Personal Financial Data Protection and Gover?nance: A Perspective on Data Property Rights ofFinancial Organizations

Keywords： financial data property rights; data credit; financial data profiling; data governance

The Fintech space-like the overall tech space a few years earlier-is evolving at breakneck speed. Financial ser?vices are a highly regulated industry-and for good reason， as it is the lifeblood of a modern economy， and because itdeals with our live savings and data[1]. With the rapid development of the digitization of the financial industry， largeamounts of personal financial data（data and information in this article have the same meaning） and business data aredeposited in the services of financial institutions. However， the unclear property rights of personal financial data andunsound data dissemination norms lead to the stagnation of personal financial data dissemination， and there are oftena large number of missing values in financial data used for credit risk assessment， coupled with the restrictions of in?formation costs， barriers and regulations. Financial institutions do not always have effective access to complete creditapplicant information， making credit risk assessment deviate from the actual level，and cause credit losses and re?source mismatch[2]. From the analysis of penalty cases involving the use of personal financial data by financial regula?tors in 2020①， the problem of illegal use of personal financial data is diversified. This not only amplifies the vulnera?bility of the financial institution system and increases the compliance cost of financial institutions， but also presents acontemporary research issue for financial institutions to comply with the governance of personal financial data. Pleaserefer to Figure 1.

In the face of external regulatory pressure and chang?es in information technology and law， financial organiza?tions have shifted from financial electronics and financialinformation to data and artificial intelligence based fin?tech organizations[3]. The distribution and deep utilizationof personal financial data is changing the financial marketstructure. Financial organizations urgently need to breakthe barriers to the circulation of financial data， allow thesafe and orderly circulation of personal financial data be?tween industries， establish a financial credit risk preven?tion and control system centered on the analysis and re?search of personal financial information， effectively re?duce the service costs and service risks of financial organi?zations， promote the accuracy and efficiency of financialservices， and stimulate the potential commercial value offinancial data.

Personal financial data is a subset of personal data，which derives from individuals and is a precise \"profile\"that can identify a particular subject， such as personalidentity， social status， asset status， and privacy information. There is a theoretical debate whether individuals have le?gal or property rights to personal data. Some scholars argue that individuals should be granted ownership rights to da?ta[4] and usufruct rights[5] or data asset rights[6] to financial organizations， while others consider that personal data aresocial and public in nature， and it is inappropriate to grant individuals dominant rights to data to prevent the under?utilization of personal data for social purposes[7]. Due to the failure of the legal order in the property rights of personaldata， there are controversies in theory， which leads to the problems of unclear property rights， unclear boundaries， in?sufficient utilization and incomplete protection of personal financial data. Most scholars research the use of personalfinancial data from the perspectives of supervision， management and cross-border transmission of personal financialdata， but they cannot avoid the key issue： the configuration of property rights of individuals， organizations and thepublic on personal financial data.Only when the underlying logical issues of personal financial data are clearly sortedout， the protection and utilization of personal financial data can be made logical. To solve the above problems，weneed to find a balance of interests among individuals， financial organizations and the public， consider the safe and or?derly use of personal financial data， face up to the current situation of realistic control of personal financial data， andestablish a financial credit risk prevention system. In the author's opinion， individuals only have a legal interest intheir personal financial data， which is not ownership or right of domination， and can resort to legal protection underArticle 1037 of the Civil Code of the People's Republic of China only if the legal protection of personal informationis breached; financial organizations are entitled to property rights over the personal financial data they actually con?trol and manage， and may use various types of personal financial data collected in the course of services according tocontractual purposes or statutory purposes. Spervisory departments analyze and utilize a certain range of personal fi?nancial data for the purpose of enhancing social governance， safeguarding social public interests and guaranteeingimportant national decisions. This constitutes the theoretical basis for the diversified property rights system and so?cial utilization rules of personal financial data.

