More than half of Chinese internet finance lenders are failing to comply with data privacy regulations, research has found, raising risks for investors as China steps up the implementation of laws to protect consumer data.
The breaches include collecting phone numbers from users’ contact lists, which can be used to mount harassment campaigns and shame users into repaying debts.
The survey of 200 finance apps by Renmin University and Nandu Personal Data Protection Research Centre, a Beijing think-tank, ranked 111 apps as having “low” compliance.
It found that almost half — 95 apps — wanted to read users’ text messages, while 97 of them wanted access to users’ contact lists, despite such access not being necessary for the app’s functioning.
By asking users for such information, the app providers are brushing against the country’s new personal information security standard to be implemented on May 1, which specifies that companies should seek the minimum information needed to make their apps work.
“Investors should certainly expect more government scrutiny on their business model from a data protection perspective,” said Luo Yan, special counsel at the Covington & Burling law firm in Beijing.
Among the worst-scoring companies in the report are two of the world’s largest banks, Bank of China and China Construction Bank. Other offenders named were Yidai Credit, which is backed by SoftBank China, and the New York-listed Qudian.
Many apps lacked a privacy agreement that was available upon registration to explain what user data would be protected, leaving the user with little recourse if their details were leaked or misused.
Although all the apps surveyed collect sensitive financial data, most also ask for permission to access user data that is not needed for the functioning of the app, the report found.
For example, more than half of the Android apps — including that of Bank of China — wanted microphone access, despite none having a voice input option, the researchers found.
“The attitude of the vast majority of [companies] is ‘no matter whether we need the data or not, let’s collect it first and then decide’,” said Nadiya Ni, lead author of the report.
Internet finance companies have a history of using personal information to shame debtors into repayment. Intrusive techniques to hound debtors — such as one debt-collecting “granny gang” who shamed and intimidated borrowers into repayment — have blossomed in the absence of a comprehensive credit-scoring system.
Bank of China said its app “strictly follows the laws and protects the rights of users”, adding that the installation process notifies users about its data collection policies and users sign physical copies of agreements when they open online accounts.
Qudian said it “attaches great importance to personal data protection and has built a strict personal information protection system”. The group’s user agreement states that the company protects personal data, “unless we get [users’] approval or we have to provide it because of legal obligations”.
China Construction Bank and Yidai did not respond to requests for comment.