The China Supreme People’s Court (“Supreme Court”) on November 15, 2021 issued its final judgement in a copyright infringement case about the use of royalty-free software. The Supreme Court upheld the decision of the trial court that the defendant was liable for infringing the software copyright owner’s authorship, but not other rights. The end user licence agreement required all “free” users to include the copyright owner’s logo and links to its website on websites created with the software. The defendant did not include the logo or the links on the websites it created using the software. It is an interesting case as the final compensation awarded, CNY 11,000 (approx USD 1,735) is very low.

Background

The Plaintiff, Changsha Mi Tuo Information Technology Co Ltd (“Mi Tuo”) created the software MetInfo V7.0 (“MetInfo”) which is used to create websites. Mi Tuo has a software copyright registration certificate issued by the State copyright bureau. In practice, users only need to download and install the software and add their content to its templates to set up their websites.

Mi Tuo provides MetInfo in two ways: royalty free subject to agreeing to be bound by the particular End User Licence Agreement (“EULA”); and restriction free subject to a one time fee of CNY 6,999 (approx USD 1,104). The fee also includes some website maintenance advice and trouble shooting help from Mi Tuo.

The Supreme Court, in reviewing the facts of the case, described a two step process – the download to the user’s computer after clicking on the “free download” on Mi Tuo’s web page, followed by a pop up licence agreement when the software was installed on the user’s computer. At the latter point, the user could choose free or paid versions.

Copyright: the EULA for MetInfo includes the following:

This Licence Agreement is the agreement between you (natural person, legal persons or other organisations) and Mi Tuo regarding duplicating, downloading, installation and use of MetInfo. This Licence Agreement also applies to any subsequent update and upgrades. Upon duplicating, downloading, installation or otherwise use MetInfo, it indicates you agree to be bound by all terms of this Agreement. If you do not agree to the terms of this Agreement, please do not duplicate, download, install or otherwise use MetInfo.

The rights licensed to you:

  1. Provided that you are fully compliant with the terms and conditions of this agreement, you may use MetInfo on multiple websites, and no royalty shall be paid for your use.
  2. You may modify MetInfo to make it fit for your own website subject to the constraints and limitations provided in this agreement.
  3. For the website you create with the assistance of MetInfo, you have full ownership of the website content and accordingly, you are solely responsible for it.
  4. Constraints and limitations include: as long as all or part of MetInfo is used to create a website, regardless of extent or purpose or how the software is modified, the copyright logo (PoweredbyMetInfo) and the links to Mi Tuo websites (www.metinfo.cn, www.mituo.com) must be shown on such website, unless otherwise approved by Mi Tuo. The page of the mini Apps set up with MetInfo must contain the copyright logo which cannot be removed or modified. Otherwise it will be treated as breaching this agreement and constitutes infringement.

Further, Mi Tuo has the right to take legal actions to protect its rights and claim for compensation against any website or user for any illegal removal of the copyright logo and the links.

The Defendant, Henan Engineering Construction Association (“HECA”) used the free version of MetInfo to create its official website but it did not include the copyright logo and Mi Tuo’s website links, contrary to the terms of the EULA.

Decision of the Trial Court

The trial court decided the case in favour of Mi Tuo and ordered HECA to:

  1. stop the infringement activities;
  2. pay CNY 11,000 (approx USD 1,735) as compensation to Mi Tuo including CNY 6,000 (approx USD 946) as damages and CNY 5,000 (approx USD 789) as compensation for Mi Tuo’s legal costs; and
  3. make a public apology to Mi Tuo by publishing a statement on its own website for a period of 30 days.

The trial court did not uphold Mi Tuo’s argument that HECA’s infringement activities went beyond the scope of the authorised licence and had also infringed Mi Tuo’s authorship, right to duplicate, modify, and to obtain remuneration, etc.

The trial court held that when HECA obtained the software, it was already consented to by Mi Tuo so its use of the software to build its own website did not exceed the scope of authorisation by Mi Tuo. Therefore HECA only infringed Mi Tuo’s authorship rights but not the right to duplicate.

Appeal to the Supreme Court

Both parties appealed the decision of the trial court. The appeal was accepted by the Supreme Court on August 16, 2021 and concluded on November 15, 2021. The Supreme Court upheld the decision of the trial court on the compensation awarded to Mi Tuo.

