China Banking Regulator Intensifies Enforcement on Data Protection

China’s banking regulator to intensify enforcement actions on personal information protection

China Banking and Insurance Regulatory Commission (CBIRC) plans to initiate an enforcement campaign on personal information protection within the year, in order to urge banks to implement the Personal Information Protection Law (PIPL) took effect last November. Given the law’s extra-territorial effect, foreign banks with or without presences in mainland China may be impacted.

On 15 March, the World Consumer Rights Day, CBIRC held a press conference where Guo Wuping, head of its Financial Rights Protection Bureau, stated that CBIRC will initiate an enforcement campaign within this year, to urge banks and insurance companies to implement the PIPL and use personal information in a compliant way (more details available via the link).

The purposes and reasons of this move were also indicated under a risk alert published by CBIRC on 14 March, which pointed out that some financial institutions and Internet platforms’ violations of the PIPL have posed significant risks to the rights and interests of financial consumers.

Typical violations mentioned in the risk alert include excessive collection of personal information, implied or bundled consent, using personal information for purposes outside the scope consented by the consumers, and improper collection of personal information from external sources (more details available via the link). The risk alert also indicated that CBIRC is likely to prioritise the enforcement actions on personal banking business, though it will likely also look at corporate banking business and internal management of banks.