Jiang Xiangyu: Research on Legislation and Supervision of Financial Data Protection in China
Jiang Xiangyu, Shanghai Law Society

Jiang Xiangyu is director of the Financial Law Research Association of the Shanghai Law Society, secretary-general of its Special Committee on Fund Law, senior consultant at Shanghai Xieli Law Firm, and holds a doctorate in law.
I. The concept and scope of financial data
Academic and practical circles differ in how they use the concepts of data and information. In the discussions of most researchers at home and abroad, "data" emphasizes the property of being automatically processable by machines and equipment, while "information" emphasizes the content conveyed. Although the two words differ semantically, and countries make different choices when expressing the related meanings in legislation, the two concepts of "data" and "information" are often used interchangeably, because data protection is inseparable from the use of information technologies such as computers and networks. It is sometimes difficult to distinguish data from information. Information always depends on data for its storage and transmission; in the digital environment in particular, information is transformed into data consisting of meaningless "0"s and "1"s that can be read and understood only by a specific system, and in that case data and information are equivalent. The concept of "data" is used uniformly here.

At present, there is no clear definition of financial data in China’s legislation. Generally speaking, financial data is data collected and used by financial institutions. For personal financial data, Article 27 of the Implementation Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests stipulates: "Personal financial information as mentioned in these Measures refers to personal information obtained, processed and kept by financial institutions through business or other channels, including personal identity information, property information, account information, credit information, financial transaction information and other information that reflects certain situations of specific individuals." The "Trial Measures for the Protection of Personal Financial Information (Data)" drafted by the People’s Bank of China states that personal financial information "refers to natural person information obtained, processed and preserved by financial institutions through business or other channels, including but not limited to natural person identity information, property information, account information, credit information, financial transaction information and other information reflecting certain situations of specific natural persons, but excluding natural person information that cannot be identified or associated with specific individuals after technical processing and cannot be recovered".
The Technical Specification for the Protection of Personal Financial Information issued by the People’s Bank of China on February 13, 2020 stipulates that "personal financial information" refers to personal information obtained, processed and saved by financial institutions through providing financial products and services or other channels, mainly including account information, identification information, financial transaction information, personal identity information, property information, loan information and other information that reflects certain situations of specific individuals.
What counts as a financial institution has long been a matter of dispute. From the perspective of the data controller, financial institutions should include not only traditional licensed financial institutions but also newly licensed financial institutions related to the Internet, as well as local financial organizations (institutions). The Technical Specification for the Protection of Personal Financial Information provides that "financial institutions refer to licensed financial institutions supervised and managed by the national financial management department and related institutions involved in personal financial information processing".
Based on the focus of data supervision, financial data can be divided into three parts: personal financial data, important financial data and other financial data. Personal financial data and important financial data are regulated by special legislation and subject to special regulatory requirements, while other financial data are mainly subject to general data supervision laws and regulations. Personal financial data is a subset of personal data and the most sensitive part of financial data, because it involves all kinds of sensitive personal information. It comes from many financial activities, such as securities, banking, insurance and macroeconomic supervision, and includes both customers’ static basic personal information and the dynamic transaction data that financial institutions obtain in the course of transactions. As for the important data within financial data, because it is of great significance to national financial security and risk prevention, it also needs close attention, and its scope and protection methods should be clarified as soon as possible.
The Technical Specification for Personal Financial Information Protection classifies personal financial information, in descending order of sensitivity, into categories C3, C2 and C1 according to the impact and harm caused by unauthorized viewing or unauthorized alteration of the information. C3 information is mainly user authentication information; once such information is viewed or altered without authorization, it causes serious harm to the information security and property security of the personal financial information subject. C2 information mainly refers to personal financial information that can identify the identity and financial status of a specific personal financial information subject, and key information used for financial products and services. C1 information mainly refers to the institution’s internal information assets, chiefly personal financial information for the financial institution’s internal use. Financial institutions should first identify the personal financial information involved in their daily operations, classify it according to the C3, C2 and C1 sensitivity levels in the Specification, and try to link and coordinate this with their existing internal classification of data assets. In addition to classifying personal financial information by sensitivity according to the Specification, particular attention should be paid to high-sensitivity information that may be generated by the correlation, combination or analysis of low-sensitivity information.

In terms of content, financial data has two parts: the original information collected in various ways in business activities, and the secondary information obtained after the original information has been analyzed, sorted and processed by big data. When defining financial data, we should not be limited to the data itself but should comprehensively consider the processes of data generation, conversion, use, transmission, storage, encryption, decryption and destruction. Through these processes, financial data takes on different forms, falls under the control of different subjects, and performs different functions.
II. The background and characteristics of financial data protection
(1) Financial data protection and the confidentiality obligations of financial institutions towards customers
The financial industry has by its nature attached great importance to data protection. Compared with other fields, its protection of data, in both concept and measures, can be said to be earlier and stronger. Because personal assets are at stake, the financial industry imposed higher requirements on the confidentiality obligations of financial institutions from its very formation (financial data can basically be included in the scope of "sensitive information"), and the financial supervision department has always regarded the confidentiality obligation as a focus of financial supervision. This took shape before the era of big data. For example, financial institutions are required to keep customers’ identity data, account information and transaction information confidential, and may not provide them to, or allow inquiries from, outside parties unless otherwise stipulated by laws and regulations. The People’s Bank of China also emphasizes the protection of personal information/data from the perspective of protecting the rights and interests of financial consumers.
However, the traditional confidentiality of financial institutions’ customer information and protection of financial consumers’ rights and interests operate in a different dimension from the protection of customer information and data in the era of big data. In the era of big data, customer information has generally been informationized and digitized, and the traditional confidentiality of customer information and protection of financial consumers inevitably extend to the protection of customers’ financial information and data. Article 23 of the Trial Measures for the Protection of Personal Financial Information (Data) of the People’s Bank of China stipulates that "financial institutions shall establish and improve the personal financial information protection system in the whole life cycle according to the laws, regulations and rules on personal information protection, data security and network security and the provisions of relevant competent departments."

The Technical Specification for Personal Financial Information Protection issued by the People’s Bank of China on February 13, 2020 sets out comprehensive and systematic requirements for financial institutions’ financial data protection obligations, which is of landmark significance. The Specification requires financial institutions to establish a personal financial information protection system, clarify work responsibilities and standardize work processes. The management scope of the system should cover the institution itself, outsourcing service institutions and external cooperation institutions, and the relevant rules should be issued and communicated to the institution’s employees and external cooperation parties. The rules should at least cover personal financial information protection management regulations, daily management and operation procedures, management of outsourcing service institutions and external cooperation institutions, internal and external inspection and supervision mechanisms, and emergency handling procedures and plans. The Specification also sets out the following specific requirements:

1. Formulate regulations on the protection and management of personal financial information, setting out the institution’s guidelines, objectives and principles for personal financial information protection.
2. Manage personal financial information by category. Corresponding security strategies and safeguards should be implemented for personal financial information of different categories and sensitivity levels.
3. Establish daily management and operation processes. Specific protection requirements should be set for the collection, transmission, storage, use, deletion and destruction of personal financial information, and time-limit (retention period) rules for personal financial information should be formulated to ensure compliance with laws, regulations and the relevant rules of the industry’s competent departments.
4. Establish a hierarchical authorization management mechanism for information systems. Without affecting the performance of legal obligations such as anti-money laundering, the institution should define the authority and scope of use of personal financial information for its personnel and establish a dedicated authorization approval process.
5. Establish management norms and systems for the desensitization of personal financial information (such as masking, de-labeling and anonymization), and clarify desensitization rules, desensitization methods and use restrictions on desensitized data for personal financial information at each sensitivity level.
6. Establish a personal financial information security impact assessment system in accordance with relevant national and industry standards, and conduct such assessments regularly (at least once a year).
7. Establish a management system for outsourcing service institutions and external cooperation institutions, including but not limited to:
   a. Review and evaluate the relevant outsourcing service institutions and external cooperation institutions throughout the life cycle of personal financial information, and assess whether their personal financial information protection capability meets the requirements of the state, the industry’s competent departments and the financial institution; restrict outsourcing service institutions and external cooperation institutions from retaining C2 and C3 information through agreements or contracts; where it is genuinely necessary to retain payment account numbers or other C2 information for business needs such as clearing or error handling, the financial institution should clarify their confidentiality obligations and responsibilities, implement security controls according to the security requirements, and keep the relevant information on file for future reference; for outsourcing service institutions, external cooperation institutions and their personnel who may access personal financial information, the financial institution should require those institutions to convey the personal financial information protection security requirements to the relevant personnel, sign confidentiality agreements with them, and supervise the implementation of the agreements.
   b. The database storing personal financial information should not be handed over to an external cooperation institution for operation and maintenance.
   c. The implementation of personal financial information protection measures by outsourcing service institutions and external cooperation institutions shall be confirmed regularly, including but not limited to external information security assessment and on-site inspection.
   d. Where national laws and regulations or the industry’s competent department provide otherwise, those requirements shall be followed.
8. Establish a personal financial information security inspection and supervision mechanism. The institution should establish a daily inspection mechanism and workflow for personal financial information security, regularly evaluate shortcomings in personal financial information management, and adjust the inspection mechanism and workflow in time.
9. Incorporate personal financial information leakage and related incidents into the emergency response mechanism for the institution’s information security incidents, and formulate dedicated processes and plans. Regularly evaluate the emergency handling processes and plans, respond to personal financial information security incidents promptly and effectively, and reduce the losses and adverse effects caused by security incidents.
10. Establish procedures for handling complaints about personal financial information, clarify the departments and procedures for accepting complaints, and, when the subject of personal financial information requests correction or deletion of personal financial information collected by the financial institution, accept and verify the request and handle it according to the requirements of the state and the industry’s competent departments.
11. Clarify the periods for sharing, storing, using and destroying personal financial information, with the ability to control the retention period of stored personal financial information.
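As an added illustration of the C3/C2/C1 tiering above and of the desensitization and outsourcing-retention requirements just summarized, the following Python example (written for this page, not taken from the Specification or from any institution's code) classifies a customer record by sensitivity tier, escalates combinations of low-sensitivity fields, drops C3 and masks C2 fields before export, and lists the fields an external party may not retain. The field-to-tier mapping, the quasi-identifier rule and the balance bands are assumptions made for illustration.

```python
"""Illustrative handling of the C3/C2/C1 sensitivity tiers of personal financial
information. Constructed example for this page, not code from the Specification
or from any financial institution; the field-to-tier mapping, the masking rules
and the combination-escalation rule are assumptions made for illustration."""
from enum import IntEnum


class Tier(IntEnum):
    C1 = 1  # internal information assets
    C2 = 2  # identifies the subject's identity or financial status
    C3 = 3  # user authentication information


# Assumed mapping of record fields to tiers (not taken from the Specification).
FIELD_TIER = {
    "login_password": Tier.C3,
    "payment_pin": Tier.C3,
    "id_number": Tier.C2,
    "payment_account": Tier.C2,
    "account_balance": Tier.C2,
    "branch_code": Tier.C1,
    "birth_year": Tier.C1,
    "customer_segment": Tier.C1,
}

# Assumed rule for "high-sensitivity information generated by combining
# low-sensitivity information": two or more of these C1 quasi-identifiers
# in one record can single out a person, so the record is handled as C2.
QUASI_IDENTIFIERS = {"branch_code", "birth_year", "customer_segment"}


def field_tier(name):
    """Tier of a single field; unknown fields fail closed to C2."""
    return FIELD_TIER.get(name, Tier.C2)


def classify_record(record):
    """Highest tier among the fields, escalated for quasi-identifier combinations."""
    tier = max((field_tier(k) for k in record), default=Tier.C1)
    if tier == Tier.C1 and len(QUASI_IDENTIFIERS & set(record)) >= 2:
        tier = Tier.C2
    return tier


def _mask_digits(value, keep_last=4):
    """Replace all but the last `keep_last` characters with '*'."""
    s = str(value)
    return "*" * max(len(s) - keep_last, 0) + s[-keep_last:]


def _balance_band(amount):
    """Coarsen an exact balance into a band so financial status is not exposed."""
    if amount < 10_000:
        return "<10k"
    if amount < 100_000:
        return "10k-100k"
    return ">=100k"


def desensitize(record):
    """Tier-specific desensitization before data leaves the operational system:
    C3 fields are dropped, C2 fields are masked or banded, C1 fields pass through."""
    out = {}
    for key, value in record.items():
        tier = field_tier(key)
        if tier == Tier.C3:
            continue  # authentication secrets are never exported
        if tier == Tier.C2:
            out[key] = _balance_band(value) if key == "account_balance" else _mask_digits(value)
        else:
            out[key] = value
    return out


def retention_violations(record, allowed_c2=frozenset()):
    """Fields an outsourcing or external cooperation party must not retain.
    C3 is never allowed; C2 only for fields explicitly approved and documented
    for a business need such as clearing (e.g. the payment account number)."""
    violations = []
    for key in record:
        tier = field_tier(key)
        if tier == Tier.C3 or (tier == Tier.C2 and key not in allowed_c2):
            violations.append(key)
    return violations


if __name__ == "__main__":
    # Constructed sample record; all values are fictitious.
    sample = {
        "login_password": "hunter2",
        "id_number": "110101199001011234",
        "payment_account": "6222021234567890",
        "account_balance": 52_000,
        "branch_code": "SH001",
    }
    print(classify_record(sample).name)
    print(desensitize(sample))
    print(retention_violations(sample, allowed_c2={"payment_account"}))
```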

(2) The traditional protection concept of financial institutions versus the digital economy and digital finance
There is a tension between the customer data confidentiality requirements of the traditional financial industry and data protection in the data age. Under traditional financial services, financial institutions’ security obligations focused mainly on protecting customers’ personal and property safety, preventing customers’ funds from being lost or stolen, and protecting customers’ financial information. In the era of big data and artificial intelligence, customers’ information security (data security) and capital security have gradually become the focus, and information security (data security) has become the core content of financial institutions’ security obligations. The traditional concept of protecting financial data is no longer adequate. While data security must be ensured, the sharing and use of financial data is of increasing significance to the business development and risk control of the financial industry; that is, data-driven artificial intelligence will deliver increasing commercial value. In an era of sharing and rational use of big data, the data-driven approach also faces the problem of protecting personal information, and the financial field urgently needs to integrate the concept of data protection for the era of big data and artificial intelligence.
At the same time, financial data protection usually involves sensitive personal information that is highly accurate; in particular, account data, transaction data and credit data may be used by counterparties or outsiders in ways that cause economic losses to customers. Moreover, given the volume and complexity of financial industry data, the actual risk of financial data leakage is greater, which places higher demands on the risk control, information security and data protection capabilities and the technical processing means applied to financial data.

(3) Changes in financial data controllers
With the advent of the digital economy, and leaving aside the financial supervision department, the controllers of financial data are no longer limited to traditional licensed financial institutions such as banks, securities companies and insurance companies. Large technology companies and Internet companies have entered the financial field. For example, Alibaba Group and Tencent have obtained numerous financial licenses, and Ant Financial has been included in the pilot scope of national financial holding companies, which allows it to carry out new financial services that combine finance with the Internet, such as payment services, online banking and online insurance. These companies have hundreds of millions of users, and the amount of personal financial data and important data they collect is huge. Reasonable sharing and use of the massive data they control can bring great benefits to society. From another perspective, however, Internet companies entering the financial field face the problem that risk appetite and risk culture take time to build. The combination of the Internet and finance is essentially a financial business that requires strict financial supervision, and it takes time for Internet companies to truly accept this. Therefore, if these large Internet platform enterprises are not subject to the necessary financial supervision, or monopolize data within their own domains and form "data islands", this poses great potential risks to public interests and personal privacy.

In recent years, problems such as P2P lending and the outsourcing of financial institutions’ risk control have emerged in the field of Internet finance. Data companies outside the traditional financial institutions, or so-called financial technology companies, have collected and used large amounts of personal financial data by means of illegal data crawlers, helping financial institutions or P2P companies carry out loan risk control or debt collection without a lawful basis, which has caused negative social consequences.
It must be noted that financial data controllers have evolved from traditional financial licensees to newly licensed financial institutions born out of Internet companies, and even to non-financial institutions. Specifically, financial data controllers mainly comprise three types of subjects: first, traditional financial institutions, including banks, securities companies, insurance companies and so on, which hold users’ financial assets, liabilities and transaction information; second, third-party organizations, including payment platforms, e-commerce platforms, logistics channels and their combinations, which hold users’ non-financial transaction information (such as shopping, sales and logistics data, which is useful for analyzing users’ behavior patterns) and some financial transaction information; third, platforms holding cross-institutional and cross-platform full transaction data (such as UnionPay and Network Link) and credit information platforms (such as People’s Bank of China Credit Information and Hundred Banks Credit Information).
III. Overview of legislation and supervision of financial data
(1) Legislation on overseas financial data
1. Legislative model
With the advent of the digital economy era, formulating laws and regulations on data protection has become an important legislative task for countries around the world. The European Union and the United States are the two main representatives of data legislation and have adopted different legislative models. The EU has adopted a comprehensive legislative model for the protection of personal information, with the General Data Protection Regulation (GDPR) as its core legislation. The GDPR is very strict: it treats data as a fundamental right of the data subject and establishes the highest protection standard, exemplified by the right to be forgotten. The United States has adopted sector-specific legislation. At the federal level there is no comprehensive personal information protection statute comparable to the GDPR; instead, in addition to general privacy and personal information protection laws, special provisions on personal information protection are made for the financial field, backed by strict penalties for violations. If the EU model is based on "basic data rights", the United States model is based on "free market and strong supervision".
2. Overview of legislation in EU and USA
The main financial data-related legislation in the EU comprises the GDPR and the Payment Services Directive 2 (PSD2). EU legislation gives no special definition of financial data, nor does it recognize financial data as a special category of personal data.
The main legislation related to financial data in the United States includes the Gramm-Leach-Bliley Act (GLBA) and Regulation P: Privacy of Consumer Financial Information (hereinafter "Regulation P"). GLBA marked the point at which the U.S. Congress began to address the privacy protection of users’ financial information in the Internet context. Title V of the Act is dedicated to the privacy policies of financial institutions and applies to all financial institutions. The Act further requires financial institutions to explain in detail how they collect, share and protect the personal information of financial consumers. To implement the Act, the major U.S. financial regulators have issued a series of industry rules and supplementary rules clarifying the restrictions on information flows, the opt-out mechanism and the specific clarity requirements for consumer notices. Regulation P provides that: (1) financial institutions must inform consumers in a clear and conspicuous way under what circumstances they will disclose consumers’ non-public information to affiliated enterprises or non-affiliated third parties; (2) financial institutions must regularly inform customers of their privacy policies in a clear and conspicuous way; (3) financial institutions must provide consumers with an opt-out mechanism to prevent personal information from being illegally disclosed to other third parties. Financial institutions supervised by the eight federal regulatory agencies, namely the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision (OTS), the Federal Deposit Insurance Corporation, the Securities and Exchange Commission, the National Credit Union Administration, the Federal Trade Commission and the Commodity Futures Trading Commission, must comply with Regulation P.
At the same time, the above regulators have also specially issued the "Standards for the Security and Confidentiality Protection of Customer Information", which set security standards for consumers’ personal information and transaction records in terms of management, technology and inspection procedures, so as to implement the information security requirements of GLBA in concrete terms.
(2) Overview of China’s financial data protection legislation
At present, China has no separate legislation on personal information protection or data protection; the Cyber Security Law and the relevant financial industry laws contain only general, principle-level provisions. Specific legislation on financial data protection is found mainly in departmental rules and national standards. For example, in December 2016 the People’s Bank of China promulgated the Implementation Measures for the Protection of Financial Consumers’ Rights and Interests, which clearly require financial institutions to establish and improve internal control systems for protecting financial consumers’ rights and interests; Chapter 3 of the Measures sets out, in a dedicated chapter, the institutional framework for the protection of personal financial information. Although China’s legislation has begun to regulate the protection of personal financial information, because of the new problems and risks brought by the era of big data, the pace of legislation lags somewhat behind the times. In the era of big data, financial information is becoming more dynamic and broader, including non-content metadata in addition to general financial information, which traditional information protection legislation does not address. Specifically, the current state of China’s financial data legislation has the following characteristics:
(1) Legal provisions on financial data are found mainly in the policy documents and departmental rules of the financial supervision departments. A preliminary normative system has taken shape, but its legal level is not high and it is scattered across the laws of various sectors.
(2) The legislative approach starts mainly from the traditional perspective and concept of customer information confidentiality in financial business, rather than from the perspective of personal information protection covering information collection, control, processing and sharing, which leaves the legislative supply for digital finance insufficient.
(3) The provisions on rights and obligations in financial data protection are mostly stated at the level of principle, the binding force and legal consequences of their implementation are relatively loose, and actual implementation and supervision are weak.
It is noteworthy that the specialized laws, the Personal Information Protection Law and the Data Security Law, have been included in the legislative plan of the 13th National People’s Congress Standing Committee (NPCSC) and are expected to be promulgated soon. The People’s Bank of China has also issued the "Trial Measures for Personal Financial Information (Data) Protection (Draft)" for comments. The above problems await the completion of the top-level design of the Personal Information Protection Law and the Data Security Law.

At present, the specific legal norms, policy documents and standards related to financial data protection in China are summarized as follows:
1. Legal level
At the legal level, provisions on the protection of financial data are found in the Civil Code (draft for comment), the General Principles of Civil Law, the Cyber Security Law, the Consumer Protection Law, the Electronic Commerce Law and the Criminal Law. Among them, the Cyber Security Law provided the most comprehensive legal provisions on data security and personal information protection before the promulgation of the Personal Information Protection Law and the Data Security Law. The Cyber Security Law is conceptually in line with current international rules and with the personal information protection legislation of Europe and the United States, and incorporates the main principles of personal information protection, including the principle of clear purpose, the principle of consent and choice, the principle of minimum sufficiency, the principle of openness and transparency, the principle of quality assurance, the principle of ensuring security, the principle of subject participation, the principle of clear responsibility and the principle of disclosure restriction.
In addition, legislative documents at the legal level include the Decision of the Standing Committee of the National People’s Congress on Strengthening the Protection of Network Information adopted in 2012, Criminal Law Amendment VII adopted in 2009, and Criminal Law Amendment IX adopted in 2015. At the same time, the national legislature has made scattered provisions on the protection of financial data in the separate financial laws governing securities, banking, funds, insurance and other industries, mainly from the perspective of customer confidentiality. For example, Article 6 of the Law on Commercial Banks stipulates: "Commercial banks should protect the legitimate rights and interests of depositors from any unit or individual." Article 29 stipulates: "Commercial banks should follow the principle of … keeping depositors confidential when handling personal savings deposit business. For personal savings deposits, commercial banks have the right to refuse any unit or individual to inquire, freeze or deduct, except as otherwise provided by law." Paragraph 1 of Article 5 of the Anti-Money Laundering Law stipulates: "Customer identity information and transaction information obtained by performing anti-money laundering duties or obligations according to law shall be kept confidential; it shall not be provided to any unit or individual except in accordance with the law." Article 41 of the Securities Law revised in 2019 stipulates: "Securities trading places, securities companies, securities registration and settlement institutions, securities service institutions and their staff shall keep investors’ information confidential according to law, and shall not illegally buy, sell, provide or disclose investors’ information. Securities trading places, securities companies, securities registration and settlement institutions, securities service institutions and their staff shall not disclose the business secrets they know."
2. Administrative regulations and departmental rules
Administrative regulations and departmental rules that provide for the protection of financial data mainly include: the Provisions on the Real-Name System for Personal Deposit Accounts (Order No.285 of the State Council), the Measures for the Administration of RMB Bank Settlement Accounts (Order No.5 of the People’s Bank of China [2003]), the Measures for the Administration of Customer Identification and Customer Identity Information and Transaction Records of Financial Institutions (Order No.2 of the People’s Bank of China [2007]), the Interim Measures for the Administration of the Basic Database of Personal Credit Information (Order No.3 [2005] of the People’s Bank of China), the Regulations on the Administration of the Credit Information Industry (Order No.631 of the State Council), the Regulations on the Protection of Personal Information of Telecommunications and Internet Users (Order No.24 of the Ministry of Industry and Information Technology), the Measures for the Assessment of Exit Safety of Personal Information and Important Data (Draft for Comment) (April 2017), the Guidelines on Information Disclosure of Business Activities of Information Intermediaries in Peer-to-Peer Lending (No.113 [2017] of the Banking Commission), the Guidelines on Data Governance of Banking Financial Institutions (No.22 [2018] of the Banking Commission), the Measures for the Supervision and Management of Financial Services of Commercial Banks (Order No.6 of the China Banking and Insurance Regulatory Commission in 2018) and the Provisions on the Management of Financial Information Services (issued by the Internet Information Office in December 2018).
In May 2019, the Cyberspace Administration issued several draft regulations for comment, all of which involve the protection of financial data, including: Measures for Network Security Review (draft for comment), Measures for Data Security Management (draft for comment) and Measures for the Administration of Cross-Border Transfer of Personal Information (draft for comment). In addition, the People’s Bank of China issued the Trial Measures for the Protection of Personal Financial Information (Data) (Draft) and the Implementation Measures for the Protection of Financial Consumers’ Rights and Interests (Draft) in 2019.
3. Policy document level
Policy documents related to the protection of financial data mainly include: Notice of the People’s Bank of China on the Protection of Personal Financial Information by Banking Financial Institutions (Yinfa [2011] No.17), Notice of the Shanghai Branch of the People’s Bank of China on Issues Related to the Protection of Personal Financial Information by Banking Financial Institutions (Yinfa [2011] No.17), Notice of the People’s Bank of China on Banking Financial Institutions Further Protecting Customers’ Personal Financial Information (Y.F. [2012] No.80), Notice of the People’s Bank of China on Further Strengthening the Security Management of Credit Information (Y.F. [2018] No.102), Notice of the China Banking Regulatory Commission on Strengthening the Customer Information Management of Electronic Banking (Y.J.F. [2011] No.86), Circular of the General Office of the People’s Bank of China on the Special Inspection of Personal Financial Information Protection in 2013 (No.131 [2014] of the Bank of China) and Notice of the People’s Bank of China on Printing and Distributing the Implementation Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests (No.314 [2016] of the Bank of China).
4. National standards and industry standards
National standards and industry standards related to financial data protection mainly include: Information Security Technology – Personal Information Security Specification (GB/T 35273—2020, issued by the State Administration for Market Regulation and the Standardization Administration of China on March 6, 2020), Personal Financial Information Protection Technical Specification (issued by the People’s Bank of China and the National Financial Standardization Technical Committee on February 13, 2020), and Payment Information Protection Technical Specification (GB/T 35273—2020).
IV. Overview of Financial Data Protection Supervision in China
China has long practised strict and strong supervision in the financial sector; the requirements for licensed operation in finance have always been more demanding than those in other fields, and the regulatory approach remains one of separate operation by sector. In banking, securities, insurance and other financial fields, ministerial-level financial supervision departments have been established alongside the People’s Bank of China as the central bank, such as the China Banking and Insurance Regulatory Commission and the China Securities Regulatory Commission.
For financial data supervision, network security legislation as a whole, together with personal information protection and data security legislation, mostly highlights the role of the network information department. Article 8 of the Network Security Law stipulates: "The national network information department is responsible for coordinating network security work and related supervision and management work. The State Council telecommunications authorities, public security departments and other relevant organs shall be responsible for network security protection, supervision and management within their respective functions and duties in accordance with this Law and relevant laws and administrative regulations." Therefore, China’s approach to financial data supervision emphasizes unified supervision by departments such as network information, public security and industrial information, while also giving full play to the advantages of the industry supervisors or regulatory departments in different industries. Because financial data and financial business are closely related, the protection of financial data can be folded into existing financial business supervision, that is, into the remit of the existing financial supervision departments, so overlapping supervisory jurisdiction over data protection is likely to arise in the field of financial supervision in the future (and may arise in other fields as well).

At present, the supervision of financial data in China is as follows:
(1) Functional supervision of data security and protection
From the legislative point of view, the network information department is responsible for the supervision of personal information security, and the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, and the State Secrecy Bureau all have the right to punish issues involving personal information security within their scope of duties according to relevant legislation.
(2) Supervision by the financial sector
1. From the perspective of financial industry supervision, the financial supervision departments of traditional financial institutions such as securities, banks and insurance are in a favorable position and can supervise and punish the financial data protection of financial institutions on a daily basis.
2. Financial supervision of Internet enterprises and technology enterprises. In practice, a large number of financial data controllers are not financial institutions but large technology companies and Internet enterprises. If such enterprises engage in licensed financial business such as payment, credit and insurance, they control and process financial data, and they should be subject to supervision by the competent department according to the types of financial business they engage in.
(3) Supervision of competition order involving data competition
In the process of sharing and using financial data, it is easy to produce "data islands" and unfair competition behaviors, and national and local market supervision departments, including anti-monopoly departments, have the right to investigate and punish them.

It can be seen that if only the financial supervision department supervises financial data, professional knowledge in the field of data will be lacking, and if supervision is left entirely to network security protection departments such as the Cyberspace Administration, consideration of the financial attributes of the data may be lost; at the same time, the entry of large technology companies and Internet companies into the financial sector has increased the complexity and potential risks of supervision, and has also posed new regulatory challenges for data competition in the data age.
Therefore, in the Personal Information Protection Law and the Data Security Law now being formulated, the first problem to solve is the confusion in the legal system caused by the current decentralized legislation on personal data protection; the general issues of personal data protection should be clearly defined so as to enhance the stability of legal application and the predictability of legal outcomes. At the same time, the coordination of financial data supervision should also be stipulated, and it is imperative to establish an effective financial data supervision mechanism oriented towards the future of the digital economy.
Article 5 of the Measures for the Administration of Data Security (Draft for Comment) stipulates that, under the leadership of the Central Cyber Security and Informatization Committee, the national network information department shall coordinate, guide and supervise the security protection of personal information and important data, which is the more practical arrangement. For financial data supervision, the national network information department can coordinate, guide and supervise, while the competent supervision department of the financial industry conducts daily supervision.
In addition, the supervision of financial data should draw on the role of industry associations, which can encourage financial institutions to provide financial privacy protection above the legal standard by promoting self-discipline conventions on financial privacy protection among core enterprises. To prevent such a convention from becoming a mere formality, trade associations can have the enterprises that join it voluntarily accept the association’s supervision and inspection, assess the implementation of the financial institutions’ privacy policies, and publish the inspection results, so as to improve the transparency with which the convention and privacy policies are implemented and thus form public pressure on financial institutions to raise their level of privacy protection.