On the evening of April 4, 2019, the 30 person forum on “Personal Information Protection and Data Governance” and UIBE’s Digital Economy and Law Innovation Research Center jointly organized the “Data Disputes: Dialogue between Judges and Scholars” seminar in Room 729, Ningyuan Building of UIBE. Senior judges from the China Institute of Applied Jurisprudence of the Supreme People’s Court, Beijing Haidian District People’s Court, Beijing the First Intermediate People’s Court, scholars from Renmin University of China, Beijing Foreign Studies University, Institute of Law of China Law Society, UIBE Law School, as well as experts from the Ministry of Industry and Information Technology, China Academy of Information and Communication Technology (CAICT), Meituan Dianping, Covington & Burling LLP, Microsoft China and other specialists gathered together to discuss current data disputes.

Participants on the seminar thoroughly deliberated on heated issues relating to current data disputes and data governance, and reached consensus in many aspects. Participants considered that, based on the symbiotic relationship between enterprises and users and the nature of data itself, it should be clear that enterprises have certain legitimate rights and interests on the data collected and used commercially in their own business activities. In the era of digital economy, the acquisition and utilization of user data is an important way for enterprises to gain competitive advantages and commercial resources. Take the platform enterprise that provides social services as an instance, the users’ address list itself is a highly competitive product, which is the basis of enterprise operation. If we randomly give free rein to the behavior of crawling and stealing of enterprise data, the field of data utilization would turn out to be a savage world, following the laws of the jungle. For the protection of rights and interests of enterprise data, even if the data rights cannot be positively constructed, it should be affirmed that the enterprise has the right to decide the authorization and use of its own data. For example, for competitors in the same industry, enterprises shall be able to effectively control and restrict the access to and use of their own data. In addition, from the perspective of maintaining social public interests and market competition order, the state shall take administrative law enforcement measures at the level of public law so as to punish and control data theft and other illegal acts.

The first session of the seminar was a keynote speech on “Reviewing Cases of Data Disputes at Home and Abroad”. Mr. Xu Ke, Executive Director of UIBE Digital Economy and Law Innovation Research Center, firstly introduced 12 types of disputes in the whole life cycle of data, including data collection, data abuse, data transaction, data sharing, data crawling, theft and disclosure, data monopoly, cross-border data and so on. At present, China’s courts has reached a basic consensus on disputes of data sharing and data crawling. In terms of data sharing, the rights and obligations of all parties should be specified through data sharing protocol (Open API Protocol), and damages to the rights and interests of users’ personal information should also be avoided in the meantime. The case Sina Weibo v. Maimai is the exact embodiment of this kind of judicial thinking, which establishes the principle that a third party shall adhere to the Triple-Authorization Principle of “user authorization + platform authorization + user authorization” when it obtains users’ information through Open AI. When it comes to data crawling, the interests of the original data collectors shall be respected, whereas market competition and public value should be taken into consideration simultaneously.

Later, Mr. Ding Yuxiang, the Second Division Associate Chief Judge of the First Intermediate People’s Court, elaborated on “Difficulties and Solutions in Judicial Protection of Personal Information”. He took the cases Pang Pengli v. China Eastern Airlines and Qunar.Com and Mr. Ren v. Baidu as the breakthrough point, summed up four difficult points in personal information protection in judicial cases, namely the cause of action, the illegality of behavior, the causality, as well as the liability.   

Mr. Huang Yantong, assistant researcher at the Institute of Law of the Center for International Economic and Technological Cooperation of the Ministry of Industry and Information Technology, gave a wondeful speech on the topic of “Brief Analysis on Judgments Relating to Data Crawler in the United States”. According to the provision 1030 (a) (5) (A) (2008) of the 1986 Computer Fraud and Abuse Act (CFAA) of the United States, whoever has knowingly accessed a computer without authorization or exceeds authorized access, and by means of such conduct has obtained information from a protected computer; or the defendant “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”, shall bear civil or criminal liability. Based on a series of cases relating to data crawler disputes in the United States, Huang Yantong explained in detail on the understanding of those important definitions in judgements, such as “unauthorized”, “exceed authorized access”, “a protected computer”, etc. He pointed out that in a large number of judicial cases in the United States, website statements, user agreements, and terms of use can all be used to confirm the website platform’s own rights and interests of the data. Huang Yantong also analyzed the particularities of the 2017 HiQ Labs v. Linkedin case. In addition, under the background that American judicial circle did not pay much attention to the data ownership, Mr. Huang raised a question on the definition of this specific concept. For example, in the case of bankruptcy liquidation, as an important means to safeguard the interests of creditors, the transaction of data assets actually did not arouse enough attention and discussion on data property rights among judges and lawyers. It seemed that the actual controllers of the data have the substantial right to conduct data transactions, and the standard of Qualified Buyer was also set up by them to protect consumer privacy. Finally, he pointed out that this kind of judicial thinking did have certain enlightenment to judicial practices in China.