1 Properties and Value of Personal Financial Data

1.1 Identifiable to Specific Subjects

Financial data②and financial organization data. Personal financial information③ is data that can be identified to aspecific subject， and is important and sensitive personal information. Personal financial information comes from twoparts， one part is personal related information that data subjects actively provide to financial organizations in order toreceive financial services， which includes the name， address， ID card number， property status， work status， main familymembers and other information of natural persons. The other part comes from the personal transaction records， personalasset changes and other information formed by financial organizations in providing financial services， which has indi?rect identification and needs to be combined with other identifiers to jointly identify specific subjects. Financial organi?zation data refers to the operation， management and production information of financial organizations， including finan?cial product information， financial security information and financial operation data， etc. From the viewpoint of dataproperties and the process of generation， financial organizations are entitled to the ownership of financial organizationdata， which has exclusivity. The data of financial organizations do not have the possibility of identifying specific sub?jects and do not affect the rights and interests of individuals， which is not within the scope of this article. In general， fi?nancial data is a collection of information formed by financial organizations in the process of financial services， whichhas the functional value of identifying the specific subjects and is important and a valuable sensitive personal data.

1.2 Value Enhancement of Personal Financial Information Sets

The information provided by the data subject is a fragmented identifier of personal identity and property status，which has no value for use and no market value. Personal information has been available since before the data era. Thename， place of birth， gender， place of origin， degree， work history， property status， family and other information ele?ments of a natural person constitute the identifier of \"social identity\". At that time， there was no legal discussion on theprotection of personal information， so why is it a matter of hot issue today？ The reason for this is that discrete personalinformation cannot have an impact on a specific subject，and even has no special value to others or society. As informa?tion technology is constantly enhanced， information related to individuals continues to converge and fuse and form in?formation sets. When the collection of information about people is large enough and the samples are rich enough， it hasthe ability to analyze and predict the trend of consciousness and behavior， and the information set has the market value.This process is both the value of information aggregation to enhance. In the field of financial data， financial organiza?tions collect， store and process the fragmented personal information to form data sets in the service process. They ana?lyze and predict the consumption needs， transaction records and credit rating of individuals， design personalized mar?keting programs， carry out financial services with precision and differentiation， reduce the operating costs of financialorganizations and improve service quality.

1.3 Financial Organizations Enable Personal Financial Data to Generate Market Value

Social value， also called \"market value\"， is the symmetry of \"individual value\". Social value， which is determinedby socially necessary labor time， is the basis of commodity prices[8]. The market value of personal financial data cannotbe separated from the labor of financial organizations. When financial organizations collect， store， process， analyze andutilize unstructured personal information for better provision of financial services， they transform information with indi?vidual value into data sets with market value， so that the originally fragmented personal financial information becomesa factor of production. In this process financial organizations invest labor， property and information infrastructure tostructure and analyze the data provided by data subjects and financial organizations service data to finally form a valu?able data set. This data set is a useful resource with market value and commodity value， which can be put into a mar?ket-oriented trading platform to generate distribution value. The labor of financial organizations functions on personalfinancial data to form a personal financial data set with distribution value， transaction value， analysis value， predictionvalue， and evaluation value.

1.4 Asset Properties of Personal Financial Datasets

Data is becoming central to the business models of firms around the world. Obvious examples include data servic?es firms like Dow Jones， Factiva， and Bloomberg， as well as large technology companies like Google and Facebookwhose ability to generate valuable consumer data drives their core business of advertising[9]. Personal financial data isthe product of information technology generated in the process of providing services by financial organizations， whichcontributes to the improvement of service quality and efficiency of financial organizations while enhancing the abilityof financial organizations to reduce risks. At the early stage， personal financial data was only unstructured informationabout data subjects and account transactions. With the development of the big data era and the improvement of dataprocessing capabilities， financial organizations digitalized their business processes and have deposited a large numberof data sets to provide basic resources for analysis and prediction. Therefore， personal financial data has become an es?sential data asset with economic value and market value. Data assets not only bring value to financial organizationsthemselves， but also provide fundamental resources for data distribution and sharing among financial organizations andfinancial credit risk analysis and prediction. While the transformation of information into data assets has become a fact，the issue of property rights of data assets still needs to be further defined， in order to help to clear the relationship of da?ta rights and obligations among individuals， financial organizations and the public.

Analyzed from the perspective of financial organization management， personal financial data is a product deriva?tive of the market served by financial organizations. However， as the financial market grows and financial risks in?crease， such derivatives are gradually playing a key role. The forecasts generated by financial big data analysis are re?flected in the internal operation and management of financial organizations， and they have become an important basisfor decision-making of financial organizations.