HECA denied infringement and its main arguments were that when clicking the “one click installation” button to download the software and install it on its own computer, the alleged EULA did not pop up. Because Mi Tuo did not put up any obvious notification, this agreement should be regarded as a standard or form contract which increased the liabilities of the user and should be regarded as void according to Chinese law. These arguments were rejected by the Supreme Court.

Mi Tuo’s main arguments were that the trial court erred in identifying the various components of copyright infringed. HECA’s infringement had gone beyond the authorised scope of the EULA and had infringed various rights including authorship, the right to duplicate, modify, and to obtain remuneration, etc. Further, the compensation awarded by the trial court was too low and its claim of CNY 70,000 (approx USD 11,040) should be supported.

Review of key issues

Did HECA infringe the copyright of Mi Tuo by not showing the copyright logo and website links?

In this case, the trial court held that the use of MetInfo by the HECA did not infringe the copyright of Mi Tuo because it had obtained the consent of Mi Tuo to download and install the software – the consent is implied by offering a free download. However, removal of the copyright logo without approval of Mi Tuo infringed its right of authorship.

The Supreme Court held that HECA had obtained the consent of Mi Tuo to use the MetInfo software but it breached the EULA when it removed the copyright logo and this infringed the authorship right of Mi Tuo.

The Supreme Court also held that downloading and duplicating the software and the necessary modification is still within the scope of the EULA. Removing the logo and the links mainly infringed the authorship, but not other rights of Mi Tuo. Accordingly, the Supreme Court rejected Mi Tuo’s argument that HECA had infringed the other components of its copyright.

Consequences of HECA’s infringement

The Supreme Court held that it was difficult to calculate Mi Tuo’s actual losses arising from the free use of its software contrary to its EULA.

The trial court decided to use the royalty charged by Mi Tuo for a similar product (i.e. a one time payment of CNY 6,999 (approx USD 1,104)) to determine the damages and ordered CNY 6,000 (approx USD 946) as damages. The trial court also allowed part of the legal costs incurred by Mi Tuo to be reimbursed by HECA – CNY 5,000 (approx USD 789).

The Supreme Court upheld the overall amount of compensation to be awarded to Mi Tuo but commented that HECA had acted in bad faith in the copyright infringement and the damages should be a little higher, for example CNY 10,000 (approx USD 1,577). The Supreme Court continued that the legal costs should be a little less, for example CNY 2,000 (approx USD 315). The amount determined by the trial court was justified overall and was affirmed.

Comment

This is an unusual case on many grounds.

Very few cases rise to the level of the Supreme Court. Even fewer relatively small commercial disputes. The limited damages awarded could not justify the expense and time involved and it may be, as media speculation suggests, that Mi Tuo had a wider agenda.

On any analysis it looks like Mi Tuo achieved a Pyrrhic victory. Not only with immediate effect in this case, but likely to impact other cases based on their EULA and business method.

The facts as reported do not make it clear why the two step process: free download, followed after installation by a “choose your licence” step was implemented by Mi Tuo. One explanation open is to maximise the number of downloads. Another is likely breach of the EULA.

The Supreme Court found that Mi Tuo had more than 700 similar cases running for copyright infringement and more than 500 additional cases to be filed. A quick online search indicates that Mi Tuo has many ongoing actions against its end users.

Chinese litigators often have a fee based on the amount of damages sought. Chinese media reports indicate that Mi Tuo had sought large amounts in other matters – in at least one case CNY 50,000 (Approx USD 7,936).

According to an interview by a local newspaper in September 2021 with the actual owner of Mi Tuo, Mr YANG Haijun, Mi Tuo’s original intention was to settle with the end users so they become paid users but Mi Tuo was forced into litigation.

Mi Tuo was also accused by many of “fishing” for court action. Many end users ended up involved in court action for infringement without understanding why.

On any analysis, and leaving aside any punitive element, it is difficult to see any basis for the damages for a EULA breach to greatly exceed the nominated licence fee for unrestricted use.

Take-aways

  • The use of “click to accept” EULAs is common practice in China and elsewhere. To be effective they need to comply with the law and take account of human behaviour.
  • One click agreements usually limit the rights of end users, and as such, they need to be given some prominence, often blocking further action until accepted. Chinese law provides for the validity of these provided that terms that exclude or limit the main responsibilities of the software provider are adequately brought to the attention of the end user.

WEI Xin & PENG Wei

#If you would prefer to have articles in printable PDF format, please let us know by email#.

Introduction

Personal data is getting increased attention globally. China has enacted a new law to regulate the collection, storage, and use of personal data. It comes as China has turned its attention to technology, Internet and other areas of business where personal data is collected. China is not alone in this: there is increased attention being paid to personal data in many jurisdictions, including, most recently, the US where reports indicate that the FTC is considering strengthening privacy rules.

