China’s PIPL in Action: Key Takeaways for Multinationals from A Landmark Lawsuit

Posted by Written by Arendse Huld Reading Time: 10 minutes

The Guangzhou Internet Court ruled on a landmark PIPL lawsuit involving cross-border data transfers. The case shows how courts interpret consent, contractual necessity, and privacy notices, offering important compliance lessons for foreign businesses operating in China. We discuss the key takeaways from this landmark China personal information lawsuit.

Cross-border data transfer (CBDT) has been one of the most sensitive compliance issues for foreign companies doing business in China in recent years. Under the Personal Information Protection Law (PIPL), multinational corporations (MNCs) are facing heightened legal uncertainty over what counts as valid consent, what processing can be justified as “necessary for contract performance”, and how transparent privacy disclosures must be. Chinese regulators and courts are beginning to test these standards in practice, sending clear compliance signals in the process.

Find Business Support
Get expert assistance in conducting compliance audits, penetration tests, and impact assessments for improved cybersecurity of your business investments in China.

In September 2024, the Guangzhou Internet Court offered insight into one such ruling when it released a batch of “typical cases” litigated under the PIPL. Among them was a landmark lawsuit filed by an individual against a multinational hotel management group and its China affiliate. The dispute centered on the group’s overseas transfer of personal information and its handling of user rights under the PIPL. 

This case matters for MNCs because it illustrates how Chinese courts interpret key provisions of the PIPL in cross-border contexts, including the limits of contractual necessity, the scope of user consent, and the adequacy of privacy notices. For foreign firms, the ruling provides a preview of how courts may enforce compliance obligations and assess liability in future disputes. 

In this article, we review the lawsuit based on the summary of the case provided by the Guangzhou Internet Court, as well the court’s reasoning and its rulings on each of the plaintiff’s claims, before drawing key lessons for MNCs navigating the evolving legal landscape of personal information protection in China.

DOING BUSINESS IN CHINA EXPLORE IN-DEPTH INVESTMENT AND BUSINESS GUIDES.
Explore vital economic, geographic, and regulatory insights for business investors, managers, or expats to navigate China’s business landscape. Our Online Business Guides offer explainer articles, news, useful tools, and videos from on-the-ground advisors who contribute to the Doing Business in China knowledge. Start exploring

Who were the parties involved? 

Defendants: 

  • Company A: A multinational hotel management group registered in an unnamed foreign country that operates an app with various functions, including hotel reservation services.
  • Company B: An affiliate company of Company A registered in China, which operates the hotel’s WeChat official account. 

The plaintiff:  

  • An unnamed person with the alias “Zuo”. Zuo had become a member of the hotel group prior to 2020. In October 2021, Zuo purchased a membership card from Company A, which entitled them to hotel accommodation and meals provided by Company A at a discounted member rate. In February 2022, Zuo booked a room at a hotel abroad using its app, for which they submitted their personal information, including name, nationality, phone number, email address, and bank card number. 

How did the dispute arise? 

Zuo noticed that Company A’s Customer Personal Information Protection Charter (the “charter”) stated that it would share their personal information with multiple regions and recipients around the world. Zuo believed that Company A and Company B had unrestrictedly expanded the scope of countries and entities that could receive their personal information overseas in the charter. This prevented them from knowing in which countries and regions their personal information was processed by which overseas entities, and the two defendants had failed to provide them with convenient channels to withdraw authorization and exercise their rights. This constituted an infringement of Zuo’s personal information rights, leading them to file a lawsuit. 

What did the plaintiff ask for? 

Zuo requested that the court:

  1. Order the two defendants to provide all of the information on the recipients of Zuo’s personal information and to delete all of Zuo’s personal information;
  2. Order Company B to publicly compensate and apologize to Zuo through the WeChat official account;
  3. Order Company A to publicly compensate and apologize to Zuo through the app it operates; and
  4. Order the two defendants to compensate Zuo for economic losses, lost wages, lawyer fees, and so on. 

