The People’s Bank of China (“PBOC”) circulated the draft Trial Measures on the Protection of Personal Financial Information & Data (“Draft Measures”) within the PRC banking system on September 10, 2019 in order to elicit comments from banks.1 Reportedly, the Draft Measures, if enacted in their current form, would prohibit financial institutions from (a) obtaining personal financial information (“PFI”) from any third party illegally engaged in the personal credit investigation business and (b) securing consent from personal information (“PI”) subjects through “a blanket consent arrangement for collecting, processing, using or transferring personal financial information and data (“PFID”) to a third party”. Further, banks would have to terminate any cooperation with third-party data providers that cannot guarantee the legitimacy of their data sources.
Under the current regulatory framework, and the Cybersecurity Law (“CSL”) in particular, network operators (“NOs”)2 have specific obligations and requirements in relation to PI and data protection. For instance, NOs may not disclose, tamper with, or damage any PI they have collected, and they are prohibited from passing on PI unless the data subject’s consent is provided.3 Further, PI and “important data” gathered or produced by critical information infrastructure operators during operations in the PRC must be stored inside the country.4 Looking ahead, specific rules are expected to be formulated to detail NOs’ compliance requirements, given that the CSL offers only high-level requirements.
To date, we have witnessed the regulatory authorities, and particularly the Cyberspace Administration of China (“CAC”), issuing various data-security-related (draft) regulations and rules that provide detailed implementation rules for certain issues stipulated under the CSL or fill in gaps it leaves, whereby each regulatory authority has established its role and jurisdiction over cybersecurity issues. For example, the CAC released the Draft Administrative Measures for Data Security on May 28, 2019, the Draft Measures for the Security Assessment for Cross-border Transfer of PI on June 13, 2019 and the Provisions on the Cyber Protection of PI of Children on August 22, 2019, addressing hotly debated issues in relation to cross-border transfer of data and PI. Similarly, the Ministry of Public Security circulated the Regulations on Cybersecurity Multi-level Protection Scheme for public comment on June 27, 2018, with the aim of enhancing the Multi-level Protection Scheme for cybersecurity.
Similar to the above moves, the reported Draft Measures indicate that the PBOC is trying to integrate its role vis-à-vis PFI protection into the regulatory framework established by the CSL. The Draft Measures are expected to set forth detailed, practicable implementation rules on PFID issues that will supplement the PBOC-promulgated Implementing Measures of Protection of Financial Consumers’ Rights and Interests (“2016 Measures”). Based on the information available at this stage, we would like to bring the following items to your attention:
1. The 2016 Measures broadly define PFI as “individuals' information obtained, processed and retained by financial institutions through conducting business operations or other channels, including the information on personal identity, property, accounts, credit and financial transactions and other information reflecting the conditions of a particular individual”.5 Given the timing of the promulgation of the 2016 Measures (contemporary with the CSL) and their general approach, the PBOC intended the 2016 Measures to impose stricter rules on financial institutions, with a broader scope of PFID when compared with PI under the CSL. Also addressing banking-oriented issues, the draft Information Security Technology – PI Security Specification released on February 1, 2019 sets out examples of PFID, including bank account and identification information (codes), deposit information (including the amount of deposits, records of receipts and payments, etc.), real estate information, credit loan records, credit reference information, records of transactions and consumption, flow records, etc., and information about virtual property (such as virtual currency, virtual transactions and CD-keys for games). It is likely that the PBOC will impose more onerous requirements and obligations on financial institutions in the Draft Measures.
2. The title of the Draft Measures specifically addresses the concept of “Data”, which was not explicitly covered in the 2016 Measures. This echoes the “important data” requirements under the CSL and indicates that the PBOC is trying to keep its own banking regulatory scheme in line with the CAC’s approach of capturing data and PI issues in parallel. With that in mind, the Draft Measures are expected to draw a clear line between PFI and personal financial data, and to regulate PI and data issues comprehensively under a more detailed regulatory scheme.
3. In terms of timing, it is reported that the final version of the Draft Measures will be promulgated by the end of 2019, according to the PBOC’s official timetable. To put this into a broader context, the PI Protection Law (“PIPL”) and the Data Security Law (“DSL”) will be submitted to and deliberated by the Standing Committee of the 13th NPC, according to its Legislation Plan. We anticipate that the PBOC will amend or replace the Draft Measures to reflect the principles of, and maintain consistency with, the PIPL and DSL once they become available.