Legal Principles, Difficulties and System Construction of Personal Financial Information Protection

Abstract

The characteristics of personal financial information differ from those of general personal information. To ensure the healthy and orderly development of China’s financial industry in the era of the digital economy, a special personal financial information protection law should be formulated. In the context of the digital economy, there are two major problems in the protection of personal financial information: the uncertainty of some concepts and difficulties in private law relief. Personal financial information protection legislation should clarify the scope of personal financial information, the processing subject, and the criteria for judging financial privacy; and the private law relief system should be improved by establishing risk civil liability and the related causality.

Huang, H. (2023) Legal Principles, Difficulties and System Construction of Personal Financial Information Protection. Beijing Law Review, 14, 111-124. doi: 10.4236/blr.2023.141006.

1. Introduction

With the rapid development of the Internet, once personal financial privacy is leaked, it spreads rapidly and causes irreversible effects. China’s financial regulatory authorities attach great importance to the protection of personal financial information in the financial sector. On the one hand, the People’s Bank of China has issued the “Trial Measures for the Protection of Personal Financial Information (Data) (Draft)” to all banks for comments (Yang, 2020), aiming to improve the security of personal financial information through legislation and safeguard personal financial information rights. On the other hand, the Banking and Insurance Regulatory Commission issued the “Notice on Carrying out the Special Rectification Work of the Infringement of Personal Information Rights and Interests by Bancassurance Institution” (hereinafter referred to as the “Notice”), aiming to comprehensively sort out and investigate the problems and loopholes in personal information protection in the bancassurance industries through law enforcement requirements. More comprehensive provisions for the protection of personal financial information were provided in “The Implementation Measures of the People’s Bank of China for the Protection of the Rights and Interests of Financial Consumers” (hereinafter referred to as “The Measures for the Protection of Financial Consumer Protection”) issued in 2016. At the end of 2019, the Central Bank again revised the Measures and upgraded them to departmental regulations (Xing, 2022). In addition, the Chinese government has enacted a series of laws and regulations, such as the “Civil Code of the People’s Republic of China” (hereinafter referred to as “Civil Code”), the “Personal Information Protection Law of the People’s Republic of China” (hereinafter referred to as “Personal Information Protection Law”) and the “Data Security Law of the People’s Republic of China” (hereinafter referred to as “Data Security Law”).
However, the problem of personal financial information protection in the financial industry has not been completely solved, because these rules do not conform to the characteristics, laws and development of the financial industry.

Therefore, to respond to the dual appeals of reality and theory, this paper first clarifies the difficulties and deficiencies in the protection of personal financial information under the current law. It then draws on foreign models and experience in “personal financial information protection”, as well as on the institutional mechanisms and academic logic of other branches of law. Finally, it clarifies the legislative concepts, basic concepts and corresponding legal systems of “personal financial information protection”, so as to provide specific reference plans for the protection of personal financial information against the background of the digital economy.

2. Characteristics of Personal Financial Information

2.1. Personal and Public

Personal financial information has both private and public attributes. As to the private attribute, any personal information is necessarily private. According to Article 33 (3) of the Constitution, Article 1 of the Personal Information Protection Law and Title IV of the Civil Code, the right to personal information in China derives from the provisions of the law on the right of personality. The right to personal financial information, as the extension of the right to personal information in the financial field, also carries strong personality interests. As to the public attribute, personal financial information has strong public attributes, which are embodied in credit investigation, anti-money laundering and the cross-border flow of financial data. For example, if a person borrows money from different financial institutions, and the information held by those institutions is isolated and does not circulate, the financial institutions will not be able to fully grasp all the debt information of the borrower, will not be able to conduct a comprehensive and accurate risk assessment of loan security, and will not be able to carry out financial business. On the one hand, the publicity of personal financial information is the basis of public law intervention and regulation; on the other hand, it makes up for the deficiency of private law relief. Therefore, given the private and public nature of personal financial information, its protection must adopt the dual path of private law protection and public law regulation, which also means that personal financial information protection must take into account the balance between private law and public law.

