CBIRC to intensify enforcement on personal information protection

CBIRC plans to initiate an enforcement campaign on personal information protection within the year. Foreign banks may be impacted.

23 March 2022

Publication

The China Banking and Insurance Regulatory Commission (CBIRC) plans to initiate an enforcement campaign on personal information protection within the year, in order to urge banks to implement the Personal Information Protection Law (PIPL), which took effect last November. Given the law’s extra-territorial effect, foreign banks, with or without a presence in mainland China, may be impacted.

On 15 March, World Consumer Rights Day, CBIRC held a press conference at which Guo Wuping, head of its Financial Rights Protection Bureau, stated that CBIRC will initiate an enforcement campaign within this year to urge banks and insurance companies to implement the PIPL and use personal information in a compliant way. The purposes and reasons for this move were also set out in a risk alert published by CBIRC on 14 March, which pointed out that violations of the PIPL by some financial institutions and Internet platforms have posed significant risks to the rights and interests of financial consumers. Typical violations mentioned in the risk alert include excessive collection of personal information, implied or bundled consent, using personal information for purposes outside the scope consented to by consumers, and improper collection of personal information from external sources. The risk alert also indicated that CBIRC is likely to prioritise enforcement actions on personal banking business, though it will likely also look at corporate banking business and the internal management of banks.

Background

Being China’s first comprehensive law on personal information protection, the PIPL not only applies to all processing activities that take place within mainland China, but also has extra-territorial effect on, for example, the overseas processing of personal information of mainland China-based individuals for the purpose of offering products or services to, or analysing and assessing the behaviour of, such individuals.

The PIPL shares many key concepts with the EU General Data Protection Regulation (GDPR), while at the same time maintaining unique features that reflect local regulatory and business needs. Major legal requirements under the PIPL include (without limitation):

  • Separate consent – although the PIPL recognises several legal bases for personal information processing, a separate informed consent is still required in several circumstances, such as sharing personal information with other processors (ie the equivalent of “controllers” under the GDPR), providing personal information to overseas recipients, and processing sensitive personal information.
  • Various requirements for cross-border data transfer – depending on the nature of the processor and the volume of data involved, a processor needs to satisfy different conditions before transferring personal information out of mainland China, including for example clearing a “security assessment” with the competent authority, obtaining certification from designated agencies, or entering into a standard-form transfer agreement with the overseas recipients.
  • DPIA for a wide range of activities – processors are required to conduct personal information protection impact assessments (DPIAs) for a wide range of scenarios, including the processing of sensitive personal information, using personal information for automated decisions, entrusting third parties to process personal information, sharing personal information with other processors, publishing personal information, cross-border data transfer, and other activities that may have a material impact on data subjects.

Consequences of non-compliance

The PIPL significantly raises the level of penalties that can be imposed for illegal personal information processing activities. Violations can lead to an administrative fine of up to 5% of annual turnover or RMB 50 million (approx. £5.6 million). An administrative fine of up to RMB 1 million (approx. £112,150) can be imposed on the person in charge or other personnel directly responsible. In serious cases, violations may trigger criminal liability.

The banking sector had already been targeted for strict oversight on personal information protection by the relevant regulators, such as the CBIRC and the People’s Bank of China (PBOC), prior to the promulgation of the PIPL. With the heavier compliance obligations and penalties imposed by the new law, stringent enforcement is likely to follow. Earlier, in January 2022, a Hong Kong-headquartered bank with a presence in multiple mainland cities was fined RMB 16.74 million (approx. £2 million) by PBOC’s Shanghai Branch for violating rules on credit information collection and processing.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.