In Part 1 of this blog series (see here), we discussed recent data protection developments in China’s e-commerce sector. In this post, we discuss recently issued rules aimed at improving data governance in China’s financial sector that could also have data protection implications. These rules can be categorized as falling into two groups: the first group focuses on general data governance requirements applicable to all financial institutions, and the second group regulates specific types of financial services.
These new rules were published by the China Banking and Insurance Regulatory Commission (“CBIRC”) and People’s Bank of China (“PBOC”) during the first quarter of 2021, and include:
- Guidelines for Data Capacity-Building in the Financial Industry (“Guidelines”) (official Chinese version available here);
- Financial Data Security – Data Life Cycle Security Standard (“Standard”) (official Chinese version available here); and
- Draft Credit Reporting Management Measures (“Draft Measures”) (official Chinese version available here).
Both the Guidelines and Standard provide detailed criteria for financial institutions on the proper collection, use and protection of “financial data,” while the Draft Measures introduce data-related requirements for licensed credit reporting agencies. All of these new rules include data security requirements for both personal and non-personal data.
Guidelines for Data Capacity-Building in the Financial Industry (“Guidelines”)
PBOC published the Guidelines on February 9, 2021. The Guidelines provide high-level recommendations for financial institutions aimed at enhancing their capacity to manage and protect data.
The Guidelines emphasize that financial institutions must obtain informed consent from users before collecting and processing their data, and limit the scope of data collection/use to the minimum necessary to fulfill the purpose. The Guidelines further require financial institutions to implement data classification measures and appropriate protocols to securely store different categories of data.
The Guidelines also require financial institutions to develop and implement a comprehensive data governance strategy, and list eight factors that should be taken into account when doing so. For example, among other things, a financial institution needs to maintain an internal data protection program and ensure that employees who have access to data are subject to clearly defined responsibilities.
Financial Data Security – Data Life Cycle Security Specification (“Standard”)
To provide further guidance to financial institutions on data security and data sharing, on April 8, 2021, PBOC released the Standard, which took effect on the same day. The Standard aims to strengthen data security in the financial sector and ensure that the sharing of financial data (including personal financial information) between institutions is secure and efficient.
The Standard defines “financial data” broadly to include various types of data that are collected or generated by financial institutions when conducting their daily operations to provide financial services. Further, “personal financial information” is defined as personal information that financial institutions collect, process and retain when providing financial products or services, whether collected directly from individuals or by other means. Examples of personal financial information include account details, asset information, financial transaction information, and so forth.
To help ensure the lawful collection and use of financial data, the Standard sets out a set of general principles that would require financial institutions to implement technical and organizational security measures for financial data commensurate with the risk, and to clearly define and allocate roles and responsibilities for internal staff who may have access to financial data. The Standard requires financial institutions to implement different data security measures depending on the classification level of the financial data concerned; the classification levels themselves are defined in a separate standard, the Financial Data Security – Guidelines for Data Security Classification.
According to the Guidelines for Data Security Classification, financial data shall be classified into one of five levels based on the relative impact that damage to such data would have on national security, the public interest, the interests of the relevant individuals, and the lawful interests of enterprises:
- Level 1 data, which includes personal information that is voluntarily disclosed by individuals, can be disclosed publicly.
- Level 2 to 4 data, which includes, for example, user authentication information (e.g., the CVN and password of a bank card, account passwords and biometric information), user identification information and other information collected by financial institutions in their daily operations, requires additional safeguards in light of the associated security risks and the possibility of sharing the data with third parties. Note that the Standard prohibits financial institutions from transferring data classified Level 3 or above to third parties unless they have obtained approval (it is unclear whether this refers to an internal approval or approval from a regulator) and have adopted appropriate technical measures to ensure the data’s confidentiality.
- Level 5 data must satisfy specific requirements under relevant sectoral rules and regulations. Level 5 data includes data processed by large-scale financial institutions to provide critical services or data that would threaten national security or harm public interests if compromised.
The Standard also requires financial institutions to obtain explicit consent from individuals after informing them of the purpose(s), method(s) and scope of collecting and processing their personal financial information, as well as to limit the collection of personal financial information to what is necessary to provide financial services.
Draft Credit Reporting Management Measures (“Draft Measures”)
Released by PBOC on January 11, 2021, the Draft Measures apply to credit reporting on Chinese businesses and individuals. The Draft Measures apply not only to credit reporting agencies in China, but also to agencies outside of China that provide credit reports on business entities and individuals located in China. Credit information is defined as “various types of information that are used to evaluate the credit standing of individuals and corporations, including (but not limited to): identity, address, property, payment, performance of legal duty, and analysis or evaluation of the aforementioned information.”
A credit reporting agency is required to collect, by legitimate means, only the minimum credit information necessary. When collecting unpublished credit information from a corporation, a credit reporting agency needs to obtain consent through appropriate means. Moreover, business credit reporting agencies that store or process credit information on more than 500,000 corporations must satisfy the following criteria:
- obtain Level 3 certification or above under the Multi-Level Protection Scheme (read more about Multi-Level Protection Scheme certification in our prior client alert here);
- appoint an information security director who shall be the senior executive of the credit reporting agency; and
- establish a dedicated department responsible for information security management.
The Draft Measures also impose data localization requirements on credit reporting agencies that provide credit reporting services in China. In addition, a credit reporting agency that provides on-demand business credit information about Chinese entities to foreign users must verify the identity of those foreign users and the purpose for which they will use the information. A credit reporting agency shall report to the PBOC if it provides business credit information to foreign users or cooperates with foreign credit reporting agencies; moreover, it is prohibited from providing credit information about a group of corporations in a particular region or industry to a single foreign user.