Publications | 23 December 2016

China data privacy policy case implications for browse wrap and implied consent

On 12 October 2016, Hangzhou West Lake District People's Court issued its decision concerning the enforceability of a data privacy policy forming part of the Alibaba's Taobao user agreement.  This ruling was recently made public and is an important one given how it puts data privacy policy terms under the spot-light and raises broader implications for contracting in the mobile and online space.  Although the court issuing the judgment is relatively low in China's overall judicial hierarchy, the scarcity of cases in China addressing data privacy policies makes this judgment (in particular, what can be read between its lines) well worth noting.  In particular, the decision can be seen as an implicit endorsement of the "browse wrap" approach to implied consent to contract terms and privacy policies that is widely used in the online and mobile contexts in China as elsewhere in the world.

Background

The plaintiff, Zhou Wangchun, a user of Alibaba's Taobao e-commerce app, filed a lawsuit against Alibaba in October 2015, alleging that the data privacy policy forming part of Alibaba's Taobao Cellphone Software Licensing Agreement ("User Agreement") infringed users' privacy and impaired social and public interests.  The court ruled in favor of Alibaba and rejected the plaintiff's claims.

Issue 1 – validity of user data licence

The first claim addressed by the Hangzhou court was whether Article 7(1) of the User Agreement was valid.  That clause obliges the users to grant Alibaba and its affiliates an exclusive, world-wide, irrevocable, royalty-free license to use all materials and data provided by the user when they use Taobao.  Mr. Zhou claimed that this was a standard form clause and it infringed upon his right to freedom of communication, his rights of personality, and his right to privacy.  Mr. Zhou further claimed that this clause harmed social and public interests by authorizing Alibaba to publish the data of over 200 million Chinese users on a worldwide basis.  By way of background, under the Contract Law, a standard form clause can be invalidated if it exempts the party providing the standard clause from liability, or increases the liabilities or deprives the principal rights of the other party (although the Contract Law and certain Supreme People's Court interpretations outline ways to make such clauses fair and enforceable).

In its defence, Alibaba argued that Article 7(1) should be read together with the other provisions in the User Agreement, in particular Articles 6(2) and 6(3) which require Alibaba to keep users' private personal data confidential and not disclose it without notifying the users.  Further, Alibaba argued that the use of standard form agreements in this way is an industry common practice for online and mobile services.  In the User Agreement "private personal data" is broadly defined as data which can be used to identify a specific user or data related to a user's contact details, such as ID number, cellphone number, IP address and UDID.

In its judgment, the court held Article 7(1) to be valid.  The court agreed with Alibaba that, when Article 7(1) was read in conjunction with Articles 6(2) and 6(3), the scope of data that Alibaba was licensed to use under Article 7(1) did not include "private personal data" and as such, there was no infringement upon Mr. Zhou's right to freedom of communication, his rights of personality or his right to privacy.  Further, the court rejected Mr. Zhou's request to invalidate Article 7(1) under the standard form clause plea as it did not exempt the party providing the standard clause from liability; did not increase the liabilities of the other party, or did not deprive the other party of its principal rights.

Issue 2 – perpetual data retention

The second and the third claims were interwoven.  The second claim questioned the validity of Article 6(5) of the User Agreement, which confers on Alibaba the right to keep user data indefinitely following termination.  The third claim was that the User Agreement was deficient in not granting Mr. Zhou the right to have data generated during his usage of the app erased.  By way of background, under Article 54 of the Contract Law, an agreement may be invalidated by the court under certain circumstances (namely, if the contract was entered into as the result of a major mistake, or was manifestly unconscionable at the time it was entered into, or was entered into contrary to a party's true intentions through fraud, coercion or taking advantage of the party's vulnerability).  In its defence, Alibaba argued that this clause was not in breach of Article 54 of the Contract Law and should not be invalidated, and that Alibaba has no obligation to delete Mr. Zhou's data.  

In its judgment, the court held that Mr. Zhou had not made out a claim under Article 54 of the Contract Law.  The court further held that there was no legal basis to support Mr. Zhou's request to have Alibaba delete the data generated during Mr. Zhou's usage of the app, as the retention of Mr. Zhou's data was not in violation of any laws or regulations, nor did it violate the parties' agreed method of collection and use of such data.  It is interesting to note that unlike the Baidu case (see here), the court did not take into account the non-binding standard, the 2013 China Standardization Administration’s Guidelines of Personal Information Protection within Information System for Public and Commercial Services on Information Security Technology ("Guidelines").  The Guidelines specifically state that personal information should be immediately deleted where the data subject has legitimate reasons to request that his or her personal information be deleted.  This tends to show that the court did not find even any persuasive value in the Guidelines.

Reading between the lines – "browse wrap" and implicit consent 

The ruling in this case is significant not just for the issues expressly considered in the reasons, but also for the court's apparent endorsement of practices which are typical in the industry for achieving consumer acceptance of terms and conditions and taking data protection consents in the online and mobile contexts. 

It appears from the judgment that the User Agreement did not require Mr. Zhou's explicit consent for the collection and use of his data, for example by presenting an empty tick-box by which he could explicitly acknowledge his agreement to the User Agreement at the time of downloading the app. Further, the User Agreement provides that once a user downloads and uses the software, the user is deemed to have accepted the terms and conditions of the User Agreement, including the privacy policy.   The approach of deemed acceptance of terms by virtue of use is known as "browse wrap." The usage of "browse wrap" is widespread.  Internet companies are generally reluctant to implement more rigorous contract formation procedures on the basis that members of the cyberspace community lack any ability to interact and negotiate contractual terms with each other; hence more formal procedures would impede internet-user activity, disrupt the user experience and deter consumers from using the service.

The court did not raise any question or make any comment on this "browse wrap" approach to obtain users' consent. Reading between the lines then, the court appears to be acknowledging that the "browse wrap" approach to consumer acceptance of standard-form agreements is valid under Chinese law.  It also shows that the court is in sync with China's agenda to develop a mature e-commerce environment.

Implications for businesses

The importance of online and mobile marketing and sales cannot be underestimated in the Chinese context, where e-commerce volumes now reportedly exceed RMB1 trillion every quarter. 

Securing binding and enforceable terms and conditions is important from a risk management perspective, and in the "big data" era, information about your consumers is an increasingly valuable asset and so data privacy policies must work.

The Hangzhou court's judgment is a helpful step forward in clarifying these issues in the Chinese context. 

There is however much to watch for in terms of further development.  With the passage of the Cyber Security Law, which comes into effect 1 June, 2017, operators of "critical information infrastructure" will be required to store personal information and other important data within China (see here).

Further, the Cyberspace Administration of China is reportedly drafting a standard on personal data collection norms, expected to be released for comments before the end of this year.

The only certainty at this stage is that your business's internet presence in China will need to be carefully and continuously assessed as the regulatory landscape evolves.

Download PDF Back To Listing