After this section, participants also discussed topics such as the links and differences between data (rights) and personal information (rights), whether data can be regarded as trade secrets, the possibility and limitation of applying Anti-Unfair Competition Law to data disputes, the risks and obstacles of data portability, and the application and development of the Triple-Authorization Principle.

Mr. Chen Minguang, a scholar from the China Institute of Applied Jurisprudence of the Supreme People's Court, made a comparative analysis between the HIQ v. LinkedIn case and the Dazhong Dianping v. Baidu case. The difference between the two cases lied in the subsequent use of the data by the defendant that often constitutes a substantial substitute for the plaintiff’s service in domestic cases involving data crawling. Under this circumstance, the court may generally determine that this kind of situation constitutes unfair competition according to Article 2 of the Anti-Unfair Competition Law. Whereas in the LinkedIn case, to reuse the data disclosed by LinkedIn in different dimensions, the plaintiff, as a small start-up company, was to some extent in the downstream of the data industrial chain, and LinkedIn has always allowed this kind of utilization at the same time. Even to now, LinkedIn is trying to carry out similar business thus rejecting the plaintiff’s data crawling, which is suspected of abusing market ascendancy.

With regard to the allocation of data property rights, Chen Minguang firstly believes that the first thing to do is to clarify that the inherent basis of property rights consists of not only labor, but also social recognition. Secondly, in light of the characteristics of multi-participation and multi-dimensionality of data property rights, to simply list the types, connotations and methods in the provisions may not meet the requirements of certainty and economy of the law. The method of reverse definition therefore could be taken into consideration, which is to start from formulating appropriate limits on data practitioners from different relevant entities according to the theory of social recognition and the thinking of social priority, such as consumers base on privacy interests, peer competitors and downstream operators base on anti-monopoly and competition protection, and national public rights base on public welfare to impose corresponding obligations on them. Besides, the data property rights of the data practitioners can be freely advanced, so as to achieve maximum social benefits and win support from social recognition.

Mr. Liu Jinrui, the Associate Researcher of Institute of Law of China Law Society, indicated that there is a problem of interest balancing in the protection of personal information rights and interests. It is unrealistic to simply attribute the interests of personal information to individuals. As a matter of fact, the protection of personal information could be divided into two categories: privacy personal information and other personal information. He argued that data can not be regarded as a material object, and the Triple Authorization Principle actually was not necessary in all situations. He further pointed out that in terms of data, the network platform and the users were dependent on each other. As far as the nature of data is concerned, it must rely on a specific platform otherwise the value of it will disappear. Therefore, platform enterprises shall enjoy certain data rights and interests and bear the responsibility for data leakage at the same time. Take the Tencent v. Bytedance case as an example, if Tencent did not bring a suit against Duoshan, many users might suppose that it was Tencent who leaked its own data, and the enterprise shall thus fall into an extremely passive deadlock.

