As reported in the Wall Street Journal, the share prices of China-based, US-listed online brokerages Futu and Up Fintech fell sharply last week due to investor concerns that these businesses could face tightened regulatory scrutiny from Chinese regulators as the new Personal Information Protection Law (PIPL) is set to go into effect in China on 1st November. 

These brokerages help Chinese citizens invest in overseas stocks such as in the United States and Hong Kong. Accounts are opened once investors submit their personal information and other personal details such as ID cards, bank details and tax-related records. Concerns were voiced by a Chinese media outlet around the flow of such personal information of the account holders, and whether such practices would be in violation of PIPL.

The news didn’t come as a surprise. These online brokerage businesses need to collect such personal information for the purpose of opening accounts and to provide data as part of overseas reporting requirements. But questions do remain if both the collection and the transfer of data to other countries, such as the United States, would soon violate the Chinese law. We anticipate more and more companies with international operations and a need for data sharing or data transfers will come under the scrutiny of the regulators in light of the Data Security Law (DSL) and PIPL.

PIPL, which complements the DSL in regulating cyberspace and personal data, requires companies to obtain individual consent to collect sensitive personal information such as biometrics, medical health, financial records. For businesses that illegally collect personal information, regulators can suspend or terminate the provision of their services. The DSL also stipulates that any transfer of Important Data will also need approval from the Chinese government.

As 1st November draws closer, companies that do collect personal information as part of their business operations, and especially those who also have international exposures that may need to transfer data beyond Chinese internet borders will need to consider the impact of the new laws and ensure they have policies, system (re)designs in place to comply with data gathering, processing, storage, access and transfer requirements and best practices.