Digital Business Practice Group

Personal Data Protection Comes to China

Thursday, 17 May 2018 19:27

May 4, 2018


China’s long-awaited new National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2017 (the “Regulations”) came into force on May 1, 2018. The Regulations are arguably China’s most important personal data protection rules, representing new standards for the handling of personal data.

The Regulations supplement rather than abrogate China’s existing patchwork of data protection laws and regulations. Although the Regulations themselves are not legally binding, they dovetail with China’s 2017 Cybersecurity Law and Consumer Protection Law which are binding. Furthermore, over the coming months, regulators will be pressing for compliance with the Regulations, so organisations operating in China are strongly advised to review and update their China data protection policies and practices to reflect the new standards.


Summary of Key Features

  • Clarification of key data protection concepts and definitions.
  • Personal data is defined as either “personal information” or “sensitive personal information”, with the latter subject to more stringent data protection (e.g. all personal information of persons under 14 years of age is categorized as “sensitive personal information”).
  • Explicit consent is required for collection of sensitive personal information or use of personal information for any new purpose.
  • Inclusion of certain prescribed information in all privacy notices, including but not limited to (for business use) personal information collection and processing rules such as the collection method and frequency, place of storage, and frequency of collection; if data is shared, disclosed or transferred, the types of data involved, the types of the data recipients, and rights and obligations of each party; data subject rights, and complaint handling; security principles followed, and security measures implemented.
  • Personal information security impact assessments are required for: (i) outsourcing of data processing; (ii) sharing and transfer of personal information; or (iii) disclosing personal information to the public.
  • All personal information collected/produced in China and transferred to or shared with offshore parties requires a security assessment and all such assessments must be conducted in accordance with yet-to-be-released official standards and procedures.
  • All requests for access to, correction of, copies and deletion of personal information, and withdrawal of consent must be responded to within 30 days, and there should be no charge for any reasonable request unless repeated requests are made within a certain period of time.
  • New standards and procedures for effective data protection that organisations need to comply with, including: (i) drafting, implementing and updating privacy policies and corresponding procedures; (ii) privacy training; (iii) security impact assessments and audits.
  • Organisations must appoint a data protection officer and a dedicated data security team to be directly responsible for the protection of personal information.
  • Data breach notifications: a specific incident response plan is required together with periodic reviews and rehearsals and organisations must keep a record of incidents detailing the scope of such breaches.
  • Periodic data protection impact assessments which must be carried out at least annually.


OLN Insights

The Regulations do not bring China’s data protection framework as close to GDPR standards as some commentators have predicted, but they are an unmistakable sign both that the PRC government takes data protection seriously and that it is moving towards adopting international best practices in this space. This will be welcomed by international businesses that are currently undertaking GDPR compliance reviews and are now turning their attention to their China practices. Nevertheless, clear local distinctions (notably regarding data localisation, the requirement for consent, and restrictions on handling of non-personal data) remain in China and must be specifically addressed.

Over the course of the next year or so, we should see new and updated national standards promulgated to cover key areas such as data anonymisation, handling of big data, overseas data transfers, and diverse aspects of information security. Some of these implementing standards will simply adapt existing ISO standards.

We are continuing to monitor regulatory developments in this space and will report as and when they occur. In the meantime, organisations with data exposure to China need to appreciate that enforcement action in the data protection sphere is already a reality in China and as this regulatory and enforcement framework continues to evolve, they need to take steps now to review and update their compliance programmes to ensure these comply with the Regulations.

EU Regime: When Blockchain meets GDPR

Friday, 10 November 2017 15:18

The General Data Protection Regulation (GDPR), a single, pan-European law for data protection, comes into force on 25 May 2018 and regulates the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.

However, when one harmonized set of regulations meets Blockchain, a decentralized and self-maintaining technology, how much can an individual be reassured that they can still maintain control over their personal data as promised under the GDPR?

Why should an EU regulation, which only becomes applicable on 25th May 2018 have any relevance in Hong Kong today?

The answer is because the GDPR has a global footprint and so, if you already have a company which is registered within the EU or intend to have one incorporated before 25th May 2018, then the GDPR will apply. The GDPR will also apply to organisations that: (i) do not physically process data in the EU but are ‘established’ (i.e. exercise a real and effective activity) in the EU, or (ii) do online business with representatives in EU countries. If you have customers who are EU citizens, you will have to comply with the GDPR too.


Some legislation provides a “grace period” for implementation, but that does not apply to the GDPR. Besides, the GDPR is a regulation, not a directive; it has binding legal force and therefore, by 25th May next year, every relevant company must have in place a fully thought through protective environment and protocol for the collection, handling and storage of personal data. This includes defining access permission, passwords and data encryption.


