Insurance Connect: Data privacy challenges for Hong Kong insurers setting up Greater Bay Area Service Desks
As part of the plans for the financial integration of the Guangdong-Hong Kong-Macao Greater Bay Area (GBA), the China Banking and Insurance Regulatory Commission and the Hong Kong Insurance Authority have been working on an “insurance connect” scheme (Insurance Connect). The aim of Insurance Connect is to facilitate cross-border insurance business and eventually to allow the cross-border sale of insurance products within the GBA.
The South China Morning Post is now reporting that the first stage of Insurance Connect will involve the Hong Kong Federation of Insurers setting up service centres in two mainland PRC cities in the GBA (GBA Service Centres). These GBA Service Centres will provide shared facilities for Hong Kong insurance companies to set up post-sales service “desks” (GBA Service Desks) to service their existing policyholders living in the GBA by handling claims, updating policyholder information and processing premium payments etc. Cross-border sales of new policies will hopefully follow later.
One of the regulatory challenges a Hong Kong insurer establishing a GBA Service Desk will face is the need to transfer personal data from Hong Kong to mainland China and then back again into Hong Kong. This article considers cross-border data transfer restrictions under Hong Kong law and compares these with those under Chinese law.
Transferring personal data from Hong Kong to mainland China
The Personal Data (Privacy) Ordinance (the PDPO) does not currently restrict the transfer of personal data outside Hong Kong, including to mainland China. This means insurers do not currently require any special measures to transfer personal data from Hong Kong to anywhere else in the GBA.
Section 33 of the PDPO does contain provisions restricting the transfer of personal data outside of Hong Kong. However, this section has not yet been enacted. The Privacy Commissioner for Personal Data (the Privacy Commissioner) has for some years pushed for s.33 to be brought into force and has prepared for when that happens. Hong Kong insurers who intend to establish a GBA Service Desk would therefore be well advised to ensure they will be able to comply with s.33 as and when it becomes law.
Section 33(2) of the PDPO will, when enacted, prohibit the transfer of personal data outside Hong Kong unless at least one of the following exceptions applies:
a) whitelist: the Privacy Commissioner approves the place to which the personal data is transferred on a “whitelist” of places to which personal data may be transferred;
b) similar laws: the data user has reasonable grounds for believing that the place to which the personal data is transferred has privacy laws that are substantially similar to or serve the same purpose as the PDPO;
c) consent: the data subject consents in writing to the transfer of their data outside Hong Kong;
d) mitigating adverse action: the data user has reasonable grounds for believing that: (i) the transfer avoids or mitigates adverse action against the data subject; (ii) it is not practical to obtain the data subject's consent; and (iii) the data subject would likely consent to the transfer if asked;
e) DPP 3 exemption: the personal data is exempt from Data Protection Principle 3 (for example, where the personal data is being transferred for the purposes of emergency rescue operations or relief services); or
f) reasonable precautions: the data user has taken all reasonable precautions and exercised all due diligence to ensure that once transferred, the data will not be handled in any manner that would violate the PDPO if it occurred in Hong Kong.
Whilst the term “transfer” is not defined under the PDPO, the Privacy Commissioner has clarified that personal data will be regarded as being “transferred” under the PDPO when either:
- a copy of data is transmitted or sent to a person located outside of Hong Kong; or
- the data is stored locally in Hong Kong but access to the data is provided to a person located outside Hong Kong.
This means that the restrictions in s.33 of the PDPO will apply regardless of whether a GBA Service Desk accesses personal data remotely from a server in Hong Kong, or whether a copy of that data is sent to the GBA Service Desk to be hosted on a computer there.
Mainland China currently lacks a comprehensive general data privacy law similar to the PDPO, although the National People’s Congress has announced plans to introduce such a law. Until that law is introduced, it seems unlikely that the Privacy Commissioner will “whitelist” mainland China, or that Hong Kong insurers could use the “similar laws” exception to justify transferring personal data to mainland China.
A Hong Kong insurer could seek consent from data subjects to the transfer of their personal data to a GBA Service Desk, but this poses a number of practical problems. It is arguable that for that consent to constitute genuine consent the data subject would need to be given the option to refuse to have their personal data processed outside Hong Kong; in which case the insurer would need to make alternative arrangements to process that person’s personal data in Hong Kong. Furthermore, consent would be required from all individuals whose personal data was to be processed by the GBA Service Desk. This would include the policyholder and beneficiaries to the policy, but also a range of individuals who may be involved with a policy claim – such as counterparties, witnesses, investigators and doctors etc. It may be impractical for the Hong Kong insurer to obtain consent from all these individuals.
The “mitigating adverse action” and “DPP 3 exemption” exceptions may be useful in specific situations, but will not apply to most of the personal data handled by a Hong Kong insurer.
The “reasonable precautions” exception is likely to be the most useful for a Hong Kong insurer establishing a GBA Service Desk. To rely on this exception, the Hong Kong insurer would need to put precautions in place and exercise all due diligence to ensure that any personal data it transferred to the GBA Service Desk would be treated in accordance with the PDPO. How a Hong Kong insurer can do so would depend on whether its GBA Service Desk was operated by the Hong Kong insurer itself or by a separate entity. If the Hong Kong insurer operates its GBA Service Desk itself, then it would be able to put internal governance and due diligence measures in place to ensure that any personal data accessed by the GBA Service Desk was treated in accordance with the PDPO. If another entity operated its GBA Service Desk, the Hong Kong insurer would need to enter into an agreement with that entity under which that entity would agree to treat all personal data it handled in operating the GBA Service Desk in accordance with the PDPO. The Hong Kong insurer would also need to periodically check that the entity was complying with those obligations.
