Yi Gang: Speech – Hong Kong FinTech Week 2021

Speech by Mr Yi Gang, Governor of the People's Bank of China, at the Hong Kong FinTech Week 2021, 3 November 2021.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Central bank speech  | 
13 December 2021

Thank you Eddie for inviting me. I'm glad to participate in the Hong Kong Fintech Week, and share with you some of my observations on personal data protection.

With the rapid development of fintech, the issue of personal data protection has come to the fore.

Fintech has developed rapidly over the past decade. Technologies such as AI (A), big data (B), cloud computing (C), distributed ledger (D) and e-commerce (E) have been increasingly integrated into the financial sector, making financial services more inclusive, convenient and efficient.

Big Data is at the heart of the above-mentioned technologies. The companies that have large data traffic could accumulate data, and acquire new customers. They could enjoy steady data flow if customers remain loyal. As a result, bigtechs have increasingly gained an upper hand in assessing, using and storing data.

And that leads to the issue of personal data protection. Protection of personal privacy is a must, when each and every move of us has a record in data. Some bigtechs have either collected data without permission or misused them. There are also cases of customer data leakage. Therefore, it is urgent to strengthen personal data protection.

Drawing on international experiences, we have strengthened personal data protection.

Many jurisdictions have adopted legislation to protect personal data. For example, the EU issued the General Data Protection Regulation (GDPR) in 2018, which defines the rights of individuals and the responsibilities of data processing entities. The GDPR provides a useful reference for other economies.

China attaches great importance to data protection legislation. Relevant laws and regulations were issued as early as 1992, which laid out obligations of financial institutions in protecting customer data. This year, the Data Security Law and the Personal Information Protection Law were promulgated in June and August respectively. A legal framework for personal data protection has taken shape.

Personal data protection is also high on the agenda of the People's Bank of China. Since 2005, the PBOC has introduced regulations on data protection in the areas of anti-money laundering, consumer protection and credit information. Recently, we have focused on cracking down on excessive collection of consumer data and "unfair clauses", which require consumers to hand over personal information in exchange for financial services. At the same time, financial institutions are required to collect, use and store information for legitimate purposes and in strict accordance with the principles of lawfulness and minimum necessity, to protect privacy when using personal information for commercial purposes.

On September 30th, the PBOC issued the Administrative Guideline for the Credit Information Business. It defines personal credit information, and regulates credit information business, from data collection to processing and sharing. Fintech companies are also required to carve out their personal credit information units, and provide such services to financial institutions through licensed entities.

Going forward, we will continue to improve the legal framework for personal data protection in the financial sector and strengthen regulation accordingly.

Lastly, let me share some thoughts with you on strengthening personal data protection.

First, a sound legal and regulatory framework is the cornerstone of personal data protection. With a legal system up and running, regulation will be carried out by government agencies in China on a level ground in accordance with law.

Second, the ultimate purpose for data protection is to promote its proper usage. On the premise of protecting personal privacy, we will try to define data ownership in a more accurate manner, facilitate data transactions and promote fairer use of data, to unleash the vitality and innovation capacity of market players.

Third, data protection calls for international cooperation. Given the cross-border, cross-sector and cross-region nature of fintech, national authorities, including the legislative, the judicial and the administrative bodies, should strengthen domestic and international coordination in such fields as anti-trust, data and consumer protection. In particular, we should join hands to set standards for personal data protection.

Ladies and gentlemen, let's work together to better address the challenges posed by fintech to personal data protection, and harness its power for good.

Thanks.