China’s data-security management must fill holes and be put under microscope, central bank says
- Cross-border financial information will be more intensely scrutinised by Chinese authorities, as a matter of national security
- Foreign companies are already scrambling to assess and change data policies to keep China-related information in China
The authorities who oversee China’s cross-border financial data say it must receive greater state scrutiny, and that clearer boundaries and accountability are needed in data-processing activities that the nation’s central bank engages in.
In draft guidelines posted on Monday, the People’s Bank of China (PBOC) said this enhanced scrutiny and oversight will apply to a number of areas, including currency policies, the cross-border yuan business, interbank transactions, settlements, digital yuan business, and anti-money-laundering operations.
“[The draft] aims to fill gaps in data-security management and guide data-management staff of finance-related companies to legally carry out activities related to China’s central bank,” it says on the PBOC’s website.
The draft is soliciting public feedback until August 24.
Beijing enacted a data-security law in September 2021 that has haunted foreign-funded companies and overseas-listed Chinese companies because of its vague definition of important data and local implementation.
Under the national law, the financial industry, which involves an abundance of cross-border fundraising activities, is one of the sectors required to adhere to specific regulations.
The new draft guidelines, under Article 26, say that those tasked with processing and saving data need to do so in accordance with laws and regulations.
For example, the central bank said: “Data-management people should not split or minimise exported data in order to avoid reporting to authorities. [They] should estimate the data scale and scope of the previous two years before the end of January every year. And they should store their self-assessments, data export reports and results within the expiry of approvals.”
10:57
Boom, bust and borrow: Has China’s housing market tanked?
As for international organisations and overseas financial institutions that request Chinese data, the PBOC offered a boilerplate line about responding in accordance with Chinese laws and global covenants.
“Data processors must not supply data to [international entities] without approval from the PBOC or other government departments,” it added.
DEPA aims to promote a space for members to work together and build up their digital economy.
But analysts say that Beijing will have to clarify its data-security regime to reduce barriers for businesses.
Global consultancy Ernst & Young said that many Chinese and globally operating companies are “hastening to assess” their data-compliance maturity levels and improve their processes.
“Multinational companies face the dilemma of whether to adopt the most stringent data-privacy and -security measures wherever they do business, or follow the least-restrictive guidelines allowed,” the firm added on its website.
“Based on their current business models and future growth plans, companies are carefully assessing their risks and evaluating their options.”
“In the financial services sector, members highlighted challenges in complying with new data-security laws before the deadline introduced by the regulator,” the chamber said.