From the perspective of financial monetary resource allocation， the limited monetary resources of financial organi?zations should be allocated to the most suitable objects， controlling financial credit risks in the moderate range， opti?mize the business environment and guarantee the healthy development of the national financial order. Financial organi?zations evaluate personal financial data such as personal assets，credit，performance， and transaction records to find themost suitable requester and allocate a risk-controlled financial money amount to achieve the optimal resource alloca?tion between financial organizations and requester.

1.5 Credit Assessment Function of Personal Financial Datasets

The social credit system is composed of credit information.Credit information has a broad sense and a narrowsense. Broad credit information refers to the meaning of honesty， public morality， justice， etc.， expanding the connota?tion and extension of the concept of credit; narrow credit information refers to the concept of general credit information，in the meaning of almost equal to the credit data[10]. China's credit information mainly comes from personal credit infor?mation， performance information， asset information and other personal financial information provided by the financialservices industry， and is provided by financial organizations to the financial credit information infrastructure databasein accordance with regulations④.

Personal financial credit information can effectively evaluate the credit rating of individuals and has high guidingsignificance for financial organizations to conduct business and prevent risks. The sources of financial credit informa?tion are mainly： first， information that can identify a specific subject， including name， address， ID card number and oth?er information that can directly or indirectly identify a specific subject; second， information related to the evaluation ofindividuals， including moral character information， such as personal character identification， information on violationsof law; repayment ability information， such as personal income and age， consumption habits; asset information， such asproperty and vehicles， stock registration information; third， special information， information collected and investigatedby financial organizations themselves for specific purposes， such as transaction records， loan records， debt information，which the debt information should pay attention to the effective legal documents of the People's Court. The purpose ofthe credit application has a certain research value， and also requires due diligence and post-loan supervision by finan?cial organizations， and the purpose of the loan is important information for assessing credit risk[11]. The above informa?tion can be used to accurately \"profile\" an individual's credit capacity， credit rating and credit risk. It is important tonote that the credit evaluation function requires big data analysis and relying on manual judgment of credit ratings is bi?ased. Big data-based credit evaluation can produce many different results in practice， and predictions and risk assess?ments are made based on the relevance of many different combinations of models and big data collections[12]. As assess?ment models diversify and big data collections continue to enrich， those who would normally be allowed to lend may beturned away because of big data credit risk assessments. Those who have a history of delinquency， despite their pastdue status， may receive a positive credit assessment as their assets improve. Big data risk assessment can remove the dis?turbance of human subjective factors and objectively reflect the credit risk of individuals for financial organizations tomake rational decisions.

Personal financial data starts with personal information， adds value to personal financial data through the labor offinancial organizations， and generates marketable values such as circulation， transaction， utilization， and evaluation，but lacks legal recognition and has compliance risks. Financial organizations are the stakeholders of personal financialdata collections， and through the analysis and examination of personal financial datasets and evaluation of individualcredit ratings， they can improve the quality and efficiency of financial organization services and reduce credit risks.Personal financial data is not only about the transaction behavior of individuals and financial organizations， but also animportant basic resource for the construction of the social credit system， the improvement of social governance and theconstruction of intelligent system of financial system. A rational allocation of the right and interest attributes of person?al financial data， balancing the interests of data subjects， financial organizations， the community and the public， and fi?nally forming a legal system that gives equal importance to the protection and utilization of personal financial data.

2 Do Individuals Have Financial Data Interests？

Personal financial data can be identified to specific subjects and have a natural connection with individuals， andwhat rights and interests individuals have to financial data are related to the flow and security of personal financial da?ta. Whether individuals enjoy legal interests or rights to personal financial data is controversial in theory. Xing Huiq?iang considers that the personal identification information and personal property information in the personal financialinformation， as it is collated and submitted by the individual customer himself， the individual enjoys full propertyrights and interests[13]. Cheng Xiao considers that an individual's right to data is not an absolute right that can be active?ly used such as property rights， and can only be protected by the tort law when the right is infringed and leads to the in?fringement of other civil rights[14]. Gao Fuping argued that the protection of personal information is essentially a legalbenefit protection， rather than giving individuals a certain right to personal information to achieve protection[15]. The au?thors consider that individuals are entitled to an interest in personal financial data， rather than giving ownership ordominance to the data subject.

