China Tightens Oversight of Personal Data Collection as Privacy Concerns Mount

Amid growing concern in China over the use and abuse of personal data, the People’s Bank of China (PBOC) has proposed new regulations to tighten oversight of businesses that collect personal and corporate credit information, vowing to improve data privacy protection as demand for such services surges.

A draft of the rules (link in Chinese) published on Monday builds on a decision by the State Council at a Nov. 25 meeting (link in Chinese) to encourage the credit reporting system and crack down on malpractice as part of a broader policy to promote the development of the system. The draft will be open for public feedback until Feb. 10.

The new regulations, which have been in the works since 2016, are aimed at improving the transparency of credit reporting and protecting the legal rights of individuals and companies, the PBOC said in an explanation accompanying the publication of the draft.

“The credit reporting industry has been growing rapidly and has entered the digital era, with new types of businesses emerging,” the PBOC said. “However, the lack of clear regulations has led to problems such as ambiguous credit reporting boundaries and inadequate measures to protect the rights and interests of those whose data are being collected.”

Individuals and corporations “must be guaranteed their legitimate rights and interests which include the right to know, consent, withhold consent, and complain,” the explanation said. “(We must) prevent the abuse of personal and corporate credit information, safeguard the security of credit information, and prevent data leakage.”

Banks and other financial institutions that provide loans to companies and individuals rely on credit reports to help them decide how risky a potential customer is and whether it can pay back its debts. In addition to gathering their own data, they are also allowed to tap into the PBOC’s own credit reporting system, the Credit Reference Center (CRC), which is used to primarily pool data from banks and other traditional lenders. They can also access information from Baihang Credit Scoring, a central bank-backed company set up in 2018 that collects information from lending channels outside the traditional financial system such as online lending.

 Read more 
Chinese Credit Reporting Firm Punished for Operating Without a Proper License

Financial institutions are supposed to feed their credit information into databases run by the CRC and Baihang and in turn get access to the data for their own lending and risk-management activities. There are also other platforms providing corporate credit information services based on publicly available data, such as Qcc.com and TianYanCha.com.

The updated rules give a clearer definition of credit information and mention specific data categories including what’s known as alternative data (替代数据), such as telecommunications records, to reflect the changes in the sources and methods used for personal data collection.

Credit reporting companies are defined as businesses that handle data used to check personal and corporate creditworthiness. These companies should abide by the principle of “collecting as little information as possible and only collecting necessary information,” and must not gather information illegally, according to the draft.

When collecting personal data, companies should tell individuals how the data will be used and ask for their consent. If they want to collect non-public corporate information, they should also obtain the consent of the businesses they are investigating. Institutions that obtain personal credit information from credit reporting companies should only use the data for the purpose that has been agreed by the individuals, and the purpose should be clear and specific, the draft regulations stipulate.

Individuals whose data are collected by credit reporting companies have the right to request the companies to provide their full credit reports, according to the draft.

Reflecting the rapid growth in consumer credit and online lending platforms, demand for personal information has surged over the past few years as financial institutions try to gauge the creditworthiness of borrowers, many of whom don’t have traditional credit records. That’s given rise to unethical or illegal data-collection activities and there have also been cases of data being leaked. In 2019, Kaola Credit, the credit rating service of payment company Lakala Payment Co. Ltd., was accused of illegally storing and selling users’ personal data for millions of dollars. Beijing-based Kaola Credit was among seven companies caught up in a police crackdown on illegal use of personal data in Huai’an, East China’s Jiangsu province.

Just last month, the PBOC handed out a record penalty to Pengyuan Credit Service Co. Ltd., a domestic credit reporting company, for conducting personal credit checks without a license.

The PBOC first issued regulations for managing the credit reporting industry in March 2013 (link in Chinese) when internet finance and big data were in their relative infancy. But the rise of fintech companies has led to significant changes in how personal information is being collected. The type of personal information being gathered is also expanding as lenders try to build up a better credit profile of borrowers. Sources of alternative data include social network activity, telecoms and messaging data, e-commerce transactions, non-credit financial transactions on mobile apps and even browser data.

As in many countries, laws and regulations in China have failed to keep up with the fast-paced changes although that’s now being addressed.

The nation’s first Civil Code, which went into effect on Jan. 1, devotes a whole chapter to the right to privacy and protection of personal information and in October last year, a draft law on personal information protection was released for public feedback. The PBOC is also planning to include alternative data companies in its supervision framework for the credit reporting industry, according to a report of a meeting (link in Chinese) attended by Deputy Governor Chen Yulu in December.

The PBOC said the draft regulations are based on the Civil Code (民法典), the central bank law, which is currently being revised, and the 2013 version of the credit reporting rules.

Regulators have been cautious about granting more licenses for personal credit reporting due to concerns over data privacy. However, there are signs the central bank is changing its stance. The CRC and Baihang are struggling to meet growing demand created by the booming retail finance sector, a source familiar with the issue told Caixin (link in Chinese). Neither agency is market-oriented enough and Baihang has failed to meet market expectations, the source said.

The PBOC said on Dec. 25 it had approved (link in Chinese) an application from Pudao Credit to undertake personal credit reporting. Its shareholders include state-owned financial company Beijing Financial Holdings Group Ltd. and the fintech arms of e-commerce giant JD.com Inc. and smartphone-maker Xiaomi Corp.

Contact reporter Guo Yingzhe (yingzheguo@caixin.com) and editor Nerys Avery (nerysavery@caixin.com)

Download our app to receive breaking news alerts and read the news on the go.