Privacy & Information Security Law Blog

On November 15, 2013, the People’s Bank of China (the “PBOC”) issued its Administrative Measures for Credit Reference Agencies (the “Measures”) – eight months after the Administrative Regulations on the Credit Information Collection Sector (the “Regulations”) became effective on March 15, 2013. The Measures, which will take effect on December 20, 2013, were formulated to enhance the supervision and regulation of credit reference agencies and to promote positive developments in the credit information services sector.

The Measures are intended to complement the Regulations, which established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies. The Measures provide more detail, by clarifying and specifying rules for the establishment of credit reference agencies that deal with the personal credit information of individuals (“personal credit reference agencies”). The Measures require a personal credit reference agency to first apply for pre-approval for a License for Personal Credit Reference Business from the PBOC before the agency may incorporate. In contrast, credit reference agencies that deal with enterprises’ credit information may be incorporated first, and then file with the relevant local PBOC counterpart. The Measures also require the personal credit reference agency to comply with a set of technical information security standards with respect to their credit reference business, and undergo regular assessments by a third-party institution that is qualified to assess information security safeguards.

Also pursuant to the Measures, a credit reference agency may be subject to enhanced surveillance by the PBOC (or its local counterpart) under certain circumstances, such as when the agency (1) is involved in a serious data breach incident, (2) shows signs of a possible data leakage, (3) is having major financial difficulties, (4) has been the subject of numerous complaints, or (5) has failed to comply with its reporting and appraisal obligations.

The implementation of these detailed rules for establishing and running personal credit reference agencies (and other compliance requirements) offer yet another example of increased attention to personal information protection issues by the Chinese government.

Read our previous coverage on Chinese personal information protection issues, including our post on the Supreme People’s Court of China passing of the Provisions on the Online Issuance of Judgment Documents by People’s Courts.