Case update on personal data and privacy infringement in China: The WeRead case – does a one-size-fit-all model still work?

Introduction

In our previous articles, we have discussed the remarkable transformation of the personal information protection legal regime in China since the introduction of the PRC Cybersecurity Law and administrative guidelines such as the National Standard “Information Security Technology – Personal Information Security Specification” (信息安全技术-个人信息安全规范) (“PIS National Standard”). Enforcement actions have become regular headlines in the local news. As the public becomes more sensitive to protecting their personal information and privacy rights, an increasing number of civil law suits have been brought, allowing the Chinese Courts to explain the key personal information protection principles and practices.

On 30 July 2020, the Beijing Internet Court rendered a first-instance judgment in Huang v. Tencent Technology (Shenzhen) Co., Ltd. and Guangzhou Branch and Tencent Technology (Beijing) Co., Ltd. (“WeRead Case”), which addresses some common personal data and privacy issues that businesses should take heed of, especially when operating mobile applications in China. This article highlights some of the key takeaways from the WeRead Case.

Background

Soon after subscribing to Tencent’s WeRead (微信阅读) mobile application service, it came to the plaintiff’s attention that the reading data of his friends on WeChat (another mobile application offered by Tencent) could be viewed under the “My Subscriptions” and “Others’ Subscriptions” columns on the WeRead application, even though he did not make or allow such subscriptions. The plaintiff sued Tencent for infringing his personal data and privacy rights. The plaintiff alleged that Tencent infringed his rights via a bundled consent, mandating the collection of his WeChat friends list upon the initial registration of his WeRead account. Moreover, the WeRead application automatically activated the functions of following and publicly sharing his reading habits with his WeChat friends, without obtaining proper informed consent. The Court upheld the plaintiff’s claim and ordered Tencent to, among other things, delete and stop collecting and using the plaintiff’s WeChat friends list on WeRead, and also to stop sharing the plaintiff’s reading data with his WeChat friends on WeRead

(1)   Are “WeChat friends list” and “reading data” personal data and/or matters of privacy?

The Court reasoned that although a WeChat friends list and reading data (including reading duration, history and habits) are not the typical types of personal data mentioned in the PRC Cybersecurity Law, they can qualify as “personal data”. It referred to the PIS National Standard which has expanded the definition of “personal data” to cover “data reflecting the activities of a particular natural person”.

However, the Court viewed that whether or not a WeChat friends list and reading data can qualify as matters of “privacy” under the PRC General Principles of Civil Law, would depend on the actual context. In the WeRead Case, the Court ruled that a WeChat friends list and reading data are not protectable as “privacy” as they lack the required “secrecy”. The Court referenced concepts set out in the PRC Civil Code which will come into force in January 2021. In its view, the two books read by the plaintiff and disclosed to his WeChat friends with the titles “Good mother is better than good teacher” and “So-called high EQ means speaking properly” are not something secret and non-disclosable by nature.

(2)   Would collection and use of the plaintiff’s personal data constitute infringement?

The Court next considered whether Tencent infringed the plaintiff’s personal data rights through bundling the consent for collecting and using the plaintiff’s own personal data and his WeChat friends list. The Court held that obtaining consent in this manner did not constitute infringement, per se, because unlike applications such as WeChat which has become an indispensable communication tool, there are alternatives to WeRead and users who do not wish to disclose their WeChat friends list to WeRead, may opt for replacements.

However, the Court held that Tencent had infringed the plaintiff’s personal data rights by automatically activating the functions of following and publicly sharing his reading habits with his WeChat friends. The Court commented that general users would not have reasonably expected that their WeChat friends lists would also be used on WeRead by default. Tencent was not “reasonably transparent” in its terms and conditions that his WeChat friends list would be used in this manner; Tencent should have obtained express consent and prominently drawn to the plaintiff’s attention about how his WeChat friends list and reading habits would be used before the automatic activation of such functions.

Why does it matter to you?

As the Civil Code will soon be implemented, we expect that more robust court actions will be filed by individuals asserting personal data and privacy infringement against businesses. In fact, on the same day  the judgment in the WeRead Case was rendered, the Court also issued another unpublished judgment in relation to a civil claim against the operator of the mobile application TikTok  According to media reports, TikTok was held liable for infringing the plaintiff’s personal data by misusing the user’s name, mobile phone number and social relationship, in offering personalized recommendations of friends to follow, and also by collecting the user’s geographical location, without obtaining informed consent.

Here are some key takeaways from the WeRead Case:-

(1) “Behavioural data”, such as reading data in the WeRead Case, is commonly collected and used in the context of mobile applications. It is now settled that behavioural data would generally be regarded as personal data, and therefore, businesses are recommended to comply with the applicable personal data protection obligations when collecting, using or handling such data.

(2) Consistent with the approach of the PRC Civil Code coming into force in January 2021, the Court in the WeRead Case examined whether there is infringement of personal data and privacy separately. It remains unclear what the practical implications of such a distinction are (e.g. whether a higher amount of damages would be granted where there is infringement of both personal data and privacy rights). In any event, businesses should bear in mind that data such as an undisclosed criminal record, which not only intrudes on one’s privacy, may also qualify as “sensitive personal data”, which requires a higher level of treatment and protection under the PIS National Standard. For instance, the rules of collection and use of “sensitive personal data” referenced in a privacy policy, should be prominently displayed and express consent must be sought.

(3) Balancing customers’ experience and compliance risk is more of an art than a science. It is understandable that businesses are inclined to prioritize customers’ experience in using their mobile applications and, therefore, are minded to minimize the “disruption” to the customers that would be caused by, for instance, obtaining a valid informed consent. However, the WeRead Case clearly demonstrates the adverse consequences if such steps are not properly taken. Also, businesses should not take it for granted that intra-group sharing of personal data is, by itself, justified. The key is to be “reasonably transparent” in your practice.

It can be distilled from these cases that the Chinese courts will thoroughly examine the actual operation of mobile applications in determining personal data infringement and liability, especially how they collect and use the personal data of users.  Therefore, it begs the question of whether a “one-size-fit-all” model of collecting and processing personal data is still suitable for managing compliance risks. Businesses are recommended to work closely together with different stakeholders to review and refine their practices to embrace the challenges and opportunities brought about by the collection and use of personal data.