Key takeaways from draft data regulation issued by China’s central bank
PBOC issues the draft Regulation on Data Security Management for PBOC Business Areas for public consultation until 24 August 2023.
The People’s Bank of China (PBOC) has issued the draft Regulation on Data Security Management for PBOC Business Areas (Draft Regulation) for public consultation until 24 August 2023. On top of China’s data regime established in recent years, the Draft Regulation sets out more specific requirements for banks, payment institutions, credit agencies, etc. (for ease of understanding, “China” in this article refers to the mainland of the People’s Republic of China, excluding the Hong Kong and Macau SARs and the Taiwan region).
This Draft Regulation applies to the data processing activities conducted within China in connection with the business areas regulated by the PBOC, including, among others, cross-border CNY business, inter-bank market transactions, payment and clearance, digital currency, credit business, and anti-money laundering activities. “Data” defined under the Draft Regulation refers to online data collected and processed in the said areas, excluding any information involving state secrets.
For foreign bank branches and foreign-invested banks operating in China, the Draft Regulation may provide practical guidance on data security and compliance standards, while on the other hand it also poses great challenges for data processors (in this Draft Regulation, “data processor” refers to the organisation conducting data processing activities).
Understanding the complexity of China’s data regime
Currently China has three major laws regulating data and cybersecurity issues: the Cybersecurity Law (CSL), effective from 2017, and the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), both of which took effect in 2021. These three laws establish the overarching principles for network and data security (covering both personal data and non-personal data), as well as for personal data and privacy protection. In addition, there are lower-level administrative regulations, sectoral rules, and national and industrial standards, which provide more detailed rules for specific sectors, business areas or data types.
This has been a fairly dynamic and complex area of law, which has unavoidably made it challenging to understand in depth and to comply with. The PBOC, according to its explanatory note, intends to use this Draft Regulation to connect the dots.
- Most principles provided in the CSL, DSL and PIPL are very high-level. The Draft Regulation proposes more specific implementation procedures, such as the identification of “important data” (ie, data of which the alteration, damage, leakage, illegal acquisition or use may harm national security or public interests).
- The Draft Regulation excludes state secrets and offline paper records from its applicability scope, of which the processing shall adhere to the rules set out under China’s laws on state secret protection and document archives.
- Some provisions under the Draft Regulation refer to relevant industrial standards, where more practical and technical guidance is available.
- The Draft Regulation clarifies other regulatory concerns for certain processing activities. For example, where a data processor entrusts a third party to process data on its behalf, such entrusted processing shall be deemed as “IT outsourcing” and comply with the relevant regulations (for example, rules on selection and supervision of outsource providers).
Data classification and the scope of “important data”
Pursuant to the DSL, data shall be classified as normal data, “important data” and “core data” (ie, data concerning national security, the lifeline of the national economy, people’s livelihood and major public interests), and “important data” and “core data” merit a higher standard of protection. The DSL provides that regional and sectoral regulators shall formulate catalogues of “important data”, but the catalogues for the financial sector have not been published to date.
- The Draft Regulation clarifies that the PBOC will organise data processors to identify the “important data” and “core data” stored in their information systems, and determine the specific catalogue of “important data” based on the reports submitted by data processors.
- It goes on to specify a series of obligations for “important data” processors, concerning the appointment of a data security officer, provision of important data to other processors, annual risk assessment, etc.
- In addition to the normal, “important” and “core” data classification, the Draft Regulation also requires data processors to categorise data into five sensitivity levels, in accordance with the criteria set out in the “relevant industrial standard”, ie JR/T 0197-2020 Financial Data Security – Guidelines for Data Security Classification. Detailed security rules for data with different sensitivity levels are also specified under the Draft Regulation, for example on account verification, data storage, transmission, etc.
Though not a focus of this Draft Regulation, it is worth noting that transferring any “important data” out of China is subject to the “security assessment” organised by China’s cyberspace regulator, which is in essence an administrative approval and typically may take several months to complete. Once the scope of “important data” becomes clearer, banks should take prompt action to achieve compliance.
