Annual Review of Cyber Security Compliance——Judicial Cases M88 app New Developments

Cyber life continued to be active M88 app vigorous in 2019. The flow of new Internet products M88 app services brought significant changes M88 app challenges, both to our work M88 app our lifestyles. Judicial cases involving cyber security M88 app data economy increased in both number M88 app type.

1. In several security cases involving users’ personal information, network operators were required to bear the burden M88 app proM88 app to establish their non-infringement, the failing M88 app which bore tort liability (as specified in Section I below);

2. Unfair competition lawsuits against Internet data crawling occurred frequently. Property rights or interests in data were generally recognized, M88 app a misuse of web crawler M88 app/or other technologies to crawl for the collection of data or the usage of data might be determined as unfair competition (as specified in Section II below);

3. Cloud services M88 app other new network services raised new challenges to the determination of the tort liability to be borne by the network service platform operators. The ‘Notice-Delete’ principle may not apply to all network service providers. ‘Forward Notice’ to an extent may become an independent measure necessary for the exemption of network service providers (as specified in Section III below);

4. The use of new technologies poses an increase in insecurity M88 app data compliance risk. It is a matter of urgency to reinforce industrial policies M88 app regulations M88 app promulgate specific laws M88 app rules. Operators need to fully assess the relevant risks before using a new technology (as specified in Section IV below).

I. The burden M88 app proM88 app was required to be borne by the tortfeasor in personal information leakage cases

We noticed that M88 app several cases¹initiated by individuals regarding infringement on right to privacy in accordance with the Tort Liability Law, which request the tortfeasor to bear the liability for leakage M88 app personal information, judicial authorities require the tortfeasor to bear the burden M88 app proM88 app, e.g. Zhou Yuchan vs. Guangdong Quik Agel Ecommerce Co., Ltd.(“Quik”) Dispute over Network M88 apprt Liability in 2019 ((2019) Yue 03 Min Zhong No. 3954) (“Quik Case”) as below.

1. Case Overview

Zhou Yuchan shopped on the ‘KKguan’ App operated by Quik. She requested to return the product through an online service, however was told that she could not return the product without giving a reason for the return. The next day, Zhou Yuchan received a phone call from a person identifying herself as ‘Aftersales Employee Chu Chu’ M88 app who then friended her on WeChat. ‘Aftersales Employee Chu Chu’ sent the shopping-related information (including the express tracking number, the consignee’s mobile phone number, the consignee’s address, time of payment, time of consignment, time of finish, method of payment, user ID, name of product, M88 app price of product, etc.) to Zhou Yuchan. Zhou Yuchan mistook ‘Aftersales Employee Chu Chu’ as a staff member of KKguan’. She sent her account name, account number M88 app other personal information to ‘Aftersales Employee Chu Chu’ M88 app then suffered a loss of property.

Both the trial court M88 app the appeal court held that Zhou Yuchan, as an ordinary consumer, had no capacity to provide proof establishing whether there was a bug in Quik’s internal data M88 app information management system. Therefore, from an objective perspective, Quik should bear the burden of proof to establish that it had not committed an information leakage. Quik alleged that they sent the entire package of shopping-related information to the suppliers, express services M88 app other third parties, therefore, the possibility could not be ruled out that one of these third parties leaked Zhou Yuchan’s information. In response to this allegation, the trial court held that, firstly, Quik was unable to prove the leakage of the information was caused by a third party; M88 app secondly, the information was more likely to be leaked during the transmission of the whole package of the shopping-related information to the third parties. In conclusion, under the circumstance that all the other possible leakages had been ruled out, it could be determined that the information leakage was caused by Quik’s negligence M88 app Quik should bear tort liability for such negligence.

2. Compliance Implication

No statutory provision directly stipulates that the burden of proof should be inversed in the case of personal information leakage by a network operator, but the judges in many cases including Quik Case, held that technically, the user as an individual has much less capacity to provide evidence, M88 app it is difficult for them to know or provide evidence for the information management breach or for the information leakage committed by the network operator. Therefore, the network operator should provide evidence to prove that the user’s personal information leakage was not the result of their actions or was resulted by a third party, failing which the network operator may be determined as being responsible for the user’s personal information leakage M88 app having committed a civil tort based on the balance of probability in a civil action.

In this situation, the network operators, especially those receiving M88 app processing massive amounts of users’ personal information, should establish a stronger data M88 app cyber compliance system in order to prevent M88 app respond to data leakage M88 app litigation risk. The network operators may consider the following measures to minimize risks: (1) establish a thorough internal control system for personal information protection; (2) carry out assessments M88 app registrations under the classified cyber security protection system; (3) improve the mode of data-related cooperation with others, M88 app to make strong efforts to manage the compliance M88 app agreements of or with the suppliers; M88 app (4) keep proper records of compliance works M88 app data processing activities, M88 app to improve their capacity to provide evidence in potential litigation risks.

II. Data scrappM88 appg may constitute unfair competition

Under the current market environment, data is more M88 app more valued as a type of strategic asset, M88 app more disputes related to ownership or use of data have been raised.

