Recently, the Beijing No. 4 Intermediate People's Court released a report on the adjudication of personal information protection cases and highlighted notable precedents, among which a case involving unauthorised access to a cloud storage account warrants attention. In this instance, Mr Xiao discovered login records from unknown devices on his personal cloud storage account, alongside unfamiliar folders appearing within the storage space. After exhausting multiple complaint channels to request detailed login records for the period of unauthorised access from a technology company, all attempts proved unsuccessful, prompting Mr Xiao to initiate legal proceedings. The appellate court ultimately ruled that the technology company must provide Mr Xiao, within a designated timeframe, with a complete copy of the login records for his cloud storage account during the specified time period.
Following this ruling, Zhao Zhanling, a special researcher at the Intellectual Property Research Centre of China University of Political Science and Law and partner at JAVY Law Firm, was interviewed by Beijing Traffic Radio to provide an in-depth analysis of issues related to personal information security.
In fact, ‘abnormal logins’ are not uncommon occurrences. In October 2024, a woman in Guangzhou experienced photo leaks after failing to unlink her cloud storage account when cancelling her phone number. In September 2024, Alibaba Cloud Drive suffered a ‘catastrophic’ vulnerability where users creating new folders encountered the system loading other users' private photographs, including selfies and family images.
In Zhao Zhanling's view, an abnormal login does not necessarily signify a data breach. At the very least, it serves as a warning for users to remain vigilant about their personal information security. It prompts users to promptly assess whether their account may have been compromised and whether further action is required. If users determine, based on their own judgement, that the issue was not caused by their own actions, they should immediately contact the network service provider. They should temporarily freeze the account or promptly change their password, alter security verification methods, and take other measures to control the account. This prevents others from gaining control or accessing it, thereby protecting their information and other rights and interests from harm.
Does a user encountering such activity possess the right to request the cloud storage provider to disclose login details during the anomalous period? Attorney Zhao clarifies that demanding disclosure of abnormal login information constitutes both a statutory right of the user and a legal obligation of the personal information processor, namely the technology company. The Personal Information Protection Law grants users numerous rights, including the right to request access to their personal information, obtain copies thereof, and demand the deletion of such information by the processor. Account login details, including records of unusual access, fall within the scope of personal information. Therefore, users possess the legal right to request processors to provide details of unusual logins, enabling them to determine whether such activity originated from themselves or from criminal actors.
The Personal Information Protection Law stipulates that personal information processors providing critical internet platform services, possessing substantial user bases, or engaging in complex business operations must establish robust compliance systems for personal information protection in accordance with national regulations. They are required to establish independent oversight bodies, primarily composed of external members, to monitor personal information protection practices. The primary challenge in implementing this system lies in defining what constitutes a large-scale online platform. In September this year, the Cyberspace Administration of China released the ‘Regulations on the Establishment of Personal Information Protection Oversight Committees by Large-Scale Online Platforms (Draft for Comment)’. This document clarifies the identification mechanism for large-scale online platforms, operational rules for oversight committees, eligibility criteria for external members, and mechanisms for checks and balances on member duties, further advancing the establishment of personal information protection oversight committees by large-scale online platforms.
In summary, personal application accounts, serving as digital alter egos in the digital age, warrant stronger protection. Beyond individuals adopting measures such as file encryption, setting cloud storage permissions, implementing multi-factor authentication for cloud access, adopting robust real-name verification, and monitoring login devices and records, platforms must not perpetually adopt a reactive approach of ‘closing the stable door after the horse has bolted’. Instead, they should systematically establish mechanisms for pre-emptive prevention, real-time response, and post-incident remediation, complemented by robust oversight frameworks. Only then can navigating the ‘cloud’ truly be worry-free.
© Beijing JAVY Law Firm Beijing ICP Registration No. 18018264-1