1. Introduction

The topic of data protection in the People’s Republic of China (PRC) attracts a lot of attention because of the rapid development of the Chinese economy, in particular the spectacular development of its technological infrastructure. The related legislative activity in recent years has now made this a hot topic in both legal and business circles. The effort to build up a regulatory framework was initiated by the promulgation of the Decision on Strengthening Internet Information Protection (‘the NPC Decision’) by the Standing Committee of the National People’s Congress (NPC) in December 2012, which took immediate effect. Although the eleven general principle articles outlined by the Decision are not in the form of law, they lay down the cornerstone for further development of the Chinese data protection regime. This Decision forms the basis for the government to create more detailed administrative rules, and since the Decision was instituted, several new regulations have been made in 2013 and 2014 which further substantiate the legal framework on data protection in China.
For full details of the general data protection regime in the PRC, please see the Guidance Note ‘China – Data Protection Overview’.
This note will focus on the topic of data protection in the financial sector.
1. Managing personal data in the financial services
In the financial sector, data protection efforts started slightly earlier due to the high sensitivity of personal data in this field as well as the rapid development of electronic banking. General banking laws, such as the PRC Law of Commercial Banks, last revised on 27 December 2003, the Law on Supervision of the Banking Industry, last revised on 31 October 2006, and the Anti-money Laundering Law promulgated on 31 October 2006, stipulate the confidentiality obligation of banks towards their customers. In connection with the confidentiality obligation, the regulators, including both the People’s Bank of China (PBoC) and the subsequently spun-off China Banking Regulatory Committee (CBRC), issued several rules stressing the topic of data security and protection. Among these rules, the most important ones concerning data protection are the PBoC Notice Requesting Financial Institutions to Properly Conduct Personal Financial Information, circulated on 21 January 2011 (Circular 17), and another supplementary notice circulated on 27 March 2012 (Circular 80). These two notices go beyond confidentiality requirements and function as the cornerstone legal basis for analysing data protection issues in the PRC financial sector. The major principles spelled out by the PBoC in these two notices are quite similar to those in the NPC Decision, but they are more detailed and more industry specific.
On top of these, some industry rules also play a role. The Payment and Clearing Association of China (‘PCAC’) issued its Technical Guidance regarding Individual Information Protection (‘Technical Guidance’) on 1 July 2016. Although the Technical Guidance does not have mandatory binding legal effect, it sets comparatively high and more detailed criteria for members of the association to follow. More importantly, the Technical Guidance applies not only to banks that have joined the PCAC, but also to third-party payment institutions. According to the information on the official website of PCAC, which was last updated on 4 August 2016, the membership of PCAC has a very broad coverage, including:

- 7 payment and clearing institutions;
- 93 banks, including big state-owned banks such as BoC and ICBC, and foreign-invested banks such as Standard Chartered and Deutsche Bank;
- 238 third-party payment institutions such as Alipay and Tenpay; and
- financial companies and other entities in the banking industry.
1.1 Scope of Information
The NPC Decision defines personal data as ‘electronic information which can be used to identify a citizen’s individual identity or concerns personal privacy.’ Circular 17 provides for more detail. Besides defining personal information in the financial field to be personal information obtained, processed and stored by financial institutions in the banking sector when they conduct business or access the credit registries, payment systems or other systems of PBoC, it further lists the examples below of personal financial information:
- personal identity information, such as name, gender, nationality, ethnicity, type, number and duration of ID document, occupation, contact details, marital status, family status, home or work address and photo;
- personal property information, such as personal income, real estate owned, vehicles owned, tax payments, payments made into public funds;
- personal account information, such as account number, date when the account was opened, opening bank, account balance, account transactions;
- personal credit information, such as credit card repayment situation, loan repayment situation and other information which is generated during personal economic activities and may reflect credit status;
- personal financial transaction information, including personal information obtained, stored and kept by financial institutions in the banking sector when conducting intermediary business such as payment settlement, wealth management and safe deposit boxes, and personal information generated in the process when their customers – via these financial institutions – conduct business transactions with insurance companies, securities companies, fund companies and futures companies;
- derivative information, including information reflecting individual preferences which was generated from processing and analysis of the original information (such as personal consumption habits and investment willingness);
- other personal information obtained and stored when establishing business relationships with individual persons.