2.2. Multi-Control

Multi-party control is an important characteristic of personal financial information, which is embodied in the multi-party control of personal financial information by individuals, financial institutions or financial service institutions and countries. In addition, in specific financial scenarios, personal financial information is also controlled by multiple individuals, multi-party financial institutions or financial service institutions, and multi-party regulatory authorities. The reason why personal financial information is controlled by multiple parties is that personal financial information carries the interests of multiple parties and needs to achieve the balance of interests of three parties. “Tripartite balance” refers to the balance between the interests of individuals for the protection of personal information, the interests of information operators for the use of personal information and the public interests of the state to manage the society. Balance is a state of tension, in which the core interests of each interest subject are protected and realized, and non-core interests are transferred as the condition and basis for other parties to realize their core interests. Balance is not average, which does not mean that the interests of all parties are absolutely equal in all scenarios, but that they transfer their own interests to a certain extent in different scenarios to ensure the overall interest balance.

2.3. High Sensitivity and High Value

Personal financial information has high sensitivity and high value, which belongs to the strengthening end of the “two-sided strengthening, three-sided balancing”, and is also an important reason why personal financial information should be protected by special legislation. According to the Personal Information Protection Act, personal financial information can be classified into general personal financial information and sensitive personal financial information. The Personal Information Protection Act establishes different regulation methods and protection levels through different classifications. According to the classification of the Civil Code, personal financial information can be divided into financial privacy and general personal financial information. The Civil Code determines different civil law interests and private law relief modes through different classifications. Although sensitive personal financial information has been listed by way of classification, there is no exact definition of financial privacy in law, and it must be analyzed on a case-by-case basis. However, this does not mean that the two classification methods are repetitive or conflicting. The significance of these two classification methods, sensitive versus non-sensitive information and private versus non-private information, is reflected in different elements of tort liability, namely the infringing act and the type of civil rights and interests infringed. Therefore, determining whether personal financial information is sensitive is a prerequisite for judging whether an act is illegal. In the era of big data, open banking has set off the second wave of fintech, which represents the future development direction of the modern financial industry. In essence, it realizes financial data sharing, treats data as a production factor and a valuable asset, and relies on new legal system arrangements and intelligent computer network technology.
Financial data and financial resources are reintegrated and allocated in a market-oriented way, so as to discover potential financial demand, create new financial demand, encourage financial innovation, and realize value sharing and value creation. Therefore, personal financial information has high value.

3. The Legal Dilemma of Personal Financial Information Protection

3.1. Some Concepts Are Not Yet Clear

1). The scope and processing subject of personal financial information are unclear. Although personal financial information has been stipulated through the method of “definition & enumeration” in Article 28 of the “Financial Consumer Protection Act”, in Article 1 of the “Notice” and in the “Specifications”, there are significant differences in the specific content, and it is difficult to give a comprehensive overview of personal financial information at the legal level. For example, the financial information of consumers in Article 28 of the “Finance and Consumer Protection Act” is, on the one hand, based on the legal relationship of financial consumption. On the other hand, it is limited as to the subject, referring only to “consumer information processed by banks and payment institutions through business operations or other legal channels”. Similarly, the personal financial information stipulated in Article 1 of the “Notice” is limited to “personal financial information obtained, processed and stored by banking financial institutions when conducting business, or through access to the People’s Bank of China’s credit investigation system, payment system and other systems”. Therefore, the current processing entities of personal financial information are mostly banking financial institutions and non-bank payment institutions. Not all the financial institutions and other market entities that provide financial products or financial services have been covered yet. More comprehensive regulations on personal financial information were made in the “Specifications”, but it is unclear whether financial supervision and management departments are included among financial institutions. In China, as of December 2020, there are 28 national standards and 79 industry standards related to personal financial information security, but no mandatory standard (Zeng, 2022).
The “Specifications” has no direct legal force in nature, nor can it be directly used as the legal basis for judicial decisions, though it can be cited by administrative organs in their activities or by parties in contracts, and thereby take on the corresponding legal effects. To sum up, the scope of personal financial information and the processing subject of personal financial information are conceptually indistinct, which affects the public law regulation and private law relief of personal financial information.

