Oct 30, 2019 08:24 PM

In Depth: China’s Big Data Clampdown Leaves Online Lenders in a Bind

Under the law, both sellers and buyers of illegally collected data can be held liable. Photo: VCG

Police are once again clamping down on companies that operate in the shadowy intersection between internet finance and big data, raising the stakes after two years of intermittent crackdowns on China’s big data industry, multiple sources have told Caixin.

Authorities have come down much harder on the industry this time around. Since early September, multiple big data and data-scraping companies, as well as online lenders, in Beijing, Shanghai, Shenzhen and Hangzhou have come under investigation, with even company executives and founders getting caught up in probes, the sources said. That’s different from the past, when investigators mostly just questioned lower-level employees.

The intensifying crackdown is significant because of the role that these big data companies have played in gathering borrowers’ personal information — some of which has been obtained illegally — that has at times been used by debt collectors that employ shady practices.

On Oct. 21, for example, police raided the Hangzhou office of Hong Kong-listed online credit card management platform 51 Credit Card Inc., which authorities accused of contracting debt collectors that harassed and intimidated borrowers, and even impersonated government employees. Users had cited malicious debt collection methods such as exposing users’ contacts and harassing families and friends.

Data dredging

The recent wave of investigations was triggered after some loan sharks were found using borrowers’ personal information, such as location information, to help them collect unpaid debts, which in at least one case led to a death. Much of this wrongdoing is made possible by data scraping, or web crawling, in which computer programs automatically scour the internet to collect data, including personal information like names, phone numbers and email addresses. It is legal to use data scraping to dredge up publicly available information. However, it’s illegal to use the technology to obtain nonpublic, sensitive personal information without consent.

But even if the data is gathered from authorized sources, data-gathering companies still must obtain clear consent from individuals, a law professor at the People’s Public Security University said.

Companies have figured out ways to get that consent in some cases. One common practice is for online lending apps to demand users accept — often unknowingly — lengthy user agreements that include terms such as authorizing the extraction of users’ contact lists and allowing the apps to use users’ personal information to work with third parties.

Online lending platforms can put that data to use in many ways. They can use the data to manage risk — such as by identifying fraudulent borrowers — or to market their loans and collect debts by calling or texting the contacts they acquired.

Getting bigger

Big data companies engaging in data gathering, mining and analysis have burgeoned in China since 2013, coinciding with the boom of the internet finance industry, which provided the big data industry with an eager customer base.

Along with emerging online lending companies, traditional banks have increasingly come to rely on big data companies to get customers’ data. Many small banks had relied entirely on big data companies for risk management, said an employee of Industrial and Commercial Bank of China Ltd.’s credit card department.

Big data companies usually obtain data via web crawling or purchase it from other data sources, said an executive with the credit card division of a commercial bank. But their data gathering practices are subject to mounting legal concerns because it is unclear whether the information was legally gathered.

“The biggest concerns are the sources of the data and the access to many sensitive personal data,” said Han Honghui, a data security expert, adding that many big data companies are gathering individuals’ locations, IP addresses and other private information when analyzing their credit records, which can be deemed illegal under China’s cybersecurity law.

Broader clampdown

The Cybersecurity Law, enacted in 2017, shook up the big data industry by setting strict requirements on how companies can collect and use personal information.

The most recent wave of investigations has shaken up many data-driven “financial risk managers” including high-profile ones like Tongdun Technology Co. Ltd. and Bairong Yunchuang Technology Co. Ltd., industry sources told Caixin.

Hangzhou-based Tongdun Technology, founded in 2012, was one of the first of the dozens of big data startups that popped up and became darlings of the financial industry.

The company has won more than $200 million in investment in several rounds of fundraising since 2013. Its investors include a number of high-profile firms such as IDG Capital and Temasek Holdings Pte Ltd.

According to a product document seen by Caixin, Tongdun’s database consists of millions of pieces of data from e-commerce providers, public security departments, courts and telecom operators. Nowhere does it mention whether any of the data had been gathered with user consent.

Caixin has learned that industry group the National Internet Finance Association of China has recently issued window guidance that instructs online financial platforms to check if the data they use is in full compliance with the law.

Beijing’s local financial regulator is also conducting a blanket probe of all big data companies in the region to see whether they illegally gather personal information online. The companies are required to submit a commitment letter promising not to engage in such activities, and those that conduct such activities are required to report and correct them as soon as possible.

The China Banking and Insurance Regulatory Commission’s Beijing branch issued a formal document earlier this month specifying what financial institutions can and cannot do with big data. The new rules bar financial institutions from working with debt collectors that employ illegal collection methods, such as intimidation.

Under the law, both sellers and buyers of illegally collected data can be held liable. That leaves financial companies with a difficult choice. “Our team has been discussing if we should go ahead and use the data. Given that most internet finance platforms use such data, we’d put ourselves at a disadvantage if we didn’t,” the manager of a joint-stock bank’s credit card department told Caixin.

“But if we use it, we’re encouraging illegal behavior,” the manager said.

Han Wei, Hu Yue and Denise Jia contributed to this report.

Contact reporters Timmy Shen (Twitter: @timmyhmshen) and Isabelle Li, and editor Michael Bellart
