Protection of personal financial information in China

October 2011

Introduction

China does not have a comprehensive national law protecting the privacy of personal data. The current legal regime is based on a plethora of laws and regulations lacking in coherent implementation guidelines.

In response to growing consumer awareness and business needs, industry-specific authorities in China are stepping up their efforts to develop personal data protection regimes dealing with issues arising from sector-specific operations.

In the banking sector, the People’s Bank of China (PBOC) issued a Notice to Urge Banking Financial Institutions to Protect Personal Financial Information (Notice) at the beginning of this year. Banking financial institutions in China (including foreign invested commercial banks) (Banks) are required to observe these rules when collecting, processing and storing personal financial information (PFI) (as defined in the Notice) during the course of their business and while accessing the PBOC’s credit reference system, payment system or other system. The Notice has been in effect since 1 May 2011.

The Notice, among other things, prohibits Banks from storing, processing or analysing outside China any PFI which has been collected in China, or from providing PFI collected in China to an offshore entity. This requirement will affect a Bank’s operations, including its offshore outsourcing practices.

We set out below the key requirements of the Notice.

Notice - Key issues

The Notice contains a broad definition of “PFI”

PFI is very broadly defined in the Notice and includes:

  1. personal identity information [1]
  2. personal property information [2]
  3. personal account information [3]
  4. personal credit information [4]
  5. personal financial transaction information [5]
  6. derivative information [6]; and
  7. other personal information acquired or stored in the process of developing business relationships with individuals.

Protection of PFI

The following are the salient provisions of the Notice in relation to the protection of PFI:

  1. Purpose and manner of collection of PFI
    1. PFI should be collected by means which are lawful and fair;
    2. PFI irrelevant to the business transaction in question should not be collected; and
    3. Banks are prohibited from requiring customers to consent to their use of PFI for marketing purposes or sharing of PFI with third parties, as a precondition for establishing any business relationship with them.
  2. Use of PFI
    1. PFI can only be used for the purpose for which the PFI was collected.
    2. Banks are prohibited from:
      1. selling PFI - this is an absolute prohibition and cannot be ratified by customer consent;
      2. providing PFI to any third party unless such provision is required by law or is necessary for the business purpose for which the PFI was initially collected and is with the written consent of the person whose PFI is being provided;
        If the relevant consent is obtained through a standard form contract, the Bank must explicitly describe the scope and circumstances under which such PFI is to be provided to third parties. The potential consequences and risks associated with such consent should be: a) indicated in language that can be easily understood; b) presented in a prominent manner; and c) drawn to the customer’s attention prior to signing the contract.
      3. using PFI for marketing activities of the Bank if the customer to whom the PFI pertains objects to such use;
      4. storing, processing or analysing outside China any PFI which has been obtained in China, or providing PFI to an offshore entity, unless the laws of China or the PBOC provide otherwise [7];
    3. Banks may only use PFI acquired from PBOC’s credit reference system, payment system or any other systems for the purposes specified by such systems. This cannot be ratified by customer consent. China has separate rules for the regulation of PBOC’s credit reference system and the use of data collected from such systems. Non-compliance with these rules may attract fines or criminal sanctions.
  3. Security of PFI
    1. Effective measures must be taken to ensure the security of PFI;
    2. An internal control system must be established to assign clearly the level of authority required for business units and persons to have access to PFI to ensure that there is no unauthorised disclosure or use of PFI;
    3. Employees who have access to PFI must provide a written assurance to their employers acknowledging their obligation to protect the confidentiality of PFI; and
    4. Banks must notify the local branch of the PBOC promptly of any instance of security breach or unauthorised disclosure of PFI [8].
  4. Business outsourcing arrangement
    Banks are required to examine and evaluate the ability of an outsource service provider to protect PFI before engaging such service provider. The service agreement between the service provider and the Bank must impose obligations on the service provider to protect the confidentiality of the PFI and to destroy the PFI upon termination of the service contract.

Violation of the requirements under the Notice

Violation of the requirements under the Notice will entitle the PBOC to order the relevant Bank to rectify its non-compliance and to require the Bank to punish the responsible officers.

The judiciary can intervene if the Bank’s violation constitutes a crime [9]. It should be noted that any non-permitted disclosure (i.e. sale or illegal provision) of PFI will constitute a crime. This requirement only applies to specific industry sectors, including the financial sector.

Recommendations to Banks

To ensure compliance with the requirements in the Notice, Banks should consider:

  1. raising awareness and educating their employees about the importance of PFI security and confidentiality;
  2. maintaining a logging and reporting system to restrict access to PFI;
  3. reviewing PFI collection practices, consent forms/standard form contracts, and outsourcing service contracts to ensure compliance;
  4. segregating data to ensure that no data is transferred to third parties or used for other purposes unless prior consent from the data subject has been obtained with respect to such transfer or use; and
  5. assigning a PFI compliance officer to audit internal procedures and to attend to data security breaches in a timely manner.

Our specialist intellectual property and technology team has in-depth experience in advising on all aspects of data protection and privacy issues throughout the Asia-Pacific region. We regularly advise banks and financial institutions on compliance with the complex data protection regulatory framework in China. If you would like further information or have any questions please contact our Norton Rose Asia IPT team.

Endnotes
  1. Personal identity information includes a person’s name, gender, nationality, ethnic group, occupation, contact information, marital or family status, and photographs, etc.
  2. Personal property information includes a person’s income status, immovable property, vehicle, taxes, and amounts paid towards the provident fund, etc.
  3. Personal account information includes a person’s account number, the point of time when the account was opened, account balance, and account transactions, etc.
  4. Personal credit information includes information about a person’s credit card payment, loan repayment, and other information about economic activities which may indicate his/her personal credit status.
  5. Personal financial transaction information includes personal information acquired, stored and retained by Banks in the course of offering intermediary services (i.e. payment and settlement operation, financial management, deposit safe custody services), or generated in the course of business that customers carried out through the Banks with third-party institutions, such as insurance companies, securities companies, etc.
  6. Derivative information refers to consumption preferences, investment intent and other specific personal information gathered by processing or analysing the primary data.
  7. This requirement has caused concern among many Banks, and we understand the Shanghai branch of the PBOC has subsequently issued a notice to the Banks in Shanghai to clarify this specific requirement, stating that, notwithstanding the requirement:
    1. a branch office set up by a foreign bank that does not have any presence in China as an independent legal person may rely on its headquarters, other branch offices or affiliated companies located offshore to store, process or analyse outside China any PFI which has been obtained in China, provided that a) the customer has given written consent to this arrangement; and b) the aforementioned offshore entities have taken corresponding protection measures to ensure the security of the PFI, and the headquarters of such branch office undertakes corresponding legal liabilities for non-compliance with such security requirement; and
    2. a Bank may provide PFI to its headquarters, parent company, branch offices or subsidiaries located offshore provided that a) the provision is for the purpose of serving the customer’s business needs; b) the customer has given written consent to such provision; and c) the Bank warrants that the aforementioned offshore entities to whom the Bank has provided PFI shall keep the PFI confidential.
  8. Reporting must take place on the same day as the occurrence of the security breach. If a supervising bank discovers an instance of unauthorised disclosure in a subordinate organisation, it must report the incident to the local branch of the PBOC within 7 working days of discovering the breach.
  9. The Seventh Amendment to the Criminal Law, promulgated in 2009, makes it an offence for employees in certain industry sectors (including the financial sector) to sell or otherwise unlawfully provide to third parties the personal data of any citizen obtained in the course of performing their duties. The directors or responsible officers of a company which sells or otherwise unlawfully provides to third parties the personal data of its clients may also be criminally liable.