Insurance Industry Data Compliance Series: Analysis of Typical Data Compliance Cases in the Insurance Industry

LABEL: Telecommunications, media, entertainment and high technology; Insurance; Compliance business

Introduction

In recent years, the insurance industry has entered a critical period of digital transformation, coinciding with the implementation of laws and regulations such as the Personal Information Protection Law. It must develop digital businesses while urgently raising its level of data compliance. Practice has shown that the insurance industry is a high-risk area for personal information protection compliance. Regulatory authorities have continuously stepped up enforcement of data compliance, and cases of insurance companies being punished are not uncommon, including direct punishment of employees and executives, and even criminal liability. As a data-intensive industry, the insurance industry handles data of large scale, diverse scenarios, and significant value, making data compliance increasingly important.

The Jindu Network Security and Data Compliance team has been engaged in personal information compliance work since 2016, providing professional legal services to a large number of clients and accumulating rich practical experience. In response to the prominent data compliance pressure in the insurance industry, we will systematically review and interpret the topic in a series of articles, to provide reference guidance for data compliance in the insurance industry. The series is arranged as follows, and we sincerely invite everyone to follow along.

(1) Typical case analysis of data compliance in the insurance industry

(2) Legal System and Key Points for Data Compliance in the Insurance Industry

(3) Main scenarios and compliance points of data compliance in the insurance industry

(4) Construction and Key Steps of Insurance Industry Data Compliance System

1. Overall situation of data compliance cases in the insurance industry

The digital transformation of the insurance industry is an inevitable trend of the digital age, a clear deployment requirement of regulatory agencies, and key to providing high-quality services to customers. Digital transformation means that a large amount of data is processed in the course of providing services. For example, in the digitalization of traditional business, data must be processed through information technology to provide insurance services such as application, underwriting, and claims. New insurance businesses are built on data and cover the entire business process. The insurance industry itself needs to process a large amount of personal information and has accumulated rich personal information resources. Faced with new compliance requirements such as the Personal Information Protection Law, the insurance industry must do a good job of data compliance for personal information protection while accelerating digital transformation.

Since the official promulgation of the Personal Information Protection Law in 2021, data compliance in the insurance industry has gradually become a prominent issue. Regulatory authorities have carried out a series of regulatory actions targeting the insurance industry and have set high requirements for its personal information compliance. Based on a retrieval and review of public cases, personal information protection compliance in the insurance industry shows the following characteristics.

(1) Regulatory authorities: involving financial regulatory agencies, telecommunications regulatory agencies, and public security organs.

(2) Legal basis: including the Personal Information Protection Law, Insurance Law, Insurance Company Management Regulations, Criminal Law, etc.

(3) Responsible parties: both enterprises and employees.

(4) Types of responsibility: including administrative responsibility and criminal responsibility, specifically fines, employment bans, and fixed-term imprisonment.

2. Common regulatory agencies and punishment situations

The protection of personal information involves multiple regulatory departments. According to the Personal Information Protection Law, the national cyberspace administration is responsible for coordinating personal information protection work and related supervision and management; the relevant departments of the State Council are responsible for personal information protection and supervision within their respective areas of responsibility, in accordance with the Law and relevant laws and administrative regulations. Personal information protection therefore comprises two systems: general supervision and industry supervision.

General supervision is mainly carried out by the cyberspace administration, telecommunications regulatory agencies, market supervision and management departments, and public security organs. The cyberspace administration, based on its responsibility for overall coordination and supervision, can coordinate relevant departments to promote personal information protection work, formulate specific rules and standards for personal information protection, and take relevant regulatory measures; the telecommunications administration, meaning the Ministry of Industry and Information Technology and the provincial communications administrations, mainly supervises personal information protection by technical means, based on its responsibility for personal information protection in telecommunications and on the Internet; the market supervision and management department mainly supervises personal information protection from the standpoint of consumer rights protection; the public security organs mainly carry out personal information protection and management from the perspective of combating crime.

Industry supervision is carried out by industry regulatory authorities, which conduct personal information protection supervision on the basis of the Personal Information Protection Law and the personal information protection regulations of their respective industries. For the insurance industry, the regulatory authority is the State Administration for Financial Supervision and Administration (formerly the China Banking and Insurance Regulatory Commission).

Looking at personal information penalties imposed on the insurance industry to date, financial regulatory agencies, telecommunications management agencies, and public security organs have all publicly disclosed cases.

