China - Data compliance in the life sciences sector
China’s Ministry of Science and Technology (MOST) recently announced administrative sanctions against six entities for breach of the Provisional Measures for the Administration of Human Genetic Resources (Measure). In the 20 years since the Measure was implemented, this is the first time that MOST has announced any enforcement action. A closer look at the MOST decisions reveals that some of the enforcement actions took place two or three years ago. Perhaps the recent press coverage on these old enforcement actions is a sign of forthcoming heightened enforcement.
China is tightening its data protection and cybersecurity regulations. The new legislation and policies have created enhanced data compliance obligations for companies. This post outlines the current legal framework of data restrictions relevant to the life sciences sector.
1. 1998 Provisional Measures for the Administration of Human Genetic Resources
Any research involving genetic material is subject to the requirements of the Measure. The Measure regulates the sampling, collection, research, development, trading, export and transfer of human genetic resources.
The Measure defines “human genetic resources” to include genetic materials which contain human genomes, genes or gene products, as well as information relating to such genetic material. Therefore, the export of human biological data is regulated by the Measure even if all the human specimens remain in China. A decision by MOST has endorsed this construction.
Article 4 of the Measure provides that no institution or individual may export human genetic resources out of China without prior approval from MOST. Article 11 of the Measure specifies the approval process for an international collaborative project which involves human genetic resources in China. The Chinese collaborating party must first apply to the Human Genetic Resources Administration of China for approval to launch the project.
Further, MOST submitted draft Regulations for the Administration of Human Genetic Resources to the State Council in 2013 and again in 2016. These regulations are intended to supersede the 1998 Measure but have not yet been enacted. The draft released in 2016 imposed various additional requirements on international cooperation involving human genetic resources, including mandatory participation of Chinese researchers in the substantive research and timely reporting to MOST after the conclusion of the research. The 2016 draft also required that human genetic resources collected in China be deposited with an agency designated by MOST before they can be exported out of China.
2. Cybersecurity Law (CSL) and implementing regulations
The CSL, which took effect on 1 June 2017, sets out the main legal framework regulating data security. The CSL applies to network operators (NOs) and critical information infrastructure operators (CIIOs). The CSL broadly defines an NO as any owner or administrator of a network, as well as any network service provider. The definition could be construed to encompass any company that uses a network in its daily operations. The scope of the CIIOs is equally broad, including companies in critical sectors such as public communication and information services, power, traffic, water conservation, public service and e-government.
Key considerations for life sciences companies under the CSL include (i) protection of personal information, and (ii) a requirement for local data storage and a related restriction on cross-border data transfers.
Personal information protection
The CSL requires personal information protection relevant to many aspects of the life sciences industry, including during R&D, distribution and post-market monitoring of products, and the provision of healthcare services.
Under the CSL, personal information includes all information that can be used to identify a person, including the person’s name, date of birth, ID number, biological identification information, address and telephone number. The CSL places various security protection obligations on NOs, including:
- obtaining the data subject’s consent before collecting and using personal information, and stating the purpose, means and scope for collecting and using the information
- in the event of a data breach, taking immediate remedial measures, notifying the affected individual and reporting to a competent agency
- deleting or amending stored personal information if the data subject so requests
The personal information protection obligations of the CSL are supplemented by a non-mandatory national standard issued by the Standardization Administration of China (SAC). The Personal Information Security Specification, effective on 1 May 2018, introduced the concept of “sensitive” personal information, which includes personal health and physiological information and personal biological identification information. Sensitive personal information requires heightened protection. For example, express consent is required before collecting sensitive information – with no exceptions. The Specification also requires NOs to encrypt sensitive personal information when transmitting or storing it.
In particular, under the CSL and the Specification, genetic information is classified as sensitive personal information. The collection, use and transfer of genetic information are therefore also covered by the CSL.
Requirement for local data storage and restriction on cross-border transfer of personal information and important data
Under the CSL, CIIOs must store personal information and important data collected or generated in China within China. Export of personal information and important data is only possible if the export is genuinely required by business needs and has passed a security review. The CSL does not provide an exhaustive list of the industries considered to be CIIOs. Even though the CSL itself does not define “important data” or give guidance on its scope, some draft regulations implementing the CSL offer guidance on its intended scope. None of these regulations has been officially promulgated.
On 11 April 2017, the Cyberspace Administration of China (CAC) released the Measures for the Security Assessment Applicable to the Outflows of Personal Information and Important Data (Draft) (Draft Measures). These Draft Measures mandate a security review by regulators on the export of data involving:
- personal data of 500,000 or more individuals
- data relating to sensitive sectors such as chemical and biological industries and population health
- personal information and important data kept by CIIOs
On 10 July 2017, the CAC published the Regulation on the Safety and Protection of Critical Information Infrastructures (Draft) (Draft Regulation). The Draft Regulation extends the scope of CIIOs to include:
- entities in the healthcare sector
- pharmaceutical research and manufacturing organizations
On 25 August 2017, the SAC published the Guidelines for Data Cross-Border Transfer Security Assessment (Draft) (Draft Guidelines). The Draft Guidelines include an annex indicating the scope of important data in various industries. In particular:
- in the population health sector, important data includes (i) data generated in the reporting and monitoring of drug-adverse events, (ii) medical histories kept by medical institutions and health management service organizations, and (iii) genetic information about an individual or a family
- in the food and drug sector, important data includes (i) experimental data on drugs concerning national security submitted during the drug registration process, including pre-clinical data, clinical trial data, and data related to manufacturing and manufacturing facilities, and (ii) clinical trial data on Classes II and III medical devices
3. Tort Law
The Chinese Tort Law grants every individual a right to privacy, and anyone who infringes another person’s right to privacy may be liable. Specifically, Article 62 of the Tort Law provides that a medical institution and its medical staff must keep a patient’s private information confidential. If any personal data of a patient is divulged, or any of a patient’s medical history is disclosed to the public without the patient’s consent, causing harm to the patient, the medical institution may be liable in tort.
4. Other regulations
Requirements regarding the domestic storage of data also appear in healthcare regulations. The 2014 Measures for the Administration of Population Health Information (Trial) prohibit the storage of population health information on servers outside China. The 2018 Measures for the Administration of Standards, Security and Services of National Health and Healthcare Metadata (Trial) require that data generated in the prevention or treatment of diseases in China be stored on servers located within China while the export of data must pass a security review.
Another policy paper – the 2018 Measures for the Administration of Scientific Data – mainly affects data generated with state funding or containing state secrets. However, it also contains a provision that may apply to scientific data generated by non-government-funded programs: research institutions must provide scientific data free of charge where government policy-making, public safety, national defense, environmental protection, fire prevention and control, or non-profit scientific research requires such data.
It appears that China has started to focus on data security and take a more rigorous view of “cyber-sovereignty” in respect of data. Companies should carefully review their current operations to ensure full compliance.