Data sharing between processors
In addition to collecting data directly from individual and corporate clients, in practice banks, payment institutions and credit agencies may share data with each other on a frequent and regular basis. On top of the principles set out under the higher-level laws, the Draft Regulation clarifies more specific requirements relating to such data sharing.
- The data provider and data recipient must set out in a written agreement the purpose, manner, scope and volume of data sharing, the allowed retention period, the conditions for onward provision to third parties, and the data recipient’s obligation to report data breach incidents.
- Data sharing agreements, the relevant internal assessments and approvals, and records of risks identified and remediation actions shall be retained for at least three years.
- Entrusting a third party to process data on behalf of the data processor shall be deemed as IT outsourcing activity and comply with the relevant regulations.
- Before sharing any “important data”, the data provider must conduct a risk assessment, taking into account the purpose and manner of data sharing, the potential security risks, the integrity and compliance status of the data recipient, the data sharing agreement and the security measures to be taken.
- Sharing of “core data” shall be approved by a state-level coordination office.
- Where a data processor needs to provide data to another party for reasons of merger, division, dissolution or declaration of bankruptcy, it must notify the relevant individuals and organisations of the information about the data recipient and evaluate whether the provision of data will violate any agreed confidentiality requirements between the data processor and the relevant organisations (eg, the processor’s corporate clients).
Cross-border data transfer
The Draft Regulation reiterates the “security assessment” requirement for certain cross-border data transfers set out under the higher-level laws – ie, a prior “security assessment” must be cleared if (i) any “important data” is to be transferred out of China; (ii) the personal data exporter has been identified as an operator of critical information infrastructure; (iii) the personal data exporter processes the personal data of more than 1 million individuals; or (iv) the personal data exporter has transferred the personal data of 100,000 individuals or the sensitive personal data of 10,000 individuals out of China since 1 January of the previous year.
- Further, the Draft Regulation requires data processors to calculate or estimate the accumulated volume and scale of outbound transfers in the previous two years by 31 January of each year. The results of such calculation or estimate, as well as the contact details of the relevant overseas recipients, shall be retained for at least three years.
- The Draft Regulation clarifies that the PBOC is responsible for handling data access requests from international organisations and foreign financial regulators. Without the approval from the PBOC and other relevant competent authority, data processors must not provide data stored within China to any such international organisations or foreign financial regulators.
Automated processing
Algorithms and artificial intelligence have become key words in the tech sector. The Draft Regulation also touches upon automated decision-making and generative artificial intelligence technology.
- When providing automated decision-making services to individuals based on generated data, the data processors are required to disclose the purpose of processing, the basic status of source data and the logic of processing, so as to enhance the transparency of decision-making.
- Data processors shall establish a risk assessment and control strategy for data processing algorithms, clarifying mitigation measures for explainability and vulnerability risks, and prepare alternatives to automated decision-making by algorithms.
- In addition, when data processors use automated collection methods to collect data from other data processors, they shall abide by the latter’s data access control protocols. Data processors shall establish data access control protocols to clarify whether their disclosed data can be automatically collected, and employ effective technical measures to ensure that publicly disclosed data is not tampered with.
More pieces in the jigsaw
According to the PBOC’s explanatory note, it will formulate another regulation on personal data protection for the business areas within its regulatory authority. China’s other financial regulators may also promulgate data-related regulations; these include the State Administration of Financial Regulation (formerly the China Banking and Insurance Regulatory Commission) and the State Administration of Foreign Exchange. Furthermore, the mobile applications and online platforms of banks are also subject to the supervision of telecom and cyberspace regulators. Again, it remains essential for banks to understand the interplay of China’s multi-layered data legislation.
According to the Draft Regulation, where necessary the PBOC may enter into cooperation agreements with other regulators to set out their coordination framework for data security supervision. We hope this can help to a certain degree to address the potential overlapping supervision among multiple regulators in this space, and we recommend closely following the development of this draft.