China: CBIRC will Strengthen Protection of Consumers Personal Information
On 19 May 2022, the China Banking and Insurance Regulatory Commission ("CBIRC") issued the draft Administrative Measures for Protection of Consumer Rights and Interests by Banking and Insurance Institutions (《银行保险机构消费者权益保护管理办法(征求意见稿)》) ("Draft Measures") for public consultation.
In this article we highlight the key provisions of the Draft Measures and set out our observations.
Background
Amid growing concerns over infringement upon rights of financial services consumers, the central government of China decided to strengthen protection of consumers in the financial industry and hence issued an official opinion in 2015 (“Opinion”), setting out requirements for the financial institution to protect consumer rights. The Opinion lays down eight basic rights of financial consumers, including, amongst others, the right to information security.
The People’s Bank of China (“PBOC”) promulgated measures to implement the Opinion in 2016 and released an updated version in 2020. These measures include a dedicated chapter on protection of consumers’ financial information.
The CBIRC and its predecessors released several official circulars and opinions on consumer protection and intensified its regulatory efforts after the central government issued the Opinion. In particular, information security has become one of the key areas where the banking and insurance institutions will be scrutinised. However, so far the CBIRC has yet to promulgate a regulation on consumer protection.
On the other hand, a series of national laws and regulations have taken effect in the past a few years, which have established a regulatory framework of data protection and cyber security in China, most notably the Personal Information Protection Law (“PIPL”), the Data Security Law and the Cyber Security Law. The ministries are also obliged to implement the requirements under these laws in their respective industries.
In the Draft Measures, the CBIRC has put an emphasis on the information security right and tried to reflect these requirements under recent data protection laws and regulations. Please see below chart for a timeline of key laws and legislations.
Highlights
I. Scope
Unlike the PIPL that may apply via its extra-territorial effect, the Draft Measures only apply to banking and insurance institutions that are legally established within the territory of China and provide consumers with financial products or services. As such, banking and insurance institutions that are not incorporated in China will not be subject to the Draft Measures even if they provide services to consumers in China, although the extraterritorial effect of the PIPL may apply.
Besides, the Draft Measures apply to a larger scope of financial institutions than just commercial banks and insurance companies, which includes any financial institutions that accept deposits from the public, trust companies, consumer finance companies, automotive finance companies, wealth management companies, insurance companies and insurance intermediaries.
II. Requirements consistent with PIPL
The Draft Measures adopt important principles and requirements stipulated in the PIPL. In particular, the Draft Measures have provided for data protection obligations on banking and insurance institutions, which those on personal information processors under the PIPL.
In below table, we set out a comparison of the corresponding obligations under the Draft Measures and the PIPL.
| PIPL | Draft Measures |
| Formulate internal management system and operational procedures. | Improve internal management systems. |
| Implement classified management of personal information. | Implement full-cycle multi-level and classified management and control of consumers’ personal information. |
| Agree with third parties upon terms relevant to processing when sharing personal information | Agree with partners upon terms relevant to data when sharing personal information of consumers |
| Reasonably determining authorisation of personal information processing. | Effectively monitor abnormal processing activities via authorisation control process |
| Regularly conducting security education and training for practitioners. | Establish an internal training mechanism for consumer protection for practitioners and improve employees' awareness of consumer rights protection. |
| Regularly conduct compliance audits of personal information processing activities. | Formulate an audit plan for consumer protection, incorporate consumer protection into the scope of annual audit, and ensure that the audit covers relevant departments and first-level branches of the institution in a five-year cycle |
| Establish convenient channels and procedures for individual to exercise their rights. | Establish and improve smooth complaint channels. |
III. Special requirements
The Draft Measures have also provided for a series of special data protection requirements that are specific to the banking and insurance industry.
Use of boilerplate clauses
When using boilerplate clauses to obtain consent of consumers to personal information processing, the banking and insurance institutions must specify the scope of personal information and details of the processing and highlight, in a conspicuous manner, the content that has a material impact on the consumers. This reflects the requirement under the consumer protection laws that clauses materially impacting consumers should be highlighted to the consumers.
Banking and insurance institutions should review and revise their boilerplate clauses to ensure they comply with the requirement.
Processing in debt collection
Banking and insurance institutions are prohibited from disclosing detailed debt information and sensitive personal information to parties that are not obligated to repay debt, in the absence of legal procedures or consent of the consumers. This is apparently prompted by cases in recent years where debt collectors used consumers’ personal information to forcibly collect debt via illegal means.
Consent
The Draft Measures require banking and insurance institutions to obtain explicit consent from consumers and not to refuse to provide financial products or services to consumers on the ground that the consumers refuse to give their consent unless the personal information is essential for the financial products or services.
The Draft Measures seem to contemplate consent as the sole legal ground on which banking and insurance institutions may process personal information. However, the PIPL provides for multiple legal grounds for processing personal information, which provides flexibility to processors in circumstances where obtaining the consent may not be necessary or feasible.
For instance, banking institutions may collect personal information to fulfil their anti-money laundering obligations under the law, and a requirement to obtain consent from the consumers may render it difficult for the banking institutions to perform their legal obligations.
Data export
The Draft Measures omit to provide for export of personal information. Interestingly, the PBOC also deleted provisions on data export in its 2020 measures. This seems to an intended move of the regulators to avoid any inconsistency with the data export regulations under the PIPL that are still being developed.
Conclusion
The CBIRC released the Draft Measures in the context of intensified regulatory efforts of the financial regulators to protect consumer rights and a fast-developing data protection regime in China. The Draft Measures incorporated many data protection obligations of the PIPL and at the same time set out a series of special requirements specific to the banking and insurance industry. Banking and financial institutions should be prepared to implement such requirements under the Draft Measures which are expected to be finalised in the near future.
