Cross-border Transfer of Personal Financial Information

Authors: Yuan Lizhi / Hu Ke / Wang Beining

(This article was first published on Data + Cyber Security Special Report 2020: Asian-mena Counsel, authorised reprint)

Question 1: How does Chinese law define personal financial information?

Chinese law specifies personal financial information (“PFI”) in the way of definition and enumeration as follows: 

1.Institutional Identity

The scope of PFI depends on the definition of financial institutions, since PFI is regarded as personal information (“PI”) collected and used by financial institutions in the process of providing financial products or services. 

In 2011, the People's Bank of China (the “PBOC”) promulgated the Notice Regarding the Effective Protection of Personal Financial Information by Banking Institutions (the “Notice on PFI”), which defines PFI as PI obtained, processed and stored by banking financial institutions. In 2020, the PBOC issued the Personal Financial Information Protection Technical Specification (the “PFI Specification”). The PFI Specification applies to licensed financial institutions supervised by China’s financial regulatory authorities and, more broadly, institutions processing PFI.

2.Types of PFI

The Notice on PFI and the PFI Specification also enumerate PFI. The enumeration of PFI includes personal identity information, personal property information, personal account information, loan information, financial transaction information, derived information, authentication information and other information.

Question 2: What are the regulatory rules and requirements for cross-border transfer of personal financial information under Chinese law？

The Notice on PFI establishes the framework of cross-border transfer of PFI in China, namely, the storage, processing and analysis of PFI shall be located within the territory of China. In addition, cross-border transfer of PFI is prohibited in principle, and there are some exceptions of the prohibition, but the Notice on PFI does not specify any exception.

In 2011, the Shanghai Branch of the PBOC promulgated the Notice Regarding the Effective Protection of Personal Financial Information by Banking Financial Institutions, which sets up exceptions to allow cross-border transfer of PFI. It requires that the financial institutions shall transfer PFI only for business needs and must obtain customers’ consent, ensure confidentiality, and transfer PFI to affiliated institutions only. In addition, according to the Guidelines for the Management of Money Laundering and Terrorist Financing Risks of Corporate Financial Institutions (Draft) issued by the PBOC in 2019, domestic corporate financial institutions can provide overseas clearing agents with customer identity information and transaction background information after obtaining the authorization of their customers, when cross-border transfer is necessary for anti-money laundering and anti-terrorist financing.

We understand that, currently, the exception rules are the compliance path for cross-border transfer of PFI. Financial institutions shall ensure that:

(1)The cross-border transfer is to meet business needs;

(2)The cross-border transfer is under customers’ authorization;

(3)Confidentiality of PFI is not undermined; and

(4)PFI is transferred to the overseas affiliates, or PFI is transferred to the overseas entities’ affiliates located within China.

Question 3: What is the impact of the regulatory requirements for critical information infrastructure and important data on the cross-border transfer of personal financial information?

Chinese law has restriction on cross-border transfer of PI and important data collected by critical information infrastructure operators (“CIIO”). Art. 37 of the  Cybersecurity Law (the “CSL”) stipulates that CIIO shall store PI and important data collected and produced during operations within the territory of China. When it is really necessary to provide PI and important data to overseas operators due to business needs, security assessment shall be conducted in accordance with the measures formulated by the Cyberspace Administration of China in concert with relevant departments of the State Council. 

In terms of the definition of critical information infrastructure (“CII”), according to Art. 18 of the Regulations on Protection of Critical Information Infrastructure Security (Draft) and Art. 3.1 of the Guidelines for the Security Inspection and Evaluation of Critical Information Infrastructure (Draft), the CII refers to the network facilities and information systems that may seriously endanger national security, national economy, people's livelihood and public interests if they suffer destruction, malfunction or data leakage, and both drafts of regulations take the financial sector as an example of CII. Therefore, chances are high that the cross-border transfer of PFI will be restricted, if these two drafts are officially promulgated.

With respect to important data, apart from Art. 37 of the CSL, the Administrative Measures for Data Security (Draft) also has strict requirements on the cross-border transfer of important data. Even if the important data is collected by network operators other than CIIO, it is necessary to conduct security risk assessment of cross-border transfer of important data and report to the regulatory authorities for approval. Art. 28 of the Data Security Law (Draft) (the “DSL”) stipulates that all the processors of important data shall conduct risk assessment regularly and submit the assessment reports to authorities.

Important data refers to data that may directly affect national security, economic security, social stability, public health and safety once leaked. Important data does not include personal information under Art. 38 of the Administrative Measures for Data Security (Draft). However, large-scale of PFI may reflect China’s trends of financial and economic development after aggregation, integration and analysis, thereby negatively affecting financial security. Therefore, large-scale of PFI may be defined as important data, and thus restricted from cross-border transfer.

