Introduction

Article 28.1 of the Personal Information Protection Law of PRC (“PIPL”) defined sensitive personal information in a “summarizing + listing” manner. Previously, Article 3.2 of the national standard Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) defined “personal sensitive information” in a similar way. Comparing the two definitions, “credit information” is listed by the latter, but not by the former. Does personal credit information belong to sensitive personal information? An affirmative answer seems easy to make. First, the leakage of credit information can bring telecom fraud including so-called “credit repair” pitfalls, falling within Article 28.1 of PIPL’s definition of easily leading to “harm to personal or property safety” once leaked. Second, since Article 28.1 of PIPL does not exhaustively list all types, it is reasonable to refer to the judgment of the above-mentioned national standard, based on the systematic interpretation logic. Third, credit information often includes transaction information, e.g., borrowing and lending records, since they can help identify the credit status of enterprises and individuals. Given that bank transaction records are considered by the legislature as financial account information listed under Article 28.1, the same shall be true for credit information.

The problem arises. On the one hand, once credit information is characterized as sensitive personal information, according to Articles 28 and 29 of PIPL, information processors can only process it under an individual’s “separate consent” with “specific purposes”, “sufficient necessity”, and “strict protection measures”. First, “specific purposes” require that only specific occupations under specific business circumstances can process corresponding types of sensitive personal information, which disables non-credit institutions to collect credit-related transaction records in other businesses, and reduces the possibility for credit institutions to obtain credit information from other providers. Second, “sufficient necessity” points to “no processing unless necessary”, and credit agencies may thus be forbidden to collect individual transaction records beforehand for possible future credit assessment. Third, “separate consent” requires a strict distinction between credit information and other information before processing to obtain individual instead of blanket consent for personal credit information, significantly increasing the cost of credit analysis.

On the other hand, credit institutions have a social responsibility to facilitate financing. The Opinions on Advancing the High-quality Development of the Construction of the Social Credit System in Furtherance of the Shaping of a New Development Pattern, issued by the General Office of the CPC Central Committee and the State Council, requires “promoting financial services for the real economy with a solid credit foundation”, and “developing inclusive finance and increasing the scale of credit so as to solve financing difficulties of micro, small and medium-sized enterprises and individual industrial and commercial households.” Article 23 of the Law of PRC on the Promotion of Small and Medium-Sized Enterprises (“SME”) also stated that “the state supports credit agencies in developing credit products and services for the financing of SMEs.” Credit is the basis of financing, and the difficulty of SME financing arises from information asymmetry. Since SMEs are usually controlled by individual managers and owners and have no perfect governance structure, banks mainly rely on the personal credit of managers and owners to reasonably infer the creditworthiness of their corporations, and even directly issue relationship loans to or seek guarantees from managers and owners. Thus, it is crucial for solving SME financing difficulties to increase credit institutions’ access to the personal credit information of SME managers and owners. In March 2023, the Resolution of the First Session of the Fourteenth National People’s Congress on the Implementation of the 2022 Plan for National Economic and Social Development and on the 2023 Plan for National Economic and Social Development reemphasized the target to “step up the sharing and application of credit information to facilitate fundraising for MSMEs”.

Then the paradox exists between the legal obligation of credit institutions to protect personal credit information as sensitive personal information and their social responsibility to facilitate financing. The strict obligation in processing personal credit information will deter credit institutions from accessing the credit information of SME managers and owners, increasing information asymmetry in SME financing. Should such a conflict exist? Should personal credit information be classified as sensitive personal information? In a more general sense, is the standard for sensitive personal information in Article 28 of PIPL reasonable? How should personal credit information be protected by PIPL? It is even more important to clearly answer these questions, with PIPL coming into force for nearly two years.

This essay tries to reconstruct the position of personal credit information in PIPL based on a comparative look and a theoretical reanalysis. Part Ⅱ looks at extraterritorial theory and practice to demonstrate the necessity to balance personal credit information protection and financing facilitation. Part III argues that the definition in Article 28.1 of PIPL is unreasonable and the protection of personal credit information as sensitive personal information is neither socially beneficial nor, in fact, conducive to personal information protection. Part Ⅳ denies personal credit information as sensitive personal information by a stricter interpretation of Article 28(1).