(1) Financial regulatory agency (formerly China Banking and Insurance Regulatory Commission)

In 2015, the Guiding Opinions of the General Office of the State Council on Strengthening the Protection of Financial Consumer Rights and Interests required protection of financial consumers' right to information security. Financial institutions were required to take effective measures to strengthen the management of third-party cooperative institutions, clarify the rights and obligations of both parties, strictly prevent and control the risk of financial consumer information leakage, and ensure the security of financial consumer information. After the Personal Information Protection Law was passed and implemented in 2021, the insurance regulatory authorities quickly launched a special campaign on personal information protection rectification. In 2022, the former China Banking and Insurance Regulatory Commission issued a notice to the banking and insurance bureaus, banks, and insurance institutions on carrying out special rectification of infringements of personal information rights and interests by banking and insurance institutions, requiring a comprehensive review and investigation of problems and loopholes in personal information protection in the banking and insurance industry, in-depth rectification of infringements of consumer information rights and interests, and urging banks and insurance institutions to establish and improve mechanisms for protecting consumers' personal information.

In March of this year, the State Administration for Financial Regulation issued a notice to the regulatory bureaus, large banks, joint-stock banks, foreign banks, direct banks, wealth management companies, insurance group (holding) companies, insurance companies, and insurance professional intermediaries on the main problems discovered in the special rectification of infringements of personal information rights and interests by bank and insurance institutions. It pointed out that, judging from the problems reflected in current complaint supervision, investigation, and regulatory evaluation work, infringements of personal information rights and interests by bank and insurance institutions still occur from time to time, and that shortcomings, weaknesses, and hidden risks remain in internal controls. The notice stated that, according to the results of self-inspection and spot checks, the special rectification comprehensively and deeply examined every stage of personal information processing in banks and insurance institutions, and a large number of problems or hidden dangers were found in the specific implementation of personal information processing. Institutional self-inspection found a total of 154,200 problems, involving 140,900 employees, affecting 199 million consumers, and involving 26,300 contracts, agreements, statements, and similar documents; regulatory spot checks found a total of 5,561 problems, involving 1,985 institutions and 3,566 employees, and affecting 15.56 million consumers.

The main problems discovered are concentrated in five areas. First, in personal information collection, there are issues such as forced consent, expanded authorization, and blanket authorization. For example, a certain bank added an authorization clause that consumers could not opt out of during the credit card application process, forcing consumers to agree to the use of their information for marketing other products or services; a certain insurance company's short-term health insurance policy included pre-set unreasonable authorization clauses in its standard-form application, forcing consumers to agree that their information would be provided to external organizations and used for purposes unrelated to the business being handled. Second, in personal information storage and transmission, there are problems such as chaotic electronic data management, lax management of paper materials, and insecure transmission methods. For example, employees of some banks and insurance institutions sent personal information such as customers' ID card and social security card photos through self-built business WeChat groups. Third, in personal information inquiry and use, there are issues such as illegal inquiry of account information and improper use of customer information. Fourth, in the provision and deletion of personal information, there are unauthorized disclosures and failures to delete information in a timely manner. Fifth, there is a lack of effective control over third-party cooperative institutions regarding personal information, mainly manifested in agreements signed with third-party organizations that do not stipulate the protection of consumers' personal information, and in infringements of personal information rights and interests by those third parties not being detected and dealt with in a timely manner.

(2) Telecommunications management agency

The telecommunications regulatory agency, responsible for personal information protection in the telecommunications and Internet fields, was the first domestic agency to carry out personal information protection and supervision. In 2013, the Ministry of Industry and Information Technology issued the Regulations on the Protection of Personal Information of Telecommunications and Internet Users (MIIT Order No. 24), which comprehensively regulated the collection and use of users' personal information in the course of telecommunications services and Internet information services.

Since 2019, the Ministry of Industry and Information Technology and local communication management bureaus have organized special work on the protection of personal information in apps, mainly based on two notices: the "Notice on Carrying out the Action to Enhance Perception of Information and Communication Services" and the "Notice on Carrying out the Special Rectification Action to Deepen the Infringement of User Rights by Apps". The key compliance contents include: 1. whether the dual lists exist, namely the previously mentioned list of collected personal information and the list of personal information shared with third parties; 2. whether the privacy policy is complete, whether a summary of the privacy policy is provided, and whether the purpose and method of processing, such as the purpose of invoking permissions, are fully disclosed; 3. whether there is any violation in the handling of users' personal information; 4. whether obstacles have been set up that affect users' right to know and right to choose, or whether users are frequently harassed, for example by repeated pop-ups or unreasonable repeated requests for permissions; 5. whether there is any behavior that deceives or misleads users.

