Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

In the fall of 2024, the Guangzhou Internet Court released a final judgment on the extraterritorial scope of China's Personal Information Protection Law, the first on cross-border data transfers under the law, highlighting key compliance priorities for foreign companies doing business with or in China.

In the case, a hotel guest in China sued an unnamed international hotel group based in France over the transfer of their personal data to third parties outside China without separate consent. The French hotel group lost and was required to apologize, among other actions.

The case confirms PIPL's requirement that separate consent — informed, proper, unbundled consent — must first be obtained from the individual when sharing personal information outside China. This requirement was also emphasized in the new Chinese cross-border data rules effective 22 March 2024.

Facts of the case

The lawsuit explains the plaintiff joined the hotel group's loyalty program and booked a stay at one of its hotels in Southeast Asia using the company's app. They agreed to the hotel group's privacy notice before becoming a member of the loyalty program and provided the relevant personal information — including name, nationality, telephone number, email and bank account number — during the process.

According to the court's decision, the hotel group's privacy notice stated it would share guests' personal information with other group companies and business partners worldwide, not unlike the privacy notices of many Western companies. It stated that, since the group operates in several countries and aims to provide consistent services to hotel guests throughout the world, guests' personal data is shared with "internal and external recipients" including "authorised people and departments in the group," such as staff, IT departments, "commercial partners and marketing services," and "generally, any appropriate person within the group entities for certain specific categories of personal data."

It also stated guests' personal data may be shared "with service providers and partners," noting "the hotel guests' personal data may be sent to a third party for the purposes of supplying the hotel guests with services and improving the hotel guests' stay." These are named to include external service providers like IT sub-contractors, international call centers, banks, credit card issuers and external lawyers.

The notice adds, "the group may, unless the hotel guests specify otherwise to the Data Privacy department, enhance the hotel guests' profile by sharing certain personal information with its preferred commercial partners. In this case, a trusted third party may cross-check, analyse and combine the hotel guests' data. This data processing will allow the group and its privileged contractual partners to determine the hotel guests' interests and customer profile to allow the group to send the hotel guests personalized offers."

Despite agreeing to the privacy notice, the plaintiff complained that the group shared their personal information with other group companies and business partners outside China.

Extraterritorial scope

Similar to Article 3(2) of the EU General Data Protection Regulation, the PIPL's extraterritorial scope means a data controller processing personal information of individuals in China — even from outside of China — to provide products or services or for other purposes, falls within the PIPL's scope.

The court ruled the France-based hotel group processed the plaintiff's personal information for the purpose of providing products or services to the individual and, hence, is subject to the PIPL's extraterritorial scope under Article 3.

Separate consent

Before personal information is shared outside China, the PIPL requires that separate consent be obtained from the individual. According to Article 39 of the PIPL, this separate consent must include notice of the name and contact information of the overseas recipient, processing purposes and methods, types of personal information involved, and the methods and procedures for individuals to exercise their data privacy rights against the overseas recipient.

Therefore, the Chinese legal requirement of separate consent mandates that detailed information on the overseas recipient must be provided to the individual. The level of detail required under the PIPL differs from the cross-border data transfer requirements in most jurisdictions.

As the hotel group's privacy notice did not provide such details but merely outlined the categories of overseas recipients, the court determined its privacy notice did not meet the PIPL's separate consent requirement.

The new Chinese cross-border data rules that took effect 22 March 2024 also emphasize this requirement, stating separate consent from the individual must first be obtained when sharing personal information outside China. Consequently, the court found the French hotel group noncompliant with this requirement.

Key takeaways

This case serves as a reminder that China's PIPL applies to companies even if they are not conducting business in China. Companies outside China that handle the personal information of individuals in China for the purpose of providing products or services to those individuals must also comply with the PIPL.

This case also highlights a key compliance priority for foreign companies doing business with or in China: when sharing personal information outside China, separate consent from the individual must first be obtained.

Chiang Ling Li is a partner at Tiang & Partners.