Mr. Yang Dejia, the Fifth Division Chief Judge of Beijing Haidian District People’s Court, analyzed in detail the difference between the LinkedIn case and the Maimai case from the perspective of competition law. Judge Yang pointed out that in the face of disputes arising from data acquisition and utilization, we can not simply rely on an ossified mode of thinking or a one-size-fits-all solution. Nowadays, both the application of technology and the means of competition are constantly changing and developing, and the corresponding patterns of social interest is also trying to seek balance in this dynamic process. Usually, a problem we learn from a case is only a specific issue reflected in the given case itself, and the judicial conclusion summarized from this case is often fitted to settle particular problems of the same kind. Whether those conclusions can be used as universal criteria and applied to the settlement of similar disputes afterwards is still worthy of further consideration. As a matter of fact, such conclusions shall at least go through repeated verifications in more cases, so as to prove the right and overturn the wrong. So far as our current exploration of these problems is only at the initial stage, it is too hasty to make certain that the conclusion of some cases will become the “iron law”, and it does not conform to the law of cognition. In addition, although we are facing new problems arising from the network environment, the formation of these issues are still based on people's behavior patterns and thinking habits in real society. Therefore, when we explore ideas and rules to solve these new problems, we shall review the social experiences and social recognition accumulated by human beings for thousands of years, from which to finally get more inspiration and find true answers. Based on existing rules and experiences, we shall make appropriate adjustments to match the new features of the Internet. In this way, our solutions to the problem of data competition can be easily understood and accepted by the public and relevant practitioners. The truth is that we shall develop ourselves in the practice of inheritance, rather than simply separate history and reality, online and offline. For example, according to our traditional life experience, people can enter into a store at any time during business hours, whereas to sneak in after the store has closed at night would probably be illegal. Besides, even during business hours, one can only shop in the business area from the front door. If someone goes through the back door, clearly noticing the warning that non-staff are not allowed to enter, but still force open the door or climb through the window, such behaviors are undoubtedly suspect. Those acknowledged life experiences and attempts also inspire the judgment of data competition disputes. Similar examples were cited in the case of LinkedIn as well. It is this precise reason that makes the internal logic of the LinkedIn case and Maimai case not contradictory to each other, although they seem to be in opposite directions. In the LinkedIn case, HiQ crawled information which was totally public on the Internet, thus making the court consider such behavior acceptable according to the preceding principle. However, in the Maimai case, Maimai actually exceeded the permission and crawled user data that was not public from Sina’s server, therefore the court believed that such behavior should be prohibited.

Ms. Chen Xiaotong, Assistant Professor of UIBE Law School, discussed that since the provisions on behavior preservation in civil procedure law were relatively abstract, even if in cases of non-intellectual property infringement, it seemed to be lawful and reasonable to refer to the Provisions of the Supreme People’s Court on the Application of Law in Examining Cases of Behavior Preservation in Intellectual Property Disputes to protect the rights and interests of the victims. The authority shall further improve relevant hearing procedures on behavior preservation. At the same time, different standards of proof shall also be applied to the hearing procedure and substantive trial procedure. For example, measures such as transferring the subjective burden of proof to reduce the claimant’s difficulty of proof can be adopted.

Mr. Xiong Bingwan, a researcher of the Future Rule of Law Institute, Renmin University of China, indicated that the analysis of data ownership criteria can be considered from two aspects: users’ multiple and reasonable expectations of data services provided by enterprises, and the consideration required by enterprises in providing various data services. A comprehensive consideration of these two factors can better coordinate the relationship between data labor input standards and data property rights distribution. When users want to use the data that collected and processed by enterprises which is of vital interests to them, it is necessary to further evaluate the cost of enterprises in the process of collecting and organizing such data, as well as whether they have received sufficient consideration. In addition, he took the Friends Chain as an example to explain the reason why the Bundle of Rights Theory was difficult to apply in the field of data.

Ms. Wan Fang, Associate Professor of the Law School of Beijing Foreign Studies University, combined the chain of data flow to analyze the value of specific data to enterprises and the value of the address books. She pointed out that for suppliers providing social services, the users’ address book was itself a highly cohesive competitor, which was the foundation of the social platform. At the same time, the address book also involved the problem of common privacy, such as group photos, and the authorization from a single user may not be enough.

Mr. Fang Yu, Director of the Internet Law Research Center of China Academy of Information and Communications Technology, believes that it is difficult to solve the problem of internet governance only by means of legislation, and judicial process and law enforcement should also be taken into consideration. Legislation relating to the internet should be deliberate on the issue of universality and rationality. Taking off-line and on-line portraits as an example, the problem of delimiting scope and defining rules should be solved under the protection of personal information. On the premise of regulations on personal information protection being more rigid, to compress the scope of personal information is an advisable solution.

Professor Mei Xiaying from UBIE Law School emphasized that the value of data comes from data gap, and data controllers could make more profits from data transactions and data sharing. However, it is difficult to protect data by actively empowering rights. If people can crawl and steal other’s data without restriction, the world would eventually turn into a barbaric place that simply follows the law of the jungle. Therefore, the idea of setting up a defensive right is worth considering, which is not based on data rights but on obligations of public law and relevant penalties.

Finally, the seminar came to a successful end. Although there are more questions than answers in the field of data disputes, and provisions actually lag far behind the reality, each communication between academia and practical circle will further deepen our understanding towards legal issues relating to data disputes, and eventually contribute to the achievement of a rational consensus.