While abundantly available consumer data is regarded as a core advantage for China’s big data and artificial intelligence sectors, data privacy and security has become an increasing concern as data breaches, leaks and hacks, are surfacing with increased frequency.
China’s fast-rising Fintech sector has greatly benefited from the advances in big data technologies, which have helped bring a chunk of the consumer-facing financial services industry online, enable the automation of service operations, targeted marketing, and customer services, and improve business performance.
The finance industry is one of, if not the heaviest user of big data in China. Fintech startups and established financial services are collecting an increasingly wide range of data from online services and conventional channels and applying data analytics technology to varying extents. Considering big data technologies and recent advances in artificial intelligence which has become a major new driver of economic growth, the Chinese government has been heavily promoting them, opening increasingly more data from the public sector to the finance industry. Consumers who have enjoyed the convenience and easier access to financial services provided by fintech are now more comfortable or willing to submit certain types of personal information in exchange of better financial services.
When regulations were absent, internet services tended to collect all kinds of data they could without user consent, and online sales or transfers of data became common with little to no security measures in place.
The leaks and abuses of some types of personal information exposed big problems in online lending and the finance sector in general. Large quantities of online lending records and personal information of borrowers became available for purchase online or even to download for free. In 2016, hundreds of nude selfies of young ladies holding their identity cards that had been obtained by predatory lenders as collateral were leaked online. Excessive or controversial data collection practices such as requirement to access the phone book of borrowers’, enabled harassing and abusive debt collection.
Since the Cybersecurity Law, which lays out broad privacy and security principles of the digital space, went into effect in June 2017, China has issued a series of follow-on regulations and standards on data usage and protection. Personal Information Security Specifications, considered as China’s equivalent to the General Data Protection Regulation (GDPR) by the European Union, was issued in early 2018. Recently regulators released Data Security Management Measures and Measures for the Determination of Violations of Laws and Regulations in Apps' Collection and Use of Personal Information.
Similar to GDPR, China’s regulations and standards address the extent of data collection, conditions for consent, how data is collected, shared or transferred, etc. The Chinese regulations are considered more far-reaching than the GDPR and some requirements are more onerous.
For instance, the definition of sensitive personal information, according to the Personal Information Security Specifications, is much broader than that under the GDPR. The majority of data sets used by Chinese Fintechs or financial services in general fall into this category. Not only does it include what are called alternative data, those newly adopted along with the rise of the latest boom of big data and artificial intelligence such as location data, online accounts and digital assets, and biometric information, but also the primary types of information that have been used by the finance industry, such as bank account information, credit history, credit reports, and payments and financial transaction history. Services providers using these types of data are required to explain one by one the purpose of each type of data and obtain separate consent for each purpose.
Under the Chinese regulations user consent is also required to share data with third parties. Providers of data or data services need to inform their users of the types of the data to be shared and data security capabilities of the third party before obtaining consent, and also bear legal responsibility for data security incidents taking place on the third-party service. As third-party data sources have become necessary to various fintech operations, it means data users have to build and prove their security capability before acquiring data from third parties.
For targeted ads or personalized recommendations based on big data and AI algorithms, Data Security Management Measures requires developers to clearly label these data-driven, automatically delivered content and make it easy for users to opt out. And the Personal Information Security Specifications discourages services providers to use individual profiles but grouped data to generate targeted ads.
Like the GDPR, there are also ambiguities in Chinese data protection regulations with some requirements difficult to implement, like address data minimization. But in reality, it’d be hard to decide the minimum amount of data or time needed for data-driven performance of certain services. For some machine learning-based services, an abundance of data or more historical data is always recommended.
So far it’s unclear how the Chinese regulations and standards will be implemented. But in general they pose a considerable compliance challenge to small and medium-sized fintech companies in terms of technological capability and cost. The days are long gone when a website and an online payment method were enough to set up an online financial service operation. During the recent regulatory crackdown on financial risks of the online finance sector, over the past couple of years, thousands of online financial operators that failed to comply with regulatory rules have shut. It is expected the data protection regulations will help further consolidate China’s Fintech industry.
The Chinese regulations, unlike the GDPR, don’t specify fines or other penalties for failing to comply with them. Penalties will only be issued when a data breach or crime occurs. According to the most recently issued Data Security Management Measures, penalties for security incidents include confiscation of illegal income, suspension of operations or closing websites, cancelling relevant operational permits or business licenses, and criminal penalties.
Tracey Xiang is a tech writer, specializing in ChinaTech, Digital Economy, FinTech and AI.