Data Collection and Processing in China: Personal Financial Information (Part 1)

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Ying Zhong

Associate
China

I am a technology, media, telecoms and privacy associate based in Beijing.

* This article is reproduced from Practical Law with the permission of the publishers.

China's financial sector is undergoing a digital transformation and financial institutions are processing large amounts of personal financial information (PFI) in their daily operations. The PFI processing should comply with the following three levels of rules and national standards:

  • General rules on data protection, including:
  • General rules on financial data protection. For example:
  • Special requirements for specific financial institutions. For example:

In order to provide an overview of the regulatory framework governing PFI processing activities in China, we prepared this three-part article covering the following topics:

  • Basic Introduction of PFI: PFI and SPI, PFI Collection and Processing, Legal Basis for Processing
  • PFI Processing Activities: PFI Storage, Third Party Processing, PFI Cross-Border Transfer
  • Data Security Management: Rights of Individuals, Accountability, Legal Enforcement

Below is the first part of the series.

PFI and SPI

PFI refers to personal information (PI) acquired, processed and preserved by financial industry institutions through the provision of financial products and services or other channels, specifically including account information, identification information, financial transaction information, personal identification information, property information, lending and borrowing information, and other information reflecting certain circumstances of a particular individual (2020 PFI Specification).

The 2020 PFI Specification divides PFI into the following seven categories:

  • Personal financial account information.
  • Subject identification information.
  • Personal financial transaction information.
  • Personal identity information.
  • Personal financial property information.
  • Personal borrowing and lending information.
  • Personal derivative information and other PI.

Sensitive PI (SPI) is PI that, if leaked or illegally used, could easily lead to infringement of a natural person's human dignity or endangerment of the personal and property safety of the individual, including information on biometrics, religious beliefs, specific identities, medical care and health care, financial accounts, whereabouts and trajectories, as well as the PI of minors under the age of 14 (Article 28, 2021 PIPL).

Processors of SPI must comply with more stringent rules.

Special Categories of PFI

Financial institutions should comply with additional requirements if they process special categories of PFI such as personal credit information and payment-sensitive information.

Personal Credit Information

Personal credit information is defined as:

"basic information, lending information, and other relevant information that is collected in accordance with the law and provided as a service for financial and other activities and that is used to identify and judge the credit status of enterprises and individuals, as well as the analysis and evaluation information that is formed on the basis of the aforesaid information" (Article 3, Measures for the Administration of Credit Collection Businesses 2021 (2021 Credit Collection Measures), with effect from 1 January 2022).

Personal credit information is divided into the following categories:

  • Basic PI (that is, information on the identification, occupation, and residential address of a natural person).
  • Personal credit transaction information.
  • Information on an individual's credit status.
  • Alternative data.

Payment-Sensitive Information

Payment-sensitive information is important information involving the privacy and identification of the subject of payment, including, among others:

  • Bank card magnetic channel data or chip equivalent information.
  • Card verification codes.
  • Card expiry dates.
  • Bank card passwords.
  • Network payment transaction passwords.
  • Other personal financial information used to authenticate payment.

(Article 49, Barcode Payment Specification (Trial) 2017, with effect from 1 April 2018.)

PFI Collection and Processing

Extraterritorial Effect

Offshore financial institutions are subject to the 2021 PIPL if they process the PI of onshore individuals outside of China for the purpose of either:

  • Providing products or services to the onshore individuals.
  • Analysing and assessing the behaviour of onshore individuals.

(Article 3, 2021 PIPL.)

These foreign organisations must designate their onshore presence or appoint a representative in China to be responsible for protecting PI (Article 53, 2021 PIPL).

The Cyberspace Administration of China (CAC) has the authority to sanction offshore institutions. Where offshore institutions endanger the rights and interests of Chinese citizens' PI, or China's public interests and national security, the CAC may include them in a blacklist, publish a public notice of the list, and take measures such as restricting or prohibiting their receiving PI from China (Article 42, 2021 PIPL).

