In Part 1 of this blog series (see here), we discussed recent data protection developments in China’s e-commerce sector. In this post, we discuss recently issued rules aimed at improving data governance in China’s financial sector that could also have data protection implications. These rules fall into two groups: the first group focuses on general data governance requirements applicable to all financial institutions, and the second group regulates specific types of financial services.
These new rules were published by the China Banking and Insurance Regulatory Commission (“CBIRC”) and the People’s Bank of China (“PBOC”) during the first quarter of 2021, and include:
- Guidelines for Data Capacity-Building in the Financial Industry (“Guidelines”) (official Chinese version available here);
- Financial Data Security – Data Life Cycle Security Standard (“Standard”) (official Chinese version available here); and
- Draft Credit Reporting Management Measures (“Draft Measures”) (official Chinese version available here).
Both the Guidelines and the Standard provide detailed criteria for financial institutions on the proper collection, use and protection of “financial data,” while the Draft Measures introduce data-related requirements for licensed credit reporting agencies. All of these new rules include data security requirements for both personal and non-personal data.