First case on PIPL's extraterritorial scope highlights key compliance priorities

In the fall of 2024, the Guangzhou Internet Court released a final judgment on the extraterritorial scope of China's Personal Information Protection Law, the first on cross-border data transfers under the law, highlighting key compliance priorities for foreign companies doing business with or in China.

In the case, a hotel guest in China sued an unnamed international hotel group based in France over the transfer of their personal data to third parties outside China without separate consent. The French hotel group lost and was required to apologize, among other actions.

The case confirms PIPL's requirement that separate consent — informed, proper, unbundled consent — must first be obtained from the individual when sharing personal information outside China. This requirement was also emphasized in the new Chinese cross-border data rules effective 22 March 2024.

Facts of the case

The lawsuit explains the plaintiff joined the hotel group's loyalty program and booked a stay at one of its hotels in Southeast Asia using the company's app. They agreed to the hotel group's privacy notice before becoming a member of the loyalty program and provided the relevant personal information — including name, nationality, telephone number, email and bank account number — during the process.