Limiting the misuse of credit data

本文原為2011年5月10日，本會投書蘋果日報"應立法規範個資大怪獸—聯合徵信中心"一文，後經同意英文台北時報翻譯後，登載在2011年5月16日Taipei Times

By Lai Chung-chiang and Chiu E-ling 賴中強，邱伊翎
(Lai Chung-chiang is deputy president of the Taiwan Association for Human Rights. Chiu E-ling is the director of media and publication for the association.)

TRANSLATED BY JULIAN CLEGG

Following the signing of agreements with China about financial cooperation across the Taiwan Strait, Chinese financial concerns have been eagerly seeking ways to start up and develop business operations in Taiwan. The Financial Supervisory Commission (FSC) has so far given its approval for four major Chinese banks — the Bank of China, Bank of Communications, China Construction Bank and China Merchants Bank — to set up representative offices in Taiwan.

The Cross-Strait Economic Cooperation Framework Agreement includes a commitment to lift restrictions on cross-strait financial services. According to this commitment, representative offices established by Chinese banks in Taiwan may be upgraded to branch banks one year after they are set up. That means the four Chinese banks may, if they wish, commence banking operations in Taiwan in September. When they do that, they can then join the Joint Credit Information Center (JCIC) as member institutions.

The predecessor of today’s JCIC was set up by the Bankers’ Association of Taipei in 1975. Its original function was to serve as a center for collecting, processing and exchanging credit data among the member institutions of the bankers’ association. In 1992, the JCIC was transformed into a non-profit foundation. In March 1993, the Ministry of Finance assigned the JCIC the task of setting up a nationwide credit database, whereupon the center began to put on file the credit data of customers of financial institutions.

It was not until 1995 that Taiwan instituted the -Computer-Processed Personal Data Protection Act (電腦處理個人資料保護法), the purpose of which was to regulate the collection, processing and use of personal data by government and non--government agencies.
As fraud has become an increasingly serious problem in recent years, the government last year amended this act and changed its title to the Personal Information Protection Act (個人資料保護法). The amended law seeks to regulate a wider range of situations under which personal data could be unscrupulously collected and divulged by non-government agencies, and by means other than computers.
The problem is that the monster that had already come into being before these personal data protection laws were drawn up has never been brought into question. When applying for a credit card or loan, people probably don’t look very carefully at the fine print, one line of which asks applicants to give consent for the bank to obtain data about them from the JCIC.

Furthermore, data about people’s loans and credit will be registered with the JCIC and kept on file in its databank for reference by other banks. The basis on which the JCIC can collect people’s credit data is “personal consent,” but this “informed consent” is also indirect, unobvious and generalized.

Although the JCIC uses computers’ auditing function to prevent its staff from looking up personal credit data for illegitimate purposes, its mode of operation still largely relies on self-regulation by its member institutions. The fact is that the JCIC does not require financial institutions to ask their customers to sign a written consent form or agreement. All a financial institution has to do is go online and check the box that says “the person’s consent has been obtained.” Once they have done that, they can access and download the data.

It can be seen from past cases where the FSC imposed penalties that there have been numerous instances of banks making illegal inquiries about personal data or divulging it to others. Taiwanese banks and local branches of overseas banks alike have been caught breaking the rules, but the only penalty the JCIC can impose is to temporarily suspend the offending institution’s right to look up data, which is hardly enough to deter institutions from breaking the rules.
If Taiwanese banks have broken the rules so often, how can we trust Chinese banks to abide by the system of their own accord? Perhaps now is the time for us to reconsider this -monster, which was born before the laws on personal data protection came into existence.

If one considers the various laws in Taiwan, one will find that the Personal Information Protection Act is too general. It only provides the most basic standards for regulating ordinary situations. As to the Regulations Governing Authorization and Administration of Service Enterprises Engaged in Interbank Credit Information Processing and Exchange (銀行間徵信資料處理交換服務事業許可及管理辦法), the emphasis of this law is on setting standards for consent, but it says very little about how data is to be processed and used, and it has no penalty guidelines.

In the US, although there is no single centralized credit information center such as exists in Taiwan, there are still various laws, such as the Fair Credit Reporting Act and the Consumer Credit Protection Act, that regulate the conditions under which institutions may legally gain access to consumers’ credit data, and these laws place the burden of proof of not having transferred the data for other purposes on the institution. They also lay out the procedures to be followed when there is a dispute about data.

In Taiwan, a single non--governmental foundation has credit data on almost every person and company in the country in its hands, giving it a national monopoly on such information. Such an institution could not exist in other countries. Isn’t it about time we put a law in place to monitor and regulate it?