China’s central bank, the People’s Bank of China or PBoC, released a set of draft administrative measures on data security management (Draft Measures) on Monday. Divided into eight chapters, the Draft Measures are open for public consultation until 24 August.

Some key takeaways are set out below. If you have comments to be submitted for the consultation, or need an English translation, please reach out to our team!

1. Implementing function rather than game-changing

The Draft Measures constitute low-level department rules that follow the requirements of China’s key upper-level laws, including the Cybersecurity Law, Data Security Law (DSL), and Personal Information Protection Law (PIPL). Their explanatory notes state that the Draft Measures chiefly seek to further articulate these existing rules and refine specific provisions for the financial services industry, without materially contradicting previous legislative trends or adding to the industry’s compliance burden.

Comfortingly for cross-border service operators, the explanatory notes emphasise that no additional compliance obligations are imposed under the Draft Measures in relation to localisation of “important data” (whatever it may be) and completing China’s newly-launched data export security assessment procedure.

While the Draft Measures may seek to avoid over-regulation, the explanatory notes endorse PBoC’s existing Financial Data Security – Data Security Classification Guide (JR/T 0197-2020) and Financial Data Security – Data Lifecycle Security Code (JR/T 0223-2021). Institutions may be disappointed that they should continue to refer to those standards, where applicable, even if amendments to them can be expected to be expedited to align terminology and other content with the Draft Measures.

2. Scope of application

The Draft Measures apply to data processing activities carried out by a data processor operating in mainland Chinese banking verticals under the PBoC’s supervision. According to the explanatory notes, these are mainly monetary policy operations, cross-border RMB business, interbank market transactions, comprehensive financial industry statistics, payment and clearing, currency management and digital RMB, treasury management, credit reporting, and anti-money laundering.

For those institutions of which the PBoC is not the principal regulator, the Draft Measures may still apply if part of their activities is under its supervision. For example, all financial institutions conduct anti-money laundering activities for which the processing of data will be caught by the Draft Measures, but they may be regulated by the National Financial Regulatory Administration (e.g. as a trust company) or the China Securities Regulatory Commission (e.g. as a securities company). These institutions will need to reconcile compliance with multiple data rules when the Draft Measures are adopted.

3. Data-focused – but not just personal information

The Draft Measures focus on data protection instead of personal information protection. The explanatory notes explain that personal information is a special type of data, and the Draft Measures defer to the personal information protection requirements under other laws, regulations and PBoC rules when it comes to personal information issues.

Interestingly, the notes also indicate that the PBoC may in the future issue other department rules on personal information protection.

4. Data circulation encouraged

The Draft Measures encourage the development of data circulation and innovation – a concept promoted in December last year by the State Council's foundational Opinions on Building a Basic Data System to Better Play the Role of Data Elements.

The proposed rules specifically push the use of privacy-preserving computation as a viable technological method for extracting greater analytical value from the data accumulated within the wider market. Nonetheless, when developing data innovation programs, financial institutions must ensure that the data they generate remains under their control and that the risks are managed.

5. Data classification

In line with other rules, the Draft Measures support in-scope organisations determining an overall process for data security management. This system should involve implementation of granular and differentiated security management and technical measures.

More specifically, the Draft Measures introduce a new approach to data classification. Based on data availability, the classification references whether data is available at a required level of performance. By doing so, the PBoC requires its regulated institutions to understand the necessary redundancy of different types of data to ensure business continuity.

In addition, the Draft Measures imply that the PBoC will issue a long-awaited classification standard through which “important data” can be identified. In-scope institutions will be obliged to identify important data (as well as “core data” and “general data”) and submit a catalogue of this to the PBoC.

6. Enforcement cooperation to be increased

With the ongoing convergence of industry verticals in the digital economy, the Draft Measures seek to foster cooperation among different government departments. PBoC may conduct joint enforcement inspections or refer illegal activities (known or suspected) to other relevant departments.

This shows the increasing enforcement trend under the China National Data Security Work Coordination Mechanism that was brought to prominence with the launch of the DSL in 2021.

7. Data exports to overseas authorities controlled

Both the DSL and PIPL require organisations to obtain regulatory approvals before submitting data or personal information to foreign judicial or law enforcement authorities. Industry had concerns that it was unclear which domestic authorities they should approach to obtain the approval. The Draft Measures clarify that this is the PBoC, though it is not clear if the Cyberspace Administration of China would be “the other relevant authority” that a regulated institution needs approval from.

8. Monitoring negative public opinions

In a world where social media has heightened the risk of businesses being villainised for poor data security – just as for other operational malpractice – the Draft Measures propose that regulated institutions monitor negative public opinion on their data security practices. As well as regularly inspecting sentiment towards their own data compliance and the data risks posed by service providers, agents, and other data recipients, regulated institutions must be proactive in brand management in this regard.

AI and data analytics will be key to financial services institutions satisfying these requirements, but businesses will need to observe privacy law and ethical safeguards when gathering and assessing customer opinions.