2.1 Comparison of Legal Interest Protection Model and Right Protection Model in Personal FinancialData

The term legal interest originated from German scholar Michadl Bimbaum who introduced it into the field of crim?inal law around 1830. There are two views on the definition of legal interests： one broadly regards legal interests as in?terests protected by law and emphasizes the legal protection characteristics of interests， represented by Zhang Mingkaiand Liang Huixing; the other narrowly defines legal interests as having the characteristics of indirect protection， nega?tive recognition and reflexivity，which is held by scholars such as Shi Shangkuan， Hong Xunxin， Zhang Chi and HanQiang[16]. The former is broadly understood to include narrowly defined legal interests and rights， which are easy to beconfused; the latter has a ambiguous concept and features that are not easy to understand. Long Weiqiu defines legalinterests and clearly explains the relationship between rights and legal interests by using the exclusion method， thatis， \"rights are limited to those who are nominally called rights and belong to the core part of the broad legal interests，and the rest of the interests in civil law are called other legal interests\"[17]. In summary， interests are the initial form oflegal interests and rights， which are protected by law and rise to become legal interests， and rise to become rightswhen legal interests are typified[18]. Therefore， legal interest is essentially an interest， with legal protectability and le?gal properties. According to Zhang Mingkai， a legal interest must be an interest that may in fact be threatened with in?fringement in reality，and if it is not likely to be infringed or threatened， there is no need to protect it[19]. Therefore， thelegal interest is passive in nature. Once the infringement does not exist， the legal interest is not necessary to exist， andthe legal interest cannot actively rely on the request system to actively protect its own interests， as the right does. Inthe case of legal interests， the individual has only a negative compensatory role， but not an active right to claim bymeaning[20]. That is， the legal interest can only have a claim for compensation after the damage has occurred[16]

The right protection model is to grant exclusive and dominant rights to individuals. However， there are the obsta?cles to its application in the field of personal financial data. First of all， personal information has the characteristics ofbeing invisible and non-exclusive. Personal information can be stored in multiple media at the same time and appliedto multiple occasions. Personal information is scattered in multiple scenarios in social interactions， so individuals can?not accurately grasp to what extent and in what scenarios personal information is used by others. There is a certainblind spot of control， and it is impossible to achieve absolute dominance like physical property or intellectual propertyrights. It is impossible to idealize that information is controlled and dominated by individuals. Second， the right protec?tion model will cause the social utilization of personal information to be hindered， and the phenomenon of \"anti-trage?dy of the commons\" will become increasingly serious. Granting individuals the right of ownership or dominion overpersonal information， the use of personal information requires authorization or permission from individuals， which seri?ously affects the normal operation of society， increases the cost of social operation， and hinders the further release ofbig data dividends. Finally， the right boundary of the right protection model cannot be defined. The types of personalinformation cover a wide range and are applicable to many scenarios， and the boundary of rights and obligations hasnot yet reached a general social consensus. The law cannot give individuals the right to dominate personal informationindependently of social agreement and transaction habits. The granting of ownership rights to personal financial infor?mation will inevitably cause financial organizations to obtain authorization from individuals or pay consideration ifthey want to share and disseminate personal financial information， which will increase the service costs of financial or?ganizations and eventually transfer the increased costs to consumers themselves. In practice， the use of personal infor?mation requires payment of a reasonable price， and there are ethical and technical barriers in the pricing process. Thepricing of personal information inevitably increases the possibility of personal information trafficking， undermines thesecurity of personal information， and promotes criminal activities against personal information fraud. At the same time，the pricing of personal information is not feasible and operational， and violates the basic human rights concept that allpeople are equal， for example， there is a world of difference between the selling price of travel information of celebri?ties and that of ordinary people.