Question 4: What are the development trends of the regulatory requirements for cross-border transfer of personal financial information in China?

1.The Integration of Specialized Regulations and General Regulations

As mentioned above, the financial regulations set out the requirement of localization and the prohibition of cross-border transfer. On the contrary, the general regulations remove the requirement of localization and specifies the compliance requirements for cross-border transfer. However, there is a trend that these opposite rules are being integrated. Taking the PFI Specification as an example, the PFI Specification adheres to the localization rules under financial regulations, as well as the general principle of the prohibition of cross-border transfer with exceptions. In addition, the PFI Specification also incorporates the compliance requirements under the general regulations, that is, the PI controllers shall get PI subjects’ consent, conduct self-assessment, pass regulatory authorities’ assessment, and sign the standard contract terms for cross-border transfer. Even if the PFI Specification is not mandatory, it is an important reference of best practices in the financial industry.

2.The Rules for Cross-border Transfer of PI under the Draft Personal Information Protection Law

Chinese law has no specified detailed rules for cross-border transfer of PI, but the Personal Information Protection Law (Draft), which sets out rules for the cross-border transfer of PI, may be promulgated in the near future and apply to cross-border transfer of PFI. According to the press, the Personal Information Protection Law (Draft) may request that, before the cross-border transfer of PI, the processor shall inform PI subjects, get PI subjects' consent and: (1) pass the security assessment；(2) obtain PI protection certification by a professional organization；(3) sign the agreement on cross-border transfer with the overseas PI recipients to meet the PI protection standards, or (4) meet other requirements stipulated by laws.

3.Data Security Audit and Export Control under the DSL

Since the DSL applies to all types of data, including PFI, the DSL will also affect cross-border transfer to some extent after it comes into effect. According to the press, the DSL stipulates the security audit of data activities that may affect national security, and the data of controlled items shall be subject to the export control system. These two rules are likely to apply to cross-border transfer of PFI which is relevant to national security or under export control.

数据隐私与网络安全专栏往期文章

1. 《网络安全法》的出台改变了什么？——条文解析企业的网络安全义务和法律合规新需求

2. 您的公司有数据保护官了吗？

3. 个人信息安全——“用户同意”之浅析

4. 记账理财APP的个人信息合规挑战

5. GDPR之“用户数据可携权”评析（一）——认识“用户数据可携权”

6. GDPR之“用户数据可携权”评析（二）——“用户数据可携权”实务运用的若干问题

7. GDPR之“用户数据可携权”评析（三）——“数据可携权”视角下的数据之争

8. 网安法第37条背景下的境外证据开示与数据出境问题

9. 对“数据共享合法化”的分析与思考系列之一：以《关于欧洲企业间数据共享的研究》为起点

10. 对“数据共享合法化”的分析与思考系列之二——欧盟B2B数据共享的案例研究

11. GDPR在看着你吗——GDPR第2条和第3条（适用范围）详解

12. 欧盟《统一数据保护条例》（GDPR）适用问答

13. 中国企业的GDPR合规挑战

14. 对“数据共享合法化”的分析与思考系列之三——欧盟B2B数据共享的案例研究

15. 银行业金融机构数据治理中的个人信息保护

16. 从《网络安全等级保护条例（征求意见稿）》看等保1.0到等保2.0的重要变化

17. 《网络安全等级保护条例（征求意见稿）》与《信息安全等级保护管理办法》的条

18. 放弃or坚持——出海游戏公司如何应对GDPR？

19. 标准合同条款：欧盟个人数据出境的常规路径之一

20. 欧盟《隐私与电子通信条例》（e-Privacy Regulation）草案介绍

21. 当资本运作遇到网络安全：尽调该怎么做？

22. 电信和互联网行业网络安全大检查来临，你准备好了吗？

23. 企业如何开展网络与数据安全事件应急演练？

24. 银行业金融数据出境的监管框架与脉络

25.  App个人信息保护专项治理暴雨将至，你的屋顶会漏吗？

26. 实施已满三月，区块链新规“回头看”

27. 网约车与电商法的适用五题

28. 网约车行业数据保护的规则及其特点

29. 企业如何应对数据泄露

30. 金融集团数据整合：“信息孤岛”攻坚战

31. 联邦学习能否解决金融数据整合难题？

32. APP安全认证实操十问十答

33. APP收购攻略

34. 关于个人信息保护法草案的七个疑问

合伙人

021-2613 6222

yuan.lizhi@jingtian.com

袁立志律师先后从上海对外经贸大学和新加坡国立大学取得国际法硕士和国际商法硕士学位。2017年加入竞天公诚。

袁律师是IAPP（国际隐私专家协会）会员，通过CIPP/E资格认证。袁律师代表竞天公诚律师事务所，作为全国信息安全标准化技术委员会成员，参与多项信息安全技术标准的起草和修订。袁律师兼任华东政法大学数字法治研究院特聘研究员，华东师范大学法学院实务导师。

