SHANGHAI (Reuters) – When William Zhang’s car insurance was about to expire in March, he didn’t need to look far for renewal options. In the two months before the policy was up Zhang received calls almost daily from insurers trying to sell him a new one.
Since his initial policy was from Ping An Insurance Group, it was natural the company had been in touch.
“What confuses me is how other insurance companies knew about it,” said Zhang, a 26-year-old government employee from Shandong. Three other car owners told Reuters that they had experienced the same problem.
Personal data has become widely available in China and can be scooped up for pennies by insurance companies, banks, loan sharks, and scammers alike, according to sellers and financiers interviewed by Reuters.
In May, China introduced its most comprehensive data protection laws to date, tightening restrictions on the sharing of private data held by financial institutions and other firms.
“Personal information leaks are risky,” said Susan Ning, a partner at the law firm King & Wood Mallesons in Beijing. “Such information can facilitate other crimes,” she added.
Insurers often buy numbers from shadowy online data sellers, who themselves have acquired the information illegally, according to people in the industry.
Some companies illegally buy information from the department of motor vehicles, car licensing authorities, car sellers, or from police stations, said Michelle Hu, a partner at Boston Consulting Group who has been a consultant on insurance deals.
By entering keywords like “personal data” or “cellphone data”, in Chinese, Reuters found more than 30 groups created for the purpose of selling and buying personal information on Tencent’s instant messaging service QQ and Baidu’s forum site Tieba.
Baidu declined to comment. In a statement emailed to Reuters, Tencent said it was “committed to the protection of user privacy and maintaining data security”.
Information sellers post ads in the online groups and negotiate with buyers through private messages on QQ or WeChat.
Five sellers offered to sell Reuters lists from financial institutions of “people who need loans”, “people who need insurance”, and “Shanghainese men aged between 30 to 50”.
The price of such information varied among sellers, ranging from 300 yuan ($43.64) to 2,800 yuan for 100,000 people.
A sample list included individuals’ birth dates, car and home ownership status, and mortgage information, in addition to names and telephone numbers.
Reuters was unable to verify the authenticity of the information.
Three loan agents who sell mortgages for three leading Chinese lenders said customer information was often sold by bank employees.
Some internet companies also provide access to sensitive personal information for a fee, according to Reuters’ communications with two such platforms.
Duoku Technology, a Wuhan-based firm, for example, operates a personal information search platform.
For 5 yuan, Duoku returns the ID picture of any Chinese citizen whose name and ID number are provided. For 3 yuan, the site returns data about a person’s cellphone usage.
Reuters verified that both services worked. The person whose ID picture was requested did not know how the services obtained his photo or telephone bills.
When asked where Duoku collected or purchased the information, a spokeswoman at Duoku Technology who identified herself as Ms. Li, said much of the data was bought from online merchants and sold to banks and insurance companies.
“Financial institutions use our service for risk management purposes only,” she said.
Hours after Reuters first published the story Duoku Technology emailed to say their website has removed the products set out above and in future will not be selling to individuals.
Law and order
Data privacy has also become a major issue around the world, with companies like Facebook criticized for harvesting and selling users’ personal data without their explicit consent. Online scammers are also common in other countries.
In China, a proliferation of online financial platforms and users has led to a surge in the sharing of personal data, despite legislative efforts to protect consumers in recent years, experts say.
Under current laws, personal information sellers can face up to seven years in prison and a fine, while buying personal data can be punished by fines and up to three years in prison. Corporations are subject to similar legal punishments.
Despite such censure, around 90% of phone scams stem from personal information breaches, according to a Union Pay report in May.
“Central to this problem is the high economic benefits associated with personal information trade and the low costs of violating relevant laws,” said Ning.
“For some individuals with authorization, others’ personal information is just a few clicks away.”
Other reasons behind personal data breaches include a lack of security measures on some websites, and ambiguous terms in certain contracts regarding the use of personal information, said Ning.
“China has a large population and data privacy cases cover a broad range, so it can be quite difficult to investigate,” Ning said.
New guidelines for companies on handling personal data were issued by regulators in May that included the hiring of compliance officers and getting explicit consent from consumers when collecting personal information.
The European Union’s new rules on privacy protection – the General Data Protection Regulation – took effect the same month.
The EU regulations – which will impact Chinese firms whose products or services are sold in the European Union – appears to be more restrictive than the Chinese ones. The Chinese guidelines allows for silent or implied consent, for example, whereas the European rules do not.
($1 = 6.8740 Chinese yuan renminbi)
(By Engen Tham; Reporting by Engen Tham and Shanghai newsroom; Additional reporting by Shu Zhang in Beijing; Editing by Philip McClellan)