* This article is reproduced from Practical Law with the permission of the publishers.
China's financial sector is undergoing a digital transformation, and financial institutions process large amounts of personal financial information (PFI) in their daily operations. PFI processing must comply with the following three levels of rules and national standards:
General rules on data protection, including:
General rules on financial data protection. For example:
Special requirements for specific financial institutions. For example:
In order to provide an overview of the regulatory framework governing PFI processing activities in China, we prepared this three-part article covering the following topics:
Below is the first part of the series.
PFI refers to personal information (PI) acquired, processed and preserved by financial industry institutions through the provision of financial products and services or other channels, specifically including account information, identification information, financial transaction information, personal identification information, property information, lending and borrowing information, and other information reflecting certain circumstances of a particular individual (2020 PFI Specification).
The 2020 PFI Specification divides PFI into the following seven categories:
Sensitive PI (SPI) is PI that, if leaked or illegally used, could easily lead to infringement of a natural person's human dignity or endangerment of the personal and property safety of the individual, including information on biometrics, religious beliefs, specific identities, medical care and health care, financial accounts, whereabouts and trajectories, as well as the PI of minors under the age of 14 (Article 28, 2021 PIPL).
Processors of SPI must comply with more stringent rules.
Financial institutions should comply with additional requirements if they process special categories of PFI such as personal credit information and payment-sensitive information.
Personal Credit Information
Personal credit information is defined as:
"basic information, lending information, and other relevant information that is collected in accordance with the law and provided as a service for financial and other activities and that is used to identify and judge the credit status of enterprises and individuals, as well as the analysis and evaluation information that is formed on the basis of the aforesaid information" (Article 3, Measures for the Administration of Credit Collection Businesses 2021 (2021 Credit Collection Measures), with effect from 1 January 2022).
Personal credit information is divided into the following categories:
Payment-Sensitive Information
Payment-sensitive information is important information involving the privacy and identification of the subject of payment, including, among others:
(Article 49, Barcode Payment Specification (Trial) 2017, with effect from 1 April 2018.)
Extraterritorial Effect
Offshore financial institutions are subject to the 2021 PIPL if they process the PI of onshore individuals outside of China for the purpose of either:
(Article 3, 2021 PIPL.)
These foreign organisations must designate their onshore presence or appoint a representative in China to be responsible for protecting PI (Article 53, 2021 PIPL).
The Cyberspace Administration of China (CAC) has the authority to sanction offshore institutions. Where offshore institutions endanger the rights and interests of Chinese citizens' PI, or China's public interests and national security, the CAC may include them in a blacklist, publish a public notice of the list, and take measures such as restricting or prohibiting their receiving PI from China (Article 42, 2021 PIPL).
PI Processing Principles
The 2021 PIPL specifies the general principles and rules for PI processing, including:
Information processing based on individual consent should also fulfil the following principles:
Notification
Processors should inform data subjects truthfully, accurately, and fully of the following information in a prominent way and in clear and plain language:
Where a processor handles SPI, in addition to the above matters, it should also inform the individuals of the necessity of processing the SPI and the impact on the individual's rights and interests (Articles 17 and 30, 2021 PIPL).
Article 13 of the 2021 PIPL sets out the basis on which processors can legally process PI in China.
Consent
Consent is the primary and most common legal basis for processing PI.
Individuals should give their consent voluntarily and explicitly on the premise of being fully informed (Article 14, 2021 PIPL).
Processors need to obtain separate consent from individuals in the following circumstances:
Financial data regulation emphasises obtaining explicit and written consent from personal data subjects. Specifically:
(Article 3.22, 2020 PFI Specification.)
Necessity for Contract Conclusion or Performance
Among other bases, processors may process PI where the processing is necessary to conclude or perform a contract to which the individual is a party (Article 13, 2021 PIPL).
Specific to the financial sectors:
(Articles 16 and 18, Insurance Law of the PRC 2015.)
Additionally, when selling life insurance products, insurers should, after obtaining the policyholder's consent, record the key aspects of the sales process with live synchronised recording (Article 6, Interim Measures for the Administration of Traceability of Insurance Sales Behaviour 2017 (2017 Insurance Sales Traceability Interim Measures)).
Necessity for Human Resources Management
Processors may process PI where the processing is necessary to implement human resources management in accordance with the labour rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law (Article 13, 2021 PIPL).
Human resources management involves scenarios such as job searching, daily management of employees (including employee medical checkups), and so on. Employers may come into contact with employees' PI such as name, date of birth, ID card number, address, phone number, email address, and others. Employees' SPI includes biometrics, religious beliefs, specific identities, medical and healthcare data, financial account numbers, and whereabouts.
Specific to the financial sectors:
Necessity for Discharging Legal Duties
Processors may process PI where the processing is necessary for the performance of statutory duties or obligations (Article 13, 2021 PIPL).
Specific to the financial sectors:
Part 2 of this three-part series will provide further details on PFI processing activities in China. If you require any further assistance, please contact James Gong at [email protected].