How did the defendants respond? 

The defendants argued that collecting, processing, and exporting Zuo’s personal information was a necessary activity for them to conclude and perform the member services and hotel booking services contract reached with Zuo. The defendants invoked Item 2, Clause 1 of Article 13 of the PIPL, which describes the conditions under which it is not necessary to obtain Zuo’s consent. 

Item 2, Clause 1 of Article 13 states that personal information processors may process personal information without obtaining consent from the individual if the processing is necessary for the conclusion and performance of a contract to which the individual is a party. 

According to the defendants, they had already obtained Zuo’s consent and confirmation to collect, process, and export Zuo’s personal information, fully protecting Zuo’s right to be informed and right to decide on the processing. 

Zuo’s lawsuit request is limited to realizing their right to know and right to delete. The court does not need to determine or rule on issues such as the legality, legitimacy, and necessity of the defendants’ export of personal information. 

The court’s key questions and rulings 

When deliberating the lawsuit, the court focused on three key issues: (i) whether the case was actionable; (ii) whether the defendants had infringed Zuo’s personal information rights; and (iii) whether the defendants should bear civil tort liability. 

After examining the facts and legal arguments, the court found that the case was actionable. It concluded that Company A had unlawfully processed Zuo’s personal information, thereby infringing their personal information rights, and should bear tort liability. As a result, Company A was ordered to issue a written apology to Zuo, both defendants were instructed to delete all of Zuo’s personal information and provide proof of deletion, and Company A was required to compensate Zuo RMB 20,000 (US$2,786) for economic loss. Zuo’s other claims were dismissed. 

Company A appealed, but the Guangzhou Intermediate People’s Court largely upheld the original judgment, except for vacating the deletion order on the basis that the defendants had already voluntarily complied. 

Case Summary
Disputes  Ruling  Explanation Legal basis 
Jurisdiction under Chinese law  Yes – The court accepted jurisdiction  The case involves cross-border processing of personal information of a natural person located in China  Article 3 of the PIPL; Article 44 of the Law on the Application of Law to Foreign-Related Civil Relations 
Actionability of the case  Yes – The case is actionable  Individuals may bring a lawsuit if a personal information processor unlawfully processes their personal information, without any prior procedure required  Article 50 of the PIPL; Article 1034 of the Civil Code; Article 2 of the PIPL; Article 1165 of the Civil Code; Article 69 of the PIPL 
Violation of plaintiff’s personal information rights  Yes – The court found infringement  Company A unlawfully processed and transferred Zuo’s personal information without consent, violating their rights  Article 17 of the PIPL; Articles 1034 and 1165 of the Civil Code; Article 69 of the PIPL 
Claims against Company B (other than deletion)  No – Not supported  No unlawful processing was found by Company B; disputed cross-border transfer was carried out by Company A  Article 17 of the PIPL 
Access to personal information  Yes – Granted  Both defendants submitted lists of overseas recipients during trial, satisfying the plaintiff’s access request  Article 17 of the PIPL 
Deletion of personal information  Yes – Granted  Both defendants ordered to delete all personal information of Zuo held by themselves and related recipients  Article 17 of the PIPL 
Public apology  No – Written apology only, not granted publicly  Company A’s apology should be written and sent directly to Zuo, reflecting scope, fault, and impact  Articles 998 and 1000 of the Civil Code; consideration of proportionality and customary practices under the PIPL 
Compensation for losses  Yes – Awarded RMB 20,000 from Company A  Based on Company A’s fault, extent of infringement, and specific use of personal information  Articles 998 and 1000 of the Civil Code; Article 69 of the PIPL 
Compensation from Company B  No – Not awarded  Company B did not unlawfully process personal information  Article 17 of the PIPL 

Why was the PIPL invoked for a case involving a foreign entity? 

