More than half of Chinese internet finance lenders are failing to comply with data privacy regulations, research has found, raising risks for investors as China steps up the implementation of laws to protect consumer data.


The breaches include collecting phone numbers from users’ contact lists, which can be used to mount harassment campaigns and shame users into repaying debts.


The survey of 200 finance apps by Renmin University and Nandu Personal Data Protection Research Centre, a Beijing think-tank, ranked 111 apps as having “low” compliance.

中国人民大学和北京智库-南都个人信息保护研究中心(Nandu Personal Data Protection Research Centre)对200个金融应用进行的调查显示,111个应用的合规水平为“低”。

It found that almost half - 95 apps - wanted to read users’ text messages, while 97 of them wanted access to users’ contact lists, despite such access not being necessary for the app’s functioning.


By asking users for such information, the app providers are brushing against the country’s new personal information security standard to be implemented on May 1, which specifies that companies should seek the minimum information needed to make their apps work.


“Investors should certainly expect more government scrutiny on their business model from a data protection perspective,” said Luo Yan, special counsel at the Covington & Burling law firm in Beijing.

“投资者肯定应该预计到,政府将从数据保护的角度对他们的商业模式进行更多的审查,” 美国科文顿.柏灵律师事务所(Covington & Burling law firm)驻北京的资深律师罗嫣表示。

Among the worst-scoring companies in the report are two of the world’s largest banks, Bank of China and China Construction Bank. Other offenders named were Yidai Credit, which is backed by SoftBank China, and the New York-listed Qudian.

报告中得分最低的公司包括两家全球大型银行-中国银行(Bank of China)和中国建设银行(China Construction Bank)。其他违规公司包括由软银(中国)(SoftBank China)支持的宜贷网(Yidai Credit)和在纽约上市的趣店(Qudian)。

Many apps lacked a privacy agreement that was available upon registration to explain what user data would be protected, leaving the user with little recourse if their details were leaked or misused.


Although all the apps surveyed collect sensitive financial data, most also ask for permission to access user data that is not needed for the functioning of the app, the report found.


For example, more than half of the Android apps - including that of Bank of China - wanted microphone access, despite none having a voice input option, the researchers found.


“The attitude of the vast majority of [companies] is ‘no matter whether we need the data or not, let’s collect it first and then decide’,” said Nadiya Ni, lead author of the report.

该报告的主要作者Nadiya Ni表示:“绝大多数(公司)的态度是,‘不管我们是否需要这些数据,我们先收集到手再说,然后决定如何使用’。”

Internet finance companies have a history of using personal information to shame debtors into repayment. Intrusive techniques to hound debtors - such as one debt-collecting “granny gang” who shamed and intimidated borrowers into repayment - have blossomed in the absence of a comprehensive credit-scoring system.

互联网金融公司有使用个人信息来羞辱借款人、以促使其偿还贷款的历史。在缺乏全面的信用评分体系的情况下,不停骚扰债务人的侵扰式方法-比如采用羞辱和恐吓方式促使借款人还钱的“大妈讨债团”应运而生 。

The privacy policy of one online lender, Ideal Treasure, stipulates that in the case of non-payment, the company has the right to share data with third parties, “based on their own judgment”. Ideal Treasure said it “began to improve compliance in strict accordance with regulations from 2017”.

网上贷款公司理想宝科技有限公司(Ideal Treasure)的隐私政策规定,如果借款人不还款,公司有权“根据其自己的判断”与第三方分享用户数据。理想宝表示,从2017年开始,公司“开始严格按照监管规定来改善合规水平”。

Bank of China said its app “strictly follows the laws and protects the rights of users”, adding that the installation process notifies users about its data collection policies and users sign physical copies of agreements when they open online accounts.


Qudian said it “attaches great importance to personal data protection and has built a strict personal information protection system”. The group’s user agreement states that the company protects personal data, “unless we get [users’] approval or we have to provide it because of legal obligations”.


China Construction Bank and Yidai did not respond to requests for comment.






  • 010-68890808
  • 010-68890800
  • jiaoxue@cri.cn