A judge from the Beijing Internet Court (BIC) joined an online program upon invitation by chinacourt.org, a court news portal, to explain personal information protection on Dec 2.

On the program, Judge Yan Jun gave a detailed introduction of a typical case concerning personal information protection and explained the gradient protection rule on personal information. She also explained provisions in the Personal Information Protection Law covering topics such as apps that request personal information collection, collection rules for minors’ personal information, tweeting marketing messages, using users' images for automated decisions, and rules on facial information collection. She also offered advice on how to prevent leaks of personal information and protect related rights.

Online alumni avatar photo case

The plaintiff Sun searched his name on Baidu in 2018 and found that Baidu had taken a photo of him from his school's alumni website and included it in its search results. Sun then notified Baidu and asked it to delete the photo, but received no response.

Sun claimed that the photo together with his name was private and constituted personal information. As the alumni website, the source of the photo, had already shut down, Baidu's behavior constituted infringement. So Sun sued Baidu to the BIC alleging that Baidu had infringed on both his right to privacy and his personal information rights.

Upon investigation, although the alumni website was no longer accessible, the photo could still be accessed by the search engine's crawler, as the precise server address at which the photo was stored was still reachable. Thus, Baidu could still access the information on its search engine.

The court determined that Baidu's search behavior disclosed Sun's information beyond Sun's authorization. To determine Baidu's tort liability, the premise should be that Baidu was at fault. 

Sun's notice for deletion to Baidu was a key point. Before Sun sent the notice, Baidu as an online search service provider had no subjective fault in accessing and providing the information involved and did not commit infringement. But after receiving Sun's notice, Baidu failed to respond and take any necessary action to prevent further damage when it was capable of doing so, thus committing infringement. The court’s final judgment was that Baidu should compensate Sun for economic losses and related expenses. 

Distinguishing types of personal information and clarifying boundaries of specific behaviors

The case above is a typical case involving public personal information infringement. The newly implemented Personal Information Protection Law has tiered protection rules on personal information which are divided into sensitive, general and public categories. The type of personal information should be firstly distinguished when clarifying the  boundaries of personal information processing and determining whether the processing behavior is illegal. 

In this case, the type of information Sun had put online needed to be determined in order to further determine whether the involved behavior was illegal or not. Objectively, Sun’s information was stored on an open server, which means the information was public. But when Sun uploaded the information, he did not authorize it to be public and only allowed it to be available to his classmates. Thus, the information was not legally public and the processing of it should follow the authorization rule.

It needs to be considered that it is hard for subsequent information handlers to determine whether it is legal to make certain information public. In the case of crawlers used by search engines, there are realistic challenges and technological barriers in checking the legitimacy of information sources. Thus, the responsibilities of the initial handlers of information should be emphasized and the fault determination of subsequent information handlers should be adjustable. The "harbor rule" should apply to some neutral technology service providers.