OPINION – Seven Impacts of Personal Information Protection Law on China’s Financial Sector

By Qi Lyu

Financial law expert, founder of Beijing Finlegal Corp.

[email protected]


As the world has begun to tightly regulate personal data, the environment in China has been described as “uniquely restrictive”. China’s Personal Information Protection Law (PIPL) has been considered China’s version of the European Union’s General Data Protection Regulation (GDPR), although it is even stricter than the latter. The requirements of the law have had an impact on the entire financial sector, where sensitive data is highly concentrated. The watchdog highlighted and reviewed this as an annual goal and in August launched a special 3-month project for the industry to self-correct. The Chinese financial world is driven to actively analyze, evaluate and enforce legal requirements. Here are their major concerns in operation.

1- The survival of new credit bureaus with personal data

Credit reference agencies (CRAs), as external supporters, play an important role in the banking due diligence process. But in China, only three agencies have so far been allowed to engage in personal credit reporting activities. With the exception of the oldest subordinate to the Central Bank, the other two are essentially private, which suffer the most severe hindrances due to their inability to obtain individual consent before processing personal information. However, the information processed by the ARC is largely classified as sensitive data, which requires specific and prior consent for each processing purpose under the PIPL. For CRA newcomers, it is difficult to find their legal starting point for accumulating their personal database, let alone delivering it to financial clients.

2- The possibility of cross-marketing within a financial institution or a group

Due to the sensitive nature of most financial personal data, financial companies are not permitted to process this data beyond its original service purpose. The restriction is based on the specific business rather than the internal legal entity or financial group, although it is permitted under the GDPR. This would make highlighted cross-marketing impossible. For example, you may not sell a wealth management product to your lending client without first obtaining their prior consent for such class of product with a reasonable explanation of its purpose and need.

3- The contradiction on the duration of archiving of personal information

Views differ on how long records containing personal information should be kept. PIPL retains the principle of the shorter the better as long as the process objective is met, while the trend for the financial industry is the longer the better, with many financial institutions storing it permanently. China’s anti-money laundering law requires an archival period of at least 5 years after the completion of the financial transaction, as well as no less than 150 regulatory documents requiring various durations and calculations. PIPL’s retention period derives from the consumer’s right to be forgotten and only allows for deviations where otherwise required by law and regulation, whereas the foregoing files are mostly regulatory documents. The prevailing concern is undetermined.

4- The duty to report to regulators and the duty to notify the customer

The PIPL specifies two strings of fairly stringent restrictions on government: only law and regulation are allowed to stipulate the processing of personal information with consent, and even so, notification is still required by both provider and recipient. However, the current procedure works in a completely different way, as no notice has been given in the case of a regulatory requirement. Maybe the whole industry is waiting for the first complaint or complaint from a customer about this to clarify the rule of thumb.

5. The duty of security expertise for cross-border flows of personal data

The PIPL requires a security assessment conducted by the (Cyberspace Administration of China) for cross-border data transfer to companies with a certain volume of personal information. Banks are obviously one of them since their credit and debit cards support tons of foreign transactions every day. But should all 4,000 Chinese banks participate in such an assessment, or should it only concern card settlement entities such as Unionpay, Master or Visa? There was no response and no authority claimed responsibility.

6. The cost of guaranteeing consumer rights

Many types of rights have been listed in the PIPL, including but not limited to the right to investigate, copy, delete, etc. There was a related case that happened that scared the financial industry. A customer asked a luxury e-retailer to offer and copy all of the seller’s personal information, from historical orders, to browser records, to automated decision making, SDK names, receipt name, etc The seller wanted to limit them to the customer profile column, but the court refused. The vendor also argued that it would be a huge cost to the entire industry. The courts decided that the rights of the customer prevailed. What if it happened to a bank? The bank may not even be able to gather all the information it holds even though it is poorly stored. To fulfill this obligation, the financial company must store all the information in a centralized IT system and use an appropriate management scheme.

7. Ambiguity on the regulatory scope of each organization

The PIPL legislative landscape includes several undetermined authorities for the financial sector, which allows the CAC (Cyberspace Administration of China), MIIT (Ministry of Industry and Information Technology), MPS (Ministry of Public Security), the PBOC (People’s Bank of China), or each, if not all, financial regulatory authority to sanction a financial institution for violating the PIPL. When there is an unfinished issue, for example, assessing the legitimacy of a financial application, financial firms are always confused about who to report to.

About Charles D. Goolsby

Check Also

A Tribute to Veterans Day November 2022 | Issue 200 – The Jersey LLC has arrived | Cadwalader, Wickersham & Taft LLP

[co-authors: James Gaudin, Daniel Healy]* On 1 September 2022, the Limited Liability Companies (Jersey) Act …