How Should Pharmaceutical Companies Deal with China’s New Data Export Regulations?

On 7 July 2022, the Cyberspace Administration of China (CAC) formally issued the long-awaited Measures for Security Assessment of Cross-border Data Transfers (the “Assessment Measures”). The Assessment Measures specify circumstances where the export of data is subject to the CAC’s security assessment (the “Security Assessment”), including:

The Assessment Measures came into effect on 1 September 2022, and they grant a grace period of six months therefrom for a data handler to rectify data exports not in compliance with the requirements of the Assessment Measures.

Data handlers must carry out a self-assessment before applying for the Security Assessment, which will be the core of the Security Assessment. The matters to be covered in the self-assessment mainly include:

The CAC Security Assessment will be largely based on a paper review of the self-assessment. Some additional factors to be evaluated in the Security Assessment include whether the laws and regulations of the receiving country provide an adequate level of protection equivalent to that under the PRC laws.

The application for a security assessment should be submitted to the relevant provincial CAC for procedural review, and if the provincial CAC confirms the application materials are complete, it will forward the materials to the central CAC for further formal review. Once the central CAC accepts the application, it should complete the assessment within 45 business days, which can be extended in cases of complexity. The entire application is expected to take around two to three months.

The Assessment Measures represent the high-water mark of a series of regulations on cross-border data transfers issued in recent months. Other key pieces of regulation include the following.

For other data export circumstances not triggering the Security Assessment, data handlers may transfer personal information outside of China upon entering into the Standard Contract with the overseas receivers or upon completing the security certification by government-designated certification agencies if the transfer is among affiliates within multinational group companies.

Furthermore, according to the 2019 Regulations on the Management of Human Genetic Resources and the draft Detailed Rules for the Implementation of the Regulations on the Management of Human Genetic Resources (the “Rules”) issued by the Ministry of Science and Technology (MOST) for public comment, provision of human genetic resources (HGR) information to foreign entities or individuals or entities under actual control by such foreign entities/individuals shall be filed with MOST for record.

As exceptions, where such outbound provision may endanger China’s national security, public health and public interest – for example, HGR information of prominent families, HGR information in specific regions, or exome sequencing and genome sequencing information of more than 500 people – the provision must pass the national security assessment by MOST. Since HGR information may also constitute personal information or even important data, the restrictions on the export of HGR information under the HGR regulations may overlap with the data export regulations such as the Assessment Measures. Currently, pharmaceutical companies should apply to both MOST and the CAC if the export of HGR meets the triggering conditions under the HGR regulations and data export regulations.

Cross-border data transfer is crucial for multinational pharmaceutical companies’ business and operation in China. Pharmaceutical companies may need to apply for a Security Assessment if their data exporting meets the threshold under the Assessment Measures. Several common data export scenarios meeting this threshold are set out below.

Multinational pharmaceutical companies usually need to submit a variety of information when submitting investigational new drug (IND) and new drug (ND) applications with respective administrators in different jurisdictions, which may contain pre-clinical data, manufacturing information, clinical protocols, investigator information, pharmacology and toxicology data, non-clinical pharmacological and toxicological information, human pharmacokinetic (PK) and bioavailability information, microbiology, clinical information, safety update, statistical information, patent and exclusivity information, etc.

Use of electronic data capture (EDC) systems to process clinical trial data by pharmaceutical companies has become increasingly prevalent in recent years. Foreign EDC suppliers may host their EDC systems abroad, thus requiring their clients’ clinical trial data to be exported outside China. It should be noted that coded clinical data without any direct identifying information may be deemed as de-identified information rather than anonymised information and thus still constitute personal information under PRC laws and be subject to the data export regulations.

Foreign organisations and individuals and entities established by or under the actual control of foreign organisations or individuals are permitted to use HGR collected in China for scientific research purposes in co-operation with a Chinese scientific research institution, college, university, medical institution or enterprise. Such international collaborative research usually entail the export of HGR information.

Like most multinational companies in other industries, multinational pharmaceutical companies rely on globally deployed HR, financial, client relations, office and other back-end systems to support their daily operations, which may entail cross-border transfers of personal information of employees, suppliers, healthcare professionals, etc.

The Security Assessment requirements place unprecedentedly strict restrictions on the export of data from Mainland China. To address the compliance challenges posed by the recent data export regulations, it is advisable for pharmaceutical companies to consider the following.