China: Proposed data security regulations
Legal reform is underway in China regarding the collection and storage of personal information and important data.
On 1 June 2017, the Cybersecurity Law of the People’s Republic of China came into effect, introducing new requirements relating to the collection, use and protection of personal data which has been generated or collected in the course of operations within China.
As part of this legislative reform, draft Measures for Assessing the Security of Transferring Personal Information and Important Data Overseas (“draft Measures”) have been proposed, which could have implications for how personal information and important data can be stored within and transferred out of mainland China. As currently drafted, the draft Measures would require an initial assessment before transferring data cross-border and a subsequent annual security assessment. In some circumstances, the transfer of data outside of mainland China would be prohibited.
To supplement the draft Measures, draft Guidelines for Data Cross-Border Transfer Security Assessment (“draft Guidelines”) have also been published. The draft Guidelines propose that all transfers should be “lawful and legitimate” (eg for a genuine business purpose) and the associated risks controllable. If the “lawful and legitimate” criteria are met, the risks associated with the transfer should then be properly considered and assessed, including the likelihood of security incidents during and post transfer. If the risks involved in the transfer are assessed as low or medium, the transfers may proceed.
Uncertainty remains around how the provisions of the new legislation and accompanying guidance will impact the current data transfer practices of foreign insurers located in mainland China, including Lloyd’s, or the insurance industry more broadly. Lloyd’s will monitor the development of the draft Measures and draft Guidelines, along with the Cybersecurity Law, and will update the market on any significant changes.