PI Processing Principles

The 2021 PIPL specifies the general principles and rules for PI processing, including:

  • Legality, legitimacy, necessity, and integrity.
  • Reasonableness, clarity and relevance.
  • Minimum in scope.
  • Openness, transparency, accuracy and completeness.

Information processing based on individual consent should also fulfil the following principles:

  • The PI processed is necessary for the provision of services or the fulfilment of obligations under laws and administrative regulations.
  • The processing of PI should be limited to the shortest period and the lowest frequency to achieve the purpose, and should be carried out in a manner that minimises the impact on the rights and interests of individuals.
  • Processors should not refuse to provide services to or interfere with the normal use of services by individuals due to their refusal to provide information other than PI necessary for the provision of services.

(Articles 5-7, 2021 PIPL.)

Notification

Processors should inform data subjects truthfully, accurately, and fully of the following information in a prominent way and in clear and plain language:

  • The name of the processor and contact details.
  • The purposes of processing, methods of processing, types of PI to be processed, and retention period.
  • The option and procedure for individuals to exercise the statutory rights regarding their PI.

Where a processor handles SPI, in addition to the above matters, it should also inform the individuals of the necessity of processing the SPI and the impact on the individual's rights and interests (Articles 17 and 30, 2021 PIPL).

Legal Basis for Processing

Article 13 of the 2021 PIPL sets out the basis on which processors can legally process PI in China.

Consent

Consent is the primary and most common legal basis for processing PI.

Individuals should give their consent voluntarily and explicitly on the premise of being fully informed (Article 14, 2021 PIPL).

Processors need to obtain separate consent from individuals in the following circumstances:

  • Providing PI to other processors.
  • Publicly disclosing the PI.
  • Using personal images and identifying information collected in accordance with the law for the purpose of maintaining public safety.
  • Processing SPI.
  • Exporting PI abroad.

Financial data regulation emphasises obtaining explicit and written consent from personal data subjects. Specifically:

  • Explicit consent refers to the act of the subject of PFI explicitly authorising the specific processing of their PFI by means of a written statement or an affirmative action on their own initiative. Affirmative actions include:
    • actively making a statement in electronic or paper form;
    • actively ticking a box;
    • actively clicking "agree," "register," "send," "call," or "dialling"; and
    • filling in or providing information on their own initiative.

    (Article 3.22, 2020 PFI Specification.)

  • Banking and payment institutions are required to obtain the explicit consent of financial consumers or their guardians for processing the consumers' financial information (Article 29, Implementing Measures of the People's Bank of China on the Protection of the Rights and Interests of Financial Consumers 2020 (2020 Financial Consumers Protection Measures)).
  • Where a commercial bank inquires into an individual's personal credit report from a personal credit database for specific business purposes, the bank must obtain written authorisation from the individual, which can be obtained by adding the corresponding terms to the applications for loans, credit cards, quasi-credit cards, and guarantees (Articles 12-13, Interim Measures for the Administration of the Personal Credit Information Basic Database 2005 (2005 Personal Credit Data Interim Measures)).
  • A credit collection agency should not collect information on an individual's income, deposits, securities, commercial insurance, real estate or tax payments, unless the credit institution clearly informs the subject of the information of the possible adverse consequences of providing such information and obtains their written consent. It is prohibited to collect information on an individual's religious beliefs, genes, fingerprints, blood type, diseases, and medical history, as well as other PI the collection of which is prohibited by laws and administrative regulations. (Articles 13 and 14(2), Regulations on the Administration of the Credit Collection Industry 2013 (2013 Credit Collection Regulations).)

Necessity for Contract Conclusion or Performance

Among other bases, processors may process PI where the processing is necessary to conclude or perform a contract to which the individual is a party (Article 13, 2021 PIPL).

