CHANG TSI
Insights
Recently, the Supreme People’s Court of China released the 47th set of guiding cases. This marks the first batch of guiding cases specifically concerning the judicial protection of data rights, aiming to address core issues in the digital economy, such as determining data ownership, utilizing data products, protecting personal information, and transferring platform accounts.
China has yet to establish a comprehensive and specialized legal system for data protection. The types of data rights and methods of protection are still in the exploratory stage, with relevant regulations scattered across intellectual property and competition-related laws, the Civil Code, the Personal Information Protection Law, the Data Security Law, and the Cybersecurity Law. Existing laws are insufficient to provide clear and comprehensive guidance for disputes arising from issues such as data ownership, circulation and transactions, profit distribution, and security assurance. In judicial practice, data not covered by copyright law or other intellectual property laws is typically protected under the Unfair Competition Law. Most commercial data disputes are concentrated in the internet industry. Although there are no public data, the Supreme People's Court has indicated that the number of data-related cases handled by courts nationwide has increased significantly in recent years, with the number of first-instance cases concluded in 2024 being twice that of 2021.
This batch of guiding cases summarizes and refines mature adjudication rules to promote more uniform standards for adjudicating data-related cases. Below are the key rulings of these six guiding cases.
The court held that platform operators have operational interests in data collections formed through substantial human and material resources, which possess scale effects and independent commercial value, and such interests should be protected by law. The defendant’s unauthorized scraping substantially replaced the original platform’s services, disrupting market competition order, and was thus considered an act of unfair competition under the general clause (Article 2) of the Anti-Unfair Competition Law (AUCL). Notably, the newly revised AUCL, which will come into effect on October 15, 2025, includes a specific provision (Article 13, Paragraph 3) targeting unfair competition acts that infringe upon data rights. Therefore, future cases may be adjudicated in accordance with this provision.
The court held that providing “account linking” services, where user-authorized synchronization of data from other platforms is involved, does not constitute unfair competition. While the plaintiff platform has legally protected interests in their data, it cannot prevent users from reasonably processing or transferring their own data. The defendant’s “account linking” function, provided with user authorization, facilitates users’ processing of their own data. The data is sent only to the user’s own account instead of entering the defendant’s public data resources. This does not harm the core interests of other operators nor disrupt market competition order, and is therefore legitimate.
The court held that data processors who collect publicly available data in accordance with the law and use lawful methods to process and form data products for reasonable use, without causing harm to the rights and interests of enterprises, do not constitute infringement. In this case, the defendant’s product ex-factory prices were publicly available data involving no trade secrets such as product costs or manufacturing processes. The court emphasized that data information not classified as state secrets, personal information, or trade secrets should generally be allowed to flow freely since excessive control may lead to data barriers.
The court held that an APP forcing users to provide non-essential profile information (such as occupation) during login, without which they cannot use the service, constitutes infringement of personal information rights. The Personal Information Protection Law stipulates that “necessity for the conclusion or performance of a contract” is a statutory exception to obtaining individual consent, which must be determined based on relevant provisions and the type of service. In this case, the defendant’s collection of user profile information was not necessary for providing online education services. Moreover, the absence of a “refuse” option or alternative login methods resulted in non-voluntary “consent,” violating the principles of “minimum necessity” and “voluntary consent.”
The court held that collecting users’ credit information to provide “pay-after-use” credit services is “necessary for the conclusion or performance of a contract” and does not constitute infringement. In the context of credit services, assessing user creditworthiness is essential to deciding whether to provide advance payment services and controlling risks. The defendant in this case collected information in the least intrusive manner and fulfilled the obligation of clear notification, making the act lawful.
The court held that merely giving account passwords is insufficient to fulfill a transfer of rights in the enforcement of platform account transfer. To ensure the executing party can fully and independently control the account and exercise account rights, it is necessary to lawfully modify the account’s real-name verification information and bound mobile number. If the subject of enforcement refuses to cooperate, the court may, upon application, require the platform operator to assist in the enforcement.