Most important is the requirement that all unencrypted data breaches must be reported to the relevant national data protection authority (Supervisory Authority) within 72 hours; if not, draconian sanctions are applicable and we are told they will be enforced. This reminds us that there is a real need for every company, especially a company which has a European footprint, to have in place proper and detailed protocols to deal with data breaches and cyber-attacks. Billions of dollars are already lost each year through email fraud and now there is an ever-expanding threat of cyber-attack on data, whether through malware, ransomware or the like.


So, does your company yet have in place plans and protocols that can prevent or reduce the risk of any such cyber-attack? Has that yet been considered? After an attack has taken place, it will be too late.

Typically, there should not only be an initial compliance plan to monitor the risk of any such attack, but there then needs to be an instant response plan. From a legal point of view, there will also be the questions of whether law enforcement agencies are required to investigate and prosecute, so when should the incidents be reported, how should the reporting be performed, what evidence should be collected and how should that evidence be collected? Part of this process will be the required communication response to reduce reputation risk. The world is becoming more and more international and so there is a greater threat to business through an increasing reliance on e-commerce and continuity in cyber space.


OLN in Hong Kong and through its international network of Law Firms can assist in this area. Should you want more information, please do not hesitate to contact Stephen Chan at


Give Me My Personal Data!

Monday, 09 October 2017 13:32

1. What is a Data Access Request (“DAR”)

In the course of business dealings, your company may have collected, held, processed or used the personal data of employees or other individuals. These people (each a “requestor”) are entitled to request your company to supply them with a copy of the personal data held. This is called a data access request (“DAR”) and is a core right contained in the Personal Data (Privacy) Ordinance (“Ordinance”).

2. Complying with a DAR

a. When your company receives a DAR, it should:

(i) ascertain the identity of the requestor;

(ii) assess whether it holds the relevant personal data; and

(iii) respond within the statutory time limit.

Personal Data?

b. A requestor is not entitled under a DAR to access data which is not personal data or personal data not belonging to him. To constitute personal data of an individual, the data must firstly relate directly or indirectly to the individual. Secondly, it must be possible from such data to directly or indirectly determine the identity of the individual.

For example, in a performance appraisal report where the appraising officer states his opinion about the aptitude and performance of the appraisee, such opinion will constitute the personal data of the appraisee. On the contrary, recorded opinion about the performance of a property management company expressed by an owner during an owners’ meeting will generally not constitute the personal data of that owner.

Holding relevant Personal Data?

c. If your company holds the relevant personal data, it should supply a copy of the requested data in an intelligible form and within 40 calendar days after receiving the DAR, unless a specific exemption applies. If the Privacy Commissioner concludes that there is a breach of the Ordinance after investigation, he may serve an enforcement notice on the data user concerned directing it to take steps to remedy the situation and, where appropriate, to prevent any recurrence. Non-compliance with an enforcement notice is an offence which may result in a fine and imprisonment.

d. If your company does not hold the requested data, it is still required to inform the requestor in writing within the 40-day time limit that it does not hold the data.

e. If your company has already destroyed the requested data it is required to inform the requestor that it no longer holds the data. To avoid any suspicion of bad faith, your company may explain the reason for destroying the data to the requestor.

Should you provide “All personal data”?

f. Where the description of the requested data is too generic, especially where there have been extensive dealings between your company and the requestor during which a large amount of personal data has been generated, your company should seek clarification from the requestor. If the requestor fails to supply the information reasonably requested for locating the requested data, your company is entitled to refuse to comply with the DAR.

g. Having said that, your company may not simply rely on the fact that the request is made in too broad or generic terms to refuse to comply with a DAR. If you are aware of and can reasonably locate the requested data without any further specification from the requestor, the data user should comply with the DAR.

3. Charge for Complying with a DAR

a. Your company may impose a fee for complying with a DAR which should not be excessive, and should not charge a fee on a commercial basis. It should clearly inform the requestor what fee, if any, will be charged as soon as possible and in any event not later than 40 days after receiving the DAR.

b. Fees that will be considered excessive or not directly related to and necessary for the compliance of a DAR could include fees that exceed the cost of compliance, e.g. costs of seeking legal advice in relation to the Ordinance or inclusion of your company’s administrative or office overheads.

The Commissioner’s office has provided examples on fees that may be charged for complying with a DAR in its Guidance Note.  Your company may charge the direct costs attributable to the time spent by its staff and the actual out-of-pocket expenses for locating, retrieving and reproducing the requested data for complying with a DAR. For example, if a clerical assistant has spent five hours on retrieving and photocopying the requested data in the course of handling a DAR, the calculation of the labour costs incurred is the hourly rate of his remuneration (including salary and fringe benefits) multiplied by five.  Your company may charge for the labour cost attributable to the time spent on extracting or editing the requested data, provided that such tasks are directly related to and necessary for compliance with the DAR.