2). The classification of personal financial information is vague. Article 28 of the “Personal Information Protection Act” clarifies the definition of sensitive personal information and lists its types, among which financial accounts are stated to be sensitive personal information. Furthermore, sensitive personal information in the financial field is refined in the “Specification” and divided into three categories, C1, C2 and C3. Classified regulation is adopted to clarify the regulatory measures for the different categories. The regulations on sensitive personal financial information are relatively comprehensive, whereas those on financial privacy are very vague. The essence of financial privacy is the extension of privacy theory into the financial field. In the information age, information privacy has become the main object of privacy protection compared with physical privacy (He, 2017). Article 1034 of the “Civil Code” clearly distinguishes personal information into general personal information and private personal information. The two types are handled in accordance with personal information protection law and privacy rights respectively. However, in the financial field, there is not yet a definite classification of what constitutes financial privacy. The blurred classification of financial privacy may lead to a dilemma in the protection of personal financial information. On the one hand, there are difficulties in private law remedies for the protection of personal financial information. The blurred classification of personal financial information with respect to financial privacy may make it hard to judicially identify “financial privacy” in private law relief. On the other hand, there is tension between the protection of “financial privacy” and the utilization of personal financial information.
A large number of private law remedies for “financial privacy” may be triggered by the uncertainty of the definition, scope and standards of financial privacy. As a result, the use of personal financial information will be hindered, which is not conducive to the development of financial activities. In summary, the failure to clearly distinguish financial privacy from non-financial privacy in the classification of personal financial information may be detrimental to the protection and development of personal financial information.

3.2. Difficulties in Private Law Remedies

1). Damage results are not easy to quantify. In a civil damages lawsuit for personal financial information infringement, the individual must first prove that the processing behavior of the personal information processor has caused damage. According to the certainty principle of damage, the damage must have occurred, must exist objectively and must cause substantial harm. Personal information damage is intangible, latent, unknown, and hard to assess, so it is doubtful whether it meets the “certainty” standard (Tian, 2021). In other words, besides the loss directly caused by the infringement, the damage caused by the infringement of personal financial information also includes the unknown risks caused by the infringement. These risks are latent, uncertain and hard to evaluate because they have not yet caused substantial damage. Accordingly, the leakage of personal financial information does not bring deterministic losses, but increases the risk of future damage. Judicial practice in the United States faces the same issue. Those realities put federal courts in a tough spot: do federal courts flood the courts by encouraging individuals to take proactive measures to protect themselves from potentially significant financial losses and grant standing based off of a future risk of identity theft? Or do courts protect the judicial systems from a flood of litigation dealing with the growing issue by not granting standing to plaintiffs until actual identity theft occurs (Jameson Steffel, 2020)? In the context of personal financial information infringement, employees of financial institutions can easily obtain personal financial information by virtue of their positions, resulting in the leakage of personal financial information.
According to statistics in the “White Paper on Research on Crimes of Employees of Financial Institutions in China (2021)” jointly released by the China Judicial Big Data Research Institute and other institutions, as the legislation on personal information protection is continuously strengthened in China, the cases of employees of financial institutions violating citizens’ personal information are also increasing (Wan, 2022). However, the punishments in personal financial information infringement cases tend to be mainly administrative penalties. There are certain obstacles to civil damage compensation for personal financial information infringement, which is related to the intangible nature of the damage.

2). Causality is hard to prove. In a case of personal financial information infringement, the processing of personal financial information involves several steps such as collection, storage, use, processing, transmission and provision. Moreover, various technologies such as algorithms and big data analysis are also involved in this procedure. It is difficult for the defendant to match the damage with the specific data leakage behavior one by one, especially given the concealed “perpetrator” of personal data damage and the proliferation of multi-party data collection in the Internet of Things era. In addition, the leaked data can be abused indefinitely, which makes the degree of damage, the proof of causality and the quantification of liability obstacles to litigation relief for personal data damage (Liang & Liu, 2022). Under the superposition of multiple factors, there is a huge information asymmetry between personal financial information processors and individuals. Even if individuals suffer infringement, they will struggle to prove causality. Moreover, enterprises will inevitably keep their big data processing strictly confidential, as it is their core competitive asset, which objectively makes it arduous for individuals to prove causality. At the same time, due to the limited risk of prosecution, the profitability of data theft will continue to propel its prevalence (Justin H. Dion & Nicholas M. Smith, 2019).