At present, APP detection has shifted from special campaigns to routine work, with strong technical detection capabilities and comprehensive coverage of APPs (including mini programs) and SDKs. The Ministry of Industry and Information Technology makes full use of technical means in the field of personal information protection law, conducting technical testing of listed apps through the "National APP Technology Testing Platform". Testing capacity reaches an average of 80,000 apps per month, with the goal of covering all apps. Apps that fail inspection are notified to take corrective measures; if the corrective measures cannot be completed, the app is taken down. Article 66 of the Personal Information Protection Law gives this supervisory and management method a legal basis and makes it a legal requirement. For the insurance industry, the main carriers of Internet insurance business are APPs and mini programs, so they will inevitably become regulated objects, and special attention should be paid to the relevant compliance.

Typical case: APP detection reported

In May and September of this year, insurance companies were included in the lists of apps reported by the Guangdong Provincial Administration of Communications (apps with problems or with incomplete rectification).

The APP of a certain life insurance company, reported in May 2024, was publicly announced for "illegal collection of personal information" and failure to complete rectification as required within the deadline. This app is the sales and service platform for the company's insurance agents, providing functions such as life insurance application, plan management, customer management, online recruitment, team management, activity management, education and training, performance inquiry, and operational services. It is an essential business tool for agents.

The APP of a certain insurance brokerage company was publicly announced in September 2024 for "collecting personal information beyond the necessary scope" and failing to complete the required rectification within the deadline. This app provides a sales platform for insurance agents, helping them expand their customer base and sell online.

(3) Public security organs

Infringement of citizens' personal information may not only result in administrative liability, but may also constitute the crime of "infringing on citizens' personal information". Article 253-1 of the Criminal Law stipulates that those who, in violation of relevant national regulations, sell or provide citizens' personal information to others shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and shall also or separately be fined; if the circumstances are particularly serious, the offender shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and shall also be fined. The second paragraph of the article specifies that those who sell or provide to others citizens' personal information obtained in the course of performing duties or providing services shall be punished more severely in accordance with the preceding paragraph. The third paragraph stipulates that those who steal or otherwise illegally obtain citizens' personal information shall be punished in accordance with the first paragraph.

Typical case: Stealing customer information suspected of criminal offense

At the beginning of this year, Yao applied for loan facilitation from a certain bank through a branch of a property and casualty insurance group in a certain city. All contacts, some call records, WeChat friends, and chat records in Yao's mobile phone were secretly photographed and stored in the company's Baidu cloud storage. After obtaining this information, the property and casualty insurance company began collection activities before Yao's loan became overdue. Friends, relatives, colleagues, and even village cadres in Yao's phone received collection calls, and his mother was hospitalized with a cerebral infarction. Yao said this caused him great pain. According to public reports, the information captured and stored by the property insurance company was not only Yao's, but that of a large number of people who handled loan facilitation business at the city branch from 2018 to 2023. In January 2024, the criminal investigation team of the public security organs accepted the case and issued a receipt of acceptance to Yao. The case has caused a huge public response and seriously affected the reputation of the insurance company. Moreover, depending on the results of the subsequent criminal police investigation, the company and the responsible personnel are highly likely to bear corresponding criminal responsibility.

3. What legal responsibilities may be assumed?

According to the Personal Information Protection Law, Insurance Law, Insurance Company Management Regulations, Criminal Law, and other legal provisions, if the insurance industry violates personal information protection requirements it may bear administrative and criminal responsibility (without excluding civil responsibility in private remedy cases), and both entities and individuals may be held legally responsible.

(1) Criminal responsibility

The biggest risk in personal information protection compliance is criminal liability. Article 253-1 of the Criminal Law stipulates that those who, in violation of relevant national regulations, sell or provide citizens' personal information to others shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and shall also or separately be fined; if the circumstances are particularly serious, the offender shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and shall also be fined. The second paragraph of the article specifies that those who sell or provide to others citizens' personal information obtained in the course of performing duties or providing services shall be punished more severely in accordance with the preceding paragraph. The third paragraph stipulates that those who steal or otherwise illegally obtain citizens' personal information shall be punished in accordance with the first paragraph.

In 2017, the Supreme People's Court and the Supreme People's Procuratorate issued the "Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringement of Citizens' Personal Information", which clarifies that "citizens' personal information" refers to all information, recorded electronically or otherwise, that alone or in combination with other information can identify a specific natural person or reflect the activities of a specific natural person, including name, ID number, contact information, address, account password, property status, location trajectory, etc. It also clarified the sentencing criteria, which mainly consider quantity and amount thresholds. Specifically, as follows:


For the insurance industry, special attention should be paid to the fact that infringing on citizens' personal information in the course of providing services (i.e. obtaining citizens' personal information while providing services) is an aggravating circumstance, and the threshold for constituting a criminal offense is very low (the standard is halved).