2.2 Defensive Legal Interests of Personal Financial Data

Personal Information Protection Law of the People's Republic of China（PIPL） treats personal information process?ing rules as a code of conduct[21]， rather than granting individuals an absolute， dominant right to personal information.PIPL is the basic law for the protection of the rights and interests of individual subjects in personal information pro?cessing， which regulates the behavior of personal information processing， and realizes the flow of personal informationuse under the premise of protecting the rights of subjects through the configuration of rights and obligations in the rela?tionship of personal information processing[22]. Rather than protecting \"static\" personal information， the processing ofpersonal information shall be governed by the principles of legality， propriety， and necessity. Where PIPL includes in?formed consent as one of the bases of legality， financial organizations may also use personal information for the pur?pose of entering into or performing a contract to which the individual is a party without the consent of the individual.Therefore， it is legal and proper for financial organizations to control and manage the processing of personal databased on the individual's consent or for contractual purposes. For example， if an individual submits personal informa?tion when applying for a loan， the financial agency has the right to use the personal information directly for contractualpurposes such as granting loans， credit analysis， collection of capital and interest， debt collection， and lawsuits. Infact， consent of individuals has been \"generalized\" and criticized by many scholars， and consent of individuals is notthe same as granting authorization， let alone the absolute right of individuals to dominate information. Therefore， thepersonal information provided by an individual to obtain financial services is not considered as an authorization ortransfer of personal information rights， but rather a transfer of personal information to financial organizations for con?trol and management， thus the individual has lost control over the personal information. However， individuals do nothave no rights and interests to financial information， because of the natural connection between information and indi?viduals. Personal financial information is the carrier of various interests such as personal identity and privacy， implicitlegal interests in personal financial information， and once the information processor infringes on the personal dignity，freedom and other basic rights of individuals， the implicit legal interests of individuals are explicit and can seek pri?vate or public remedies

Personal autonomy， identity interests，and equality interests derived from the protection of human dignity in theprocessing of personal financial information[15]. The individual has a negative， defensive legal interest in the processingof personal financial information. That is， the right to prevent the improper processing （utilization） of personal informa?tion that violates the dignity and freedom of the individual （subject）， a right that is inherent to the human being andshould be protected and not lost or unprotected because of the individual's willingness（consent）[22]. Defensive legalinterests include consent before information processing， correction， deletion and withdrawal during information process?ing， and lawsuits against wrongful acts after information processing.

2.3 Obligations to Protect Legal Interests of Personal Financial Data

Personal financial data originate from individuals and are digital records concerning personal identity， property，social status， and other identifiable specific subjects， which are managed and controlled by financial organizations inreal time. The paradigm of protection of personal financial information should not be to allocate dominant rights to in?dividuals over personal financial data， but rather individuals should enjoy protection of legal interests in the processof financial data processing， and such legal interests are a passive defensive legal interest. When personal informa?tion is infringed in the process of financial data processing， individuals have the right to claim to copy， access， delete，correct and compensate personal information. There are two elements that need to be satisfied for a personal financialinformation subject to claim the right to request， namely the general element and the special element. The general el?ement is that the personal rights and interests of the subject of personal information are being infringed or are in dan?ger of being infringed due to the processing of personal information， and the special element is that the provisions ofspecific laws related to the protection of personal rights and interests in the processing of personal information arebreached[23].

Financial organizations， system platform designers， and government department's all have protection obligations.As the direct protector and beneficiary of personal financial information， financial organizations need to use their owntechnical capabilities and instruments to strictly protect the safety of personal financial data and implement the require?ments of personal financial information protection under the supervision of the national information security supervi?sion and management department. Designers of financial data system platforms should also develop system platformsthat comply with the protection， utilization and circulation of personal financial information from the perspective of un?derlying code and algorithm logic. General Data Protection Regulation（GDPR） adopts \"data protection by design\" as aguiding principle， the core idea of which is that privacy protection is not only an after-the-fact legal remedy， but alsothe concept of privacy protection needs to be carried out throughout the design of product development to ensure thatinformation controllers and processors as well as product developers practice data protection[24]. Data subjects are in avulnerable position in data protection，and there is an urgent need for government departments to implement supervi?sion and management powers. On the one hand， the government departments carry out dialogue and cooperation withinternational data protection agencies to exercise the world discourse on data protection and flow in China， and on theother hand， supervise data enterprises to use personal information in compliance with the law.