4. System Construction of Personal Financial Information Protection

4.1. Clarify the Scope, Processing Subject and Judgment Standard of Personal Financial Information

1). Expand the scope and processing subject of personal financial information. The processing subject of personal financial information should be expanded from banking financial institutions and non-bank payment institutions to financial institutions and financial regulatory authorities. The financial institutions here refer to licensed financial institutions supervised and managed by the national financial management department, as well as other relevant institutions involved in the processing of personal financial information. In addition, the processing subject of personal financial information should also include financial supervision departments, specifically financial supervision departments and other organizations authorized by laws and regulations to manage public affairs. The scope of personal financial information should not be limited to the legal relationship of financial consumers, but should also include the relationship between individuals and financial regulatory authorities, as well as the legal relationship between individuals and other financial market infrastructure. Personal identity information, personal property information, personal account information and other personal financial information should all be included in personal financial information. Moreover, this personal financial information should not be limited to personal financial consumption information, but should also cover personal information held by regulatory authorities and financial market infrastructure. The significance of expanding the subject and scope of personal financial information lies in two aspects. On the one hand, expanding the subject of processing personal financial information will cover the securities industry, the insurance industry, other financial industries and financial regulatory departments, so that individuals can obtain comprehensive protection for their financial information.
This not only ensures that the gap in strength between individuals and financial industry institutions is effectively regulated by law, but also helps standardize the information processing behavior of financial regulatory agencies. Generally speaking, it is conducive to realizing the purpose of personal financial information protection. On the other hand, expanding the processing subject of personal financial information is in line with the trend of mixed operation in the financial industry, and is favourable to data sharing within financial holding companies. Thus the overall strength of China’s financial industry will be enhanced, and the sharing and utilization of personal financial information will be promoted by the expanded scope.

2). Clarify the judging criteria for financial privacy. In China, the legislative practice concerning private information and personal information has moved from unification to dualization. Nevertheless, establishing a privacy testing standard for personal information, and separating the private personal information that falls within the protection range of privacy from all identifiable information, is an important problem faced by the judiciary (Zhang & Shi, 2022). In the financial field, financial privacy refers to the right to control and dispose of the financial asset information and credit information one owns (Li & Miao, 2019). Clarifying the standard of financial privacy is the key to solving the problem of financial privacy identification. Both subjective and objective aspects should be included in the standard of financial privacy. Subjectively, individuals have a reasonable expectation that they do not want their privacy to be known to others. The “reasonable expectation theory of privacy” was first established by the Supreme Court of the United States in Katz v. United States in 1967, and has been applied and proved in many countries around the world to be a more feasible method of judging privacy rights (Zhang, 2021). The “reasonable expectation theory of privacy” requires that the obligee does not want his privacy to be exposed and has a reasonable expectation. In other words, such expectation is legitimate. Specifically, this privacy must not be disclosed to the public; this does not mean, however, that it cannot be disclosed to a small proportion of people. Objectively, privacy is related to individuals, but not to society and others. However, the “reasonable expectation theory of privacy” mentioned above contains the subjective requirement that a natural person reasonably believes that certain information is private.
It is still bound up with the uncertainty of the concept of privacy, and private information will be “contaminated” by this characteristic and become generalized (Zhu, 2022). As a result, this theory needs to be applied in combination with the “theory based on scenario”, which means that the judgment of privacy must be combined with specific application scenarios. Determining whether the flow of information is reasonable and legal through individual case evaluation helps avoid the undesirable effects on legal logic, industrial development, social interaction, and public interest caused by rigid standard setting (Xu & Sun, 2021). In specific application scenarios, judicial practice can combine the classification in the “Specification” with the subjective and objective factors of the obligee. Among them, C3, C2 and C1 are sensitive information. The disclosure of such content may cause certain property losses, so they are easier to identify as financial privacy. Hence, the judgment standard of financial privacy shall be both subjective and objective. Subjectively, individuals have a legitimate, reasonable expectation of not wanting their privacy to be known by others. Objectively, the judgment of privacy must be combined with specific application scenarios; C3 and C2 can be identified as financial privacy by referring to the classification in the Specification.

