Article 33 of the Implementation Measures of the People’s Bank of China for Protecting Financial Consumers’ Rights and Interests (issued in 2016, the “2016 Implementation Measures”) reads:
Individuals’ financial information collected within China shall be stored, processed and analyzed within the territory of China. No financial institution shall provide the financial information on domestic individuals abroad, unless it is otherwise prescribed by any law, regulation or the People’s Bank of China.
Where a domestic financial institute, for the purpose of handling cross-border business and as authorized by the related subjects, transmits relevant individual’s financial information collected within China to any overseas institute (including the head office, parent company or branch companies, subsidiaries and other affiliated institutions required for completing the business), it shall comply with laws, administrative regulations and the provisions of relevant regulatory departments, and by taking such effective measures as signing agreements and conducting on-site inspection, require overseas institutes to keep confidential the obtained individuals’ financial information.
The first paragraph provides a general prohibition of cross-border data transfer. Even with the data subjects’ consent, financial institutes are not allowed to transfer “personal financial information” out of China. The second paragraph provides an exception for the circumstances in which a financial institute transfers data outside of China to handle “cross-border business.” Three conditions apply to this exception: (i) the data subjects’ consent has been obtained, (ii) the institute complies with applicable laws and regulations, and (iii) appropriate data security measures, such as signing agreements and conducting on-site inspections, have been taken.
To understand this provision, one needs to clarify the meanings of two key terms: “personal financial information” and “cross-border business.”
Personal Financial Information
Article 27 of the 2016 Implementing Measures defines “personal financial information”:
“… refers to personal information obtained, processed or stored by financial institutes through their business operations or other channels, including personal identity information, asset information, account information, credit information, financial transaction information and other information that can reflect certain situations of a specific person.”
To understand the terms in this definition, one must know that Article 27 is derived from a regulation issued by the People’s Bank of China (“PBoC”) in 2011, titled Notice on Well-Protection of Personal Financial Information (the “2011 Notice”). The 2011 Notice sets out the basic framework for the protection of “personal financial information” in China. Its first section summarizes the categories of personal financial information and lists more specific items under each category. As you will read below, Article 27 of the 2016 Implementing Measures reused this “checklist”:
- “personal identity information,” including a person’s “name, gender, nationality, ethnicity, ID document and its number and expiration time, occupation, contact information, marital status, family status, residential address and occupational address, portraits, etc.” [Note: in China, regulators like to end lists with “etc.” so that they retain room to add items when needed]
- “personal asset information,” including a person’s “income situation, ownership to real properties and vehicles, amount of tax, amount of provident fund, etc.”
- “personal account information,” including “account numbers, date of account opening, bank name, account balance, transaction information, etc.”
- “personal credit information,” including a person’s “records of repayment of credit cards, records of repayment of loans, as well as any other information being formed during economic activities conducted by a person, so long as such information can reflect the person’s credit status.”
- “personal information of financial transactions,” including “personal information obtained, stored or retained by financial institutes through their intermediary businesses such as payment settlement, asset management, safe deposit box, and others, as well as personal information generated during a customer’s transactions with third party institutes (insurance company, fund company, futures company, etc.) through banks.”
- “derivative information,” “including information that is generated from analysis and processing of original data and can reflect a specific person’s situation,” and
- “other information obtained or retained by banks during the process of business with customers.”
These terms have been incorporated into the 2016 Implementing Measures. Given that both documents were issued by the PBoC, it is reasonable to interpret “personal financial information” under the 2016 Implementing Measures with reference to the above provisions. The 2011 Notice also provided that personal financial information collected within China must be stored, processed, and analyzed within the territory of China. Banks in China are not permitted to transfer the personal financial information of Chinese citizens to any other country without the approval of the PBoC, unless separate rules or regulations authorize the transfer.
In light of the above, when one wants to determine whether specific data fall within the scope of “personal financial information,” he/she should refer to the 2011 Notice. Given the breadth of the above lists (plus those “etc.”), almost any personal data collected, retained, or generated by financial institutes could be found to fall within that scope.
The 2020 Standard
On February 13, 2020, a committee under the PBoC issued an industry standard (a recommended standard) titled Technology Specification for Protection of Personal Financial Information (the “2020 Standard”). Section 3.2 of the 2020 Standard provides a general definition of “personal financial information”:
“personal information obtained, processed and stored by financial institutions through the provision of financial products and services or other channels … including account information, authentication information, financial transaction information, personal identification information, asset information, credit information and other information reflecting certain facts of a particular individual.”
Section 4.1 of the 2020 Standard further gives examples of each of the above categories of personal financial information:
- Account information refers to accounts and account-related information, including but not limited to payment account numbers, bank card track data (or chip equivalent information), bank card validity period, securities account, insurance account, account opening time, account opening institution, account balance, and payment token information generated based on the above information.
- Authentication information refers to information used to verify whether the subject has access or use authority, including but not limited to bank card password, prepaid card payment password; personal financial information subject login password, account query password, transaction password; card verification code (CVN and CVN2), dynamic password, SMS verification code, password prompt question answer, etc.
- Financial transaction information refers to various types of information generated by the personal financial information subject during the transaction process, including but not limited to the transaction amount, payment record, overdraft record, transaction log, transaction voucher; securities entrustment, transaction, position holding information; policy information, claim information, etc.
- Personal identification information refers to personal basic information, personal biometric information, etc. (The Standard further explains what constitutes “basic information” and “personal biometric information.”)
- Asset information refers to the asset information of the personal financial information subject, which is collected or generated by financial institutions in the process of providing financial products and services, including but not limited to personal income status, real estate status, vehicle status, tax payment, provident fund deposit amount, etc.
- Credit information refers to the information generated by the personal financial information subject in the financial institution’s lending business, including but not limited to credit, credit card and loan issuance and repayment, guarantee situation, etc.
Comparing this definition with the one in the 2016 Implementation Measures, one finds that “authentication information” is a newly added category. In other words, since 2020 it has been clear that credential data, such as passwords, answers to security questions and card verification codes, fall within the scope of personal financial information.
The second paragraph of Article 33 of the 2016 Implementing Measures seems to provide an exception to the general prohibition of the cross-border transfer of “personal financial information.” The wording of the paragraph is quite interesting (and ambiguous). It does not directly affirm the exception with language like “a domestic financial institute is allowed to transfer personal financial information to an overseas institute under the following conditions…” Instead, it uses a bizarre logic, saying that a domestic financial institute should do this, this and that before it transfers personal financial data to an overseas institute. One of those conditions is that the transfer of data should be “for the purpose of handling cross-border business.”
It remains very unclear what “cross-border business” means: whether it refers to the business of the institute that is going to send data out of China, or to the business of any institute involved, including both the sender and the recipient; and whether it must be “financial business” or may be any kind of “business.”
Like many other provisions, the 2016 Implementing Measures do not clarify this vagueness. As a result, regulators retain wide discretion to decide whether transferring certain data constitutes a violation.