3 Configuring Data Property Rights for Financial Organizations

With the increasing scale and value of financial data， there are multiple rights and interests on personal financialdata. The reasonable arrangement of data subjects and financial organizations' rights and interests configuration is thekey issue. Under the dual pressure of collection limitation principle and purpose specificity principle， the use of per?sonal financial data by financial organizations is still on thin ice.There is an urgent need to \"untie\" financial organiza?tions in terms of laws and administrative regulations and give them property rights over personal financial data. Onlywhen the data flow and sharing can be completed among financial organizations can a financial credit risk preventionand control system be established， and the potential value of personal financial data be activated to serve the healthydevelopment of the national financial system

When financial organizations exercise their property rights to financial data， the defensive legal interests of indi?viduals serve to supervise and restrain financial organizations from unlawfully infringing on the interests of individualsin terms of human dignity and freedom. In the event that a financial organization breaches the norms of processing be?havior and infringe upon the interests of individuals， individuals have the right to exercise legal remedies. The defen?sive legal interests of individuals and the property rights of financial organizations are set up separately， and each isfunctionally independent and mutually restrained. The unique system of separation of three rights of rural land in Chi?na's legal system， sets ownership， contracting and management rights of the same rural land are set separately. Theserights have both overall utility and individual functions to protect the rights and interests of different subjects and pro?mote the maximum utility of land resources.

3.1 Motivations for Rightsizing of Personal Financial Data

Rightsizing data assets is the process of \"writing\" the defined， desensitized or described data into the record carri?er controlled or entitled to use by the controller of big data. It is the process of \"evolving\" big data into the subject oftransaction，and transforming data that is merely an information carrier into data with legal significance. The process oftransforming data with legal significance[25]. The shift from data assets to data rights needs to address the issues of rea?sonable empowerment and interest measurement. The allocation of rights and interests on personal financial data is notsimply to attribute data to a certain party， but to reasonably measure the interests of multiple subjects， seek effective le?gal arrangements for multiple values on data， and realize the multiple protection of legal rights and interests on person?al financial data by legal norms.

3.1.1 Empowerment for the Purpose of Data Dissemination and Utilization

Personal financial data originates from the data subject providing and financial organizations operating deposits，is managed and maintained by financial organizations data set， which have become an important financial organiza?tions. Even if financial organizations does not have property rights to financial organizations， the fact that they controland utilize it doe snot cause a greater impact on them. The question is whether financial organizations have the right toshare， flow and trade with the outside world， which is the fundamental issue of empowerment. If only financial organiza?tions control personal financial data for their own use， they do not need legal empowerment because they have alreadyrealized the internalized use of data by virtue of their financial business needs. The empowerment of personal financialdata should achieve two most central purposes. First， to stimulate financial organizations to provide personal financialdata to society and build up a compliance market for the orderly sharing， flow and safe transaction of personal financialdata. Second， to establish a financial credit risk prevention and control system based on personal financial data shar?ing， analysis and decision prediction among financial organizations， and finally to build a personal financial credit rat?ing evaluation system. The value of data is in the dissemination and utilization， and personal financial data is benefi?cial to the financial industry or other industries to improve service capability， analyze consumption habits， and betterprovide quality services to consumers.

3.1.2 Empowerment Based on the Purpose of Building Credit Risk Management System

Firms are using Big Data to improve their fraud detection and prevention capabilities. Big Data has been used tocollate vast amounts of information on customer behavior， market behavior， and environmental issues which will allowfirms to predict what causes frauds[26]. Financial credit system is an important part of social credit system construction.The fundamental resource of the financial credit system is personal financial data. The analysis and prediction of per?sonal financial data are the most effective measures for financial organizations and supervisors to fight against financialrisks. Based on the purpose of credit risk prevention and control， property rights are given to financial organizations sothat they have the property rights to possess， use and gain personal financial data. This allows financial organizations toshare personal financial data under the legal framework. And gradually establishes a credit point or rating system inthe social credit system to reward people with higher credit and restrict people with lower credit delivery. In administra?tive management and public services， we will provide \"green channel\"， shortage tolerance and simplified proceduresfor people with high creditworthiness. We will also provide exclusive financial products for people with high creditwor?thiness in the field of finance and credit. Gradually， a system of credit risk management， credit evaluation， creditpoints， credit rewards and restrictions will be established in social governance.

3.1.3 Empowerment for the Purpose of Fact-Based Management Control

The essence of data circulation is based on the legal control of data， and the data controller may not only use ithimself， but also license it to others， as long as such authorized use does not infringe the rights of others and does notviolate prohibited legal provisions[27]. Once the law admits that the data controller's control over data rises to a propertyright， it is conducive to motivating data controllers to exploit and protect data， opening the data Pandora's Box and re?lease the great value of data.