4.2. Improve the Private Law Relief System

Equal emphasis on public law and private law, as well as preferential allocation of rights, are the principles that should be adhered to in improving the private law relief system for personal financial information. Some scholars believe that the existing rules lack systematization and have a low level of effectiveness. The problems of the information protection obligations of financial institutions and the accompanying damage compensation cannot be solved at the legal level. In that case, the private law protection of personal financial information still faces many obstacles (Zhang, 2019). Besides, the private law protection model of relief after the event fails to provide effective protection (Zheng, 2021). In spite of that, the protection of personal financial information must be implemented through the two dimensions of public law and private law. First of all, neglecting private law remedies may make it difficult to compensate for personal losses, thereby inhibiting the enthusiasm of individuals to participate in remedies. The important means of public law regulation is administrative punishment, but it cannot provide individuals with relief after the event to compensate for their personal losses. Secondly, the weakening of private law relief may increase the moral hazard of personal financial information processors; as a consequence, a large number of illegal information processing behaviors may be induced. With the reduction of private law relief activities, the chances of illegal information processing activities being discovered are also reduced. As a result, the cost of breaking the law is lowered for personal financial information processors, who are in turn encouraged to violate the law.
In addition, due to the huge differences in information, strength and proof ability between individuals and personal financial information processors, adopting a tilted allocation of rights can reduce the individual’s burden of proof as a plaintiff to a certain extent, and can effectively safeguard the effective implementation of the private law relief system; personal financial information processors will thus have greater incentive to invest in information security and to prevent information misuse (ORMEROD P C, 2019).

1). Establish civil liability for risks. The determination of damage in personal information infringement cases has become a dilemma in judicial practice, because personal information infringement does not show direct damage, but rather a risk that personal information may be illegally used in the future. Plaintiffs’ lack of success may be due in large part to the intangible nature of these harms (David Bier, 2019). To deal with the uncertainty in personal information infringement, risk civil liability can be used as an institutional solution to the difficulty of loss identification. The reasons are as follows. On the one hand, risk can be regarded as harm (Danielle K. Citron & Daniel Solove, 2018). Whether in the “Personal Information Protection Law” of China, in the “General Data Protection Regulation” of the European Union, or in the academic viewpoint that “the framework of public law should be adopted for the regulation of risks and the protection of personal information” (Ding, 2018), risk assessment is regarded as an important public law regulatory tool. From this it can be seen that the risk control of personal information has become the consensus of public law regulation. Accordingly, the perspective of risk control should also be adopted in private law protection, otherwise public law and private law protection will diverge. On the other hand, risks must meet the certainty standard. Standards for the risk of personal information infringement must be established, and a risk can be called “risk damage” only when the corresponding legal standards are met. In cases of personal financial information infringement, the establishment of risk civil liability better conforms to the needs of judicial trials.
Some scholars believe that the risk liability for personal financial information is the adverse legal consequence that should be borne by financial companies in violation of their risk obligations (Xu & Li, 2022), but the scope should not be limited to financial enterprises; it should also include other personal financial information processing entities such as financial infrastructure. The standards and classifications of sensitive personal financial information have been clarified in the “Specifications”, so the risks caused by the infringement of sensitive personal financial information are more likely to be identified as “risk damage” by the judiciary based on the scenario theory. For financial institutions, although personal financial security standards are non-mandatory standards, they acquired applicable effect at the level of public law in the field of financial administrative supervision after being authorized or invoked by the departmental regulations of the People’s Bank of China, the China Securities Regulatory Commission, and the China Banking and Insurance Regulatory Commission (hereinafter referred to as the “one bank and two commissions”). Correspondingly, the contents of the corporate service documents of financial institutions also need to conform to the normative requirements mentioned above. For example, the “Guidelines for Data Governance of Banking Financial Institutions” stipulate that the collection and use of data involving personal information by banking financial institutions shall be in line with the corresponding national standards (Zeng, 2022). As a consequence, the scope and classification of sensitive personal financial information have acquired applicable effect through citation by the “one bank and two commissions”.
What’s more, the obligation to protect sensitive personal financial information undertaken by banking financial institutions is advantageous to the establishment of risk civil liability in personal financial information protection legislation.

