INTRODUCTION

1. THE INTRODUCTION OF FINANCIAL INFORMATION IN CHINA

On February 13, 2020, the People's Bank of China issued the Personal Financial Information Protection Technical Specification (hereinafter referred to as the Specification)¹. The Specification defines personal financial information as personal information obtained, processed and preserved by financial institutions through the provision of financial products and services or other channels, including account information, authentication information, financial transaction information, personal identification information, property information, and loans Information and additional information reflecting certain circumstances of a particular individual. The time for feedback issued by the People's Bank of China on the Implementation Measures for the Protection of Financial Consumers' Rights and Interests (Draft for Comment) (hereinafter referred to as the 2019 Implementation Measures) ends on January 25, 2020². Article 27 of the 2019 Implementation Measures first amends the Personal Financial Information of the Implementation Measures for the Protection of Financial Consumer Rights and Interests of the People's Bank of China (hereinafter referred to as the Implementation Measures for 2016) implemented on December 14, 2016³. It is “consumer financial information”, which defines financial information as “buy, use” related information of financial products or services, including personal identification information, property information, account information, credit information, financial transaction information and other related information.

2. ANALYSIS OF STATUS QUO OF THE REGULATION OF CROSS-BODER TRANSMISSION OF FINANCIAL INFORMATION

2.1. Regulation of cross-border transmission of financial information in China

On January 21, 2011, the People’s Bank of China issued the Notice on Banking Financial Institutions Doing a Good Job in Protecting Personal Financial Information (hereinafter referred to as the 2011 Notice)⁴. Article 6 stipulates that personal finance collected in China shall be stored, processed, and analyzed within China. Except as otherwise stipulated by laws, regulations, or the People’s Bank of China, banking financial institutions shall not provide domestic personal financial information overseas.

The Cyber Security Law of the People's Republic of China came into effect on June 1, 2017⁵. Article 31 of the Cyber Security Law proposes that the state should deal with important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other breaches, loss of functions, or data leakage. Key information infrastructure that may seriously endanger national security, national economy, people's livelihood, and public interests, should implement key protection based on the network security level protection system. Article 37 of the Cyber Security Law stipulates that operators of critical information infrastructure should store important personal data, such as citizens' personal information collected and generated during operations within the territory of the People's Republic of China. For the provision to overseas organizations or individuals, the safety assessment shall be carried out in accordance with the methods formulated by the State Network Information Department in conjunction with relevant departments of the State Council.

On June 27, 2018, the Ministry of Public Security announced the Network Security Registration Protection Regulations (Draft for Comment)" (hereinafter referred to as the Protection Regulations)⁶. Article 15 of the Protection Regulations is based on the importance of the network in national security, economic construction, and social life, as well as its damage to national security, economic security, and social security. Factors such as order, public interest, and the degree of harm to the legitimate rights and interests of relevant citizens, legal persons, and other organizations divide the network into five levels of security protection. Accordingly, the Protection Regulations stipulates that network operators should perform different levels of security protection obligations according to different levels of security protection to ensure network and information security. For example, Article 21 requires network operators above the third level to perform general network security protection obligations as stipulated in Article 20, and also fulfill special network security protection obligations, such as establishing a level-by-level approval system. In addition, the Protection Regulations requires network operators to conduct online testing, rating evaluation, security rectification, and security self-examination. In terms of data and information security protection, Article 31 of the Protection Regulations require network operators to establish and implement important data and personal information security protection systems; take protective measures to to ensure that data and information are collected, stored, transmitted, and used securely, and provide security during the destruction process; establish technical measures such as off-site backup and recovery to ensure the integrity, confidentiality, and availability of important data. Without permission or authorisation, network operators shall not collect data and personal information unrelated to the services they provide. They must not violate laws, administrative regulations and the agreement between the parties to collect, use and process data and personal information. Unauthorized access, use, and provision of data and personal information are not allowed.

