China does not have a comprehensive national law protecting the privacy of personal data. The current legal regime is based on a plethora of laws and regulations lacking in coherent implementation guidelines.
In response to growing consumer awareness and business needs, industry-specific authorities in China are stepping up their efforts to develop personal data protection regimes dealing with issues arising from sector-specific operations.
In the banking sector, the People’s Bank of China (PBOC) issued a Notice to Urge Banking Financial Institutions to Protect Personal Financial Information (Notice) at the beginning of this year. Banking financial institutions in China (including foreign-invested commercial banks) (Banks) are required to observe these rules when collecting, processing and storing personal financial information (PFI) (as defined in the Notice) during the course of their business and while accessing the PBOC’s credit reference system, payment system or other system. The Notice has been in effect since 1 May 2011.
The Notice, among other things, prohibits Banks from storing, processing or analysing outside China any PFI which has been collected in China, or providing PFI collected in China to an offshore entity. This requirement will impact on a Bank’s operations, including offshore outsourcing practices.
We set out below the key requirements of the Notice.