
New regulations on data privacy and security unveiled by China's central bank

On 1 May 2025, the People's Bank of China (PBOC) issued the Administrative Measures on Data Security in the business areas under its supervision, referred to here as the PBOC Data Rules. The rules took effect on 30 June 2025.


PBOC Issues Comprehensive Data Security Rules for Financial Sectors

The People's Bank of China (PBOC) issued a long-awaited set of data security rules, known as the PBOC Data Rules, on 1 May 2025. The rules govern data security in the business areas supervised by the PBOC and mark a significant step towards stronger data protection in China's financial sectors.

The PBOC Data Rules apply to licensed financial institutions, institutions approved by the PBOC, and institutions recognized by the PBOC. These entities, referred to as Data Handlers, must hold a legal basis for collecting data, maintain data security management appropriate to the data they process, notify the relevant parties where the rules require it, and comply in full with the detailed PBOC Measures by the stipulated dates.

Data Handlers must adopt security protection and management measures when collecting Business Data, meaning network data generated and collected within the PBOC-supervised business areas. They are also required to fulfil notification duties; the rules as reported here do not spell out the recipients, but the duty appears to cover informing relevant parties about the collection, use, or processing of Business Data.

The business areas covered by the PBOC Data Rules include monetary credit, macro-prudential oversight, cross-border RMB, inter-bank market, comprehensive statistics of the financial industry, payment and settlement, RMB issuance and circulation, treasury management, credit investigation and credit rating, and anti-money laundering.

Data Handlers are subject to obligations covering the entire lifecycle of Business Data: account and access authority management, data collection, storage, processing, transmission, provision, cross-border data export, data disclosure, data deletion, outsourcing, and security technical requirements.

Under the PBOC Data Rules, Data Handlers of important data shall conduct a risk assessment once a year and submit the risk assessment report for the previous year to the PBOC or its local counterpart before 15 January each year. They are also required to strengthen their risk monitoring of Business Data processing activities and fulfill the required reporting or assessment/audit procedures.

The PBOC Data Rules classify Business Data into three levels: general data, important data, and core data. "Important data" refers to data of specific fields, specific groups, or specific regions, or data reaching a certain level of accuracy and scale, which, if tampered with, destroyed, leaked, or illegally accessed or used, may directly endanger national security, economic operation, social stability, public health, and security. "Core data" refers to important data with high coverage in fields, groups, or regions, or with high accuracy, a relatively large scale, and a certain depth, which, if illegally used or shared, may directly affect political security.

The PBOC Data Rules and the NFRA Data Rules, issued by the PBOC's sister regulator, the National Financial Regulatory Administration in December 2024, share similar definitions for "core data" and "important data." Both fall within the "important data" category under China's existing cybersecurity and data privacy regime, and therefore processing these data will be subject to stringent requirements and obligations.

The PBOC Data Rules took effect on 30 June 2025, and financial institutions and other entities subject to them were expected to be in full compliance by that date.

In the event of a Business Data security incident, Data Handlers must immediately take containment and remediation measures, inform affected users in a timely manner, and report the incident to the PBOC in a timely, accurate, and complete manner as the PBOC requires. Data Handlers of important data must also run emergency drills for Business Data security incidents at least once a year.

In summary, the PBOC Data Rules require Data Handlers to hold a legal basis for data collection, maintain strong data security management, notify the relevant parties where required, and comply in full with the detailed PBOC Measures by the stipulated dates. The rules reach a wide range of financial institutions and business areas under PBOC supervision.

Financial institutions and other entities operating in the business areas the PBOC supervises must adhere to the PBOC Data Rules, particularly those that qualify as Data Handlers because they process Business Data. Failure to establish a legal basis for data collection, to maintain strong data security management, or to comply with the detailed PBOC Measures by the stipulated dates may lead to severe consequences. Data Handlers must also classify Business Data into the defined levels, including 'important data' and 'core data', so that each category is processed and reported in line with the stringent requirements and obligations under China's cybersecurity and data privacy regime.