From the perspective of the civil law theory of possession， financial organizations have the \"physical\" and \"mental\"elements to possess personal financial data， in line with the theory of Savigny's possession[28]. Financial organizationscontrol and manage personal financial data based on legal norms and facts， in line with the duality of facts andnorms[29]. Financial organizations have de facto control and regulatory legitimacy over personal financial data. In termsof \"mental\" element， financial organizations have the intention to process， manage， analyze and utilize personal finan?cial data. From the perspective of the purpose of control and willingness to control， it is more reasonable and scientificfor financial organizations to use their technical capabilities to manage and control personal financial data in real timein order to improve their services， to deter regulatory pressure， and to enhance their management capabilities， which isin line with the laws of marketization. Therefore， personal financial data is fully controlled by financial organizations，and most of the data is generated by financial organizations based on operational services. In other words， propertyrights should be granted to financial organizations， which should use personal financial data reasonably under the prem?ise ofactualcontrol，and bring into play the maximum effectiveness ofpersonalfinancialdata.

Personal financial data is a dynamic and continuous resource. As basic personal information changes， transactionrecords are updated all the time， and the financial market environment and social environment are constantly changing，it will have an impact on personal financial data collection and storage. Financial organizations play a unique conve?nience that allows them to keep an eye on data updates and timeliness. The continuous control and management of fi?nancial organizations consume large costs， and personal financial data is diverse and fragmented data， while the contri?bution of financial organizations' information construction and data governance system is indispensable to form struc?tured data that can be used for analysis and utilization. The original data left by users is disorganized and does not haveuse value， only after processing and analysis can the data provide useful information and become a commodity with usevalue and value[30]. The granting of any property right must be based on a de facto capacity for possession and domina?tion， and the so-called legal empowerment is only the confirmation and definition of the legitimacy of such control （in?cluding the limitation of the scope and effect of the right）[31]. Financial organizations are the \"gatekeepers\" of personalfinancial data， and they invest a lot of manpower and material costs in managing， utilizing and protecting personal fi?nancial data for a long time. Financial organizations always pay attention to the changes of personal financial data andadopt the strictest data security measures to ensure the legitimate use of personal data. Therefore， financial organiza?tions should enjoy the fruits of their input and labor—rightsized personal financial data.

3.2 Financial Data Flows under the Supervision of Data Protection Authorities

A state may claim ownership of data its subjects （or residents） are required to provide when they are situated inthe country （data localisation） or it may impose rules on the use of the data by third parties[32]. Personal financial datacontains important sensitive information and private information， which can directly or indirectly identify specific sub?jects， and once personal financial data is leaked or illegally transmitted across the border will seriously affect personalproperty security， social peace and national sovereign security. In the Information Security Technology Personal Infor?mation Security Specification provides that personal financial information is classified as personal sensitive informa?tion， strict requirements should be followed when collecting personal sensitive information[13]. From 2019 to 2021， thefinancial regulators have seen a significant increase in penalties related to inadequate protection of personal financialinformation and violations of regulations governing the protection of financial consumers' rights and interests. Pleaserefer to Figure 2. Among them， the causes directly related to \"inadequate protection of personal financial information\"appeared 40 times in 2021， mainly divided into the following four sub-categories. Please refer to Table 1. By analyz?ing the regulatory direction， the capability and level of personal financial data governance can be further improved. Fi?nancial organizations are required to establish high-level security protection systems and security management sys?tems under the strict supervision of data protection agencies. Establish internal staff hierarchical access to informationprivilege configuration to prevent internal leakage of personal data. The technical solutions and security precautions forthe collection， storage， management and utilization of personal financial data need to be risk assessed by data protec?tion agencies to ensure that data is not leaked or transmitted across borders.