Internet related business has probably made greater strides in China than just about anywhere. On-line purchases are the first choice for the aspiring middle class and young people. Almost anything can be delivered to your door. Any city is alive with delivery vehicles of one sort or another. This activity has brought with it many different forms of payment, primarily by phone Apps.

Concurrently, of course, this unification of personal, commercial, and financial data has fuelled a huge trade in and based on personal data collected by whatever available means.

This is the context for the new law. China has decided that this trade based on personal data, Internet based or not, must be regulated.

The Personal Data Protection Law

The Standing Committee of China’s National People’s Congress adopted the Personal Information Protection Law (“Law”) on August 20, 2021, with effect from November 1, 2021. It is a substantial piece of legislation with 74 Articles set out in 8 Chapters. Previously there were only guidelines and regulations governing collected personal data. The Law formalises and unifies the approach to these issues. The Law lacks detail in some of its provisions and the implementing regulations are expected to be put in place to provide this.

Application of the Law

The Law applies to:

  1. any activities in China processing the personal data of an individual; and
  2. any activities outside China processing the personal data of an individual in China where the activities are for:
     • providing products or services to an individual;
     • analysis or evaluation of the behaviour of an individual; or
     • meeting other circumstances provided by law.

“Processing” includes activities to collect, store, use, process, transmit, provide, disclose, or delete personal data.

Personal data as defined in the Law only refers to data that can be used to identify a person. Anonymized personal data is expressly excluded from the scope of the Law.

Processing Requirements

Personal data must be processed:

  • lawfully, in good faith, and securely, to prevent any unauthorized access to, leakage of, tampering with, or loss of the data;
  • for a specific and reasonable purpose and only to the necessary extent;
  • according to publicized rules in an open and transparent way; and
  • properly to ensure that the personal data is accurate and complete for the purpose.

Consent

Except in specific circumstances provided by law (processing necessary for the conclusion or performance of a contract to which the individual is a party; fulfilling a statutory responsibility; responding to a public health emergency; etc.), personal consent is required for processing an individual’s personal data.

Consent should be voluntary, explicit, and on a fully informed basis. The individual may withdraw consent at any time, but only with prospective effect.

Consent from parents or legal guardian is necessary for individuals under the age of 14 for any of their personal data.

Major Obligations of the Data Processor (“Processor”)

Except as provided by law, or in an emergency, the Processor is required to inform an individual, truthfully, accurately and completely using clear and easily understandable language of the:

  • name and contact details of the Processor;
  • purpose and methods of processing personal data, type of personal data to be processed and how long the data will be kept;
  • rights of the individual whose data is collected and how to exercise them; and
  • other matters to be informed as required by law.

Personal Data Protection Officer

The Processor must designate a personal data protection officer (“Protection Officer”) once the personal data it collects has reached a threshold amount. This is not defined by the Law and is likely to be clarified by the implementing regulations or by the National Cyberspace Authority (“NCA”).

The Protection Officer is responsible for supervising the processing of personal data and the actions taken by the Processor to safely protect it.

If a Processor is located outside China, it should either establish a specific body in China or designate a representative there. It is required to submit the name of the body or the name of the representative and their contact details to the NCA.

The Law is silent on appointing an individual to this role. Directly employing a Chinese individual from offshore can be risky for the offshore employer.

Evaluate the Impact on Personal Data Protection

Before proceeding with the following activities, the Processor is required to evaluate their impact on personal data protection:

  • processing sensitive personal data such as biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other data of an individual;
  • use of personal data in automated decision making;
  • engaging a third party to process the personal data on its behalf or providing personal data to other Processors, or disclosing personal data;
  • transmitting personal data offshore; or
  • other activities provided by law.

Additional Obligations for Major Processors

Processors that provide important Internet platform services, have a huge user base or operate a complex type of business (none defined yet), have the following obligations to:

  • establish a sound personal data protection and compliance system;
  • formulate and set out the policies to be followed;
  • set up an independent body composed mainly of external members to supervise their protection of personal data;
  • develop platform rules in accordance with the principles of transparency, fairness and impartiality, which should specify the standards for processing personal data and the obligations to protect personal data to be met by the product or service providers operating on their platform;
  • stop providing service to product or service providers operating on their platforms which seriously breach the laws or regulations for the processing of personal data; and
  • publish social responsibility reports on protection of personal data regularly and accept public scrutiny.