Typical case: An employee of an insurance company was sentenced for selling personal information

From February to December 2020, a customer service representative named Wang colluded with a business director named Jiang, who provided policy numbers of the insurance company's telephone sales customers. Wang then looked up each policy number and provided the customer's name, contact information, address, type of insurance purchased, premium, purchase time, expiration time, and so on, on the basis of which Jiang conducted insurance sales. Jiang paid Wang 8 to 15 yuan per piece of information. During this period, Wang also enlisted colleagues Kong and Jiang to assist in providing information. Wang, Kong, and Jiang illegally profited more than 260,000 yuan from this and were sentenced to one to three years in prison.

(2) Administrative responsibility

The Personal Information Protection Law imposes the heaviest administrative liability: there is no lower limit on fines for enterprises, and the maximum is 50 million yuan or 5% of the previous year's revenue; for responsible personnel, fines start at 100,000 yuan and go up to 1 million yuan, and such persons may be prohibited from serving as directors, supervisors, senior management personnel, or personal information protection officers of relevant enterprises for a certain period of time. In addition to fines and employment restrictions, violating the Personal Information Protection Law may also result in confiscation of illegal gains, orders to suspend the related business or suspend operations for rectification, and notification to the relevant regulatory authorities to revoke the relevant business permits or business licenses.

Typical Case 1: An insurance company and its agent were punished for illegally collecting personal information

In July 2024, a certain insurance company was punished by a local regulatory bureau of the State Administration of Financial Supervision for illegally collecting and using personal information. The stated violation was "illegal collection and use of personal information"; the company was warned and fined 320,000 yuan, one insurance agent was fined 20,000 yuan, and the deputy manager (in charge of the work) who was directly responsible for the illegal collection and use of personal information was fined 60,000 yuan.

It is worth noting that the basis for punishment in this case was Article 161 of the Insurance Law of the People's Republic of China and Article 69 of the Regulations on the Administration of Insurance Companies. Had the case been punished under the Personal Information Protection Law, the upper limit of fines for the entity would rise to 50 million yuan (or 5% of the previous year's turnover), and fines for individuals would start at 100,000 yuan with a maximum of 1 million yuan. It can be seen that the Personal Information Protection Law has greatly strengthened the punishment of personal information violations.

Typical Case 2: Insurance company executives and employees are banned from operating due to infringement of citizens' personal information

In August 2022, the Ningxia Regulatory Bureau of the former China Banking and Insurance Regulatory Commission imposed an administrative penalty prohibiting the general manager of a certain insurance company's telephone and online sales department from entering the insurance industry for 5 years; three employees of two insurance companies were likewise administratively punished with a five-year ban from entering the insurance industry. In every case the illegal and irregular conduct was the same: violating legal provisions and infringing on citizens' personal information.

The above punishments are based on Article 177 of the Insurance Law of the People's Republic of China: if a person violates the provisions of laws and administrative regulations and the circumstances are serious, the insurance regulatory authority of the State Council may prohibit the relevant responsible personnel from entering the insurance industry for a certain period of time or even for life. Article 66 of the Personal Information Protection Law stipulates that individuals may be prohibited from serving as directors, supervisors, senior management personnel, or personal information protection officers of relevant enterprises for a certain period of time. In actual law enforcement, therefore, insurance industry practitioners may be barred from the insurance industry as well as from serving as corporate executives or personal information protection officers.

4. Implications for Compliance of Insurance Companies

The insurance industry involves multiple types of natural persons, such as policyholders, insured persons (including minors), beneficiaries, insurance agents, and insurance brokers. Collecting and using personal information is a business necessity, arising in sales, claims, sharing with related parties, and cross-border data transfer scenarios. In the process of digital transformation, a massive amount of personal information will also be processed. With ever-tightening supervision of personal information protection, protecting personal information in the insurance industry will become a key and routine task.

The typical cases show that both insurance companies and individual practitioners may bear legal responsibility for illegal processing of personal information, up to and including criminal responsibility and imprisonment. For the insurance industry it is therefore urgent to raise awareness of personal information protection compliance, master the relevant knowledge, and carry out compliance work, so as to seize the dividends of digital development while effectively preventing personal information protection compliance risks.

This article is the first in a series on data compliance in the insurance industry. We hope it helps relevant companies understand their legal responsibilities and the practical cases, and conveys the importance and urgency of personal information protection in the insurance industry. In the following articles in the series, we will further interpret the legal system, typical scenarios, and compliance points of data compliance in the insurance industry. Please stay tuned.