On July 11, 2018, the People's Bank of China issued the Notice on Strengthening the Management of Cross-Border Financial Networks and Information Services (hereinafter referred to as the 2018 Notice)⁷. The 2018 Notice requires foreign providers to provide cross-border financial networks and information services to domestic users and shall perform performance reports in written form (including electronic documents) to the People's Bank of China within 30 working days before the formal provision of services. The overseas provider shall report to the People's Bank of China in writing on the services carried out in the first half of the year by July 20 and for the previous year by January 20 of the following year. If an overseas provider provides services to a domestic user, and there are major changes in its service content, business rules, or technical means, it shall report to the People's Bank of China in writing within 30 working days before the change. Overseas providers are not allowed to build a dedicated financial network within the country to provide services such as financial information transmission, but they can authorize their institutions established in China to perform relevant reporting obligations. In addition, the 2018 Notice requires domestic users intending to use the services of overseas providers to complete the reporting procedures in advance with the provincial branch of the People's Bank of China where the legal entity of the domestic user is located. Overseas providers and domestic users should join the China Payment and Clearing Association and accept industry self-regulation management. In accordance with the needs of macro-prudential management, the People's Bank of China conducts assessments on the performance of reports by overseas providers and the reports of domestic users, strengthens cross-border financial networks and information security protection, information sharing and supervision, and will register with overseas providers. The local supervisory authority establishes a supervisory cooperation framework and strengthens coordination, communication, and information sharing. This is the specific practice of the Chinese version of the ‘long arm jurisdiction’ principle in the field of financial supervision.

The E-Commerce Law was promulgated and implemented on January 1, 2019⁸. Article 25 of the E-Commerce Law stipulates that relevant authorities should take necessary measures to protect the security of data information provided by e-commerce operators, and personal information, privacy and business secrets are kept strictly confidential and may not be disclosed, sold or illegally provided to others. Article 30 requires e-commerce platform operators to ensure the security of e-commerce transactions. It stipulates that they should ensure network security and stable operation, prevent illegal and criminal activities, and formulate emergency plans to effectively respond to network security incidents. Article 31 requires operators of e-commerce platforms to record and store information on goods and services, as well as information on transactions, for at least three years from the completion of the transaction. In addition, the E-Commerce Law embodies China's support and intention to promote the development of cross-border e-commerce, establishing customs, taxation, entry and exit inspection and quarantine, payment settlement and other management system regulations that meet the characteristics of cross-border e-commerce. The export management department shall promote the construction of comprehensive services and supervision systems for cross-border e-commerce customs declaration, tax payment, inspection and quarantine in accordance with the law, optimize the supervision process, promote the realization of information sharing, mutual recognition of supervision, mutual assistance in law enforcement, and improve cross-border e-commerce services and regulatory efficiency. In addition, in terms of cross-border e-commerce cooperation, the E-commerce Law in Article 73 proposes that the country promote the establishment of cross-border e-commerce exchanges and cooperation with different countries and regions, participate in the formulation of international e-commerce rules, and promote electronic The development of international mutual recognition systems such as signatures and electronic identities and the promotion of the establishment of a cross-border e-commerce dispute resolution mechanism. Regarding punishment, the E-Commerce Law works with the provisions of the Cyber Security Law, and the relevant competent departments are responsible for taking punitive measures within a time limit for violations of the above-mentioned provisions, including ordering business rectification and imposing administrative fines.

Article 34 of the People's Bank of China Financial Consumer Rights Protection Implementation Measures (Draft for Comment) (hereinafter referred to as the 2019 Central Bank Implementation Measures) was issued by the Central Bank on December 27, 2019⁹. The storage, processing and analysis of information shall be carried out in China. If providing consumer financial information overseas is necessary for business needs, it should meet the following conditions: 1) necessary for processing cross-border business; 2) written authorization from financial consumers; 3) information recipient for completion Related institutions necessary for the business (including the head office, parent company or branch, subsidiary, etc.); 4) by signing agreements, on-site verification and other effective measures, overseas institutions are required to keep the financial information of consumers obtained confidential; 5) comply with laws and regulations and other relevant regulatory authorities.

On March 6, 2020, the State Administration of Market Supervision and Administration and the National Standardization Management Committee issued the Information Security Technology Personal Information Security Code¹⁰ (hereinafter referred to as the Security Code), which stipulates the collection, storage, use, deletion, etc. The regulations on the cross-border transmission of personal information in the Security Specifications are not detailed but simply stipulate that the personal information collected and generated during operations in China is provided overseas, and the personal information controller should follow the relevant national regulations and relevant Standard requirements. However, the Security Code does not specify what the relevant national regulations and standards are, which adds some uncertainty to the cross-border transmission of personal information.

On May 19, 2022, the Cyberspace Administration of China issued “Measures for the Security Assessment of Outbound Data Transfer”¹¹. It stipulates that in these circumstances the data processor shall apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration: 1) the data processor provides important data abroad; 2) the critical information infrastructure operator or the data processor that has processed the personal information of over one million people provides personal information abroad; 3) the data processor that has provided the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad; 4) Any other circumstance where an application for the security assessment of outbound data transfer is required by the national cyberspace administration. Also, in article 5, it stipulates that the data processor shall conduct a self-assessment of the risks. It mainly focuses on the legality, legitimacy and necessity of the purpose, scope and method; the size, scope, type, and sensitivity of the data to be transferred abroad, and the risks that the outbound data transfer may endanger national security, public interest, or the lawful rights and interests of individuals or organizations; the responsibilities and obligations that the overseas recipient undertakes to assume, and whether the overseas recipient's management and technical measures and capabilities, among others, to perform its responsibilities and obligations can ensure the security of the data to be transferred abroad; the risk that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained, or illegally used, among others, during and after the outbound data transfer; and whether the channels for the protection of personal information rights and interests are smooth, among others; and whether data security protection responsibilities and obligations are fully agreed upon in the contract to be concluded with the overseas recipient in relation to the outbound data transfer or any other legally binding document, among others. These Measures are a set of review standards and procedures for data transfer.