2). Establish the causality. The presumption of fault liability for infringement of personal information was established in Article 69 of the “Personal Information Protection Law”, but the dilemma of proving causality is still hard to avoid. Three options for this problem have been proposed in academic circles. The first is to invert the causality. Some scholars have pointed out that the mismatch between the right holder’s burden of proof for causality and his ability to prove it makes the disclosure of private information more likely to be connived at. It is more reasonable for the information controller to bear the burden of proof for causality (Liu, 2019). The second is to establish the equivalent system of causality. A number of scholars believe that factors such as signs of information misuse, the nature of information processors, big data and automation technology, and the presence of multiple processors should be considered, and that the plaintiff (information subject) needs to prove the conditional relationship according to the standard of reasonable probability. If the conditional relationship is established, the defendant (information processor) is then expected to prove, according to the standard of high probability, that there is no equivalence between the processing behavior and the damage (Tian & Zhang, 2022). The third is to adhere to the high probability standard. A number of scholars insist that although “causality” is of great significance for determining the subject of infringement, the needs of accountability can be fully met by the traditional theory of causality (Chen, 2019). This paper holds that establishing a system of comparable causality is an effective solution to this problem.
The reasons are as follows. First of all, because inverting causality produces a configuration inclined toward individual rights, it harms personal information processors’ need to use personal information. The increased operating costs of personal information processors may even lead to the risk of excessive litigation. Secondly, if the traditional theory of causality is not adjusted, it will not adapt well to the characteristics of personal information infringement cases; in consequence, a balance in the relationship between individuals and personal information processors will be difficult to reach. Finally, applying the standard of reasonable probability to causality does not change the provisions of the Civil Procedure Law on the distribution of the burden of proof. The plaintiff still needs to put forward corresponding evidence to demonstrate that the defendant has a high possibility of divulging personal information (Cheng, 2021). An effective solution would thus enable consumers to obtain the information they need to figure out whether or not they can, and should, bring suit, without unduly burdening breached companies (Lauren M. Lozada, 2019). Relevant causality is also conducive to achieving a balance between the proof capabilities of individuals and personal information processors, compensating for the unequal proof capabilities caused by factors such as information asymmetry and technical capabilities. The equivalent causality proof standard should not be applied in every scenario of personal financial information infringement. Which standard applies should depend on the scenario.
Firstly, when the processor of personal financial information is a financial entity that makes use of big data technology or automated decision-making technology, such as financial regulatory authorities, financial industry institutions and financial basic infrastructure, a comparable causal proof standard shall be adopted to balance the proof capabilities of the two parties. Secondly, if the processor of personal financial information is an individual, then according to the scenario theory the proof capabilities of both parties are roughly balanced, since no big data technology or automated decision-making technology is involved. Under such circumstances, the high probability standard of traditional causality should be used. Thirdly, if there are many financial information processors and it is difficult for an individual to determine the cause of the damage, an equivalent causal proof standard needs to be adopted.

5. Conclusion

A legal normative system for the protection of personal financial information, including the “Personal Information Protection Law”, the “Civil Code”, the “Financial Consumer Protection Law”, the “Notice” and so on, has been established in China. Even so, there is still a series of legal problems in the protection of personal financial information. As a special law for personal information protection in the financial field, a personal financial information protection law should be instituted in line with the rules and features of the financial industry, so as to effectively solve practical problems in the financial field. The formulation of the personal financial information protection law should adhere to the legislative concept of equal emphasis on protection and utilization. The problem of personal financial information protection could be solved by introducing a certain degree of inclined protection through the two dimensions of public law and private law. With regard to the unclear scope of information and processing subjects in the Personal Financial Information Protection Law, and the ambiguous classification of personal financial information, the scope and processing subjects of personal financial information should be expanded, and the criteria for judging financial privacy should be clarified. A system of risk civil liability and equivalent causality should be established in the personal information protection legislation. In short, the enactment of China’s Personal Financial Information Protection Law has far-reaching significance for the development of China’s financial industry, as it is the institutional cornerstone for the rapid development of that industry in the new era.

Funding

This paper is one of the results of the project “Research on Conflict Coordination of Data Privacy Rules in Digital Trade” (202265) funded by the University of International Business and Economics Graduate Student Research Innovation Fund.

Conflicts of Interest

The author declares no conflicts of interest regarding the publication of this paper.

