In his speech for the 2022 Hong Kong Fintech Week on 31 October, the Chinese central bank’s Governor Yi Gang highlighted privacy protection as one of the top issues to be tackled in the application of central bank digital currencies (or CBDCs).

China is currently running trials of its digital yuan in 23 pilot zones across 15 provincial areas and continues to expand the coverage of its CBDC. How exactly the People’s Bank of China (PBOC) can safeguard personal privacy while rapidly rolling out use of the digital yuan across multiple stakeholders with varying needs for access to data, especially in cross-border payment scenarios, will be a real challenge as the world’s second largest economy looks to fintech innovation as a key driver of further growth.

Managed anonymity

The PBOC proposed the principle of “anonymity for small value and traceability for high value” in its July 2021 white paper, attaching the moniker of “managed anonymity”. However, it is difficult to draw clear lines between small and high values, especially as the central bank also needs to consider different use-cases. Under China’s Personal Information Protection Law (PIPL), financial information amounts to sensitive personal information, so its collection, processing and transfer are subject to a higher level of scrutiny. 

It remains to be seen how the PBOC will reconcile the onerous requirements under PIPL and its ambition to deploy the digital yuan in a manner that allows widespread financial inclusion across China.

Cross-border transfer of personal information

China is exploring the application of the digital yuan in cross-border payment scenarios – it is playing an active role in the “m-CBDC Bridge” digital currency project led by the Bank for International Settlements, and is progressing technical testing for cross-border payment between the mainland and Hong Kong SAR.

The cross-border application of digital yuan in consumer transactions would naturally involve cross-border transfers of personal information. The PIPL provides three methods to transfer personal information out of mainland China and they are either burdensome (namely the data export security assessment) or pending further implementation rules (namely the standard contract and cross-border processing certification schemes). 

Query if exemptions or fast-track channels may be introduced by the PBOC to circumvent the broad obligations under China’s growing web of data laws.

Implementing rules and industry standards

In his speech, Governor Yi Gang mentioned that the PBOC will ensure personal information security through use of advanced technologies and strict data management mechanisms. However, the necessary implementing rules and industry standards are still pending. As the special task force for making financial industry standards, TC180 will no doubt have a say about the framework for privacy protection connected to the digital yuan. 

However, as financial institutions with cross-border operations have only just completed (or are just about to complete) their responses to the China Banking and Insurance Regulatory Commission’s comprehensive campaign on cross-border data flows, the timetable for formulating these may be pushed out to at least 6 months.

We will endeavor to keep you posted on any substantial developments on the topic of China’s CBDC. Watch out for our Fintech Legal Outlook 2023 coming soon.