The Mist of “Personal Financial Data” in China

Article 33 of the Implementation Measures of the People’s Bank of China for Protecting Financial Consumers’ Rights and Interests  (issued in 2016, “2016 Implementation Measures“) reads:

Individuals’ financial information collected within China shall be stored, processed and analyzed within the territory of China. No financial institution shall provide the financial information on domestic individuals abroad, unless it is otherwise prescribed by any law, regulation or the People’s Bank of China.

Where a domestic financial institute, for the purpose of handling cross-border business and as authorized by the related subjects, transmits relevant individual’s financial information collected within China to any overseas institute (including the head office, parent company or branch companies, subsidiaries and other affiliated institutions required for completing the business), it shall comply with laws, administrative regulations and the provisions of relevant regulatory departments, and by taking such effective measures as signing agreements and conducting on-site inspection, require overseas institutes to keep confidential the obtained individuals’ financial information.

The first paragraph provides a universal prohibition of cross-border data transfer.  Even with data subjects’ consent, financial institutes are not allowed to transfer “financial personal data” out of China.  The second paragraph provides an exception for the circumstances where a financial institute transfers data outside of China for the purposes of “cross-border business”, provided that (i) customer consents are given, (ii) the institute is in compliance with applicable regulations and (iii) appropriate measures of data security haven been taken.

To understand this provision, one needs to clarify the meanings of two key terms: “personal financial information” and “cross-border business”.

Personal Financial Information 

Article 27 of the 2016 Implementing Measures provides a definition for the “personal financial information”:

“… refers to personal information being obtained, processed or stored by financial institutes through their business operation or other channels, including personal identity information, asset information, account information, credit information, financial transaction information and other information that can reflect certain situation of a specific person. ” (underlines added)

To understand the underlined terms , one must know that this Article 27 is derived from a regulation issued by the People’s Bank of China (“PBoC“) in 2011, titled Notice on Well-Protection of Personal Financial Information (“2011 Notice“). The 2011 Notice sets out the basic framework on the protection of “personal financial information” in China. Its first section has summarized various categories of personal financial information and enlisted more specific items under each category.  As you will read below, the names of these categories are reused in Article 27 of the 2016 Implementing Measures.

  • “personal identity information”, including a person’s “name, gender, nationality, ethnic, ID document and its number and expiration time, occupation, contact information, marital status, family status, residential address and occupational address, portraits etc.” [Note: in China, regulators like to end lists with “etc”, so that they will have chances to add items when needed]
  • “personal asset information”, including a person’s “income situation, ownership to real properties and vehicles, amount of tax, amount of provident fund, etc.”
  • “personal account information”, including “account numbers, date of account opening, bank name, account balance, transaction information, etc.”
  • “personal credit information”, including a person’s “record of repayment of credit cards, record of repayment of loans, as well as any other information being formed during economic activities conducted by a person, so long as such information can reflect the person’s credit status.”
  • “personal information of financial transactions”, including “personal information obtained, stored or retained by financial institutes through their intermediary businesses  such as payment settlement, asset management, safe deposit box and others, as well as personal information generated during a customer’s transactions with third party institutes (insurance company, fund company, futures company, etc. ) through banks”
  • “derivative information”, “including information that are generated from analysis and processing of original data and can reflect a specific person’s situation”, and
  • “other information obtained or retained by banks during the process of business with customers”.

Apparently, these terms have been reused in the 2016 Implementing Measures.  Given both documents were issued by the PBoC, it is reasonable to interpret “personal financial information” under the 2016 Implementing Measures with the reference of the above provisions.  In fact, the 2011 Notice had also provided that personal financial information collected within China is required to be stored, processed and analysed within the territory of China. Banks in China are not permitted to transfer the personal financial information of Chinese citizens to any other country without the approval of the PBoC except if permitted by separate rules or regulations.

In light of the above, when one wants to clarify if certain data fall into the the scope of “personal financial information”, he/she should refer to the 2011 Notice.  Given the above broad lists (plus those “etc”), any personal data collected, retained or generated by financial institutes could be found falling into the basket.

