, or that is in the tourism sector.
In this post I set out my key takeaways, the brief facts, the court’s orders, and key points in the judgment (based on what I think would be important for privacy and compliance professionals to know); and provide the Chinese and machine-translated English versions of the judgment.
Note:
This post is based on the machine-translated English version of the judgment, which is not perfect. Where I felt that the translation was not very accurate, I checked against other machine translations.
The grammar in this post may seem a little strange or ineloquent. This is because I deliberately used the direct English translation, because I thought that it more accurately relayed the court’s thinking in the context of China’s laws and their specific wordings and requirements.
According to Fangda Partners, the case was appealed against, and on appeal the court sustained the decision.
Key takeaways
If your PI processing activities require enhanced notice and consent in the form of separate consent, the user's act of clicking to agree to a privacy policy will not be sufficient. It does not constitute separate consent.
If you are relying on any of the legal bases under Article 13(2)-(7) of the PIPL for your processing, you need not obtain personal or separate consent for data exports.
3. In deciding if your processing activities are contractually necessary (under Article 13(2) of the PIPL), the court will apply an objective test based on the contract's purpose.
4. If you ever wondered about the standing of TC260's standards, the court referred to one that was voluntary in nature: the Implementation Guidelines for Notice and Consent in Personal Information Processing (GB/T 42574—2023).