Data Collection and Processing in China - Personal Financial Information (Part 2)

* This article is reproduced from Practical Law with the permission of the publishers.

China's financial sector is undergoing a digital transformation and financial institutions are processing large amounts of personal financial information (PFI) in their daily operations. The PFI processing should comply with the following three levels of rules and national standards:

General rules on data protection, including:

• the Data Security Law of the PRC 2021;
• the Cybersecurity Law of the PRC 2016 (with effect from 1 June 2017); and
• the PI Protection Law of the PRC 2021 (2021 PIPL).

General rules on financial data protection. For example:

• the Measures for the Administration of Client Identification and Retention of Client Identification Data and the Transaction Records 2007 (2007 Client Data Retention Measures); and
• the Personal Financial Information Protection Technical Specification (JR/T 0171-2020) (2020 PFI Specification).

Special requirements for specific financial institutions. For example:

• the Guidelines on Classification and Hierarchy of Securities and Futures Data (JR/T 0158-2018); and
• the Guidelines on Data Governance for Banking Financial Institutions 2018 (2018 Banking Finance Data Governance Guidelines).

In order to provide an overview of the regulatory framework governing PFI processing activities in China, we prepared this three-part article covering the following topics:

• Basic Introduction of PFI: PFI and SPI, PFI Collection and Processing, Legal Basis for Processing
• PFI Processing Activities: PFI Storage, Third Party Processing, PFI Cross-Border Transfer
• Data Security Management: Rights of Individuals, Accountability, Legal Enforcement

Below is the second part of the series. Read the first part in this series here.

PFI Storage

Article 19 of the 2021 PIPL requires PI to be stored for the shortest period necessary to achieve the purposes for which it was processed.

Retention Requirements

There are statutory storage period requirements specific to various businesses of the financial sectors, including:

• Financial institutions. Financial institutions that must comply with anti-money laundering compliance obligations must maintain customer identification and transaction records for at least five years from the year in which the transaction was recorded (Article 29, 2007 Client Data Retention Measures).
• Banking financial institutions. To monitor suspicious transactions, banks and payment institutions should keep transaction information for at least five years (Article 4, Circular of the People's Bank of China on Matters Relating to Strengthening Payment and Settlement Management to Prevent New Types of Illegal Crimes in Telecommunications Networks 2016).
• Fund-raising institutions. The retention period for relevant information should not be less than ten years from the date of termination of the liquidation of the fund (Article 11, Measures for the Administration of Fund-Raising Behaviour of Private Investment Funds 2016 (2016 Fund-Raising Administrative Measures)).
• Non-bank payment institutions. For suspicious transactions or illegal and criminal activities being investigated by judicial authorities involving user identity information and other information, and if the relevant investigation has not been concluded on the expiration of the prescribed minimum retention period, payment institutions should retain the information until the investigation has ended (Guidelines on Risk Prevention in Payment Institutions' Internet Payment Businesses 2013).

For customers' online payment business activities, payment institutions should promptly handle the customer's identity and true wishes after confirming their identity and keep true and complete operation records for at least five years from the effective date of the operation (Article 16, 2015 Non-Bank Payment Measures).

• Credit institutions. The retention period for adverse PI collected by credit institution is five years from the date of termination of the adverse behaviour or event. After the retention period expires, credit collection agencies must delete the adverse PI from its external services and applications (Article 20, 2021 Credit Collection Measures).
• Securities companies. The retention period for client information of securities companies should not be less than 20 years from the cancellation of the account. Client information on the same medium with different retention periods should be retained for the longest period. If the various types of information of the same client are stored in different media, at least one type of client information should be stored in accordance with the above requirements. The securities company should adopt a combination of online hot backup and offline backup to store the electronic client information. (Article 6.2, Code for the Management of Client Information of Securities Firms 2014 (2014 Securities Firms Information Code).)

Technical Requirements

Additional technical requirements may apply. For example:

• Financial industry institutions. Category C3 personal financial information held by financial industry institutions must be encrypted and stored (Article 6.1.3, 2020 PFI Specification).
• Banking financial institutions. In accordance with the national requirements on file management and electronic data management, banks and payment institutions should take technical and other necessary measures to appropriately store the collected consumer financial information in a safe place to prevent the information from being lost, destroyed, leaked, or tampered with (Article 34, 2020 Financial Consumers Protection Measures).
• Fund-raising institutions. Fund-raising institutions should properly preserve records and other relevant information relating to investor suitability management and other private fund-raising operations (Article 11, 2016 Fund-Raising Administrative Measures).
• Network payment operators. The identification data should be stored separately from basic information data. The original information and the summary of personal biometric information should be stored separately. At least two methods should be selected from local backup, off-site backup, or off-site media backup. The identity identification data is backed up and stored. (Article 10.1.2, Information Security Technology Guidelines on Data Security for Network Payment Services (Draft for Public Comments) 2021 (2021 Network Payment Data Security Draft Guidelines).)
• Non-bank payment institutions. If the validity period of the customer's bank card needs to be stored for special business needs, it must be encrypted (Article 20, 2015 Non-Bank Payment Measures).
• Credit institutions. PI collected as sample data by credit institutions should be anonymised (Article 20, 2021 Credit Collection Measures).

