Article 33 of the Implementation Measures of the People’s Bank of China for Protecting Financial Consumers’ Rights and Interests (issued in 2016, the “2016 Implementation Measures”) reads:
Individuals’ financial information collected within China shall be stored, processed and analyzed within the territory of China. No financial institution shall provide the financial information on domestic individuals abroad, unless it is otherwise prescribed by any law, regulation or the People’s Bank of China.
Where a domestic financial institute, for the purpose of handling cross-border business and as authorized by the related subjects, transmits relevant individual’s financial information collected within China to any overseas institute (including the head office, parent company or branch companies, subsidiaries and other affiliated institutions required for completing the business), it shall comply with laws, administrative regulations and the provisions of relevant regulatory departments, and by taking such effective measures as signing agreements and conducting on-site inspection, require overseas institutes to keep confidential the obtained individuals’ financial information.
The first paragraph provides a universal prohibition of cross-border data transfer. Even with data subjects’ consent, financial institutes are not allowed to transfer “financial personal data” out of China. The second paragraph provides an exception for the circumstances where a financial institute transfers data outside of China for the purposes of “cross-border business”, provided that (i) customer consent is given, (ii) the institute is in compliance with applicable regulations and (iii) appropriate data security measures have been taken.
To understand this provision, one needs to clarify the meanings of two key terms: “personal financial information” and “cross-border business”.
Personal Financial Information
Article 27 of the 2016 Implementing Measures provides a definition for the “personal financial information”:
“… refers to personal information being obtained, processed or stored by financial institutes through their business operation or other channels, including personal identity information, asset information, account information, credit information, financial transaction information and other information that can reflect certain situation of a specific person.” (underlines added)
To understand the underlined terms, one must know that this Article 27 is derived from a regulation issued by the People’s Bank of China (“PBoC”) in 2011, titled Notice on Well-Protection of Personal Financial Information (“2011 Notice”). The 2011 Notice sets out the basic framework for the protection of “personal financial information” in China. Its first section summarizes the various categories of personal financial information and lists more specific items under each category. As you will read below, the names of these categories are reused in Article 27 of the 2016 Implementing Measures.
- “personal identity information”, including a person’s “name, gender, nationality, ethnicity, ID document and its number and expiration time, occupation, contact information, marital status, family status, residential address and occupational address, portraits etc.” [Note: in China, regulators like to end lists with “etc.”, so that they have the chance to add items when needed]
- “personal asset information”, including a person’s “income situation, ownership to real properties and vehicles, amount of tax, amount of provident fund, etc.”
- “personal account information”, including “account numbers, date of account opening, bank name, account balance, transaction information, etc.”
- “personal credit information”, including a person’s “record of repayment of credit cards, record of repayment of loans, as well as any other information being formed during economic activities conducted by a person, so long as such information can reflect the person’s credit status.”
- “personal information of financial transactions”, including “personal information obtained, stored or retained by financial institutes through their intermediary businesses such as payment settlement, asset management, safe deposit box and others, as well as personal information generated during a customer’s transactions with third party institutes (insurance company, fund company, futures company, etc.) through banks”,
- “derivative information”, “including information that is generated from analysis and processing of original data and can reflect a specific person’s situation”, and
- “other information obtained or retained by banks during the process of business with customers”.
Apparently, these terms have been reused in the 2016 Implementing Measures. Given that both documents were issued by the PBoC, it is reasonable to interpret “personal financial information” under the 2016 Implementing Measures with reference to the above provisions. In fact, the 2011 Notice had also provided that personal financial information collected within China is required to be stored, processed and analyzed within the territory of China. Banks in China are not permitted to transfer the personal financial information of Chinese citizens to any other country without the approval of the PBoC, except where permitted by separate rules or regulations.
In light of the above, when one wants to clarify whether certain data fall into the scope of “personal financial information”, he/she should refer to the 2011 Notice. Given the above broad lists (plus those “etc.”), any personal data collected, retained or generated by financial institutes could be found to fall into the basket.
The second paragraph of Article 33 of the 2016 Implementing Measures seems to provide an exception to the general prohibition of the cross-border transfer of “personal financial information”. The wording of the paragraph is quite interesting (and ambiguous). It does not directly affirm the exception with language such as “domestic financial institutes are allowed to transfer personal financial information to an overseas institute under the following conditions…” Instead, it uses a rather strange logic, saying that a domestic financial institute should do this, this and that before it transfers personal financial data to an overseas institute. One of those conditions is that the transfer of data should be “for the purpose of dealing with cross-border business”.
It remains very unclear what “cross-border business” means. Is it the “business of the institute who is going to send data out of China”, or the “business of any institute, including the sender and the recipient”? Must it be “financial business”, or can it be any business? Further clarification is needed…