Out-Law Analysis
20 Jan 2025, 8:50 am
Technology companies should exercise more caution when handling data, as the number of cases under the themes of web scraping, inappropriate use of data and unauthorised disclosure of data is expected to rise across Asia in 2025.
The increasing risk of liabilities is driven by the proliferation of the use of data and soaring demand in the use of technology to grow businesses, such as the adoption of artificial intelligence, digital payment and e-commerce. Technology companies engaging in joint ventures and processing of personal data can find themselves liable when providing services under their contracts with other parties or when scaling up their innovative business. Recent court cases and regulatory enforcement actions have highlighted three areas where technology companies are most likely to face potential liability. Several steps can be taken by companies in this sector to mitigate risks and reduce exposure to potential claims.
Technology companies behind e-commerce platforms or social media networks could face regulatory penalties if they fail to implement adequate measures to mitigate the risk of unauthorised scraping.
In a recent court case in Shanghai, a software developer was found liable for breaching an e-commerce app’s user agreement and protocol, knowingly circumventing the company’s online security measures, and accessing the company’s protected core data through unauthorised and “intrusive” web scraping technology. The ruling is one of the first judgments issued by the Chinese courts declaring it illegal for a software developer to use web scraping technology unreasonably to intrude into a computer information system.
The same issue has not been tested in the courts of Singapore or the Hong Kong Special Administrative Region (SAR). However, there has been regulatory enforcement by the Hong Kong Privacy Commissioner for Personal Data (PCPD). The data protection watchdog in Hong Kong issued an enforcement notice on Singapore-based online marketplace Carousell for its failure to implement adequate measures to mitigate the risk of unauthorised scraping in 2023.
In October 2024, the PCPD published a global joint statement on data scraping and the protection of privacy to social media platforms, which outlines the key expectations of what organisations should do to prevent unlawful scraping. These efforts lend weight to the argument that the Hong Kong courts may similarly adopt a proactive enforcement approach if an analogous case finds its way to them.
In Hong Kong, the unauthorised disclosure of personal data obtained from the public domain for profit, without the consent of the data user, may lead to a fine of up to HK$1 million (£104,900) and an imprisonment term of five years. In Singapore, unauthorised access to computer programs or data through web scraping, such as by bypassing protection measures, could result in fines of up to SG$50,000 (£29,870) and imprisonment for up to seven years, if damage is caused.
Telecommunications service providers should pay close attention to their contractual obligations to protect the privacy and personal data of their users. They also need to take measures to prevent phishing scams or fraudulent activities, or face legal or regulatory action.
In a recent text message scam case, a court in Shanghai held both the telecommunications service provider and the technology company that sent the fraudulent text message liable for privacy infringement. In this case, the telecommunications service provider shared the customer’s mobile number without authorisation with a third-party technology company, which sent the fraudulent debt collection text message to the customer. The court ruled that the telecommunications service provider breached its contractual obligations by failing to review the text messages prepared by the scammer company before they were sent. It also found that although the text messages contained an option to unsubscribe, this was irrelevant, and that there was no legitimate reason for the telecommunications service provider to share the customer’s number. As a result, both defendants’ actions violated the customer’s right to tranquility of private life and privacy.
Whilst courts in Hong Kong and Singapore have not ruled on similar matters, the Monetary Authority of Singapore has implemented guidelines which have required mobile network operators to take responsibility for preventing phishing scams since December 2024. There is a growing expectation for technology companies and mobile network operators to exert control over transmitted payment-related content. These organisations should review their current systems and properly vet payment-related messages as part of good platform management practices. This will help fulfil their contractual obligations and protect their customers’ privacy and personal data, as well as prevent harm caused by scams.
In November 2024, the Shanghai No.1 Intermediate People’s Court issued an important judgment under China’s Personal Information Protection Law. The ruling means that third-party intermediaries and information technology service providers may be jointly liable for failing to protect personal data from unauthorised access or disclosure, such as a data leakage. It also highlights the need for businesses to specify third-party service providers’ data protection obligations in contracts.
The claimant in this case, an individual known as Gao, purchased an insurance policy and submitted personal information electronically through a link created by the technology company. The link to the online form was shared with Gao by the insurance brokerage firm. Gao sued the technology company, the brokerage firm and the insurance company after she found out that her personal information, including name, phone number and date of birth, was accessible to anyone who entered her phone number into an online search engine. This was due to an unencrypted and unsecured connection to her online insurance policy.
However, the court found only two of the three defendants, the broker and the technology company, liable. The insurance company was not liable because it had collected Gao’s personal information for a reasonable purpose and contractually obliged the brokerage firm to manage and use it properly. It was held that the insurance company acted appropriately.
The court allocated liability based on evidence of proper conduct and joint decisions on data processing means. The judgment sets out two conditions for third-party intermediaries and service providers to be held jointly liable. They must share the purpose of collecting, using and transmitting personal information, and they must jointly determine the means of data processing.
The court said that the technology company was directly responsible for collecting and handling Gao’s personal data. Even though the technology company implemented encryption measures and made subsequent adjustments to stop the leakage following Gao’s complaint, it remained liable for the breach. The brokerage firm was found liable after the court considered the fact that it had directed Gao to use the technology company’s website for purchasing the insurance policy and submitting personal information, therefore sharing the technology company’s purpose for collecting, using and transmitting personal information. The second condition for joint liability was also met, given the brokerage’s joint determination on data processing methods with the technology provider.
There are currently no similar judgments from the Hong Kong and Singapore courts on this point, but it is likely that cases of this kind will emerge in these jurisdictions.
There are several steps that technology companies and businesses can take to mitigate the data protection and privacy risks highlighted in these three types of scenarios.
In the context of web scraping, companies, such as the operators of online marketplaces and social media platforms, need to state the original purposes of data use and impose restrictions on further use of personal data that was made publicly available.
Companies could implement a combination of technical and procedural controls to prevent data scraping, such as using random interface design elements and tools that make automatic data scraping more difficult. These measures are suggested in the Hong Kong PCPD’s global joint statement.
Telecommunications and technology companies should establish a system to ensure effective compliance with contractual obligations and corporate social responsibility, for example by reviewing content prepared by third parties before distribution, if required under the terms of a contract.
Businesses that use technology developed or supplied by third-party providers should engage suppliers that use encrypted connections and have robust cyber security measures in place. It is also good practice to clearly set out the data protection obligations in contracts with technology providers.
Co-written by Jade Wong of Pinsent Masons.