Third Party Processing

The 2021 PIPL divides processing activities into the following three categories:

• Joint processing.
• Entrusted processing.
• Providing PI to another PI processor.

Joint Controllers

If a joint controller infringes on the PI rights and interests causing damage, the joint controller should be jointly and severally liable in accordance with the law. The joint controllers should agree on their respective rights and obligations. The data subject is entitled to exercise the rights against any of the controllers. (Article 20, 2021 PIPL.)

If the controller provides PI to other recipients, it should inform the individual of the name or names of the recipients, contact information, the purpose of processing, the method of processing, and the types of PI, and should obtain the individual's separate consent. The receiving party should handle PI within the scope of the informed purpose of processing, method of processing, and types of PI. If the receiving party changes the original purpose and method of processing, it should obtain the individual's consent again. (Article 23, 2021 PIPL.)

Controller and Processor

Where a controller entrusts the processing of PI, it should agree with the processor on the purpose of processing, the time limit, the method of processing, the type of PI, the protection measures, and the rights and obligations of the two parties, and should supervise the processor's activities in the processing of PI (Article 21, 2021 PIPL).

Additionally, the following sector-specific requirements apply:

• All IT outsourcing contracts of commercial banks should be reviewed and approved by the IT risk management department, the legal department, and the IT management committee (Article 9, Guidelines on Outsourcing Risk Management for Banking Financial Institutions 2010).
• The board of directors and senior management of a banking financial institution should formulate and approve the IT outsourcing strategy and consider the IT outsourcing management processes and systems (Article 13, Guidelines on Supervision of IT Outsourcing Risks for Banking Financial Institutions 2021).

Providing PI to Separate Processors

If a controller provides PI to other recipients, it should inform the individual of the name or names of the recipients, contact information, the purpose of processing, the method of processing, and the types of PI, and should obtain the individual's separate consent. The receiving party should handle PI within the scope of the informed purpose of processing, method of processing, and types of PI. If the receiving party changes the original purpose and method of processing, it should obtain the individual's consent again. (Article 23, 2021 PIPL.)

Additionally, the following sector-specific requirements apply:

• Financial holding companies and their holding institutions should ensure legal compliance, risk control, and written authorisation from customers when sharing customer information within the group (Article 23, Pilot Measures for the Supervision and Administration of Financial Holding Companies 2020).
• Credit institutions should obtain the written consent of the data subject and agree on the purposes for which the information is to be used if the information is to be used by a third party to inquire about PI, which may include the examination of borrowing, the processing of credit cards, or the application for a job (Article 18, Regulations on the Administration of the Credit Industry 2013 (2013 Credit Industry Regulations)).
• Institutions engaged in credit business should obtain the written consent of the subject of the information to provide credit information to the basic database of financial credit information or other subjects (Article 29, 2013 Credit Industry Regulations).

PFI Cross-Border Transfer

If a data controller intends to export any PI outside China, the export must go through one of the following prescribed routes:

• Passing a security assessment organised by the CAC (see Practice Note, Cross-Border Data Transfers: Data Export Security Assessment in China).
• Obtaining PI protection certification by an authorised certification institution in accordance with the CAC's provisions (see Practice Note, Cross-Border Data Transfers: PI Protection Certification in China).
• Entering into a standard contract formulated by the CAC (see Practice Note, Cross-Border Data Transfers: Standard Contract for PI Exports (China)).

Additionally, the export of any PI outside China to a foreign recipient must comply with the following requirements under the 2021 PIPL, regardless of whether the data export triggers the thresholds for the above routes:

• Informing individuals of the name and contract information of the foreign recipient, the purpose and method of the processing, the categories of PI to be exported, and the mechanisms by which individuals may raise rights requests to the foreign recipient (see Notification in the first part of the series).
• Obtaining individuals' separate consent, which means that the consent to the export should:
  • be informed, freely given, unambiguous, and withdrawable; and
  • onot be bundled with the consent to the data controller's other processing activities.

  (See Consent in the first part of the series).

• Conducting a PI protection impact assessment (PIPIA) (see Practice Note, Chinese Standard Contract for PI Exports: How to Conduct a PIPIA?).
• Taking necessary measures to ensure that the foreign recipient's processing activities comply with the relevant requirements of the 2021 PIPL, which may involve signing an agreement with the recipient.

Moreover, the following sector-specific requirements apply:

• Securities institutions. The export of documents and information relating to securities activities requires the consent of the securities regulatory authorities under the State Council and the relevant competent authorities under the State Council (Article 177, Securities Law of the PRC 2019).
• Credit institutions. Credit bureaus should carry out the necessary examination of the identity and use of information of overseas recipients to ensure that the information after export:
  • is used for reasonable purposes, such as cross-border trade and investment and financing; and
  • does not jeopardise China's national security.

(Article 40, 2021 Credit Collection Measures.)

Part 3 of this three-part series will provide further details on PFI data security management. If you require any further assistance, please contact James Gong at [email protected].