Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource
https://privacymatters.dlapiper.com/category/transparency/

CHINA: Recent Enforcement Trends
https://privacymatters.dlapiper.com/2025/03/china-recent-enforcement-trends/
Wed, 12 Mar 2025 09:42:03 +0000

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement actions during 2024 against Apps and websites that violated personal data protection and cybersecurity laws.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or fines on 4,046 website platforms, ordered 585 websites to suspend or update relevant functions, took down 200 Apps and took administrative actions on 40 mini-programs. The CAC also conducted joint enforcement actions together with the Ministry of Industry and Information Technology and revoked the licenses or shut down 10,946 websites and closed 107,802 accounts.

The following violations are of particular concern to these enforcement activities:

  • Failure to maintain relevant network logs as required by law or to promptly address security risks (such as system vulnerabilities), resulting in illegal and regulatory issues such as system attacks, tampering, and data leaks;
  • Failure to clearly display privacy notices in Apps, obtain necessary consent to process personal data, or provide convenient methods to opt out or de-register accounts;
  • Failure to conduct required recordal or filing for AI models or features built into Apps or mini-apps; and
  • Unreasonably requiring consumers to scan QR codes or perform facial recognition that is not necessary to provide the underlying services.

Around the same time, the National Computer Virus Emergency Response Center, which is an institution responsible for detecting and handling computer virus outbreaks and cyber attacks under the supervision of the Ministry of Public Security, published a list of Apps that violated the personal data protection laws in the following areas:

  • Failure to provide data subjects with all the required information about the processing (e.g. name and contact details of the controller, categories of personal data processed, purposes of the processing, retention period, etc.) in a prominent place and in clear and understandable language; in particular, failure to provide such information about any third party SDK or plugin is also considered a breach of the law;
  • Failure to provide data subjects with the required details about any separate controller (e.g. name, contact information, categories of personal data processed, processing purposes, etc.) or to obtain the separate consent of data subjects before sharing their personal data with the separate controller;
  • Failure to obtain the separate consent of data subjects before processing their sensitive personal data;
  • Failure to provide users with the App functions to delete personal data or de-register accounts, or to complete the deletion or deregistration within 15 business days; or setting unreasonable conditions for users to de-register accounts;
  • Failure to formulate special rules for processing the personal data of minors (under the age of 14) or to obtain parental consent before processing the personal data of minors; and
  • Failure to take appropriate encryption, de-identification and other security measures, taking into account the nature of the processing and its impact on the rights and interests of data subjects.

The above enforcement focuses are also consistent with the audit points highlighted in the newly released personal data protection audit rules (see our article here). We expect the same enforcement trend to continue into 2025. Companies that process personal data in China or in connection with business in China are advised to review their compliance status with the requirements of Chinese law and take remedial action in a timely manner.

Europe/Germany: Right to bring collective action for violations of information obligations under GDPR
https://privacymatters.dlapiper.com/2024/08/europe-germany-right-to-bring-collective-action-for-violations-of-information-obligations-under-gdpr/
Thu, 29 Aug 2024 07:31:01 +0000

Summary

In its judgement of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR can be subject to a representative action under Article 80(2) GDPR.

Facts of the case

Meta Platforms Ireland Limited (“Meta”) provides users of Facebook with free games from third-party providers (known as the “App Center”). When accessing the App Center, users were informed that by using certain games, the third-party provider will collect their personal data and has permission to publish this data. The user was also informed that, by using the applications concerned, they accepted general conditions of those applications and the relevant data protection policies.

The Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband – “VZBV”), brought an action before the Regional Court of Berlin (Landgericht Berlin), claiming that the information provided to users by the games in the App Center was unfair, particularly in relation to the failure to obtain valid consent from users in compliance with data protection law. It further argued that the information by means of which the applications were given permission to publish certain personal information on behalf of users constituted a general condition which unduly disadvantaged those users.

The Landgericht Berlin upheld the action and Meta appealed this decision before the Higher Regional Court of Berlin. This appeal was dismissed and Meta then further appealed to the Federal Court of Justice. The Federal Court of Justice did not rule out the possibility that the VZBV might have lost its prior right of action during the proceedings following the entry into force of the GDPR. As a result, the German Federal Court of Justice temporarily suspended the proceedings and referred a question to the ECJ for a preliminary ruling on the interpretation of Article 80 (1) and (2) and Article 84 (1) GDPR. In its judgment of 28 April 2022 (Meta Platforms Ireland C-319/20), the ECJ ruled that Article 80 (2) GDPR must be interpreted as not precluding a national provision that allows an association to bring an action to protect consumer interests due to a violation of personal data protection through unfair commercial practices or the use of ineffective general terms and conditions, provided that the data processing in question may affect the rights of natural persons under the GDPR.

However, the judgment did not address whether a violation of the information obligation under Article 12 (1), first sentence, and Article 13 (1)(c) and (e) GDPR constitutes a breach “as a result of processing” within the meaning of Article 80 (2) GDPR. Consequently, the German Federal Court of Justice has once again suspended the proceedings and referred this specific question to the ECJ for clarification.

Decision

The ECJ held that where processing of personal data is carried out in breach of the data subject’s right to information under Articles 12 and 13 GDPR, the infringement of that right to information must be regarded as an infringement of the data subject’s rights ‘as a result of the processing’, within the meaning of Article 80(2) GDPR. The ECJ further held that it therefore follows that the right of the data subject, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) GDPR, to obtain from the controller, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, information relating to processing, constitutes a right whose infringement allows recourse to the representative action mechanism provided for in Article 80(2) GDPR.

Practical note

This ruling by the ECJ will have significant implications for controllers in practice. Data protection notices, such as publicly accessible notices on websites, will be open to scrutiny by consumer protection associations such as the VZBV. There has been an increase in recent years of both consumer and privacy associations scrutinizing potential violations of data protection requirements, with the VZBV, for example, initiating numerous cases before the German courts – particularly recent actions relating to the use of cookies. In a recently published statement, the VZBV has supported the ECJ judgement, stating that the “ruling sends a positive signal to consumers”.

While the review of data protection notices has not been a primary focus of German data protection supervisory authorities thus far, and there have been few enforcement actions in this regard, the ECJ ruling increases the risk of being sued by consumer protection associations due to inadequate data protection notices.

Accordingly, controllers should undertake a thorough review of their data protection notices to ensure compliance with the requirements set out in Articles 12 (1) and 13 or 14 of the GDPR. In particular, controllers should ensure that data protection notices comply with the requirement under Article 12 (1) GDPR to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, to which the ECJ expressly refers in its judgement.
