China Cybersecurity Law.

Legal News & Analysis - Asia Pacific - China - Cybersecurity - Insurance & Reinsurance

4 December, 2017


China is at the forefront of fintech and digitalisation, and the insurance industry is no exception. Until recently, the rules and regulations relating to personal data and network security were relatively loose and scattered. This changed when the Cybersecurity Law (CSL) came into effect on 1 June 2017 giving wide-ranging powers to a new and well-resourced regulator – the Cybersecurity Administration of China (CAC) – which will work with sector-specific regulators, such as the China Insurance Regulatory Commission (CIRC). Insurers in China are in the process of reviewing their existing operations to navigate the new regulatory environment. 


CSL’s scope is broad and includes, among other things, obligations on businesses to improve network security and IT systems generally, co-operate with government agencies in the national and public interest, obtain customer consent for collecting personal data and places restrictions on the storing and transferring of data. It is followed by other rules and guidance which will determine many of CSL’s practical implications. In this article we look at two important aspects for insurers in China.


Localisation and cross boarder transfer of data etc


CSL contains particularly onerous obligations in relation to Critical Information Infrastructure (CII), a term which covers “critical industries and fields like public communications and information services, power, traffic, water, finance, public service, electronic governance ... and other critical information infrastructure ... which if [lost, damaged or compromised] ... will result in serious damage to the national security”. The CSL definition is broad and additional guidance and decisions are expected to clarify what will constitute CII and who will be classified as CII operators. However, CII may well include insurance operations handling substantial amounts of Chinese customer data.


Of particular importance to foreign-owned insurers is the requirement that CII operators must store locally all personal information and important data gathered and produced in China. This requirement may force CII operators to use servers in China and to segregate their Chinese data from global databases.


Cross-border transfer of personal data will also be regulated. According to a draft of the relevant implementing rules, the new regime will come into effect on 31 December 2018 and broadly provides that (i) customers’ consent must be obtained for cross-border transfers and (ii) large cross-border transfers of personal data or particularly sensitive information require prior regulatory approval whereas other cross-border transfers will be subject to self-assessment.


Collection and use of customer data


CSL contains measures to protect customers’ personal data. When collecting personal data, the network operator must obtain the data subject’s consent and disclose the purposes, means and scope of the collection and use of the personal data. Further, the personal data must be kept secure and not be used for unrelated purposes. Individuals also have a right to request network operators to delete their personal information and to make corrections to it.




These legislative provisions are new and the CSL contains no express grandfathering provisions. Insurers should reassess customer onboarding procedures and IT and administrative processes and decide whether customer consents obtained in the past are sufficient.

Ashurst Logo

For further information, please contact:


Daniel Öhvall, Ashurst

[email protected]