Under the above, Circular 17 gives a very broad and precise definition of personal data in the banking field. In particular, the definition also covers derivative information, which has an impact on data mining activities conducted in the banking sector.
In this aspect, the Technical Guidance further pushes one step forward. It defines personal information as ‘computer information that is processible by information systems, is related to a specific individual, and can be used to identify a specific individual independently or combined with other information,’ which shall – besides those examples outlined under Circular 17 – also cover personal data processed by third-party payment institutions, such as personal information collected from a consumer’s online payment transactions. The Technical Guidance addresses the different sensitivity of different personal information:
- non-sensitive personal information: the leakage of such information has no negative impact on the data subject.
- sensitive personal information: the leakage or falsification of such information will have a negative impact on the data subject. Such information is further classified into high-, medium- and low-sensitive personal information according to the level of negative impact on the property of the data subject after the leakage, falsification or destruction of such information.
1.2 Data Collection
The first principle addressed by Circular 17 is that data collection shall follow the principle of ‘legitimacy and reasonableness’. Information irrelevant to the business transaction in question shall not be collected and information shall not be collected by unfair means. In this aspect, Circular 17 is very similar to the NPC Decision which stipulates that when collecting personal data during the course of business, the principles of being ‘legitimate, proper and necessary’ shall be followed. These principles are also very close to those of ‘transparency, legitimate purpose, proportionality’ under the European Union Data Protection Directive (Directive 95/46/EC).
When further compared with the NPC Decision, a slight difference arises as regards prior consent requirement. According to the Decision, when collecting personal data, the rules on collection and use state that the purpose, method and scope of collection shall be disclosed and prior consent of the data subject shall be obtained. Due to the fact that, to establish business relationships with banks, customers will in any event need to sign off the submission of their personal data for regulatory purposes, Circular 17 does not explicitly stress the prior consent requirement, but rather focuses on ‘due process’. This provides that when a financial institution in the banking sector receives written authorisation or consent from its customers using standard terms and conditions, this shall specify to what extent such authorisation or consent applies to the personal financial information to be provided by the customers. Possible consequences connected with such authorisations or consents shall be made in plain language and be put in an obvious place in related agreements, which shall be brought to the attention of the customers when they sign such agreements.
The Technical Guidance adds some further requirements which shall be followed in the consent process. For example, the personal information collected shall not go beyond the scope of information necessary for the related transaction. This principle is very similar to the principle of necessity under the NPC Decision. Another principle under the Technical Guidance relates to disclosure. According to this principle, the collecting party shall inform the data subject of the scope, the users and the way of use of the personal information beforehand, either before collection or before further processing of the data. The Technical Guidance also requires that due security means be implemented to protect the collection of personal information, whether online or offline.
1.3 Data Security and Confidentiality
Strict confidentiality and data security are priority obligations to be fulfilled by banks when dealing with personal information of their customers. Circular 17 stipulates that banks shall establish and improve a complete internal control system. Required data breach prevention measures include:
- carefully eliminating processes which may result in a personal financial information breach;
- specifying responsibilities of each department and of staff at all levels, and implementing classification of personal financial information so that it can only be accessed by staff who have a genuine need to do so;
- improving security and technical controls to ensure that personal financial information is not disclosed during collection, transmission, processing, storage and use;
- strengthening the training of personnel and requiring them to sign a confidentiality undertaking;
- evaluating the data protection competence of service providers when outsourcing, and ensuring that all contracts with these providers include an obligation similar to that imposed on the bank, including an obligation to destroy, on termination of the contract, the personal financial information received via the outsourcing.
