The fact that online platforms provide enterprise account authentication not only helps businesses carry out their operations, it also enhances the consumer experience.

However, some users obtain certification materials submitted by well-known enterprises through illegal means and apply for certification themselves so they can use the good reputation of others to promote their own online stores. How can enterprises whose certification materials are misused protect their rights? Should the relevant online platforms bear liability in such cases? 

Case summary

The plaintiff, surnamed Wei, was the legal representative of an arts and crafts sales company. Between December 2019 and January 2020, Wei applied for enterprise certification on an online shopping platform, paid the corresponding fees and obtained certification. In December 2020, Wei paid the renewal fee for the certification. In January 2021, Wei's company received a call from the administration for industry and commerce saying that there had been a complaint about false advertising and suspected fraud regarding their products. It was then that Wei found there was another account claiming to represent his company on the same platform. Wei filed a complaint to the platform and, from the information subsequently disclosed, Wei found that his original identity documents, business licenses and other materials used for enterprise certification were used to re-certify another enterprise account owned by a citizen surnamed Guo, whom he did not know. Since he had never shared certification details with others, Wei believed the shopping platform had intentionally leaked these materials. Wei decided to take a case against both Guo and the platform to the Beijing Internet Court (BIC).

Wei claimed that both Guo and the platform had misused his personal information and had infringed upon his right to privacy. He requested a public apology from both defendants, and compensation from both parties for losses incurred, including legal expenses and damages for stress.

Guo did not show up for the hearing, while the online platform argued that it had not infringed upon the plaintiff’s rights. As a platform information service provider, it had fulfilled its legal obligations and should not be liable for the infringement, its representative argued.

Main considerations

As stipulated in China's Civil Code, privacy is the undisturbed private life of a natural person and his private space, private activities, and private information that he does not want to be known to others. Unless otherwise provided by law or expressly consented to by the right holder, no organization or individual shall act to infringe upon other people’s privacy. A natural person’s personal information is protected by law. Any organization or individual that needs to access others' personal information must do so in accordance with the law and guarantee the safety of such information, and may not illegally collect, use, process or transmit their personal information, or illegally trade, provide or publicize such information.

A natural person enjoys the right to their name. No organization or individual may infringe upon another's right to their name or an entity name by means such as interference, misappropriation or impersonation.

In this case, the certification materials involved included the plaintiff's name, date of birth, ID number and address. The ID number, in particular, is a form of personal information of a private nature. The defendant Guo's unauthorized use of that information constituted an infringement on the plaintiff's rights to privacy and the sole use of their personal information. Furthermore, by using the plaintiff's identification documents for account authentication, the defendant Guo used the plaintiff's personal information to apply for enterprise certification, which constituted the use of the plaintiff's name, thereby also infringing upon the plaintiff's right to their name.

As Article 1038 of the Civil Code stipulates, "an information processor shall take technical measures and other necessary measures to ensure the security of the personal information he collects and stores, and prevent the information from being leaked, tampered with or lost. Where a person's personal information has been or is likely to be leaked, tampered with or lost, he shall take remedial measures in a timely manner, notify the natural persons concerned in accordance with the regulations and report to the relevant competent authorities."

In this case, although there was no evidence indicating that the platform intentionally provided the certification materials to Guo, evidence showed that the certification materials used by the plaintiff and Guo, including the positioning, angle and brightness of photographs, and hand-written annotations, were very similar. Therefore, it was highly probable that the materials used by Guo were from the certification materials stored by the platform.

Despite the court's repeated requests, the platform failed to submit evidence proving they had taken the necessary protection measures to ensure the security of the certification materials collected and stored during the occurrence of the infringement. Additionally, since the certification service was a paid one, the platform's duty of care was greater. Therefore, in accordance with Article 1197 of the Civil Code and Article 6 of the Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Civil Disputes Involving the Infringement of Personal Rights through Information Networks, the platform was at fault for the infringement and should bear joint liability, the court found.

Details of the judgement

The BIC ordered defendant Guo to issue an apology through the platform account, and compensate the plaintiff to the tune of 2,000 yuan ($275) for stress caused and 8,000 yuan for expenses incurred. The platform was found jointly liable with Guo for the 10,000 yuan  compensation fee.

The plaintiff appealed the judgement, but the court upheld the original judgement at the retrial. The judgement has now taken effect.

Tips from the judge

Online business activities would be impossible without permission to use personal information. China's laws, such as the Civil Code and the Personal Information Protection Law, define the legal obligations of online platform operators who act as personal information processors to ensure the security of users’ personal information. Large-scale internet platforms, including the platform involved in this case, have a huge number of users and complex business types, where users' personal information is susceptible to illegal acts such as leaking, tampering and impersonation. Therefore, it is even more important to establish a comprehensive system for safeguarding personal information, enhance technical measures and effectively fulfill legal responsibilities. If an online platform operator is able to take necessary technical measures to protect users' personal information but fails to do so, the operator is at fault if an infringement occurs and should bear joint liability with the infringing entity.

When engaging in civil activities, civil entities should follow the principles of fairness, honesty and integrity. "Grey area services" on the internet such as "verifying corporate accounts without requiring business licenses" often trigger illegal use of others' personal information. Business operators should consciously resist the "high-profit temptation" of such illegal activities, operate in good faith according to the law, win customers with high-quality products and services, and establish good corporate images and reputations.