China – Annual Review Of Cyber Security Compliance – Judicial Cases And New Developments.

30 January, 2020

 

Cyber life continued to be active and vigorous in 2019. The flow of new Internet products and services brought significant changes and challenges, both to our work and our lifestyles. Judicial cases involving cyber security and data economy increased in both number and type. 

 

1. In several security cases involving users’ personal information, network operators were required to bear the burden of proof to establish their non-infringement, the failing of which bore tort liability (as specified in Section I below);

 

2. Unfair competition lawsuits against Internet data crawling occurred frequently. Property rights or interests in data were generally recognized, and a misuse of web crawler and/or other technologies to crawl for the collection of data or the usage of data might be determined as unfair competition (as specified in Section II below);

 

3. Cloud services and other new network services raised new challenges to the determination of the tort liability to be borne by the network service platform operators. The ‘Notice-Delete’ principle may not apply to all network service providers. ‘Forward Notice’ to an extent may become an independent measure necessary for the exemption of network service providers (as specified in Section III below);

 

4. The use of new technologies poses an increase in insecurity and data compliance risk. It is a matter of urgency to reinforce industrial policies and regulations and promulgate specific laws and rules. Operators need to fully assess the relevant risks before using a new technology (as specified in Section IV below).

 

I. The burden of proof was required to be borne by the tortfeasor in personal information leakage cases

 

We noticed that in several cases1 initiated by individuals regarding infringement on right to privacy in accordance with the Tort Liability Law, which request the tortfeasor to bear the liability for leakage of personal information, judicial authorities require the tortfeasor to bear the burden of proof, e.g. Zhou Yuchan vs. Guangdong Quik Agel Ecommerce Co., Ltd.(“Quik”) Dispute over Network Tort Liability in 2019 ((2019) Yue 03 Min Zhong No. 3954) (“Quik Case”) as below.

 

1. Case Overview

 

Zhou Yuchan shopped on the ‘KKguan’ App operated by Quik. She requested to return the product through an online service, however was told that she could not return the product without giving a reason for the return.

 

The next day, Zhou Yuchan received a phone call from a person identifying herself as ‘Aftersales Employee Chu Chu’ and who then friended her on WeChat. ‘Aftersales Employee Chu Chu’ sent the shopping-related information (including the express tracking number, the consignee’s mobile phone number, the consignee’s address, time of payment, time of consignment, time of finish, method of payment, user ID, name of product, and price of product, etc.) to Zhou Yuchan. Zhou Yuchan mistook ‘Aftersales Employee Chu Chu’ as a staff member of KKguan’. She sent her account name, account number and other personal information to ‘Aftersales Employee Chu Chu’ and then suffered a loss of property.

 

Both the trial court and the appeal court held that Zhou Yuchan, as an ordinary consumer, had no capacity to provide proof establishing whether there was a bug in Quik’s internal data and information management system.

 

Therefore, from an objective perspective, Quik should bear the burden of proof to establish that it had not committed an information leakage. Quik alleged that they sent the entire package of shopping-related information to the suppliers, express services and other third parties, therefore, the possibility could not be ruled out that one of these third parties leaked Zhou Yuchan’s information. In response to this allegation, the trial court held that, firstly, Quik was unable to prove the leakage of the information was caused by a third party; and secondly, the information was more likely to be leaked during the transmission of the whole package of the shopping-related information to the third parties. In conclusion, under the circumstance that all the other possible leakages had been ruled out, it could be determined that the information leakage was caused by Quik’s negligence and Quik should bear tort liability for such negligence.

 

2. Compliance Implication

 

No statutory provision directly stipulates that the burden of proof should be inversed in the case of personal information leakage by a network operator, but the judges in many cases including Quik Case, held that technically, the user as an individual has much less capacity to provide evidence, and it is difficult for them to know or provide evidence for the information management breach or for the information leakage committed by the network operator. Therefore, the network operator should provide evidence to prove that the user’s personal information leakage was not the result of their actions or was resulted by a third party, failing which the network operator may be determined as being responsible for the user’s personal information leakage and having committed a civil tort based on the balance of probability in a civil action.

 

In this situation, the network operators, especially those receiving and processing massive amounts of users’ personal information, should establish a stronger data and cyber compliance system in order to prevent and respond to data leakage and litigation risk. The network operators may consider the following measures to minimize risks: (1) establish a thorough internal control system for personal information protection; (2) carry out assessments and registrations under the classified cyber security protection system; (3)  improve the mode of data-related cooperation with others, and to make strong efforts to manage the compliance and agreements of or with the suppliers; and (4) keep proper records of compliance works and data processing activities, and to improve their capacity to provide evidence in potential litigation risks.

