(By Gao Tianyi and You Yunting) Data buyers often focus on several potential legal concerns in web-scraped data, particularly relating to the Computer Fraud and Abuse Act (CFAA) in the United States. But a recent case in China between Weibo and Maimai demonstrates that even where the CFAA does not apply and vendors are using an Open API, risks may still exist if the buyers fail to acquire and use data appropriately.
Weibo is one of China’s largest social media platforms and has over 530 million monthly active users, according to China Internet Watch. Maimai is a China-based professional social-networking platform, which was initially modelled on LinkedIn. In July 2019, Maimai had 25 million monthly active users.
Weibo’s operating company (Beijing Micro Dream Network Technology Co., Ltd.) and Maimai’s operating companies (Beijing Taoyou Tianxia Technology Co., Ltd. and Beijing Taoyou Tianxia Technology Development Co., Ltd.) initially entered into a developer agreement for Weibo Open platform to cooperate with each other through the Weibo Open API. In the US, Facebook also establishes an open platform for third-party developers, through which they can login in, look for friends, like company pages, etc., similar to the function Weibo has provided for Maimai.
The substantial issue in this case is whether it is legal for Maimai, a third-party developer, to grab data more than that authorized by Weibo in violation of the developer agreement and without permission from Weibo users.
In this case, the court established a “triple authorization principle”, only by which a complete chain of rights for grabbing data through Open API can be achieved:
first, the platform shall be authorized by users to acquire their personal information;
second, a third-party developer shall be authorized by the platform;
finally, the third-party developer shall be authorized by the users.
Maimai was held to have committed infringement because it overstepped the limited authorization to grab partial data from Weibo and damaged users’ legitimate rights and interests without their authorization.
Another point of concern was that the court held that Maimai constituted unfair competition because Weibo was entitled by users to use their data, but Maimai’s unauthorized act prejudiced Weibo’s commercial resources and competitive opportunities. In Maimai’s defense, it proposed that Weibo had no right to claim its own rights and interests regarding its users’ data. However, the court rejected such defense, reasoning that although such data belonged to users, Weibo enjoyed a reasonable right to use its users’ data within their authorization.
Finally, many Chinese internet companies, like those in US, are facing antitrust investigations. From our perspective, if Maimai had made a defense under antitrust law and had proven that it was authorized by users to grab their data from Weibo, the judgment of this case might have been different since Weibo was in essence abusing its market dominance by lawsuit.
In the case, Weibo argued that Maimai had acquired the occupational and educational information of Weibo users beyond the agreed range of the developer agreement and that after termination of their cooperation, Maimai failed to promptly delete Weibo user information that it acquired. Accordingly, Weibo filed a lawsuit against Maimai and said that:
- Maimai illegally acquired and used Weibo user information, including profile photos, names, occupational information, educational information, custom tags and Weibo contents;
- Maimai illegally acquired and used the corresponding relationships between Weibo users and the contacts in address books of Maimai registered users’ mobile phones;
- Maimai imitated the way Weibo recognized and demonstrated VIP users;
- Maimai published defamatory comments.
The court of first instance decided that the first, second and fourth acts constituted unfair competition while the third act did not. In appeal, the court of second instance upheld the court of first instance for different reasons. This judgment has come into effect since the end of 2016.
Since the third and fourth act have nothing to do with personal information protection and data security, this article will only introduce and analyze the judgment and reasoning of the first and second acts.
Ⅰ Whether the acquisition and use of Weibo user information constituted unfair competition
Given that Weibo lacked evidence to prove that Maimai bypassed Open API to acquire its occupational and educational data, the court first confirmed that Maimai did use Open API, not web-scraping, to acquire its users’ occupational and educational information during their partnership.
To judge whether Maimai’s action constituted unfair competition in accordance with Article Two of the Anti-Unfair Competition Law, the court proposed another three conditions in the following besides “no specified provisions by law”, “actual damages suffered by other operators” and “violation of good faith principle and commercial morals”:
Firstly, “technological measures harming consumers’ interests”;
Secondly, “probability of disrupting competitive orders and triggering vicious competitions”；
Thirdly, “evidence to override presumption of justifiable technology and prove the opposite”.
Therefore, the court held that Maimai’s acquisition and use of its users’ occupational and educational information on Weibo not only ignored the Developer Agreement and the cooperative mode through Open API between each other, but also disrupted competitive orders within the internet by improperly using such information, and that Maimai’s acquisition and use of non-Maimai user’s information on Weibo without permission from the users violated not only the Developer Agreement but also the general commercial morals to be observed by internet enterprises when using user information, destroying the basic principles for the cooperation and development through Open API to a certain extent.
In considering Maimai’s defense that Weibo cannot claim its own rights and interests against a third-party application using its users’ data, the court responded that Maimai usurped Weibo’s competitive advantages without justification and prejudiced Weibo’s commercial resources so that Weibo, as data provider in the cooperation through Open API, could claim its own legitimate rights and interests.
Ⅱ Whether acquisition and use of the corresponding relationships between Weibo users and the contacts in address books of Maimai users’ mobile phones constituted unfair competition
The court of second instance first confirmed how Maimai acquired its user relationships. Considering no evidence proving that Maimai acquired such relationships by collaborative filtering algorithm, and the experts’ opinion from both parties that it is impractical to extensively and accurately acquire such relationships by collaborative filtering algorithm, the court held that Maimai acquired such relationships by matching phone numbers and other precise information similar to phone numbers with user information on Weibo.
To expound on why such acquisition and use constituted unfair competition, the court of second instance primarily reasoned that, since it is a generally accepted corporate practice to ask for users’ permission and guarantee users’ right to free choice when acquiring and using user information in the internet, Maimai’s acquisition and display of such relationships was neither permitted by users nor admitted by industry practices; therefore, Maimai violated the Developer Agreement and disrupted the fair competitive order in markets by acquiring relevant information of Weibo (and non-Maimai) users and displaying such information in Maimai without permission from users and authorization from Weibo.