2.2. Regulation of cross-border transmission of financial information in the EU

On May 25, 2018, the Directive 95/46/EC “General Data Protection Regulation” (hereinafter referred to as GDPR) was officially implemented¹². In order to fully protect the personal data protection rights of EU residents, GDPR will be extended to all controllers and processors related to EU residents 'personal data, that is, EU residents' personal data is also protected by GDPR outside the EU. Although GDPR is an EU regulation, it applies to all enterprises processing the data of EU residents, regardless of the enterprise’s location. This renders GDPR the most influential data protection regulation globally, setting a benchmark for data privacy regulation in other countries and regions. GDPR plays a crucial role in safeguarding personal data privacy and security, enhancing data protection standards, augmenting user control, and prompting enterprises to adopt more rigorous security measures to protect user data. Its far-reaching global impact and stringent punitive measures further reinforce its significance in the realm of data privacy and protection. Therefore, GDPR has set a great model for other countries to follow.

Compared with the Data Protection Directive 1995/46¹³, GDPR has greatly optimized the policy of cross-border transmission of information and further clarified more legal methods of cross-border transmission of information. Article 45 of GDPR stipulates in detail the “appropriateness assessment, qualification review and safeguard measures for the cross-border transmission of information data” (Wu and Huo 2018): 1) the third country should have the protection level stipulated by GDPR before cross-border transmission of information and data; 2) when evaluating the protection level, it is necessary to consider factors such as relevant regulations, respect for human rights, supervisory agencies, and international commitments; 3) after the European Commission ’s assessment, it can decide whether to achieve the level of protection through a bill, and the implementation of the bill should provide for a periodic review mechanism at least every four years; 4) the European Commission should continuously monitor whether third countries or international organizations comply with the Committee ’s compliance Evaluation decision and whether to protect data in accordance with Article 25 (6) of Directive 95/46; 5) when the evaluation object no longer meets a sufficient level of protection, the European Commission will revoke, amend or terminate the aforementioned decision; 6) the European Commission should publish a list of specific regions and specific departments in third countries and international organizations on the “European Union Bulletin” and its website.

However, it should be pointed out that, for the purpose of preventing financial crimes such as money laundering and preventing financial risks, many EU financial supervision laws have set clear requirements for the processing and control of customer data by financial institutions (Wang 2018a). For example, the “European Financial Instruments Market Directive II”¹⁴ (MiFID II) and “IFRS 9”¹⁵ have emphasized the obligations of banks and other financial institutions for customer data collection, processing and reporting. This may conflict with GDPR, so the financial industry may face a dilemma in compliance.

3. DIFFICULTIES AND OBSTACLES IN THE CROSS-BODER TRANSMISSION OF FINANCIAL INFORMATION

3.1 Conflict between the obligation of confidentiality of financial information and cross-border transmission and information sharing

3.2. Discussion of whether the provision of “Domestic Storage and Operation” applied to financial information is reasonable

After the Cyber Security Law, the Cyberspace Administration of China issued the “Regulations on the Protection of Critical Information Infrastructure Security (Draft for Comments)” (hereinafter referred to as the Protection Regulations) on July 10, 2017¹⁶. The definition and scope of protection are defined as satisfying the conditions of “in case of damage, loss of function, or data leakage, which may seriously endanger national security, national economy, people ’s livelihood, and public interest”. Such cases shall be regarded as CII. Government agencies and industries such as energy and finance are included as typical CII sectors. It can be seen that according to the provisions of the Cyber Security Law and its supporting measures, personal information and important data generated and collected by the financial industry should be included in the protection scope of CII.

4. THE IMPROVEMENT OF REGULATIONS FOR CROSS-BORDER TRANSMISSION OF FINANCIAL INFORMATION

4.1 Improvement of China's legal regulations on the cross-border transmission of financial information.

4.2. Promoting the synergy between the self-regulation of the financial industry and government regulations

4.3. Coordinated development at the international level for cross-border transmission of financial information.

CONCLUSION