The court ruled that the case involved a personal information protection dispute, and all the parties involved in the trial agreed that the case fell under the jurisdiction of Chinese law, including the PIPL. Under Article 3 of the PIPL, the law covers the processing of personal information outside China if it involves individuals located inside China, including “for the purpose of providing products or services to natural persons within the territory of the People’s Republic of China”. 

Further, according to Article 44 of the Law on the Application of Law to Foreign-Related Civil Relations, “the law of the place where the tort occurred shall apply to tort liability, but if the parties have a common habitual residence, the law of the common habitual residence shall apply. After the infringement occurs, if the parties agree on the applicable law, their agreement shall prevail”.

Why was the case found to be actionable? 

While the two defendants argued that the case was not actionable because Zuo did not directly file a lawsuit against them, the court ruled in favor of the plaintiff. 

The court held that an individual’s right to be informed and make a decision on the processing of their personal information is a fundamental position in the legal framework for personal information protection and is not on the same level as infringements of instrumental rights, such as the right to access and copy personal information.

Find Business Support
Ensure your ERP is compliant with China's personal information protection laws wit help from our IS team.

The court pointed to Article 50 of the PIPL, which requires personal information processors to “establish a convenient mechanism for accepting and processing applications from individuals to exercise their rights”, and grants individuals the right to file a lawsuit if a personal information processor denies a request to exercise their rights. 

The cause of action in this case derives from Zuo’s claim that their right to be informed and to make decisions about the processing of their personal information had been violated, as their data was allegedly placed in an unsafe position through the charter. On this basis, they asserted their rights to inquire about and delete their personal information. Thus, the lawsuit is premised on the infringement of their personal information rights and interests resulting from the defendants’ unlawful processing of their data, rather than merely being an action to exercise the rights of access and deletion. 

The protection of personal information is codified as a civil right under Article 1034 of the Civil Code and Article 2 of the PIPL, which both provide that the personal information of natural persons is protected by law. Pursuant to Article 1165 of the Civil Code, a person who infringes the civil rights and interests of another and causes damage shall bear tort liability. Article 69 of the PIPL further specifies that where the processing of personal information infringes personal information rights and interests and causes damage, the personal information processor shall bear tort liability unless they can prove they were not at fault, including compensation for damages. 

Moreover, when an individual brings a lawsuit claiming that a personal information processor’s unlawful conduct infringed upon their personal information rights and interests, there is no, nor should there be, any requirement for prior procedures. 

Why were the defendants found to be violating the plaintiff’s personal information rights? 

While the court held that the defendants’ collection of personal information in this case was necessary for hotel reservations and complied with legal provisions, it also ruled that the scope of information sharing violated legal provisions, and the purpose of information processing exceeded the requirements for contract performance. For these reasons, the defendants were required to provide enhanced information disclosure and obtain additional user consent for legal effect.

Find Business Support
Our virtual CIO service can accelerate connectivity between your Asia-based employees and your global organization - learn how.

During the proceedings, both defendants submitted “lists of overseas recipients and data transfers”, which identified the names, contact details, processing purposes, processing methods, and categories of personal information transmitted overseas. According to Company A’s list, personal information was transferred to seven overseas recipients located in France, Myanmar, the United Kingdom, the United States, the Netherlands, and Ireland, for purposes such as central reservation system management, processing individual bookings, customer service management, marketing communications, business analytics, and information storage. 

From the perspective of the recipients and geographic scope of cross-border personal information sharing, the court found that providing personal information to the hotel group’s commercial partners and marketing personnel was described in a vague and ambiguous manner, contrary to Article 17 of the PIPL, which requires personal information processors to inform individuals in a prominent, clear, truthful, accurate, and complete manner, covering: 

  • The processor’s name and contact information;
  • The purpose, method, type, and retention period of processing;
  • The methods for exercising statutory rights; and
  • Other matters required by law. 

