Protecting clients’ personal information is one of the most fundamental obligations of banks and other financial institutions. With the successive promulgation of the Civil Code, the Data Security Law and the Personal Information Protection Law (PIPL), the scope, principles and legal consequences of personal information protection have been further clarified.
While commercial banks enjoy certain built-in advantages in collecting massive amounts of personal information from clients, their use, storage and disclosure of such information are closely scrutinised by regulators when appraising how the banks perform their duty to protect that data. Failure to perform these duties exposes commercial banks to civil, administrative and even criminal liability.
PRINCIPLES OF PROCESSING
Personal information is divided by law into two categories: general personal information, which applies across the board, and personal financial information, which is unique to the financial industry. Article 1034 of the Civil Code provides the definition of personal information. Personal financial information, on the other hand, includes account information, identifying information, financial transaction information, personal identification information, property information, borrowing and loan information and other information reflecting the financial status of the data subject, according to the Personal Financial Information Protection Technical Specification, an annex to the Notice by the People’s Bank of China Regarding Issuance of a Financial Industry Standard and Effective Technological Management of Personal Financial Information Protection.
Regarding the basic principles commercial banks must follow when processing personal information, a new article was added to the Law on Commercial Banks to address “personal information protection and data security”. It stipulates that when collecting, storing and using personal information, commercial banks must abide by laws and administrative regulations and follow the principle of what is “lawful, legitimate and necessary”. They must also obtain the individual’s consent and explicitly state the purpose, method and scope of collecting, storing and using such information.
The principle of necessity requires that there must be an explicit and rational purpose for processing personal information. Only the minimal amount of information needed to meet the designated purpose should be collected, and it should be processed in a manner that has the least impact on the personal interests of the subject. Commercial banks may not process any personal information unrelated to the stated purpose, nor collect any personal information unrelated to their business operations.
In terms of obtaining personal consent, commercial banks should note that consent must be given voluntarily and explicitly by a fully informed data subject:
- Where required by laws or administrative regulations, separate or written consent must be sought for processing certain information;
- In the case of any changes to the purpose, method or scope of personal information processing, banks should re-obtain personal consent; and
- When processing personal information of minors under the age of 14, consent must be given by their parents or other guardians.
Consent for personal information processing may be withdrawn after it has been given. Personal information processors should establish a mechanism through which such consent can be withdrawn with relative ease. Withdrawal, however, does not affect the validity of any personal information processing carried out before the consent was withdrawn.
Administrative penalties imposed on banks in relation to personal information protection typically involve illegal inquiries into, divulging of, or trading in client information, or insufficient security management. Administrative penalties for commercial banks that illegally provide or sell personal information, or divulge such information through negligence, include compliance audits, orders to rectify, and fines. These are set out in laws and regulations including the Anti-Money Laundering Law, the Law on Resident Identity Cards, the PIPL, the Regulation on the Administration of the Credit Investigation Industry, and the Implementation Measures of the People’s Bank of China for Protecting Financial Consumers’ Rights and Interests.
Articles 1182 and 1183 of the Civil Code provide that if infringement on a natural person’s personal information causes any property damage, compensation will be made according to the damages sustained. If it causes serious mental distress, the victim will be entitled to compensation for any pain and suffering. Apart from compensation, the victim may also request a formal apology from the bank and restoration of personal information, along with other civil liabilities under article 179 of the Civil Code.
In addition, the PIPL sets out rules on presumption of fault and joint liability in personal information processing. In other words, a personal information processor that cannot prove it was not at fault must bear compensation and other tort liabilities. Where two or more personal information processors are involved in an infringement, they bear joint and several liability.
Under article 253 of the Criminal Law (2017 Amendment), infringing on a citizen’s personal information, such as by illegally selling or providing a citizen’s personal information to others, is a criminal offence. In serious cases, infringers face imprisonment of not more than three years or criminal detention, with a fine imposed either in addition or on its own; in particularly serious cases, imprisonment of three to seven years together with a fine. Illegally selling or providing to others a citizen’s personal information obtained in the course of performing duties or providing services attracts the heavier end of these penalties.
Personal information in this context refers to various types of information electronically or otherwise recorded that, individually or when combined with other information, could identify a specific natural person or reflect the activities of a specific natural person. These include, but are not limited to, name, ID number, contact information, address, account and password, asset status and whereabouts.
Yao Xiaomin is a partner and Wang Yao is an associate at Lantai Partners
29th Floor, Tower B, Disanzhiye Mansion
A1 Shuguang Xili, Chaoyang District
Beijing 100028, China
Tel: +86 10 5228 7777
Fax: +86 10 5822 0039