References

[1] Bier, D. (2019). Integrating Integrity: Confronting Data Harms in the Administrative Age.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3486681#
[2] Chen, J. D. (2019). Personal Information Infringement Remedies. Jiaotong University Law, No. 4, 52.
[3] Cheng, X. (2021). Tort Liability for Infringement of Personal Information Rights and Interests. China Law Review, No. 5, 66.
[4] Citron, D. K., & Solove, D. (2018). Risk and Anxiety: A Theory of Data Breach Harms.
https://texaslawreview.org/risk-and-anxiety/
[5] Ding, X. D. (2018). The Dilemma and Outlet of the Private Law Protection of Personal Information. Legal Research, No. 6, 194.
[6] Dion, J. H., & Smith, N. M. (2019). Consumer Protection—Exploring Private Causes of Action for Victims of Data Breaches.
https://ssrn.com/abstract=3435095
[7] He, Y. (2017). Financial Privacy Protection in the Background of Data Sharing. Journal of Southeast University (Philosophy and Social Sciences Edition), No. 1, 87.
[8] Li, S. Q., & Miao, Y. T. (2019). Protection of Financial Privacy in the Background of Big Data. Finance and Economics Theory and Practice, No. 4, 152.
[9] Liang, Z. W., & Liu, X. (2022). Types of Personal Data Damage and Its Determination. Journal of Jishou University (Social Science Edition), No. 2, 79.
[10] Liu, H. A. (2019). The Burden of Proving the Causality of Personal Information Leakage—Comment on the Personality Rights Dispute between Pang and China Eastern Airlines and Quna Company. Jiaotong University Law, No. 1, 184.
[11] Lozada, L. M. (2019). The (Possibly) Injured Consumer: Standing in Data Breach Litigation. St. John’s Law Review, No. 2, 481.
[12] Ormerod, P. C. (2019). A Private Enforcement Remedy for Information Misuse. Boston College Law Review, No. 7, 1941.
[13] Steffel, J. (2020). The Time between the Theft and the Injury: Standing Requirements Based on a Future Risk of Identity Theft after a Data Breach. University of Cincinnati Law Review, No. 4, 25.
[14] Tian, Y. (2021). Risk as Damage: Innovation of the Concept of Tort “Damage” in the Era of Big Data. Politics and Law, No. 10, 25.
[15] Tian, Y., & Zhang, Y. W. (2022). The Dilemma of Proving the Causality of Personal Information Infringement and Its Solution—Based on the Appropriate Causality Theory. Journal of Central South University (Social Science Edition), No. 1, 68.
[16] Wan, M. (2022). In 2022, Personal Information Infringements May Increase in Financial Institution Employees with Up to 50 Million Fines.
http://www.eeo.com.cn/2022/0122/519687.shtml
[17] Xing, H. Q. (2022). Protection and Utilization of Personal Financial Information in the Era of Big Data. Oriental Law, No. 1, 47.
[18] Xu, J., & Li, H. T. (2022). Realization of Civil Liability for Personal Financial Information Risks. Jiangsu Social Sciences, No. 1, 185.
[19] Xu, K., & Sun, M. X. (2021). Re-Clarification of Personal Private Information—Taking the Relationship between Privacy and Personal Information as Pointcut. China Applied Law, No. 1, 18.
[20] Yang, X. (2020). Legal Protection of Personal Credit Information in Internet Consumer Credit. Hebei Law Science, No. 3, 164.
[21] Zeng, Y. (2022). Effectiveness Reflecting and Logical Debugging of Legal Protection on Personal Financial Information Security Standards. Finance and Economics, No. 7, 76.
[22] Zeng, Y. (2022). Reflections on the Effectiveness of Legal Protection and Logical Debugging of Personal Financial Information Security Standards. Finance and Economics, No. 7, 76.
[23] Zhang, J., & Shi, C. (2022). The Interrelationship between Privacy Right and Personal Information Rights and Interests from the Perspective of “Personal Information Protection Law”—Centering on the Legal Application of Private Information. Journal of Soochow University (Philosophy and Social Science Edition), No. 2, 52.
[24] Zhang, K. F. (2019). The Predicament and Outlet of the Private Law Protection of Personal Financial Information. Journal of Northwest University for Nationalities (Philosophy and Social Science Edition), No. 2, 94.
[25] Zhang, L. (2021). What Is Private Information?—Based on the Discussion on the Intersection of Privacy and Personal Information Protection in the “Civil Code”. Journal of Gansu University of Political Science and Law, No. 1, 94.
[26] Zheng, Y. (2021). From Private Interests to Public Welfare: Research on the Path of Financial Information Rights Protection. Journal of Liaoning University (Philosophy and Social Sciences Edition), No. 2, 101.
[27] Zhu, J. J. (2022). Discussion on the Dual Structure of Private Information Protection in the “Civil Code”. Science and Technology and Law (Chinese and English), No. 1, 70.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.