OPINION – Seven Impacts of the Personal Information Protection Law on China’s financial Industry

By Qi Lyu

Expert in financial law, founder of Beijing Finlegal [email protected] 

While the whole world began regulating personal data tightly, the environment in China was described as “uniquely restrictive”. China’s Personal Information Protection Law (PIPL) has been regarded as the Chinese version of the European Union’s General Data Protection Regulation (GDPR), while even stricter than the latter. The requirements by the law have impacted on the whole financial industry, where sensitive data is highly concentrated. The watchdog emphasised and scrutinized it as an annual focus and has in August launched a special 3-month project for the industry to self-correct itself. The Chinese financial world is being pushed to actively analyse, appraise, and execute the legal requirements. Here are their major concerns in operation.

1- The survival of new credit reporting agencies with personal data

Credit reporting agencies (CRA), as outside supporters, play a significant role in the process of banking due-diligence. But in China, only three agencies have so far been licenced to engage in personal credit reporting business. Except for the earliest one subordinating to the Central Bank, the other two are basically privately-owned, who suffer the toughest hindrances because of their incapacity to obtain individual consent before processing personal information. However, information processed by CRA is largely classified as sensitive data, which necessitates specific and prior consent for each processing purpose under the PIPL. For CRA newcomers, it is hard to find their lawful starting point to accumulate their personal database, let alone deliver it to financial customers.

2- The Possibility of cross-marketing within a financial institution or a group

Due to the sensitive nature of most financial personal data, financial firms are not allowed to process this data beyond their original service purpose. The restriction is based on the specific business rather than the internal legal entity or financial group, although it is permissible under GDPR. This would make the highlighted cross-marketing impossible. For example, you can not sell a wealth management product to your loan customer without first obtaining his ante-consent for such a category of product with a reasonable explanation of rationale and necessity.

3- The contradiction over the personal information archiving period

There are opposing viewpoints regarding the retention period of archives containing personal information. PIPL keeps the shorter the better principle as long as the process purpose is achieved, while the trend for the financial industry is the longer the better, with many financial institutions storing it permanently. China’s Anti-laundry Money Law requires at least a 5-year archive period after the completion of the financial transaction, as well as no less than 150 regulatory documents requiring various durations and varied calculations. The store period of PIPL derives from the consumer’s right to be forgotten and permits exemptions only to otherwise stipulations by law and regulations, while the foregoing files are most regulatory documents. Which concern prevails is undetermined.

4- The reporting duty to the regulators and notification duty to the customer

The PIPL specifies two strings of rather strict restrictions over the government: only legislation and regulations are authorised to stipulate processing personal information with consent, and even so, a notification is still needed by both the provider and recipient. However, the actual procedure works totally differently, as no notice has been given in the case of a regulatory requirement. Maybe the whole industry is waiting for the first customer complaint or lawsuit over this issue to make the practical rule clear.

5. The duty of security appraisal for cross-border personal data flow

The PIPL demands a (Cyberspace Administration of China)-led security assessment for cross-border data transfer to companies with a certain volume of personal information. Banks are obviously among them since their credit cards and debit cards support tonnes of overseas transactions every day. But should all 4000 Chinese banks take part in such an assessment, or should only be for those card settlement entities such as Unionpay, Master, or Visa? There has been no response, and no authority has claimed responsibility.

6. The cost of guaranteeing consumer rights

Many kinds of rights have been listed in the PIPL including but not limited to the right to inquire, to copy, to delete, etc. There was a related case that happened and scared the financial industry. A customer requested that a luxury e-merchant offer and copy all of the seller’s personal information, from historic orders to browser records, automated decision making, the names of SDK, the receipt name, and so on. The seller wanted to limit these to the customer’s profile column but was denied by the court. The seller also argued it would be a huge cost for the whole industry. The courts decided the customer’s rights prevailed. What if this occurred to a bank? The bank may not even be able to gather all the information it holds while sparsely stored. To fulfill this duty, the financial firm has to store all information in a centralized IT system and employ a suitable managerial scheme.

7. The ambiguity over each body’s regulatory scope

The PIPL legislative landscape features multiple authorities undetermined for the financial industry, which enables CAC (Cyberspace Administration of China), MIIT (the Ministry of Industry and Information Technology ), MPS (Ministry of Public Security), PBOC ( the People’s Bank of China) ,or each financial regulatory authority, or even all of them, to sanction a financial institution for the violation of PIPL. In the event of any unfinalized issue, say for instance, the appraisal of the legitimacy of a financial app, financial firms are always confused with whom to report to.