Specific to the financial sectors:

  • In concluding an insurance contract, the policyholder must truthfully inform the insurer about the subject matter of the insurance or the insured. If they do not and that information is sufficient to influence whether the insurer would agree to underwrite the insurance or to increase the premium rate, the insurer can terminate the contract. The insurance contract should at least include:
    • the name and domicile of the insurer, the policyholder, and the insured; and
    • the name of the beneficiary of a life insurance.

    (Articles 16 and 18, Insurance Law of the PRC 2015.)

    Additionally, when selling life insurance products, insurers should, after obtaining the policyholder's consent, record the key aspects of the sales process with live synchronised recording (Article 6, Interim Measures for the Administration of Traceability of Insurance Sales Behaviour 2017 (2017 Insurance Sales Traceability Interim Measures)).

  • Commercial banks are not required to obtain written authorisation from the person when making enquiries about personal credit reports during post-loan risk management of issued personal credits (Article 13, 2005 Personal Credit Data Interim Measures).
  • Non-bank payment institutions should open the corresponding class I, II, or III payment accounts through face-to-face verification, or multiple cross-verification with the required number of external channels (Article 11, Measures for the Administration of Network Payment Business of Non-Bank Payment Institutions 2015 (2015 Non-Bank Payment Measures), with effect from 1 July 2016).

Necessity for Human Resources Management

Processors may process PI where the processing is necessary to implement human resources management in accordance with the labour rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law (Article 13, 2021 PIPL).

Human resources management involves scenarios such as job searching, daily management of employees (including employee medical checkups), and so on. Employers may come into contact with employees' PI such as name, date of birth, ID card number, address, phone number, email address, and others. Employees' SPI includes biometrics, religious beliefs, specific identities, medical and healthcare data, financial account numbers, and whereabouts.

Specific to the financial sectors:

  • Financial institutions must obtain an employee's past employment history to determine whether they meet the statutory requirements for employment (for example, qualifications, experience, moral character, and other elements).
  • Commercial banks should verify the PI of the relevant personnel in the information technology department, including valid identity documents, academic certificates, work experience and professional qualifications and so on, and review the moral character of information technology employees to ensure that they have the appropriate professional conduct (Article 9, Guidelines on IT Risk Management in Commercial Banks 2009 (2009 IT Risk Management Guidelines)).
  • For fund selling institutions, the person in charge of the fund sales business department should be qualified as a fund practitioner and have more than two years of working experience in the fund business or more than five years of working experience in a financial institution (Article 8(4), Measures for the Supervision and Administration of Institutions Selling Publicly Raised Securities Investment Funds 2020).

Necessity for Discharging Legal Duties

Processors may process PI where the processing is necessary for the performance of statutory duties or obligations (Article 13, 2021 PIPL).

Specific to the financial sectors:

  • The processing of PFI is necessary to fulfil legal obligations, including identity verification, assistance with enquiries, and common reporting standard (CRS) compliance.
  • Identity verification is required throughout all aspects of financial transactions, either to safeguard the authenticity and security of the transaction itself or to meet regulatory requirements such as anti-money laundering, anti-cheating, and anti-fraud.
  • Financial institutions operating deposit business in accordance with the law must notify the competent authorities of the information on individuals' deposits in accordance with the relevant laws or administrative regulations, as well as the requirements of the competent authorities' enquiry (Circular on Administrative Provisions on Financial Institutions' Assistance in Enquiry, Freezing and Withholding Work 2002).
  • For CRS compliance, to combat cross-border tax evasion, the following PI may be transferred to different regions or countries:
    • personal financial accounts (including accounts, account balances, and other information, as well as name, date of birth, age, gender, and place of residence captured at the time of opening the account); and
    • asset information (including deposit accounts, escrow accounts, funds with cash or insurance contracts, and annuity contracts).

Part 2 of this three-part series will provide further details on PFI processing activities in China. If you require any further assistance, please contact James Gong at [email protected].