 

II. Data scrapping may constitute unfair competition

 

Under the current market environment, data is more and more valued as a type of strategic asset, and more disputes related to ownership or use of data have been raised.

 

There is no express provision with respect to the rights or interests in or to data under the existing Chinese law. It is provided in Article 127 of the General Rules on the Civil Law that, “if there are statutory provisions on the protection of data and virtual property, such statutory provisions shall apply”, which leaves the door for property rights of data by such ambiguous regulation. In judicial practice, the Anti- Unfair Competition Law becomes the main legal basis governing a dispute over the ownership of data, e.g. the lawsuit initiated by Micro Dream against Foyo for unfair competition in 2019 (Case No.: (2019) Jing 73 Min Zhong No. 2799)2 as below.

 

1. Case Overview

 

Micro Dream Network Technology (China) Co., Ltd. (“Micro Dream”) initiated a lawsuit against Foyo Culture & Entertainment Co., Ltd. (“Foyo”) for unfair competition, alleging that: Micro Dream was the operator of and service provider for www.weibo.com; without authorization, Foyo scrapped the content of a celebrity’s Weibo, created a ‘Weibo theme’ in a celebrity’s account on the ‘Foyo(饭友)’ App, and embedded the interface of the celebrity’s Weibo account in this theme. They displayed the interfaces, contents and all the other data of the celebrity’s Weibo; Foyo also maliciously blocked certain functions of Weibo and added some functions of its own when using Weibo’s data; therefore, the behavior of Foyo violated the “good faith” principle and generally accepted business ethics, and constituted an unfair competition. Both the trial court and the appeal court upheld Micro Dream’s allegations and ordered the defendant to make a public statement and pay RMB 2.1 million as economic compensation and indemnification for reasonable expenses in total.

 

Regarding acknowledgement of the rights and interests in or to data, the court held that: Micro Dream, as a social media platform, designed software interfaces and information layout and provided satisfactory contents and experiences to the users; also, as the operator of Weibo, Micro Dream was entitled to the rights and interests in or to all of Weibo’s frontend and backend data and to use Weibo as an ecological chain for commercial interest; therefore, Micro Dream had the right to make a claim against any illegal scrapping and use of data from Weibo.

 

Foyo(饭友) App grabbed some of the potential user flow from Micro Dream, and  scrapped the backend data. The scrapping of this backend had to bypass or sabotage Micro Dream’s technical protection system. Therefore, the scrapping and use of such data by the defendant infringed the exclusive rights and interests of Micro Dream in or to such data. The court ruled that the scrapping of data from Weibo and the displaying them on the Foyo(饭友) App was improper and constituted unfair competition.

 

2. Compliance Implication

 

Generally, the court will recognize the property rights or interests of an Internet company in or to the frontend and backend data of their products. If a competitor takes data from an Internet platform by illegal means (such as scrapping data by bypassing anti-crawling systems) or using data outside the scope of authorization, such behavior is very likely to be determined as being improper and having constituted an unfair competition.

 

We suggest that network operators avoid the improper acquisition of a third party’s data on the one hand and take measures to protect their own rights and interests in or to data on the other hand. Network operators may consider the following compliance and protection measures:

 

(1) in the agreements related to the use of data, they should expressly set forth their claims for the rights and interests in or to the data, and set up a robot protocol;

 

(2) according to the actual business requirement, pay more attention to abnormal situation of IP address and other data, and use anti-crawling technologies; and

 

(3) fully analyze the risks that may arise from the acquisition or use of non-self-owned data.

 

III. Judicial cases on the liabilities of cloud services providers

 

As the Internet, big data, cloud computation and other technologies innovate from time to time, more new network services, for example, cloud services, are emerging in the market. Such new network services have imposed a new challenge to the determination of the category of the traditional network service platform operators and their tort liability: in the case of any infringing content in the cloud service provided by a network service platform operator, how should we determine its legal position and tort liability? Should Article 36 of the Tort Liability Law apply?  We shall use the first case of an infringement by cloud service (Dispute between Alibaba Cloud Computing Co., Ltd. and Beijing Locojoy Technology Ltd. over infringement of the right to disseminate works or information via network ((2017) Jing 73 Min Zhong No. 1194)) as examples to explain this issue.

