Authors: Carolyn Bigg, Amanda Ge and Venus Cheung
On July 24, 2023, the People’s Bank of China (“PBOC”) released the Measures for the Management of Data Security in the Business Areas Falling into PBOC’s Jurisdiction (Draft for Comment) (“Draft Measures”) for public consultation, which closes on August 24, 2023.
The Draft Measures regulate the processing of electronic data collected and generated during the course of business activities that are under the supervision and management of PBOC (“Regulated Data”). Regulated Data includes personal and non-personal data categories, but state secrets are specially carved out from the scope of Regulated Data. Financial institutions and other organizations (“Data Handlers”) processing Regulated Data with the territory of China must comply with the requirements of the Draft Measures.
Such regulated processing activities mainly include those carried out in the following business areas: monetary policy, cross-border RMB transactions, inter-bank transactions, comprehensive financial industry statistics, payment and clearing, currency management and digital RMB, treasury management, credit collection and anti-money-laundering.
Key obligations of Data Handlers when processing Regulated Data include:
Data categorization and grading: Regulated Data shall be categorized based on the underlying business contexts. Regulated Data shall be graded into three grades (namely ordinary, important and core) based on its potential impact to national security. Within each grade, Regulated Data shall further be divided into five different levels according to its sensitivity and availability. The categorization and grading shall be recorded in catalogues and updated regularly. Where Regulated Data is in unstructured formats, or where Regulated Data falling into different categories or grades is processed in the same context, the Data Handler shall implement technical and organizational measures applicable to the category or grade requiring a higher protection level. This is not dissimilar in practice to existing guidelines around categorization of “financial data”.
Full life cycle protection: Data Handlers must obtain the consent of individuals or organizations before processing their Regulated Data (howsoever the data was collected or obtained). Access controls, storage media, backups, encryption, transfer controls and retention period must be determined based on the category, grade and level of Regulated Data. The data protection level cannot be reduced even in the context of intra-group processing. Regular training and periodic audits shall be conducted to ensure the effectiveness of data security measures in place. In general, the compliance obligations of a Data Handler processing Regulated Data at level three or above are significantly heavier the others. At a high level, we anticipate financial institutions will already be doing this, so it will be interesting to see whether more granular security standards will be subsequently published and whether they impose higher requirements than, say, current international best practice standards.
Cross-border data transfer: The Draft Measures do not provide new requirements regarding cross-border transfer of Regulated Data. Instead, the Draft Measures only briefly state that existing rules regarding data localization and cross-border data transfers (e.g. under the PIPL and related measures) continue to apply, save that in addition PBOC’s approval is required if a Data Handler plans to share any Regulated Data with any international organizations or foreign financial services administrative authorities. This latter measure could create practical difficulties when balancing regulatory requests for information.
Detailed technical requirements: The Draft Measures focus on the effectiveness of technical measures implemented to protect Regulated Data. In addition to the basic MLPS (multi-level cybersecurity protection regimes) requirements, the Draft Measures also set out detailed technical requirements concerning data input protocols, watermarks must be used, interface technical specifications, data recovery time and resilience testing requirements, etc. Data Handlers are also required to classify data incidents into different levels and implement level-specific incident responsive measures. Again, it will be interesting to see whether more granular requirements or standards are to be published subsequently, and how they align with current international best practices.
Since the issuance of the PRC Data Security Law (“DSL”), sectoral authorities have been formulating rules to regulate data security matters within their respective jurisdictions. The Draft Measures reflects PBOC’s approach in implementing the DSL requirements within the financial services industry. The focus is in particular on the establishment of data categorization and grading systems within the industry, and the formulation of category and grade specific data security requirements. Data Handlers must record and report their internal data categorization and grading results, which will form the basis for PBOC’s formulation of important data catalogue(s) for this industry – which themselves are highly anticipated.
Before the Draft Measures, PBOC has issued several important financial data security standards, such as the Guidelines on Data Security Classification for Financial Data Security (JR/T 0197-2020) and the Specification on Data Life Cycle Security for Financial Data Security (JR/T0223-2021). The Draft Measures requirements in general are consistent with those earlier standards.
Next steps: Assuming there will not be significant changes to the Draft Measures before they are implemented, it is time for Data Handlers to start – if they have not already done so as part of PIPL compliance programmes – thoroughly mapping out their Regulated Data processing activities, covering both personal data and industry or business data. Based on the mapping results, data categorization and grading work must be started to form the basis for establishment of data protection framework and supporting policies and procedures once the Draft Measures are finalised and come into force.