DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 001 · PUBLIC-DATA

Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.

A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.

Editor’s Note — DCC.

Public-data authorized operation (公共数据授权运营) is one of the most active growth areas in China’s data-element market. Wang Qinglan’s case study illustrates one of its most common failure modes: an operator with public-data rights treats those rights as a general license to do anything with the data, missing that other regulatory regimes — here, the credit reference business licensing regime — apply on top of the public-data framework. This is short for a Wang piece (under 1500 words in the original), but the analytical pattern is generally useful for overseas counsel advising on public-data products.

The case

A state-affiliated auction company in a Chinese city holds the operating right to vehicle license-plate auction data. (The license-plate auction system is how the city allocates a capped number of new license plates each year.) Winning bidders’ personal data — name, contact information, payment information, vehicle details — flows through the auction platform.

A bank approaches the auction company with a proposal:

  • The auction company gives the bank the personal data of winning bidders.
  • The bank uses the data to design a targeted credit product for new vehicle purchasers — license-plate winners are a high-creditworthiness segment.
  • The bank pays the auction company RMB 12 million per year in revenue share.

The auction company agreed.

Wang’s question: was the auction company’s conduct compliant?

The two failures

The first issue is PIPL. The auction company’s public-data operating right lets it process the auction data on behalf of the government grantor for the authorized purpose (typically, running the auction platform and providing official services). It does not vest the auction company with general consent to share the personal data of winning bidders with third parties for unrelated commercial purposes.

PIPL Article 13 requires a lawful basis for each processing activity. The most common bases — individual consent, contract necessity, legal obligation — would have to be re-grounded for the bank-sharing activity. None of them obviously applied here.

If the auction company had not obtained individual consent from each winning bidder authorizing the bank-sharing, the sharing was unlawful. On the facts of the case, the company had not. That alone makes the transaction non-compliant.

But the deeper problem follows.

Failure 2 — No credit reference business license

The auction company’s conduct also constitutes credit reference business (征信业务), and credit reference business is a licensed activity in China. Operating it without a license is unlawful — and the auction company did not have one.

This is the part overseas counsel most often miss when advising on Chinese public-data deals. Public-data authorized operation does not exempt the operator from sector-specific licensing requirements. Other regulatory regimes — credit reference, banking, insurance, healthcare, geographic data — stack on top of the public-data framework.

The legal anchors:

  • Article 2 of the Credit Reference Industry Regulation (《征信业管理条例》) defines credit reference business as “the collection, organization, retention, processing of credit information about enterprises, public institutions, and individuals, and provision of that information to information users.”
  • Article 3 of the Credit Reference Business Administrative Measures (《征信业务管理办法》) further specifies that credit reference business serves financial and similar activities — to identify and evaluate the creditworthiness of enterprises and individuals.
  • Article 5 of the Credit Reference Business Measures: “Financial institutions may not engage in commercial cooperation to obtain credit reference services with market entities that have not obtained the lawful credit reference business qualification.”

That last article is the bank’s exposure too. By contracting with the unlicensed auction company for credit-reference-purpose data, the bank also violated the regulation.

The two licensing tracks

A critical operational detail in the regulation:

  • Personal credit reference business (个人征信业务) — requires a license from the PBoC. Setting one up requires PBoC approval; the regulator has, in practice, issued personal credit reference licenses to a small number of institutions.
  • Enterprise credit reference business (企业征信业务) — requires filing with the PBoC’s local office. The filing standard is lower than personal credit licensing.

In the case, the auction company was processing individuals’ data for credit purposes — so the licensing track is personal credit reference. No license, no operation. Even if the auction company had separately obtained individual consent under PIPL, the absence of a personal credit reference license would still have made the conduct unlawful.

Wang’s summary: “This company probably stacked both non-compliance buffs to the maximum. Genuinely criminal.”

The operational test

The decisive question — for any business considering a transaction involving downstream financial-activity use of personal data — is “is the use for financial activity?” (是否用于金融活动). If yes, credit reference business licensing/filing applies. Public-data authorized operation does not displace that requirement.

The two-pronged test for credit reference business per the regulation:

  1. Is the data credit information (信用信息) — information used to identify and evaluate creditworthiness?
  2. Is the data being used for financial or similar activities?

If both are yes, the activity is credit reference business. The license is required for personal data; filing is required for enterprise data.

Why this matters for overseas teams

Three operational takeaways:

  • Public-data authorized operation is one license among many, not a master license. A public-data operator’s permitted operations are bounded by both the public-data authorization terms and every other sector-specific regime that applies to the underlying activity. When the downstream use is financial, the credit reference licensing regime applies separately. When the downstream use is healthcare, the healthcare-data and medical-device regimes apply. When the downstream use is education, education-sector PI rules apply. Public-data status is not a shortcut around sector-specific rules.
  • Foreign entities partnering on Chinese public-data products should map the downstream-use regulatory stack before structuring the deal. A China subsidiary acquiring or licensing a public-data product for cross-border use must satisfy: (a) the public-data authorization terms; (b) PIPL consent / contractual basis requirements for any PI in the data; (c) any sector-specific licensing applicable to the downstream use; (d) cross-border export pathway requirements if the data leaves China.
  • The case is also a reminder of the criminal exposure. Criminal Law Article 253-1 — sale and provision of citizen personal information without consent or in violation of regulations — applies. The PI Audit Measures and the 2026 PI Special Action (six high-risk sectors including finance) put financial-data flow on the regulator’s enforcement priority list. Foreign-invested banks and financial-services providers in particular should treat this case as a leading enforcement risk.

The underlying point in Wang’s piece is that public-data authorized operation is a permission, not an immunity. The auction company’s mistake was treating the authorization as a general license — and the credit reference licensing regime caught up with that mistake.


— Wang Qinglan (王青兰), 案例分析 | 公共数据授权运营后提供给金融机构是否须取得征信业务资质? (Case Analysis — After Public-Data Authorized Operation, Does Providing to Financial Institutions Require Credit Reference Business Qualification?), 青兰数据观察 WeChat Official Account, April 11, 2024. Original article (Chinese).

Not legal advice. The above is DCC’s structured summary of Wang’s commentary; not a verbatim translation. The author’s views are her own and do not represent her employer.