袁律师的执业领域为网络与数据法、公司法律事务。袁律师曾为多家知名企业提供网络与数据法律服务，包括金融机构、汽车制造商、智能硬件制造商、文化娱乐企业、互联网企业、数据服务商、云服务商、医疗机构等，承办了一系列前沿的、富有挑战性的项目，积累了丰富的实践经验，是该领域的知名专家 。

袁律师荣获2020年The Legal 500亚太地区TMT（电信、媒体与科技）领域“特别推荐律师”，并名列LEGALBAND中国顶级律师排行榜“网络安全与数据”第一梯队。

袁立志律师历史文章

1. 债权催收行业法律研究报告（上）

2. 债权催收行业法律研究报告（下）

3. 欧盟《统一数据保护条例》（GDPR）适用问答

4. 中国企业的GDPR合规挑战

5. 当资本运作遇到网络安全：尽调该怎么做？

6. 个人信息委托处理是否需要个人授权？

7. 企业如何开展网络与数据安全事件应急演练？

8. 银行业金融数据出境的监管框架与脉络

9. App个人信息保护专项治理暴雨将至，你的屋顶会漏吗？

10. 实施已满三月，区块链新规“回头看”

11. 网约车与电商法的适用五题

12. 网约车行业数据保护的规则及其特点

13. 企业如何应对数据泄露

14. 金融集团数据整合：“信息孤岛”攻坚战

15. 联邦学习能否解决金融数据整合难题？

16. APP安全认证实操十问十答

17. APP收购攻略

合伙人

010-5809 1182

hu.ke@jingtian.com

胡科律师的执业领域为争议解决（尤其是跨境商事和知识产权争议的诉讼和仲裁）以及网络安全和数据保护。

胡律师代表国内外客户处理了许多重大、复杂的国内或涉外诉讼案件，主要涉及公司、股权、合资、金融、贸易、不动产、能源、知识产权以及不正当竞争等领域，也涉及跨境送达或取证、外国判决的承认和执行等前沿问题。

胡律师在仲裁方面的经验非常丰富。他经常代理客户处理在中国国际经济贸易仲裁委员会、北京仲裁委员会、香港国际仲裁中心、新加坡国际仲裁中心、国际商会仲裁院、斯德哥尔摩商会仲裁院以及联合国国际贸易法委员会规则下进行的国内外仲裁案件，以及外国仲裁裁决在中国的承认和执行。2018年、2019年，他连续被国际知名法律杂志Who’s Who Legal评选为“国际仲裁未来领袖”之一；2019年，他被Chambers & Partners评为争议解决领域的“潜质律师”。

在公司治理、股权、合资纠纷领域，胡律师参与了许多关系企业生死存亡或广受舆论关注的重大纠纷，深受客户信赖。他熟悉中国公司法、证券法和三资企业法在理论和实践中的发展，除了帮助客户妥善处理各类复杂、疑难、棘手的合同争议、公司争议和实践难题，还多次成功帮助客户争夺知名企业的控制权。

在知识产权和竞争法领域，胡律师协助客户处理专利、商标权、著作权、商业秘密、不正当竞争、技术转让相关的各类纠纷，具有在最高人民法院和京、沪、粤等地各级法院以及境内外仲裁机构代理知产案件的经验，其中许多案件是具有全国重大影响或具有开创性意义的典型案件。

胡律师也就客户的日常经营、信息隐私和网络安全、碳减排等法律和合规事务提供咨询服务。

胡科律师历史文章

010-5809 1211

wang.beining@jingtian.com

王蓓宁毕业于清华大学，获得法学学士和经济学学士学位，并作为交换生在荷兰乌特勒支大学学习。王蓓宁掌握SQL、Python等编程语言，并通过特许金融分析师（CFA）一级考试。在加入竞天公诚之前，王蓓宁在一家NASDAQ上市的大数据企业工作，作为数据咨询师参与多个头部企业的数据分析项目。王蓓宁的执业领域为网络与数据法、TMT、公司法律事务。

王蓓宁历史文章

本文观点仅供参考，不可视为竞天公诚律师事务所及其律师对有关问题出具的正式法律意见。如您有任何法律问题或需要法律意见，请与本所联系。

This article is for your reference only and not to be deemed as formal legal advice given by Jingtian & Gongcheng or its lawyers. Please contact us directly for formal legal advice or further discussion about the relevant issues.