Transferring personal data from mainland China to Hong Kong
At present, there is no unified privacy and data protection law in mainland China. The rules on the cross-border transfer of personal data out of mainland China are still in their infancy and are proposed and discussed across a variety of draft regulations and national standards.
As for the definition of “cross-border data transfer”, a draft Chinese national standard, the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment) (《信息安全技术 数据出境安全评估指南（征求意见稿）》) (Draft Assessment Guidelines), provides that personal data will be regarded as being “transferred across the border” when:
- a copy of the data is provided to subjects within the territory of China, but not under the jurisdiction of or not registered in China;
- the data has not been transferred and stored outside China, but has been accessed and viewed by institutions, organisations, and individuals outside China (except for public information and web page access); or
- the internal data of a network operator group is transferred from domestic to overseas, involving personal data collected and generated during its operations in China.
This means that if personal data collected or generated by a GBA Service Desk in mainland China is provided to, or is accessed or viewed by, an insurer in Hong Kong, this will be regarded as a “cross-border transfer”.
Article 41 of the Cyber Security Law of the People’s Republic of China (《中华人民共和国网络安全法》) (the CSL) and Article 1035 of the Civil Code of the People’s Republic of China (《中华人民共和国民法典》) (the Civil Code) require that an entity which processes personal data should expressly notify data subjects of the purpose, methods and scope of such processing, and obtain the consent of the data subject. This means that, if the GBA Service Desks intend to process personal data in mainland China, they should inform the data subject of the purposes of such processing and obtain their consent.
Data localization and security assessment requirements under the CSL regime
The CSL provides that “citizens’ personal information and important business data collected and generated in the operation of critical information infrastructures (CIIs) operators (CIIOs) within the territory of the People's Republic of China shall be stored within the territory. Where it is necessary to provide such information and data abroad due to business needs, security assessment shall be carried out according to the measures formulated by the national Internet information department in conjunction with the relevant departments of the State Council; if there are other provisions in laws and regulations, those provisions shall prevail.”
The CSL only provides some examples of the industries in which CIIs may exist (including public communication and information service, energy, communications, water conservation, finance, public services and e-government affairs) and leaves the detailed scope of CIIs and relevant security protection measures to the implementation rules to be issued by the State Council.
Under the CSL, only the CIIOs are required to comply with the requirements of data localisation and security assessment for cross-border data transfer, and there is no data localisation requirement or cross-border data transfer security assessment requirement for ordinary network operators. However, the CAC issued the Measures on the Security Assessment of Cross-Border Transfer of Personal Information and Important Data (Draft for Comment version and Revised Draft version) (《个人信息和重要数据出境安全评估办法》(征求意见稿和修订稿)) (the 2017 Draft Assessment Measures) in 2017 and the Measures on Cross-border Transfer of Personal Information (Draft for Comment) (《个人信息出境安全评估办法（征求意见稿）》) (the 2019 Draft Assessment Measures) in 2019, both of which appear to expand the data localisation requirement and cross-border data transfer security assessment requirement to all network operators.
Both the 2017 and 2019 Draft Assessment Measures require network operators to conduct a security assessment before transferring personal data collected and generated within the territory of China overseas. Under the 2017 Draft Assessment Measures, the security assessment may be conducted by the network operator itself or by the competent authority, depending on the category, quantity, and importance of the data to be transferred. By comparison, the 2019 Draft Assessment Measures require that a network operator report to the cyberspace authority at the provincial level, which will then conduct the security assessment. If the security assessment is failed, the personal data cannot be sent to the overseas recipient. The 2019 Draft Assessment Measures apparently adopt a more stringent and rigid approach to the cross-border transfer of personal data. It remains to be seen whether the 2019 Draft Assessment Measures, which are subject to debate, will pass as they are.
Existing data localization requirement in the insurance industry
It is worth noting that, before the promulgation of the CSL, the China Insurance Regulatory Commission (CIRC) had already issued a number of regulations (or draft regulations) requiring that “business data, financial data or other important data” of insurance companies should be stored within China (collectively CIRC Regulations). The CIRC Regulations do not specify the meaning of “business data” or “important data” but they are generally understood to include personal data of policyholders and the insureds. It is unclear whether the GBA Service Centres would also be subject to this data localisation requirement as if they were insurance companies registered in China, or whether they would be exempt from this requirement on the basis that they are not insurance companies registered in China.
According to the 2020 legislative work plan of the National People’s Congress Standing Committee, a separate Personal Information Protection Law and a Data Security Law will be submitted for deliberation. These new laws are likely to contain requirements on the cross-border transfer of personal data and may have an impact on cross-border data transfer practice in the GBA.
Draft Assessment Guidelines (《信息安全技术 数据出境安全评估指南（征求意见稿）》), section 3.7, Note 1: “The following circumstances constitute cross-border data transfer:”
The Draft Assessment Guidelines adopt a methodology similar to that of the 2017 Draft Assessment Measures, under which the security assessment is classified as either self-assessment or assessment by the competent authority, and the assessment will be initiated by the competent authority when the data to be transferred abroad meets certain conditions in category, quantity, scope, and importance.
These CIRC Regulations include: the Guidelines on Acceptance Inspection for Commencement of Business of Insurance Companies (2011) (《保险公司开业验收指引》), the Insurance Organization Informatization Regulatory Rules (Draft for Comment) (2015) (《保险机构信息化监管规定（征求意见稿）》), and the Guidelines for Insurance Companies on Information System Security (Trial) (《保险公司信息系统安全管理指引（试行）》).