The dissemination of personal financial data also requires the establishment of a unified， standardized and securedata circulation platform， and there are two models for the establishment of this platform. Firstly， personal financial datais an important resource for financial institutions. Financial institutions have a strong willingness to control personal fi?nancial data to protect their own interests， so it is difficult for them to share it voluntarily. However， the personal finan?cial data controlled by financial institutions is also limited， and the value of big financial data can only be broughtinto play if the contradiction between self-interest and shared interest is dealt with; secondly， the financial regulatorestablishes a personal financial data dissemination plat?form， and financial institutions upload personal financialdata in accordance with data dissemination standards，which is a more common practice internationally， and thecredit system of the People's Bank of China adopts thismodel. However， this model requires too much technicalcapacity of regulators， single management subjects， and in?sufficient market vitality for intelligent analysis and utiliza?tion of data. As China is at the primary stage of personal fi?nancial data collection， utilization and circulation， it is nec?essary to draw in-depth reference from the EU systemwhere data protection and personal financial data circula?tion are more developed， to complete the circulation man?agement of personal financial data in a more refined， stan?dardized and efficient form， and to transform from a roughand loose mode to a refined mode of personal financial dataprotection and circulation. Represented by the EuropeanMarket Infrastructure Regulation and Financial Market In?frastructure Directive， the norms provide for financial dataregulatory reporting obligations and financial data stan?dardization requirements. On the one hand， regulators arerequired to develop data management systems to improvetheir ability to receive and process the large amount of datadelivered by the financial industry. On the other hand， reg?ulated institutions are required to collect and transmit moredata， triggering a new FinTech cycle from the top down[33].The EU model gives China's personal financial data regula?tion and circulation rules to play a model role， indicating the direction of improvement. First， to enhance the process?ing capacity of the financial data regulator， including personal financial data classification and management capacity，artificial intelligence analysis capacity， change the People's Bank of China credit system is only a single \"data storageand display\" function. The function of the People's Bank of China credit system is only \"data storage and display\".Classify the data collected， controlled and managed by the People's Bank of China in a hierarchical manner， and ini?tially analyze and process personal financial data collections for initial decision making by financial institutions， whichmay also use data \"sharing pools\" under the available data levels according to their own service purposes. Second，strengthen the ability of diversified and standardized collection of personal financial data， and change the problem of asingle source of personal financial data and insufficient collection of non-standardized data in the credit center of thePeople's Bank of China. The richer the information collection and the more extensive the sources， the better the data\"portrait\" matches the real situation of individuals， which is conducive to financial institutions to penetrate the veil andunderstand the real property status， money usage， credit situation and other important assessment information. At thesame time， from the perspective of financial order governance and financial risk prevention， the circulation of personalfinancial data between financial institutions and regulators helps regulators monitor the operation of financial institu?tions and protect the safety of personal financial data. Regulators can also analyze the \"shared pool\" of personal finan?cial data to judge the health of the national financial market， make appropriate predictions and regulation before theeconomic downturn， and prevent the emergence of U.S. \"subprime crisis\".

4 Conclusion： Improvement of PIPL

The value of data lies in its dissemination. Personal financial data is data about the interests of individuals and fi?nancial institutions， and there are multiple interests on personal financial data. Personal financial data is collected，stored， managed and utilized by financial institutions， which is an important resource for financial institutions. At thesame time， personal financial data also concerns the construction of credit system and financial system， which involvessocial and public interests. With the technical means of big data and artificial intelligence analysis， the utilization ofpersonal financial data determines the establishment of financial credit system and the upgrading of financial marketservices. Fintech is based on big data， artificial intelligence and cloud computing， of which， big data is the basic com?puting material[34]. The personal financial data deposited down in financial institutions needs to be realized from controlto empowerment， and the legislature needs to face up to the value of factual control and give property rights to financialinstitutions to realize the value of personal financial data. After the enforcement of PIPL， the author suggests that forspecial personal financial data， medical and health data， traffic data and other important and sensitive data with strongsocial public interest attributes， the author takes the initiative to empower data controllers with property rights to real?ize the strength of data protection and maximize data utilization， and use the market law to stimulate the potential of da?ta controllers to protect and utilize data. The PIPL as the general legal regulation and the special law for the purpose ofregulating the protection， circulation and utilization of special data such as financial， transportation and medical datatogether constitute the legal system for personal information protection. Through the empowerment model instead of thebehavior regulation model， the boundary of rights and obligations of data controllers is delineated， and the right to cir?culation of special data is fully guaranteed. In the circulation and protection of personal financial data， the system of da?ta \"gatekeeper\" is added， and the rights， obligations and responsibilities of data controllers or processors are config?ured. The responsibilities and obligations of data storage and circulation carriers-data platform designers and produc?ers are also added， so as to regulate the circulation of personal data from the perspective of underlying algorithms. It istechnically feasible and economically reasonable to ensure algorithmic justice in the technical and operational environ?ments， and to upgrade from a monolithic protection subject to a pluralistic protection subject.