(This article was first published on Data + Cyber Security Special Report 2020: Asian-mena Counsel, authorised reprint)
Question 1: How does Chinese law define personal financial information?
Chinese law specifies personal financial information (“PFI”) both by definition and by enumeration, as follows:
1. Institutional Identity
The scope of PFI depends on the definition of financial institutions, since PFI is regarded as personal information (“PI”) collected and used by financial institutions in the process of providing financial products or services.
In 2011, the People's Bank of China (the “PBOC”) promulgated the Notice Regarding the Effective Protection of Personal Financial Information by Banking Institutions (the “Notice on PFI”), which defines PFI as PI obtained, processed and stored by banking financial institutions. In 2020, the PBOC issued the Personal Financial Information Protection Technical Specification (the “PFI Specification”). The PFI Specification applies to licensed financial institutions supervised by China’s financial regulatory authorities and, more broadly, institutions processing PFI.
2. Types of PFI
The Notice on PFI and the PFI Specification also enumerate the categories of PFI. The enumeration includes personal identity information, personal property information, personal account information, loan information, financial transaction information, derived information, authentication information and other information.
Question 2: What are the regulatory rules and requirements for cross-border transfer of personal financial information under Chinese law?
The Notice on PFI establishes the framework for cross-border transfer of PFI in China, namely that the storage, processing and analysis of PFI shall take place within the territory of China. In addition, cross-border transfer of PFI is prohibited in principle; there are exceptions to the prohibition, but the Notice on PFI does not specify any of them.
In 2011, the Shanghai Branch of the PBOC promulgated the Notice Regarding the Effective Protection of Personal Financial Information by Banking Financial Institutions, which sets out exceptions allowing cross-border transfer of PFI. It requires that financial institutions transfer PFI only for business needs, obtain customers’ consent, ensure confidentiality, and transfer PFI to affiliated institutions only. In addition, according to the Guidelines for the Management of Money Laundering and Terrorist Financing Risks of Corporate Financial Institutions (Draft) issued by the PBOC in 2019, domestic corporate financial institutions may provide overseas clearing agents with customer identity information and transaction background information after obtaining their customers’ authorization, where cross-border transfer is necessary for anti-money laundering and anti-terrorist financing purposes.
We understand that, currently, the exception rules are the compliance path for cross-border transfer of PFI. Financial institutions shall ensure that:
(1) The cross-border transfer is to meet business needs;
(2) The cross-border transfer is under customers’ authorization;
(3) Confidentiality of PFI is not undermined; and
(4) PFI is transferred to overseas affiliates, or PFI is transferred to the overseas entities’ affiliates located within China.
Question 3: What is the impact of the regulatory requirements for critical information infrastructure and important data on the cross-border transfer of personal financial information?
Chinese law restricts cross-border transfer of PI and important data collected by critical information infrastructure operators (“CIIO”). Art. 37 of the Cybersecurity Law (the “CSL”) stipulates that CIIO shall store PI and important data collected and produced during operations within the territory of China. Where it is genuinely necessary to provide PI and important data to overseas parties due to business needs, a security assessment shall be conducted in accordance with the measures formulated by the Cyberspace Administration of China in concert with relevant departments of the State Council.
As to the definition of critical information infrastructure (“CII”), according to Art. 18 of the Regulations on Protection of Critical Information Infrastructure Security (Draft) and Art. 3.1 of the Guidelines for the Security Inspection and Evaluation of Critical Information Infrastructure (Draft), CII refers to the network facilities and information systems that may seriously endanger national security, the national economy, people's livelihood and the public interest if they suffer destruction, malfunction or data leakage, and both drafts take the financial sector as an example of CII. Therefore, chances are high that cross-border transfer of PFI will be restricted if these two drafts are officially promulgated.
With respect to important data, apart from Art. 37 of the CSL, the Administrative Measures for Data Security (Draft) also has strict requirements on the cross-border transfer of important data. Even if the important data is collected by network operators other than CIIO, it is necessary to conduct security risk assessment of cross-border transfer of important data and report to the regulatory authorities for approval. Art. 28 of the Data Security Law (Draft) (the “DSL”) stipulates that all the processors of important data shall conduct risk assessment regularly and submit the assessment reports to authorities.
Important data refers to data that may directly affect national security, economic security, social stability, or public health and safety once leaked. Important data does not include personal information under Art. 38 of the Administrative Measures for Data Security (Draft). However, large-scale PFI may, after aggregation, integration and analysis, reflect China’s trends of financial and economic development and thereby negatively affect financial security. Therefore, large-scale PFI may be defined as important data and thus restricted from cross-border transfer.
Question 4: What are the development trends of the regulatory requirements for cross-border transfer of personal financial information in China?
1. The Integration of Specialized Regulations and General Regulations
As mentioned above, the financial regulations set out the requirement of localization and the prohibition of cross-border transfer. By contrast, the general regulations remove the requirement of localization and specify compliance requirements for cross-border transfer. However, there is a trend toward integrating these opposing rules. Taking the PFI Specification as an example, it adheres to the localization rules under the financial regulations, as well as the general principle of prohibiting cross-border transfer subject to exceptions. In addition, the PFI Specification incorporates the compliance requirements of the general regulations, that is, PI controllers shall obtain PI subjects’ consent, conduct a self-assessment, pass the regulatory authorities’ assessment, and sign the standard contract terms for cross-border transfer. Although the PFI Specification is not mandatory, it is an important reference for best practices in the financial industry.
2. The Rules for Cross-border Transfer of PI under the Draft Personal Information Protection Law
Chinese law currently has no detailed rules for cross-border transfer of PI, but the Personal Information Protection Law (Draft), which sets out rules for cross-border transfer of PI, may be promulgated in the near future and apply to cross-border transfer of PFI. According to the press, the Personal Information Protection Law (Draft) may require that, before the cross-border transfer of PI, the processor shall inform PI subjects, obtain their consent and: (1) pass the security assessment; (2) obtain PI protection certification from a professional organization; (3) sign an agreement on cross-border transfer with the overseas PI recipient that meets the PI protection standards; or (4) meet other requirements stipulated by law.
3. Data Security Audit and Export Control under the DSL
Since the DSL applies to all types of data, including PFI, the DSL will also affect cross-border transfer to some extent once it comes into effect. According to the press, the DSL provides for a security audit of data activities that may affect national security, and subjects data relating to controlled items to the export control system. These two rules are likely to apply to cross-border transfer of PFI that is relevant to national security or under export control.