4. Refusing to Comply with a DAR

a. Your company should refuse to comply with a DAR if:-

i. it is not supplied with sufficient information to identify the requestor;

ii. it cannot comply with the request without disclosing the personal data of a third party; or

iii. where compliance with the request is prohibited under the Ordinance or any other regulation.

b. Your company may refuse to comply with a DAR if the request is not made in writing using either the Chinese or English language.

c. Your company is obliged to give written notice and reasons for refusal to the requestor within 40 days from receiving the DAR and is also required to keep a log entry containing the particulars of the reasons for the refusal of the DAR for four years.

Get Ready for Insurtech!

Monday, 09 October 2017 13:18

By Consultant, Adelina Wong

Financial technology (fintech), the use of new technology by financial institutions, has shaken up the banking industry in areas such as foreign exchange, mobile payments and peer-to-peer (P2P) lending. Similarly, the use of technology in the insurance sector is accelerating and will have a potentially transformative effect on the development, marketing, sale, underwriting and administration of insurance products in the near future.  The term “Insurtech” has been coined to describe the application and use of technology in insurance. 

Why Insurtech?

In the insurance area, technological advancement is being used to create a more direct and efficient relationship between insurance companies and their retail customers.  Potentially, this will lead to a better customer experience.  Customers can benefit from lower premiums and greater product choice as insurers use big data to improve risk pricing and offer products (including online sales of insurance) customized to individual needs.  Automation of policy administration and claims handling processes using blockchain technology can lead to smoother and quicker processing of insurance claims, a primary concern for policyholders.   At the same time, insurers can benefit from the greater reach and lower cost of a digital sales platform.  Digital record keeping and settlements can also increase efficiency and reduce costs and fraud risk. 

InsurTech Developments

Current notable developments in InsurTech include the following:

1.  Application of blockchain technology in record keeping and policy administration;

2.  Marketing and sale of insurance on digital platforms; and

3.  Application of telematics technology and big data to underwriting and loss prevention.

Blockchain Technology

Blockchain is the technology underpinning the cryptocurrency Bitcoin, and allows the creation of a distributed ledger that records transactions on a permanent global database on computer servers around the world. These servers work as nodes, with each node holding a complete copy of the data which is stored in tamper-proof blocks (joined in unbroken chains) on the common ledger.  In this way, each member of the network has a complete, traceable record of all transactions and information stored in the ledger, which cannot be changed or added to without the consent of everyone on the network. 

In insurance, an industry which heavily relies on documentation and databases, blockchain has the potential to increase efficiency and improve transparency by allowing parties to insurance and reinsurance transactions to share data and documentation with each other in real time.

Applications or programs can also be built on blockchain to allow automatic execution of contracts composed in computer code (so-called “smart contracts”) which are stored on the shared ledger. Such smart contracts have the potential to greatly increase the speed and efficiency of claims processing, as well as alleviating fraud risk since the blockchain ledger provides immutable records and tracking. As an example, life insurance smart contracts can be programmed in future to automatically transfer life insurance proceeds to the beneficiary’s bank account on the policyholder’s death, verified by an automatic real-time check of the online death register.

Online Marketing & Sales

Going beyond policy administration, new digital platforms are being launched for the marketing and sale of insurance products.  Price comparison websites are already common, particularly in the automobile insurance area.  Taking digital distribution a step further, pure online insurance sales platforms are emerging with insurers directly selling to consumers with no intermediary or human interface.  In particular, online-only insurance companies are starting to take off in China, with the launch of Zhong An, an online-only property and casualty insurer, in 2013.  Backed by Chinese tech giants Alibaba Group and Tencent Holdings, Zhong An is the first and only company in China to date with an internet insurance license.  It has used its digital platform to sell tailored insurance for particular products/services to the mass market, such as shipping return insurance for online purchases on Taobao and flight delay insurance for online bookings on CTrip via links embedded on the platforms of its online market partners.  From inception through to the end of 2016, Zhong An has sold over 7.2 billion policies and serviced some 492 million customers.  It just raised US$1.5 billion in September 2017 by listing on the Hong Kong Stock Exchange in the city’s biggest fintech offering to date.