Circular 80 further requires that all banks conduct an internal data protection audit and education campaign. The result of this internal audit shall be submitted to the PBoC.
These detailed requirements are part of the traditional confidentiality obligation under the general banking laws. Due to the sensitivity of the industry, the regulators have already established a detailed legal framework including industrial standards regarding financial data security. The latest developments in this regard are the three recommended standards regarding IT security introduced to the industry on 6 July 2012.
The Technical Guidance also mentions different encryption measures to be implemented for the protection of personal information, depending on its level of sensitivity.
With regard to data security, it is worth noting that the CBRC has launched the so-called De-IOE campaign in the financial sector, which aims at reducing the use of information systems provided by foreign suppliers such as IBM, Oracle and EMC, and increasing the use of ‘secure and controllable information technologies’ (‘SCIT’). The CBRC published the corresponding rules – the Guiding Opinions on Strengthening the Banking Network Security and Information Technology Construction through the Application of Safe and Controllable Information Technologies – on 26 December 2014 and issued separate guidance to banks on the standards of SCIT. Although the De-IOE campaign is not directly related to the protection of personal financial information, it raises challenges to banks in this regard: when replacing existing IT systems with SCIT, they need to guarantee that the SCIT are able to provide sufficient protection to the personal financial information.
1.4 Data Use
Both Circular 17 and Circular 80 aim at providing more specific guidance on the use of personal financial information. Banks in general are not permitted to alter personal financial information without authorisation or to use personal financial information unlawfully. Use of personal financial information must conform to the purpose of collection as disclosed and agreed, and the activities below are explicitly prohibited:
- selling personal financial information;
- providing personal financial information to third parties (except as otherwise consented to by the data subject for handling related transactions, or as permitted by law or the rules of the PBoC);
- using personal financial information for marketing activities if the data subject objects to this;
- making customer authorisation for the use of personal information for marketing, or consent to transmit personal information to third parties, a condition for establishment of a business relationship, unless the business relationship requires such prior authorisation or consent;
- abusing or checking personal information in the credit registry, payment system or other systems contrary to the stated purpose of its use.
Some of the above prohibitions can also be seen under other data protection rules (e.g. sale of personal information to others and provision to third parties). However, the stress on prohibiting abuse of banks’ data-rich position is an issue specific to China. Due to the fact that China has a very high deposit rate, banks are in a very data-rich position and become easy targets in data breach cases. The statutory segregation of commercial banking business and investment banking business (similar to the US Glass-Steagall Act) creates further incentives for commercial banks to make use of their customer data in cooperation with third parties (e.g. for marketing of investment products) to generate more profits. Circular 17 explicitly addresses this concern.
The Technical Guidance adds further, stricter – though not compulsory – rules on the protection of personal information when accessing, presenting and using personal information, taking into consideration the principles of ‘business necessity’ and ‘minimum authority’. Especially regarding high- and medium-sensitive personal information, the following rules are provided:

- access to information media (including electronic and other media) shall be strictly restricted;
- suspicious activities shall be examined and controlled through real-time monitoring; and
- related communication behaviours, key transactions and use activities shall be recorded.
2. International Data Transfers
A very important issue to be noted regards cross-border transfer of data. Circular 17 requires the storage, processing and analysis of personal financial information to be conducted within the territory of the PRC. No personal financial information shall be transferred overseas unless permitted by law and the PBoC rules (e.g. for conducting international transactions). Compared with the requirements under the more general PRC data protection regime, this requirement is unique to the financial sector. Although cross-border data transfer is already a very sensitive issue in the EU, it is not yet a concern under the more general rules on data protection (e.g. the NPC Decision and the newly revised Consumer Protection Act). From the Chinese perspective, this requirement is driven more by national security concerns than by privacy protection concerns.