Cross-border business

The second paragraph of Article 33 of the 2016 Implementing Measures seems having provided an exception against the general prohibition of the cross-border transfer of “personal financial information”.  The wording of the paragraph is quite interesting (and ambiguous). It does not directly affirming the exception by using the language like “domestic financial institute are allowed to transfer personal financial information to an overseas institute with the following conditions…” Instead, it uses a very strange logic by saying that a domestic financial institute should do this this this and that that that before it transfers personal financial data to an overseas institute.  One of those conditions is that the transfer of data should be “for the purpose of dealing with cross-border business”.

It remains very unclear what the “cross-border business” means.  If it is the “business of the institute who is going to send data out of China”, or the “business of any institute including the sender and the recipient”; if it must be the “financial business” or any business?   Further clarification is needed…

 

Thailand’s Privacy Law Passed

On the last day of February 2019, Thailand’s National Legislative Assembly finally approved its long-pending draft Personal Data Protection Act (the “TH PDPA”). After the royal endorsement (which is usually a formal procedure), the law is expected to be published within a couple of weeks.

Heavily affected by the EU General Data Protection Regulation (“GDPR”), the TH PDPA entitles data subjects the right to delete, in addition to other rights that are usually provided in other jurisdictions. Also, the TH PDPA will apply not only to companies located in Thailand, but also overseas companies which collect, use, or disclose personal data of subjects in Thailand, specifically for advertisements and “behavior monitoring.” This extraterritorial effect would no doubt increase the burden of compliance for a multinational company, provided that it targets the Thai data subjects.  This is also quite similar to the GDPR.

A Personal Data Protection Committee will be established to enforce compliance with the TH PDPA.  That said, the law provides a one-year grace time for enterprises to prepare the compliance of it.

 

Vietnam – New Cyber Security Law in effect on 1 January 2019

The Vietnamese Parliament has passed its new Cyber Security Law on June 12, 2018 with overwhelming votes. The law has been in effect from January 1, 2019.

The law has seven chapters and 43 articles. It sets out responsibilities for the actions of relevant agencies, organizations and individuals to safeguard “national security” and “social order”. The key points of the law are set out below:

(i) Domestic and foreign companies that provide network-related services in Vietnam must have a user information stored in the territory of Vietnam.

(ii) Foreign companies providing Internet-related services in Vietnam need to establish offices in Vietnam.

(3) Domestic and foreign companies who provide network-related services in Vietnam are required to verify user registration information; they also need to provide the legal enforcement agencies with users’ information.

(4) Provisions on prohibiting the use of cyberspace to incite opposition to the state, distort the history, undermine the national unity, defame religion, or spread false and indecent information.

While Vietnam is also a Socialist country, its people enjoys relatively higher freedom of internet access than that of China. Social media like Facebook and Twitter are generally not blocked.  In fact, Vietnam ranks the 7th largest population of Facebook users among all countries.
Vietnam Facebook User

 

香港的金融牌照制度 | Financial License Authorites in Hong Kong

香港是一个金融之都。金融牌照发放主体很复杂。在这里列一下:

  1. 香港金融管理局(HKMA,以下简称金管局)

1.1 认可机构

  • 银 行 
  • 有 限 制 牌 照 银 行 ;及 
  • 接 受 存 款 公 司 

根 据 《 银 行 业 条 例 》 , 认可机构包括银行、有限制牌照银行及接受存款公司 ,形成三级发牌制度。 有限制牌照银行及接受存款公司在接受存款的金额及存款期上都受限制 ,同时只有银行才可经营支票及 储蓄户口的业务 。至于可以从事的 贷款或投资业务种类方面 ,各级认 可机构之间并没有分别 。

1.2. 認可機構證券業務員工

这是对个人发放的牌照。認可機構證券業務員工紀錄冊載有現任及前任有關人士的資料,即在香港從事證券業務及/或《證券及期貨條例》所界定的其他受規管活動的認可機構現任及前任僱員。

1.3. 儲值支付工具持牌人

儲值支付工具牌照是发给类似八达通、支付宝等钱包业务的牌照。

1.4. 虚拟银行牌照

  1. 放債人牌照:警务处、公司注册处、法庭

任何人在香港經營放債人業務必須領取放債人牌照。放債人的領牌事宜及放債交易受香港法例第163章《放債人條例》規管。

  • 放债人法庭:負責就放債人牌照申請作出裁定及發出牌照。
  • 放债人注册处处长(现由公司注册处处长兼任):負責處理放債人牌照,牌照續期及在牌照上簽註的申請;並備存放債人登記冊以供公眾查閱。
  • 警務處處長:負責執行《放債人條例》,包括審查放債人牌照、牌照續期及簽註的申請,以及調查有關放債人的投訴。
  1. 汇款业务牌照—由海關關長發出

