China’s Central Bank Rules for Treatment of Personal Information Effective

The People’s Bank of China (PBOC) issued the Administrative Measures for Credit Reference Agencies – eight months after the Administrative Regulations on the Credit Information Collection Sector became effective (on March 15, 2013). Those Measures took effect on December 20, 2013, and focus on the supervision and regulation of credit reference agencies in China. The Measures complement and tie in with the Regulations, which established a series of rules for the collection, use, processing, disclosure and transfer of personal information by entities in this sector, by specifying rules for the establishment of credit reference agencies that, by definition, deal with the personal credit information of individuals. In general, the Measures can be seen as a demonstration of the Chinese government’s increased attention to personal privacy protection issues and its intention to regulate this area across many sectors. The Measures require the credit reference agencies to comply with a set of technical information security standards with respect to their business, and to undergo regular assessments by a qualified assessment institution to assess information security safeguards. In additions, a credit reference agency may be subject to increased scrutiny by the PBOC (or its local counterpart) if the PBOC deems that there are circumstances that may endanger the rights and interests of the personal information owner. This would include a serious data breach incident, indications of a possible data leakage, being the subject of numerous complaints, or failure to comply with PBOC reporting and appraisal obligations. The PBOC and its local counterpart have broad powers to increase the frequency or scope of reporting requirements and to increase the frequency of security assessments, in addition to ordering credit reference agencies to take corrective action. If a credit reference agency wishes to close its business, the agency must submit an exit plan to the PBOC in advance and ensure that it disposes of its information database pursuant to the requirements in the Regulations.

Tip: This latest development is specific to credit reference agencies, but is a further sign that China’s regulatory authorities are getting serious about data privacy both generally and in specific sensitive sectors that affect individuals and consumers.