Processors’ Shared Responsibility

If two or more Processors share the processing of personal data, they are jointly and severally liable to the individual. Using a subcontract Processor does not relieve the primary contractor of liability.

The Processor is required to regularly audit its operations to ensure compliance with its legal obligations.

Sensitive Personal Data

If the personal data to be processed includes sensitive data such as biometrics, religion, specific identity, medical and health, financial accounts, personal location tracking and the like, the Processor will be subject to stricter rules. Specific consent is required, and very strict protective measures should be in place to protect this data.

Transfer of Personal Data Offshore

A Processor may only transmit personal data offshore as required and necessary, with specific and informed consent from the relevant individual. Data to be provided when obtaining consent includes the name and contacts of the offshore recipient; the purpose and method of processing; the type of data to be processed and transferred; and how an individual can exercise their rights against the offshore recipient, including the procedure for this.

Offshore transfer requires that the Processor meets one or more of the following:

  • pass the cyber security evaluation organised by the NCA;
  • be certified by a professional institution designated by the NCA;
  • have a contract with the offshore recipient to specify their rights and obligations using the standard contract provided by the NCA; and
  • meet other requirements set out by law.

The China Processor sending personal data offshore is responsible for the offshore Processor complying with China’s legal requirements. These include the Chinese security assessments set out in the Law. If these are not met, the personal data must remain on servers located in China.

Individual Rights

As detailed in the Law and subject to its limitations, an individual has a right to:

  • know about and control the use and processing of their personal data;
  • access and take copies of personal data held;
  • transfer data held to another Processor;
  • correct and complete personal data; and
  • have their personal data deleted once the purpose for which it was provided has been completed. 

Consequences of Breach

The Processor may face both administrative penalties and civil liabilities for breach of their obligations. Administrative penalties could be up to RMB 1 million (Approx USD 155,000); or for serious cases, RMB 50 million (USD 7,752,000) or 5% of the total revenue of the previous year. Further, the individuals whose rights and interests were damaged can seek remedies against the Processor.

The Protection Officer or any other individual directly liable for the breach could face personal liability. Personal liabilities include penalties of between RMB 10,000 (Approx USD 1,550) and RMB 100,000 (Approx USD 15,500). Penalties in serious cases go up to RMB 1 million (Approx USD 155,000) or being banned from taking the position as director, supervisor or other senior management or Protection Officer for a period.

Who can take action?

A wide range of aggrieved persons and entities are empowered to take action for misuse of personal data and other breaches of the Law.

Commentary

This article attempts to summarize the key provisions of a substantial piece of legislation. As such it cannot be a substitute for reading and understanding the Law in its complete form.

The Law, as is common with many Chinese laws, is short on the detail required to actually comply with it. Implementing regulations usually provide the essential details and guide administrative bodies on applying the law. In the absence of this supplementary guidance it is difficult for any business to know exactly what they must do to comply with it.

For example, personal data necessary for the conclusion or performance of a contract is an exception for consent, but personal financial data is sensitive personal data, requiring special handling. Which applies to credit card details supplied for a purchase? Is the test necessity?

The Law requires substantial changes in how personal data is collected and processed, imposing obligations that did not really exist before. Businesses will have to develop wholly new methods to comply. Many of the requirements will need software changes, or new software to be effectively implemented. Software takes time to be written and tested, but it is the only practical means to monitor the processing of personal data held in digital form.

The Law imposes very onerous burdens for personal data acquired by businesses located outside China or sent offshore from China for “processing”.

Foreign companies whose business is large enough will need to consider carefully the obligations imposed by the Law. Among them the need to appoint a Protection Officer and ensure their systems are audited. If the data collected meets the threshold, they must also pass the security assessments set out in the Law or store it on servers within China.

Smaller businesses too cannot ignore the provisions of the Law.

Take-aways

  • The Law is comprehensive, but in its present form lacks detail in some key areas. Despite this, prudence suggests that planning for the obligations imposed by it should commence immediately.
  • The obligations imposed upon cross-border transactions are particularly onerous. Dealing with these and the associated costs will have to be managed carefully.
  • Many of the obligations imposed by the Law will require a technical response via software that may not yet exist. The personal data governed by the Law exists in a digital form and can only be monitored and dealt with digitally.
  • Despite any difficulties, there is an obligation to comply. Those that gather and process personal data in or from China need to be preemptive rather than reactionary.

Graham BROWN & PENG Wei