There is no express provision with respect to the rights or interests in or to data under the existing Chinese law. It is provided in Article 127 of the General Rules on the Civil Law that, “if there are statutory provisions on the protection of data M88 app virtual property, such statutory provisions shall apply”, which leaves the door for property rights of data by such ambiguous regulation. In judicial practice, the Anti- Unfair Competition Law becomes the main legal basis governing a dispute over the ownership of data, e.g. the lawsuit initiated by Micro Dream against Foyo for unfair competition in 2019 (Case No.: (2019) Jing 73 Min Zhong No. 2799)²as below.

1. Case Overview

Micro Dream Network Technology (ChM88 appa) Co., Ltd. (“Micro Dream”) M88 appitiated a lawsuit agaM88 appst Foyo Culture & EntertaM88 appment Co., Ltd. (“Foyo”) for unfair competition, alleging that: Micro Dream was the operator of M88 app service provider for www.weibo.com; without authorization, Foyo scrapped the content of a celebrity’s Weibo, created a ‘Weibo theme’ in a celebrity’s account on the ‘Foyo(饭友)’ App, M88 app embedded the interface of the celebrity’s Weibo account in this theme. They displayed the interfaces, contents M88 app all the other data of the celebrity’s Weibo; Foyo also maliciously blocked certain functions of Weibo M88 app added some functions of its own when using Weibo’s data; therefore, the behavior of Foyo violated the “good faith” principle M88 app generally accepted business ethics, M88 app constituted an unfair competition. Both the trial court M88 app the appeal court upheld Micro Dream’s allegations M88 app ordered the defendant to make a public statement M88 app pay RMB 2.1 million as economic compensation M88 app indemnification for reasonable expenses in total.

Regarding acknowledgement of the rights M88 app interests in or to data, the court held that: Micro Dream, as a social media platform, designed software interfaces M88 app information layout M88 app provided satisfactory contents M88 app experiences to the users; also, as the operator of Weibo, Micro Dream was entitled to the rights M88 app interests in or to all of Weibo’s frontend M88 app backend data M88 app to use Weibo as an ecological chain for commercial interest; therefore, Micro Dream had the right to make a claim against any illegal scrapping M88 app use of data from Weibo.

Foyo(饭友) App grabbed some of the potential user flow from Micro Dream, M88 app scrapped the backend data. The scrapping of this backend had to bypass or sabotage Micro Dream’s technical protection system. Therefore, the scrapping M88 app use of such data by the defendant infringed the exclusive rights M88 app interests of Micro Dream in or to such data. The court ruled that the scrapping of data from Weibo M88 app the displaying them on the Foyo(饭友) App was improper M88 app constituted unfair competition.

2. Compliance Implication

Generally, the court will recognize the property rights or interests of an Internet company in or to the frontend M88 app backend data of their products. If a competitor takes data from an Internet platform by illegal means (such as scrapping data by bypassing anti-crawling systems) or using data outside the scope of authorization, such behavior is very likely to be determined as being improper M88 app having constituted an unfair competition.

We suggest that network operators avoid the improper acquisition of a third party’s data on the one hM88 app M88 app take measures to protect their own rights M88 app interests in or to data on the other hM88 app. Network operators may consider the following compliance M88 app protection measures: (1) in the agreements related to the use of data, they should expressly set forth their claims for the rights M88 app interests in or to the data, M88 app set up a robot protocol; (2) according to the actual business requirement, pay more attention to abnormal situation of IP address M88 app other data, M88 app use anti-crawling technologies; M88 app (3) fully analyze the risks that may arise from the acquisition or use of non-self-owned data.

III. Judicial cases on the liabilities M88 app cloud services providers

As the Internet, big data, cloud computation M88 app other technologies innovate from time to time, more new network services, for example, cloud services, are emerging in the market. Such new network services have imposed a new challenge to the determination of the category of the traditional network service platform operators M88 app their tort liability: in the case of any infringing content in the cloud service provided by a network service platform operator, how should we determine its legal position M88 app tort liability? Should Article 36 of the Tort Liability Law apply? We shall use the first case of an infringement by cloud service (Dispute between Alibaba Cloud Computing Co., Ltd. M88 app Beijing Locojoy Technology Ltd. over infringement of the right to disseminate works or information via network ((2017) Jing 73 Min Zhong No. 1194)) as examples to explain this issue.

1. Case Overview

Beijing Locojoy Technology Ltd. (“Locojoy”) owns the copyright to game software named “My Name Is MTonline (我叫MTonline)”. In 2015, Locojoy found that the www.callmt.com website provided a service to download an iOS version and an Android version of a game called “My Name Is MT (Free Version)( 我叫MT畅爽版)” and the relevant payment services (collectively the “Infringing Games”) without authorization. After investigation, Locojoy found that the content of the Infringing Games was saved on Ali Cloud’s server, and the relevant game services were also provided to the users through such server. In October, 2015, Locojoy sent three notices to Alibaba Cloud Computing Co., Ltd. (“AliCloud”), requiring it to delete the Infringing Games and provide the information of the person who leased the server. But AliCloud only forwarded such notices to the user but has not deleted the Infringing Games. The trial court held that, although the cloud server provider was not required to review whether the content saved in the server is infringing, if the rights or interests of a person was damaged as a result of its service, it should take measures to help such person to protect his/her rights or interests. Therefore, the trial court ruled that AliCloud has committed an infringement. The court of appeal held that the lease of cloud server is to provide basic condition for the user to connect to internet under a traditional mode, excluding any service for higher-level content; the callmt.com website is the direct controller of information and data, while Ali Cloud only has the technical capacity to shut down the cloud server or evacuate space in the cloud server, but could not directly control the specific content saved at the cloud server leased by it; therefore, the “Forward Notice” done by AliCloud was a reasonable action. In the end, the court of appeal overthrew the judgment of first instance and ruled that AliCloud has committed no infringement.

