Asian-mena Counsel: Data + Cyber Security Special Report 2020
Jingtian & Gongcheng partners Yuan Lizhi, Hu Ke and associate Wang Beining take us through the details of the regulatory framework.
How does Chinese law define personal financial information?
Chinese law specifies personal financial information (“PFI”) as follows:
1. Institutional Identity
The scope of PFI depends on the definition of financial institutions, since PFI is regarded as personal information (“PI”) collected and used by financial institutions in the process of providing financial products or services.
In 2011, the People’s Bank of China (the “PBOC”) promulgated the Notice Regarding the Effective Protection of Personal Financial Information by Banking Institutions (the “Notice on PFI”), which defines PFI as PI obtained, processed and stored by banking financial institutions. In 2020, the PBOC issued the Personal Financial Information Protection Technical Specification (the “PFI Specification”). The PFI Specification applies to licensed financial institutions supervised by China’s financial regulatory authorities and, more broadly, institutions processing PFI.
2. Types of PFI
The Notice on PFI and the PFI Specification also enumerate PFI. The enumeration of PFI includes personal identity information, personal property information, personal account information, loan information, financial transaction information, derived information, authentication information and other information.
What are the regulatory rules and requirements for cross-border transfer of personal financial information under Chinese law?
The Notice on PFI establishes the framework for cross-border transfer of PFI in China: the storage, processing and analysis of PFI shall take place within the territory of China. Cross-border transfer of PFI is prohibited in principle. Exceptions to this prohibition exist, but the Notice on PFI itself does not specify any of them.
In 2011, the Shanghai Branch of the PBOC promulgated the Notice Regarding the Effective Protection of Personal Financial Information by Banking Financial Institutions, which sets out exceptions under which cross-border transfer of PFI is allowed. It requires that financial institutions transfer PFI only for business needs, obtain customers’ consent, ensure confidentiality, and transfer PFI to affiliated institutions only. In addition, according to the Guidelines for the Management of Money Laundering and Terrorist Financing Risks of Corporate Financial Institutions (Draft) issued by the PBOC in 2019, domestic corporate financial institutions may provide overseas clearing agents with customer identity information and transaction background information, after obtaining their customers’ authorisation, where cross-border transfer is necessary for anti-money laundering and anti-terrorist financing purposes.
We understand that, currently, these exception rules are the compliance path for cross-border transfer of PFI. Financial institutions shall ensure that:
- The cross-border transfer is to meet business needs;
- The cross-border transfer is under customers’ authorisation;
- Confidentiality of PFI is not undermined; and
- PFI is transferred to overseas affiliates, or to the affiliates of overseas entities that are located within China.
What is the impact of the regulatory requirements for critical information infrastructure and important data on the cross-border transfer of personal financial information?
Chinese law restricts the cross-border transfer of PI and important data collected by critical information infrastructure operators (“CIIO”). Art. 37 of the Cybersecurity Law (the “CSL”) stipulates that CIIO shall store PI and important data collected and produced during their operations within the territory of China. Where it is genuinely necessary to provide PI and important data to overseas parties due to business needs, a security assessment shall be conducted in accordance with the measures formulated by the Cyberspace Administration of China in concert with the relevant departments of the State Council.
As to the definition of critical information infrastructure (“CII”), Art. 18 of the Regulations on Protection of Critical Information Infrastructure Security (Draft) and Art. 3.1 of the Guidelines for the Security Inspection and Evaluation of Critical Information Infrastructure (Draft) define CII as the network facilities and information systems whose destruction, malfunction or data leakage may seriously endanger national security, the national economy, people’s livelihood and public interests. Both drafts cite the financial sector as an example of CII. Therefore, if these two drafts are officially promulgated, the chances are high that the cross-border transfer of PFI will be restricted.
With respect to important data, apart from Art. 37 of the CSL, the Administrative Measures for Data Security (Draft) also impose strict requirements on the cross-border transfer of important data. Even where important data is collected by network operators other than CIIO, a security risk assessment of the cross-border transfer must be conducted and reported to the regulatory authorities for approval. Art. 28 of the Data Security Law (Draft) (the “DSL”) stipulates that all processors of important data shall conduct risk assessments regularly and submit the assessment reports to the authorities.
Important data refers to data that, once leaked, may directly affect national security, economic security, social stability, or public health and safety. Under Art. 38 of the Administrative Measures for Data Security (Draft), important data does not include personal information. However, large volumes of PFI, once aggregated, integrated and analysed, may reveal trends in China’s financial and economic development and thereby negatively affect financial security. Therefore, large-scale PFI may be classified as important data, and thus be restricted from cross-border transfer.
Chloe Xu is deputy general manager and general counsel for Baiyin International Investment Ltd, based in Beijing:
“In the finance sector we see continuing legislative efforts by the Chinese government in preparation for the further opening-up of the country’s financial market to foreign investors. One focus is to strengthen the protection of PFI to better secure local consumer rights as well as national security in the current digital world. We therefore expect more stringent and detailed requirements to be introduced on the cross-border transfer of personal financial information (“PFI”).
“Our company does not engage in the finance business directly, therefore many of the rules may not directly apply to us, but we often work with the Chinese banks on cross-border financing deals that may involve cross-border transfer of PFI. I feel that it’s necessary for our in-house team to keep abreast of these requirements and best practices, which will enhance our understanding of the lender’s thinking, the data issues etc, and thus better facilitate cross-border financing transactions between parties.”
What are the developing regulatory requirement trends for cross-border transfer of personal financial information in China?
1. The integration of specialised regulations and general regulations
As mentioned above, the financial regulations impose a localisation requirement and prohibit cross-border transfer. By contrast, the general regulations remove the localisation requirement and instead specify compliance requirements for cross-border transfer. However, there is a trend towards integrating these opposing rules. Taking the PFI Specification as an example: it adheres to the localisation rules under the financial regulations, as well as the general principle of prohibition of cross-border transfer subject to exceptions. In addition, the PFI Specification incorporates the compliance requirements under the general regulations, namely that PI controllers shall obtain PI subjects’ consent, conduct a self-assessment, pass the regulatory authorities’ assessment, and sign the standard contract terms for cross-border transfer. Although the PFI Specification is not mandatory, it is an important reference for best practice in the financial industry.
2. The rules for cross-border transfer of PI under the Personal Information Protection Law
Chinese law currently has no detailed rules specifically governing the cross-border transfer of PI, but the Personal Information Protection Law (Draft), which sets out rules for the cross-border transfer of PI, may be promulgated in the near future and would apply to the cross-border transfer of PFI. According to the press, the Personal Information Protection Law (Draft) may require that, before the cross-border transfer of PI, the processor inform PI subjects, obtain PI subjects’ consent and: (1) pass a security assessment; or (2) obtain PI protection certification from a professional organisation; or (3) sign an agreement on cross-border transfer with the overseas PI recipient that meets the PI protection standards; or (4) meet other requirements stipulated by law.
3. Data security audit and export control under the DSL
Since the DSL applies to all types of data, including PFI, it will also affect cross-border transfer to some extent once it comes into effect. According to the press, the DSL provides for security audits of data activities that may affect national security, and subjects data relating to controlled items to the export control system. These two rules are likely to apply to cross-border transfers of PFI that are relevant to national security or fall under export control.