 

1. Case Overview

 

Beijing Locojoy Technology Ltd. (“Locojoy”) owns the copyright to game software named “My Name Is MTonline (我叫MTonline)”. In 2015, Locojoy found that the www.callmt.com website provided a service to download an iOS version and an Android version of a game called “My Name Is MT (Free Version)( 我叫MT畅爽版)” and the relevant payment services (collectively the “Infringing Games”) without authorization. After investigation, Locojoy found that the content of the Infringing Games was saved on Ali Cloud’s server, and the relevant game services were also provided to the users through such server. In October, 2015, Locojoy sent three notices to Alibaba Cloud Computing Co., Ltd. (“AliCloud”), requiring it to delete the Infringing Games and provide the information of the person who leased the server. But AliCloud only forwarded such notices to the user but has not deleted the Infringing Games. The trial court held that, although the cloud server provider was not required to review whether the content saved in the server is infringing, if the rights or interests of a person was damaged as a result of its service, it should take measures to help such person to protect his/her rights or interests. Therefore, the trial court ruled that AliCloud has committed an infringement. The court of appeal held that the lease of cloud server is to provide basic condition for the user to connect to internet under a traditional mode, excluding any service for higher-level content; the callmt.com website is the direct controller of information and data, while Ali Cloud only has the technical capacity to shut down the cloud server or evacuate space in the cloud server, but could not directly control the specific content saved at the cloud server leased by it; therefore, the “Forward Notice” done by AliCloud was a reasonable action. In the end, the court of appeal overthrew the judgment of first instance and ruled that AliCloud has committed no infringement.

 

2. Compliance Implication

 

The services provided by the cloud service is regarded as basic network service; AliCloud could not directly and accurately control the content in the cloud server; and AliCloud is not subject to the ‘Notice-Delete’ principle under the Regulations on Protection of the Right to Disseminate Information via Network, and also that the actual ‘Forward Notice’ itself may have already constituted a necessary action under Tort Liability Law; however, individual case could not establish a general rule, and also whether ‘Forward Notice’ itself constitutes a ‘necessary action’ under Article 36 of the Tort Liability Law remains uncertain.

 

IV. New technology applications caused controversy

 

Technology is developing extremely rapidly. Some new technologies are very controversial in terms of privacy and security. An example of this is with respect to facial recognition; so far no statutory provision has been promulgated on the commercial applications of facial recognition technology in China. However, facial features that are collected by facial recognition technology is very sensitive personal information governed by personal information protection laws. A lawsuit initiated by a customer called Guo against a Safari Park for the improper collection of their facial image remains controversial and the case is discussed below.  

 

1. Case Overview

 

In April, 2019, Mr. Guo, a college teacher, bought an annual pass from a Safari Park (“Safari Park”). The Safari Park undertook that they would check both the annual pass and the fingerprint of the tourist who held the annual pass within the valid term for admission. In October, 2019, Mr. Guo received a text message from the Safari Park, notifying him that they had launched a facial recognition system and no tourists could be admitted to the Safari Park without facial recognition. Guo was unwilling to have his facial image collected due to privacy considerations and requested a refund of the annual pass, but this was refused by the Safari Park. Guo then initiated a lawsuit against the Safari Park. This case is still pending for trial.

 

This case was the first lawsuit involving facial recognition in China, but it was not the first controversy over facial recognition technology. In September, 2019, a university installed facial recognition access control devices to record attendance and monitor students in class. This caused a large public controversy. In September, 2019, a deep-fake software used AI technology to replace a person in a film, TV drama or video with the photo of a face uploaded by a user, so as to produce a clip of a video in which the user was the hero. On September 3, with respect to the non-compliance of users’ privacy policy, data leakage risk and other cyber data security related risks of such App, MIIT interviewed some officers and ordered them to collect and use the users’ personal information in accordance with the applicable laws and regulations and take stronger measures to protect cyber data and users’ personal information.

 

2. Compliance Implication 

 

Many new technologies are not mature themselves; therefore there is no well-established mode for prevention of their potential compliance risk in practice or for cooperative arrangements with third parties. Considering the rapid development of technologies, we suggest that the operators using new technologies should

 

(1) conduct full technical and legal assessments on the compliance of new technologies, and take or establish a series of measures and systems to minimize their legal risks;

 

(2) during the cooperation with third parties, carefully assess their technical capacity and cyber security protection capacity, and execute strict confidentiality agreements with them to set forth responsibilities for data security;

 

(3) adopt strict risk controls and public strategies in trial operation; and

 

(4) adjust the compliance measures in response to the problems found in operation.