The list of overseas recipients and data transfers submitted by the defendants also showed that, for “marketing communication purposes”, they transferred and processed information to a company located in the United States and Ireland. According to the court, this processing purpose clearly exceeded what is necessary for performing the contract and was conducted without obtaining the plaintiff’s consent. For this reason, the defendants’ processing activity lacked a legal basis under personal information law. 

As a result, the court determined that the defendants’ personal information processing infringed upon the personal information rights and interests of the plaintiff. 

How did the court rule on each of the plaintiff’s claims? 

Claims for compensation against Company B 

Not granted.

The court reviewed the overseas recipient and data transfer lists submitted by Company B and did not find any unlawful processing. Since the disputed cross-border data transfer was carried out by Company A, the plaintiff’s claims against Company B, beyond the requirement to delete their personal information, were not supported. 

Right to access personal information 

Claim granted. 

Both defendants submitted overseas recipient and data transfer lists to the court. Therefore, Zuo’s right to access their personal information had already been fulfilled, through the process of the trial.  

Right to delete personal information 

Claim granted.

The court granted the plaintiff’s claim to delete personal information. Both defendants were required to delete all of Zuo’s personal information held by themselves and any related recipients. 

Claim for apology from Company A 

Claim granted.

Under Article 998 of the Civil Code, when determining civil liability for infringement of personality rights (other than the right to life, body, and health), the court should consider factors such as the occupations of the parties, the scope of impact, the degree of fault, and the purpose, manner, and consequences of the act. Pursuant to Article 1000, where a person infringes personality rights, civil liability in the form of eliminating the impact, restoring reputation, or issuing an apology must be proportionate to the nature of the conduct and the extent of its impact.  

On this basis, the court ordered Company A to issue a written apology to Zuo rather than a public one, with the content subject to court approval. 

Claim for economic compensation from Company A 

Claim granted.

Taking into account the reasonableness and necessity of claimed costs, Company A’s fault in the case, the consequences of the infringement, and the specific use of the plaintiff’s personal information, the court awarded the plaintiff RMB 20,000 in economic compensation, including reasonable expenses. 

Key takeaways for foreign companies and MNCs 

For foreign companies and MNCs operating in China, this case highlights the importance of understanding how Chinese courts scrutinize the legal basis for processing personal information, particularly when it comes to obtaining consent and assessing the necessity of personal information processing for contract performance. As a judge for the Guangzhou Internet Court explained, when relying on user consent, courts assess not simply whether a user clicked “agree”, but whether the content and form of notice meet the standards set out in in Articles 7 and 17 of the PIPL.

Find Business Support
Does Your Business Need to File DPO Information With the CAC?

Specifically, Article 7 of the PIPL requires the processing of personal information to adhere to the principles of “openness and transparency”, and mandates processers publicize the rules for personal information processing, while clearly indicating the purpose, method, and scope of processing. If such “general” notice is insufficient, companies are expected to provide enhanced notice and obtain separate consent, especially for processing that falls outside users’ reasonable expectations or has a significant impact on their rights. 

Similarly, when invoking the necessity of personal information processing for the performance of a contract outlined in Article 13 of the PIPL, as the defendants did in this case, companies must demonstrate that processing is truly indispensable for the contract to be concluded and performed. The users must also have been informed during the negotiation stage of the reasons for the processing of certain data, not after the contract has been concluded. Courts will look at whether, in the context of the individual case, users could reasonably expect the data processing activity. In commercial practice, this often corresponds to standard business customs.  

Importantly, even when the contract performance basis applies, for example, to cross-border transfers involving identity card or credit card data, separate consent is not required if the processing is truly necessary to fulfill the contract, so long as appropriate prior notice has been given. 

Finally, the court emphasized that notice and consent in China is not a one-off event, but a continuing, interactive process throughout the personal information lifecycle. In dynamic digital business models, companies must continuously update users about new or changing processing activities and obtain updated consent where necessary. Judicial review will focus on whether users were able to make autonomous and informed choices about the entire lifecycle of personal information processing, particularly in cross-border scenarios.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.

Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.