On 1st November 2021, China’s first national privacy law – the Personal Information Protection Law (“PIPL”) came into effect. The law, which mirrors the EU’s GDPR but is stricter in a few respects, seeks to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.” It enshrines a number of privacy rights for individuals and provides guidelines for processing and cross-border data transfers of personal data.
The PIPL has potential impact on businesses across Asia as the law applies to any company processing, analyzing or evaluating personal information related to the provision of services or products to individuals in China, or the activities of individuals in China. The PIPL grants individuals a number of privacy rights similar to EU’s GDPR, such as the right to access, right to correction, right to erasure, right to object and restrict processing of data and right to withdraw consent.
From a cyber insurance perspective, the law may have two key impacts on the market in Asia. The law broadens the requirement to notify regulators and data subjects of a data breach, which may lead to increased breach response costs to insureds and insurers. From a liability standpoint, the law grants individuals the right to bring lawsuits for infringement of personal data rights and interests. The law also grants the People’s Protectorate, consumers associations and other designated organizations the right to file public interest litigations if a group of impacted individuals is large enough. These changes may lead to increasing legal expenses and liability losses for the cyber insurance market.
In terms of fines and penalties, under the PIPL, regulators may issue fines of up to 50 million RMB or 5% of an organization’s annual revenues. Unfortunately, in China fines and the other corrective actions available to regulators (confiscating income, suspending services) are not insurable at law.
The main changes we may see in the cyber insurance market:
China’s new privacy law requires companies to notify relevant authorities and individuals in the event a data incident has occurred or is likely to occur.
However it’s worth noting that companies may elect not to notify affected individuals if they determine they have taken effective measures to prevent harm caused by the data incident (although this determination may be overridden by the data protection authority).
Under the PIPL individuals will have the right to bring lawsuits against companies if they infringe on their privacy rights. Further, if a group being victimized is large enough in size, the People’s Procuratorate, consumers associations and other designated organizations may file public interest litigations.
For reference, China’s PIPL grants individuals a number of privacy rights similar to GDPR, such as the right to access, right to correction, right to erasure, right to object and restrict processing of data, right to withdraw consent etc.
In terms of fines and penalties, under the PIPL, regulators may issue fines of up to 50 million RMB or 5% of an organization’s annual revenues. In China, fines and the other corrective actions available to regulators (confiscating income or suspending services for example) are not insurable at law however the legal costs to defend any regulatory action remain a core and vital insurance coverage available under cyber insurance policies.
WTW is an insurance broker and gives its views on the meaning or interpretation of insurance policy wordings as brokers experienced in the insurance market. Insurers may take a different view on the meaning of policy wordings. Any interpretation or thoughts given are not legal advice, and they should not be interpreted or relied upon as such. Should a legal interpretation of an insurance contract be required, please seek your own advice from a suitably qualified lawyer in the relevant jurisdiction. While all reasonable skill and care has been taken in preparation of this document it should not be construed or relied upon as a substitute for specific advice on your insurance needs. No warranty or liability is accepted by WTW, their shareholders, directors, employees, other affiliated entities for any statement, error or omission.
For more information, please contact local entities of the WTW Group:
Willis Insurance Brokers Co. Ltd. | Willis Hong Kong Limited | Willis Towers Watson India Insurance Brokers Pvt. Ltd | PT Willis Towers Watson Insurance Broker Indonesia | Willis Japan Services K.K. | Willis (Malaysia) Sdn Bhd | Willis Towers Watson Insurance Brokers Philippines, Inc. | Willis Towers Watson Brokers (Singapore) Pte. Ltd. | Willis Towers Watson Insurance Korea Limited | Willis Towers Watson Taiwan Limited | Willis Towers Watson Vietnam Insurance Broker