全称为:金錢服務經營者(即匯款代理人和貨幣兌換商)牌照

根據打擊洗錢條例,海關關長是有關當局,負責監管金錢服務經營者(即匯款代理人和貨幣兌換商),監督持牌金錢服務經營者在客戶盡職審查及備存紀錄的責任和其他發牌規定的合規情況,以及打擊無牌經營金錢服務。

  1. 證券牌照—由證監會發出

下列為《證券及期貨條例》所界定的受規管活動:

牌照 受規管活動 例子
第1類 證券交易 • 為客戶提供股票及股票期權的買賣/經紀服務

•為客戶買賣債券

•為客戶買入/沽出互惠基金及單位信託基金

•配售及包銷證券
第2類 期貨合約交易 • 為客戶提供指數或商品期貨的買賣/經紀服務

•為客戶買入/沽出期貨合約
第3類 槓桿式外匯交易 • 以孖展形式為客戶進行外匯交易買賣
第4類 就證券提供意見 • 向客戶提供有關沽出/買入證券的投資意見

•發出有關證券的研究報告/分析
第5類 就期貨合約提供意見 • 向客戶提供有關沽出/買入期貨合約的投資意見

•發出有關期貨合約的研究報告/分析
第6類 就機構融資提供意見 • 為上市申請人擔任首次公開招股的保薦人

•就《公司收購、合併及股份購回守則》提供意見

•就《上市規則》的合規事宜為上市公司提供意見
第7類 提供自動化交易服務 • 操作配對客戶買賣盤的電子交易平台
第8類 提供證券保證金融資 • 為買入股票的客戶提供融資並以客戶的股票作為抵押品
第9類 提供資產管理 • 以全權委託形式為客戶管理證券或期貨合約投資組合

•以全權委託形式管理基金
第10類 提供信貸評級服務 • 就公司、債券及主權國的信用可靠性擬備報告

理解GDPR的跨境效力其实很简单 – It’s simple to understand the extra-territorial effect of GDPR

calm to GDPR《欧盟数据保护条例》(GDPR)已于2018年5月25日生效。在此之前(乃至直至现在),隐私律师为此已经忙碌了很久。由于GDPR具有某种“域外效力”,位于欧盟之外的企业也总会担心,希望了解自己在欧洲之外的生意是否收到影响。
The EU General Data Protection Regulation (GDPR) has come into force on 25 May 2018.   Before the day (and maybe until today), privacy lawyers have been busying in advising their clients on how to comply with the new law .  In particular, since GDPR implies certain “extra-territorial effect”, enterprises located outside of EU are also seeking advice from their counsels on whether the the new regulation would impact their business outside of Europe.

香港電腦保安事故協調中心 (HKCERT) 在一篇帖子里列出了GDPR适用于非欧洲企业的一些例子:
In their post, HKCERT has listed a few examples where a non-EU company’s service would be considered under GDPR’s umbrella.

  1. 未在欧洲设立任何分支机构的一间公司,通过建立于美国服务器的网站向在欧洲内的个人提供免费的社交服务——GDPR适用
    A Company without any EU subsidiaries offering free social media services via a website hosted in US to individuals in the EU – GDPR applies
  2. 酒店预订服务,使用cookies追踪过往顾客(包括身在欧盟的顾客)的浏览历史,以便定向投放广告——GDPR适用
    Hotel book business using cookies to track past customers’ (including EU-based customers) browsing in order to target specific hotel adverts to them – GDPR applies
  3. 一家香港的鲜花速递公司允许身处于欧洲的个人通过该公司的网站在香港订购鲜花并送达香港本地的收件人。而送花的费用是以欧元计价——GDPR适用
    HK flower delivery company allowing individuals in the EU to make orders for fulfilment only in HK. The price for the flower delivery services is denominated in an EU currency – GDPR applies

  4. 香港的零售公司使用网站接收预订并送货。身处欧洲的个人可以访问网站,但网站是英文的。订单是以港币计价,送货范围仅限香港地址—— GDPR不适用
    HK retailer with a website for orders/deliveries. The website is accessible to individuals in the EU in English. The currency is the HK dollar and the address fields only allow HK addresses – GDPR doesn’t apply

那么,究竟应该掌握什么规律,才可以简单确定GDPR的跨境效力呢。很简单:如果你的企业不在欧洲,并且不以身处于欧洲的个人为目标消费者,那么GDPR就管不了你。
Put it in simple, the extra-territorial effect of GDPR is limited. If your company is not targeting individuals who are physically staying in the territory of Europe, GDPR won’t apply to your business.

