By Michael Martina
BEIJING (Reuters) - Controversial cyber security regulations for China's insurance industry, now before the World Trade Organization (WTO), could soon take effect despite efforts by foreign business groups to persuade Beijing to change tack.
Those groups say the draft measures are vague and discriminatory, and industry experts say international insurers could be required to source substandard or insecure technology or software in order to do business in China, or use products incompatible with their global operations.
First announced by the China Insurance Regulatory Commission(CIRC) last year, the draft rules have revived debate over Chinese rules that incorporate contentious data localisation mandates and "secure and controllable" provisions for IT products.
Critics fear the rules could be used to drive preferential treatment for Chinese companies supplying businesses and government departments - as China rolls out its Internet Plus and Made in China 2025 strategies, which aim to make Chinese firms world technology leaders and call for more local components in key industries such as robotics.
Concerns over the draft insurance regulations are likely to add to already rancorous U.S.-China trade relations ahead of the annual Strategic and Economic Dialogue on June 6-7 in Beijing, which will be attended by U.S. Secretary of State John Kerry and Treasury Secretary Jack Lew.
"This is much broader than the CIRC measures. It's about laying down a marker which they [China] will then replicate in other sectors," said a person with knowledge of the rules and the upcoming talks.
The person said the regulations and the attending "secure and controllable" issue are set to be one of the top items on the United States' agenda for the June talks.
"This has been raised across the U.S. government at the highest levels ... there is a good understanding of what this CIRC play represents and that it's a big problem," the person said.
China is considering similar regulations for banking technology, though push-back from industry and the U.S. government last year has slowed their rollout.
Beijing has said repeatedly that foreign businesses have nothing to fear from new measures intended to address what officials say are growing security threats, such as terrorism.
But industry advocates say insurance products are hardly critical to national security and don't merit such provisions. "'Secure and controllable' policies are unworkable for global industry," said Jacob Parker, vice president of China operations for the U.S.-China Business Council.
Foreign insurers already face market access barriers in China, including ownership caps and licensing difficulties. Foreign-invested insurers have less than 5 percent market share in China, according to the American Chamber of Commerce.
More than 20 foreign business lobbies, including the American Chamber of Commerce in China and the American Council of Life Insurers (ACLI), petitioned the CIRC late last year to amend the draft regulations, which state that insurance companies should prioritize buying "secure and controllable" products, including Chinese encryption technologies, hardware and software.
On April 19, the CIRC filed a technical barriers to trade(TBT) notification to the WTO, indicating the rules would be approved within 60 days. Trade experts say the WTO has no say in the filing designed simply to alert trade partners.
The foreign groups say the rules have not been substantially changed to address concerns after an initial comment period, and the tight deadline listed in the WTO filing suggests China has little intention to incorporate feedback.
Several groups plan to petition CIRC Chairman Xiang Junbo in writing ahead of the U.S.-China talks, according to documents seen by Reuters.
The CIRC could not be reached for comment on the issue.
The regulations currently require all China data for insurance products be stored in China, and mandate that any international data transfers be conducted according to yet unspecified regulations.
That could also create obstacles to moving information overseas and to third-party service providers, such as accounting firms.
Article 53 requires that insurance providers give purchasing priority to so-called "secure and controllable" products.
Such provisions have appeared in a number of draft Chinese laws and regulations. Though Beijing has not formally defined the term, foreign business groups say they would entail onerous conditions, such as providing authorities access to proprietary source code or incorporating Chinese components.
(Reporting by Michael Martina, with additional reporting by Matthew Miller; Editing by Ian Geoghegan)