In August 2024, China Judgements Online published a ruling issued by the Guangzhou Internet Court on September 8, 2023, in a case widely regarded as China's first judicial decision addressing cross-border personal information transfer. The court found a global hotel group liable for the unlawful handling of personal data, marking a milestone in the enforcement of China's personal information protection regime. [1]
Following the first-instance judgment, one of the defendants, a company referred to as "Company G," appealed. On June 28, 2024, the Guangzhou Intermediate People's Court ("GZ Intermediate Court") upheld the initial ruling in the second instance. [2]
This landmark decision sheds light on previously ambiguous aspects of China's Personal Information Protection Law ("PIPL") and provides clearer guidance for multinational corporations to formulate tailored compliance strategies under Chinese law.
I. Key Facts and Cross-Border Data Transfer at Issue
Company G is a multinational hotel management group incorporated in France. In 2021, the plaintiff, Mr. Zuo, purchased a hotel membership card through a WeChat public account ("Hotel A*") operated by Company G's affiliated entity, Company Q.
In 2022, Mr. Zuo booked a hotel in Myanmar via Company G's app ("A*"), providing personal information such as name, nationality, phone number, email address, and bank card information, and consented to the app's Customer Personal Data Protection Charter (the "Charter") by checking the relevant box.
Later, Mr. Zuo discovered that, according to the Charter, his personal information would be shared with multiple recipients worldwide, and that the Charter did not disclose the specific recipients or their geographic locations. Furthermore, there were no accessible mechanisms to revoke consent or exercise related rights. Mr. Zuo alleged that these practices infringed his personal information rights and sued the defendants (Company G and Company Q, collectively "defendants"), demanding disclosure of recipients, deletion of his data, a public apology, and compensation for economic losses.
The first-instance court partially upheld the plaintiff's claims, ordering the defendants to issue a written apology, delete his personal data, and pay RMB 20,000 as reimbursement for reasonable expenses. As the deletion obligation was fulfilled by the defendants during the appeal, the GZ Intermediate Court set aside the deletion order while upholding the remainder of the first-instance judgment.
II. Legal Clarifications Provided by the Courts
The first-instance court addressed several legal issues, including the justiciability of the case, the validity of click-through consent, the necessity of the processing for contract performance, and whether separate consent had been obtained. The appellate court further focused on the legal validity of informed consent and contract necessity, endorsing and supplementing the lower court's opinion.
A. Liability: Foreign Entities Providing Services to Chinese Residents Are Subject to the PIPL
Company Q is a legally independent affiliate of Company G incorporated in China. The plaintiff argued that Company Q's commercial appearance led reasonable consumers to perceive it as the contractual party and data recipient. However, the court ultimately held that Company G was responsible for the cross-border data transfer in question and bore the infringement liability (except for deletion).
Importantly, Article 3 of the PIPL stipulates the law's extraterritorial effect. Although Company G is registered in France, its processing activities targeting Chinese individuals fall within the scope of the PIPL.
B. Justiciability: Infringement of "Core Rights" Does Not Require Prior Exercise and Denial
The defendants argued that under Article 50(2) of the PIPL, litigation can only be initiated after a data subject's request is refused. The court rejected this, clarifying that the provision applies only to procedural rights listed in Chapter IV of the PIPL.
The court emphasized that personal information rights, as part of personality rights, center on the "right to know" and "right to decide." The rights to access and copy data are merely instrumental. The plaintiff's claims stemmed from a failure to provide truthful, complete, and accurate notice and to obtain separate consent, and thus concerned an infringement of personality rights that is actionable directly under the Civil Code without the prior denial of a request.
C. Validity of "Notice-Consent": Blanket Consent Does Not Equal Separate Consent
Both courts found that the Charter interface presented by Company G constituted generalized, bundled consent. The Charter vaguely referenced data sharing with recipients "across multiple countries" but failed to specify which entities or jurisdictions were involved.
Per Article 39 of the PIPL, separate consent is required for cross-border transfers. The court emphasized that separate consent must be unambiguous and specific, particularly for cross-border transfers. A bundled privacy policy, presented as a take-it-or-leave-it option, is not sufficient. To comply, controllers should implement clear consent flows -- such as pop-ups or separate checkboxes -- when collecting consent for sensitive or cross-border processing.
D. Defining "Necessity for Contract Performance": The Rigid Constraint of Data Minimization
Company G argued that its processing of the plaintiff's personal data was lawful under Article 13(1)(2) of the PIPL, which permits data processing when "necessary for the performance of a contract," thereby obviating the need for consent. Both courts rejected a blanket application of this clause and emphasized that such necessity must be narrowly construed in line with the data minimization principle set out in Article 6 of the PIPL.
The courts assessed necessity across three dimensions: (1) the scope of personal data collected, (2) the scope of cross-border recipients, and (3) the specific processing purposes.
Regarding data scope, the courts referenced regulatory guidance from the Cyberspace Administration of China (CAC), concluding that necessary personal data for hotel services includes name, contact details, check-in/check-out times, and hotel names. Bank card data was also deemed necessary for payment purposes.
Regarding the scope of recipients and processing purposes, the courts stressed that "necessity" must be objectively tied to the fulfillment of the contractual relationship. In this case, personal data was transferred to seven overseas entities across six countries for purposes such as managing the central reservation system, processing bookings, customer service, marketing communications, analytics, and data storage.
The transfer of data to the hotel in Myanmar and to Company G's central reservation system in France was deemed necessary for executing the hotel reservation and thus permissible under the contract necessity clause. However, data transfers to entities in the United States and Ireland for marketing purposes were unrelated to contract performance and therefore required separate consent under the PIPL.
Notably, in current practice, whether personal data transfers to overseas central reservation systems are justified when the user books only domestic hotels remains controversial. Regulatory authorities may view such transfers as exceeding the scope of contract necessity, posing potential compliance risks.
III. Practical Implications: One Global Policy Is Not Enough -- Localization Under China's PIPL Is Essential
Many multinationals rely on global privacy policies rooted in the EU's General Data Protection Regulation (GDPR). However, GDPR compliance does not guarantee compliance with China's PIPL. Under the PIPL, requirements for informed notice and separate consent are more stringent than under the GDPR.
Before transferring personal information overseas, multinational enterprises must conduct a Personal Information Protection Impact Assessment (PIPIA) in accordance with the PIPL. Depending on the nature and volume of data involved, businesses may also be required to (i) undergo a security assessment conducted by the CAC, (ii) enter into and file Standard Contracts for cross-border data transfers, or (iii) obtain personal information protection certification under China's evolving regulatory framework.
This case's inclusion in the People's Court Case Database underscores its guiding significance. It offers clear guidance for multinationals, illustrating that generic global policies may not meet the standards required under Chinese law and judicial practice. To minimize compliance and litigation risks, foreign companies should develop localized privacy notices and data governance programs that are specifically aligned with the PIPL and other applicable Chinese regulations. Failure to do so may expose them to severe administrative penalties -- up to RMB 50 million or 5% of annual turnover -- as well as civil liability for privacy-related tort claims.