In this aspect, the Technical Guidance appears to be more relaxed. It does not prohibit the cross-border transfer of personal information, but sets strict pre-conditions for such transfer. For example, personal data shall not be transferred to an offshore data receiver without the explicit consent of the data subject, an explicit provision under regulations, or approval by the in-charge authority. Such offshore data receivers include offshore individuals, organisations or institutions registered offshore, and organisations hosting their servers outside of China.
3. Data Breaches and Notification
Circular 17 imposes a reporting obligation on financial institutions in the banking sector to promptly report a data breach. The statutory deadline is within seven working days and the report shall be submitted to the local branch of the PBoC. It is interesting to note that the PBoC notices impose this obligation on the financial institution as a whole and, in particular, on the head office within the same institution, and the seven working days period starts at the time when the breach occurs or ‘at the time when the head office discovers non-compliant practice at the branch or department level’. The need to make this distinction is questionable, as it may potentially create an argument to defend a failure to report a breach case in time by claiming that the head office was not aware of the non-compliant practice of a branch bank.
Administrative measures which PBoC may take in case of a breach include:
- requesting senior management to explain the breach;
- ordering correction of the non-compliant behaviour;
- publicising the case within the banking circle;
- proposing administrative punishment against the senior management and other staff who are responsible;
- transferring the case to the procurator for prosecution.
Besides the above, there may also be administrative punishments from other authorities. For example, the PRC Consumer Protection Law, last revised on 25 December 2012, empowers the State Administration for Industry and Commerce (SAIC) to impose a punishment in a data breach case which damages consumer interests. This punishment may include a warning, confiscation of illegal gains, a fine of 1-10 times the illegal gains (or up to CNY 500,000 (approximately €59,000) in the case of no illegal gain) and, in serious cases, even stopping the operation of and deregistering a company. It should in particular be noted that the sale or illegal provision of personal data can further constitute a criminal offence under the PRC Criminal Law. Such an offence only applies to a few sectors, including the financial sector. An offence might result in a criminal fine plus up to three years in jail.
In this regard, Circular 17 explicitly confirms that the PBoC’s administrative measures do not exclude the application of legal consequences under other laws.
Similar legal consequences are not addressed under the Technical Guidance, since the PCAC is not an administrative authority, but rather a self-regulatory industry association supervised by the PBoC.
Circular 17 and Circular 80 have so far been the most specific rules and guidance regulating the topic of data protection in the PRC financial sector. However, they are not the only rules, and potential obligations under other relevant rules shall also be noted. For example, the PBoC issued another notice on 1 August 2013 further addressing the topic of protecting consumer rights and interests in the banking sector which reiterates the obligation of financial institutions to protect personal financial information. There are also specific rules regulating the use of data obtained from the nationwide personal credit registry.
More importantly, the rise of the new data protection regime in the PRC, as driven by the NPC Decision, brings more implications for the financial sector. An important aspect is the shift of emphasis from data security to privacy protection, which is becoming more recognised in the PRC. For example, both the NPC Decision and the revised PRC Consumer Protection Law prohibit spamming activities, which have also frequently become an issue in the financial sector in recent years as financial institutions have spent more effort on marketing their products. The introduction of the new data protection regime provides more substance to privacy protection, which, although covered by existing laws in the past, was difficult to implement due to the excessive generality of the rules. Such a change will no doubt increase the exposure of financial institutions to potential complaints and legal action in connection with data protection.
In general, the PRC data protection regime is still very young compared with its Western counterparts. Several concepts and issues which are heatedly discussed in the EU are not yet a concern in the PRC, e.g. the potential conflict between a money laundering driven reporting obligation and a confidentiality obligation. Also, a considerable amount of detail requires further clarification and interpretation in practice, which is probably not a top priority for the regulators. Despite these points, data protection compliance in the PRC is very relevant for players in the financial sector, in particular considering the increasing exposure caused by new rules and the related legal consequences of violating such rules. It is highly recommended that financial institutions revisit their present data protection practices and ensure that they have an effective system of controls. In addition to internal activities, external support will certainly be needed to ensure compliance.