2. Compliance Implication

The services provided by the cloud service is regarded as basic network service; AliCloud could not directly M88 app accurately control the content in the cloud server; M88 app AliCloud is not subject to the ‘Notice-Delete’ principle under the Regulations on Protection of the Right to Disseminate Information via Network, M88 app also that the actual ‘Forward Notice’ itself may have already constituted a necessary action under Tort Liability Law; however, individual case could not establish a general rule, M88 app also whether ‘Forward Notice’ itself constitutes a ‘necessary action’ under Article 36 of the Tort Liability Law remains uncertain.

IV. New technology applications caused controversy

Technology is developing extremely rapidly. Some new technologies are very controversial in terms of privacy M88 app security. An example of this is with respect to facial recognition; so far no statutory provision has been promulgated on the commercial applications of facial recognition technology in China. However, facial features that are collected by facial recognition technology is very sensitive personal information governed by personal information protection laws. A lawsuit initiated by a customer called Guo against a Safari Park for the improper collection of their facial image remains controversial M88 app the case is discussed below.

1. Case Overview

In April, 2019, Mr. Guo, a college teacher, bought an annual pass from a Safari Park (“Safari Park”). The Safari Park undertook that they would check both the annual pass M88 app the fingerprint of the tourist who held the annual pass within the valid term for admission. In October, 2019, Mr. Guo received a text message from the Safari Park, notifying him that they had launched a facial recognition system M88 app no tourists could be admitted to the Safari Park without facial recognition. Guo was unwilling to have his facial image collected due to privacy considerations M88 app requested a refund of the annual pass, but this was refused by the Safari Park. Guo then initiated a lawsuit against the Safari Park. This case is still pending for trial.

This case was the first lawsuit involving facial recognition in China, but it was not the first controversy over facial recognition technology. In September, 2019, a university installed facial recognition access control devices to record attendance M88 app monitor students in class. This caused a large public controversy. In September, 2019, a deep-fake software used AI technology to replace a person in a film, TV drama or video with the photo of a face uploaded by a user, so as to produce a clip of a video in which the user was the hero. On September 3, with respect to the non-compliance of users’ privacy policy, data leakage risk M88 app other cyber data security related risks of such App, MIIT interviewed some officers M88 app ordered them to collect M88 app use the users’ personal information in accordance with the applicable laws M88 app regulations M88 app take stronger measures to protect cyber data M88 app users’ personal information.

2. Compliance Implication

Many new technologies are not mature themselves; therefore there is no well-established mode for prevention of their potential compliance risk in practice or for cooperative arrangements with third parties. Considering the rapid development of technologies, we suggest that the operators using new technologies should (1) conduct full technical M88 app legal assessments on the compliance of new technologies, M88 app take or establish a series of measures M88 app systems to minimize their legal risks; (2) during the cooperation with third parties, carefully assess their technical capacity M88 app cyber security protection capacity, M88 app execute strict confidentiality agreements with them to set forth responsibilities for data security; (3) adopt strict risk controls M88 app public strategies in trial operation; M88 app (4) adjust the compliance measures in response to the problems found in operation.

1.Shen Jin vs Shanghai Ctrip Commerce Co., Ltd. Dispute over Tort Liability ((2018) Jing 0105 Min Chu No. 36658); M88 app Pang Lipeng vs Beijing Quna IT Co. Ltd. Dispute over Privacy((2017) Jing 01 Min Zhong No. 509).

2. Please also see the unfair competition lawsuit initiated by Tencent against ByteDance((2019) Jin 0116 Min Chu --- Civil Determination No. 2091); M88 app the unfair completion dispute between Ant Financial M88 app Qichacha ((2019) Zhe 8601 Hang Bao No. 1), if necessary.

3. Article 36 Internet users M88 app Internet service providers shall assume tort liability if they utilize the Internet to infringe upon the civil rights M88 app interests of others. If an internet user commits tortious acts through internet services, the infringee shall be entitled to inform the internet service provider to take necessary measures, including, inter alia, deletion, blocking M88 app unlinking. If the Internet service provider fails to take necessary measures in a timely manner upon notification, it shall be jointly M88 app severally liable with the said Internet user for the damage increase. If an internet service provider is aware that an internet user is infringing on the civil rights M88 app interests of others through its internet services M88 app fails to take necessary measures, it shall be jointly M88 app severally liable with the said internet user for such infringement.