需要澄清的是:GDPR并不管EU国家公民在EU范围外接受服务时,提供自己的个人信息的情况——只要这些信息的采集和处理过程均是在 EU境外完成。例如,下面这些例子中,服务提供者并不需要将 GDPR作为其处理EU护照持有者的个人信息时的准则,而只需要遵守服务提供当地的法律:
It is important to clarify that GDPR does not apply to the collection and process of a EU passport holder’s personal data when the personal data is collected and processed outside of EU.  For examples, in the following cases, service providers don’t need to take GDPR as the standard for the processing of personal data collected from a EU passport holder, but just need to consider the local laws where the service is provided:

  • 一家日本旅行社为一名通常居住于以色列的法国人提供旅行服务;
    a Japanese company offering tourism services to French expats living permanently in Israel;
  • a mobile APP recommending restaurants in Hong Kong, which enables a UK passport holder to book table and receive discounts.
    一个推荐香港的餐厅的手机APP,可以让身处香港的英国人通过预定餐厅或者获得优惠。

事实上,GDPR其实根本不考虑国籍(其第二条已经说得很清楚了)。GDPR考虑的是在欧盟范围内的任何数据主体的权利。所以,一位旅居于德国的叙利亚难民也拥有与欧洲护照持有者相同的权利。如果你的公司瞄准了在欧洲留学的中国学生,那么你也要以GDPR作为自己的隐私权政策标准。
In fact GDPR never considers citizenship (according to its Article 2).  It simply protects the rights of data subjects for anyone living in the territory of EU. Therefore, a refugee living in Germany will enjoy the same right to the EU passport holders. If your company targets Chinese students studying in Europe, then you should take GDPR as the standard of your privacy policy.

GDPR的跨境效力,其实主要是体现在其对在欧洲营业的企业的规管:只要你的营业地是在欧洲,或者是只要收集信息的主体位于欧洲,那么不管你收集的是来自哪里的个人信息,你都需要符合GDPR的要求。更多的例子可以参考这里
The extra-territorial effect of GDPR is mainly reflected in its effects to the companies who are operating in the territory of EU.  Namely, if a data collector/controller is located in EU, then it shall comply with GDPR, without considering whose data will be collected and where the data will be originated.  See more examples here.

合规过程不易,但思路应当保持简洁。
The process of compliance is not easy, but its concepts should be kept simple.

Key Points of Singapore’s New Cybersecurity Act 2018

On 5 February 2018, the SG Parliament has passed the Cybersecurity Bill after it is significantly revised based on results of public consultation.  Below is a note of key points in the new law:

Critical Information Infrastructure (“CII”)

The new law limited the definition of CII to computers or computer systems that have been expressly designated as such by the Commissioner of Cybersecurity (“Commissioner”).

Its owner is defined to be legal owner or co-owner, which does not include someone who effective control or responsibility for its continuous functioning.  However, the Act introduces a mechanism allowing a person who has received a notice from the Commissioner designating a computer or computer system as a CII to request that the notice be instead sent to a third-party after showing that only that person has effective control over and the right to change the system.

Any change in beneficial or legal ownership (including any share in such ownership) must be reported not later than seven days after the date of change in ownership.   This is more practical than the bill, in which the change of ownership should be reported 90 days prior to the change.

The Act requires audits at least once every two years and risk assessments once a year.

The Cybersecurity Act requires owners of CII to report “prescribed” cybersecurity incidents or any other incidents specified by the Commissioner.

The Act removes vaguer reference to “recommended technical standards” in the context of the standard of performance expected from owners of CII.

Under the Cybersecurity Act, penetration testing and managed security operations centre (“SOC”) monitoring services cannot be performed without a licence.  A company does not require a separate license if a related company already has such a license.

A licensee must now only keep records for three years.

Any person to whom a notice for information is issued (by the Commissioner) is not obliged to disclose information protected by law, contract, or the rules of professional conduct.