PBOC Issues over $5.5M in Fines to Big State-owned Banks for Consumer Data Breaches, New Draft Law on Personal Information Issued


The Chinese central bank is stepping up the regulation of consumer data breaches by domestic financial institutions with the issuance of huge fines to the regional branches of state-owned lenders, and the drafting of a new law on data protections.

On 21 October the Jilin municipal office of the People’s Bank of China (PBOC) announced that it had issued the local branch of a big state-owned bank with a fine of 12.23 million yuan (approx. USD$1.83 million) for offences including “infringing the right of consumers to have their personal information protected, and breaching money laundering provisions and disclosing customer information.”

The branch head incurred a fine of 17,500 yuan, while selected staff members received fines of 30,000 yuan.

On the same date three branches of another big state-owned bank were fined a total of 24.53 million yuan (approx. $3.67 million) for regulatory breaches in relation to consumer data, while Beijing also issued the draft version of the “People’s Republic of China Personal Information Protection Law” (中华人民共和国个人信息保护法) for the solicitation of opinions for the public.

The draft marks the first time that China has produced a specialist law on personal information protections, and will be open to opinions until 19 November 2020.

Domestic experts say that the fines and draft law are part of broader efforts by regulators to address long-standing inadequacies in data protections for Chinese financial consumers.

“At present financial institutions have weak awareness of personal information protection,” said Xiao Sa (肖飒), director of the Bank of China Legal Research Committee, to Securities Daily.

“Financial institutions do not adequately stress the protection of personal information in their current operating models, and this to some extent has been caused by inadequate awareness of social responsibility and excessive pursuit of profit.

“Financial institutions themselves have gaps in their internal controls, and have not established effective internal mechanisms for the protection of consumer information.

“Additionally, financial regulators have not struck sufficiently against illegal usage of personal information in the past, and this has led to many financial institutions not fully understanding the risks of their own conduct.”