Telematics & Big Data

Technology is also being used to inform underwriting decisions, including both risk assessment and pricing.  In particular, telematics, the “Internet of Things” (IoT) technology that collects, stores and transmits data about the location, usage, performance and operating status of devices, machines and products, is being used by insurers for ongoing risk profiling and monitoring of customers, allowing them to customize premiums and improve risk pricing.  For example, many auto insurers in the U.S. and Europe now offer premium discounts to customers for installing telematics devices in their cars (which track factors such as speed, braking, acceleration etc.) and then driving in a certain manner.  Similarly, some health insurers are giving customers free fitness tracking devices and then offering to lower their premiums if they meet certain exercise requirements.  Home insurers are likewise offering premium discounts to customers who install cameras, sensors, smoke detectors, leak detectors and other IoT devices in their homes.  In this way, customers are incentivized to reduce their health and accident risks and avoid claims under their insurance. 

Risks and Challenges

In the area of telematics, the primary challenges relate to privacy and security.  Even with the incentive of premium discounts, customers may be reluctant to share private information with IoT device manufacturers and insurance providers, particularly given security and hacking concerns.  To encourage broader customer take-up of IoT devices, better security will have to be built both into the devices themselves and the software applications and network connections linking the devices.  There is also concern about what companies will do with the information collected, much of which constitutes personal data subject to regulation.  For example, collected data could potentially be used to decline insurance altogether to high-risk customers. Thus, regulators will no doubt closely monitor how insurers collect and use IoT data in underwriting having regard to the fair treatment of customers. 

Online marketing and sales of insurance will likewise be subject to regulatory scrutiny.  While more straightforward products such as car and property insurance may quite easily be sold online, life insurance is a different proposition.  There are stringent regulatory requirements in most jurisdictions (including Hong Kong) regarding steps which must be taken by manufacturers and distributors of long-term insurance products in the marketing and sales of such products in order to ensure protection of the best interests of customers.  Requirements regarding undertaking a thorough suitability assessment of the customer’s insurance needs and financial circumstances and clear communication of complex product features and risks may be hard to meet via an online platform. 

Turning to the use of blockchain technology for policy administration, insurers can only take advantage of it after they digitalize and consolidate all of their contracts and data.  The technology itself also presents regulatory challenges since the blockchain is not located in any one jurisdiction making it difficult to regulate.  On the other hand, the transparent nature of blockchain makes the data available to those on the network and risk monitoring presumably more straightforward.    

Where is Hong Kong?

Following in the footsteps of Singapore and the UK, the Hong Kong Insurance Authority (IA) launched an “Insurtech Sandbox” on September 29, 2017. This Sandbox will allow authorized insurers in Hong Kong to undertake pilot runs of new Insurtech products/applications without the need to get full regulatory approval provided that the initiatives in question meet certain criteria (which include having adequate safeguards to protect customers’ interests during the trial). A similar pilot scheme was launched by the Hong Kong Monetary Authority over a year ago under which banks in Hong Kong have been running trials of their new fintech products. It is expected that insurers will follow suit now that they potentially have a safe space to try out new technologies without taking on the full cost and regulatory burden of IA supervisory requirements.

At the same time as launching the Sandbox, the IA introduced a pilot scheme “Fast Track” for applications for authorization from applicants who will carry on insurance business in or from Hong Kong using solely digital distribution channels – i.e. without the use of conventional channels involving agents, brokers or banks.  The intention is to promote direct digital distribution of insurance which it is envisaged will bring benefits to customers in terms of new products and cost efficiency. 


Insurtech has been slow to take off in Hong Kong, partly due to wariness from insurers and their traditional reliance on middlemen (agents and brokers) for distribution of insurance products. Hong Kong currently has approximately 100,000 individuals who are registered either as individual insurance agents, or responsible officers/technical representatives undertaking insurance agency or brokerage business in Hong Kong.   However, increased online sales of insurance by both traditional and newly authorized online-only insurers will allow insurers to interact directly with customers, allowing them to save on agency/brokerage commissions and reduce operating and distribution costs.  Reduction of the need for middlemen in the industry will likely lead to restructuring and redundancies.

On the other hand, and as warned by the IA in relation to the Fast Track scheme, not all insurance products are suitable to be sold online, and the IA’s expectation is that all of its existing “policyholder protection measures should remain intact”.  Stringent regulatory requirements in relation to the marketing and sale of long-term insurance may be a significant barrier to online distribution of life insurance.

Nonetheless, the advent of the Insurtech Sandbox and Fast Track application process for online insurers will likely draw more technology firms into the insurance sector, following the lead of Alibaba Group and Tencent Holdings which collaborated to set up Zhong An.  Traditional insurers will face competition from the new Insurtech startups and have already begun developing and investing in technology so as not to be left behind.  In this changing Insurtech landscape, the challenge for regulators such as the IA will be to develop a regulatory culture which protects customers but at the same time is flexible enough to support new Insurtech products and services.