How Should Pharmaceutical Companies Deal with China’s New Data Export Regulations?
Kevin Duan and Kemeng Cai, of Han Kun Law Offices, discuss Chinese data protection regulation and its effect on the pharmaceutical industry in China.
Kevin Duan
Kemeng Cai
On 7 July 2022, the Cyberspace Administration of China (CAC) formally issued the long-awaited Measures for Security Assessment of Cross-border Data Transfers (the “Assessment Measures”). The Assessment Measures specify circumstances where the export of data is subject to the CAC’s security assessment (the “Security Assessment”), including:
- data handlers who export important data;
- critical information infrastructure operators or personal information handlers who export personal information and have processed the personal information of at least 1 million individuals;
- data handlers who have cumulatively exported the personal information of at least 100,000 individuals or the sensitive personal information of at least 10,000 individuals since 1 January of the previous year; and
- other circumstances where an application for a Security Assessment is required as prescribed by the CAC.
"The CAC Security Assessment will be largely based on a paper review of the self-assessment."
The Assessment Measures came into effect on 1 September 2022, and they grant a grace period of six months therefrom for a data handler to rectify data exports not in compliance with the requirements of the Assessment Measures.
What does the Security Assessment look like?
Data handlers must carry out a self-assessment before applying for the Security Assessment, which will be the core of the Security Assessment. The matters to be covered in the self-assessment mainly include:
- the legality, legitimacy and necessity of the export as well as the purpose, scope, and method of the data processing of overseas receivers;
- the quantity, scope, type, sensitivity and risk profile of the data exported;
- the protection capabilities of overseas receivers;
- security risks during and after cross-border data transfer and the protection of personal information rights and interests; and,
- contractual arrangements governing the responsibilities and obligations of both parties for data security and protection in contracts or other legally binding documents drawn up for the data export.
"The Assessment Measures represent the high-water mark of a series of regulations on cross-border data transfers issued in recent months."
The CAC Security Assessment will be largely based on a paper review of the self-assessment. Some additional factors to be evaluated in the Security Assessment include whether the laws and regulations of the receiving country provide an adequate level of protection equivalent to that under the PRC laws.
Security Assessment procedure and timelines
The application for a security assessment should be submitted to the relevant provincial CAC for procedural review, and if the provincial CAC confirms the application materials are complete, it will forward the materials to the central CAC for further formal review. Once the central CAC accepts the application, it should complete the assessment within 45 business days, which can be extended in cases of complexity. The entire application is expected to take around two to three months.
How the Assessment Measures interact with other recent data export regulations
The Assessment Measures represent the high-water mark of a series of regulations on cross-border data transfers issued in recent months. Other key pieces of regulation include the following.
- On 29 April 2022, the National Information Security Standardisation Technical Committee issued for public comments a draft of the Technical Specifications for the Certification of Personal Information Cross-Border Processing (the “Draft Specifications”), which outline the framework for the voluntary certification of cross-border processing of personal information among multinational group companies.
- On 30 June 2022, the CAC issued the Provisions on the Standard Contract for the Export of Personal Information (Draft for Comment) and the Draft Standard Contract for the Export of Personal Information (the “Standard Contract”) which clarifies the application scope, conditions of application and the main contents of the China-version standard contract for personal information export.
"Cross-border data transfer is crucial for multinational pharmaceutical companies’ business and operation in China."
For other data export circumstances not triggering the Security Assessment, data handlers may transfer personal information outside of China upon entering into the Standard Contract with the overseas receivers or upon completing the security certification by government-designated certification agencies if the transfer is among affiliates within multinational group companies.
Restrictions on the export of human genetic data
Furthermore, according to the 2019 Regulations on the Management of Human Genetic Resources and the draft Detailed Rules for the Implementation of the Regulations on the Management of Human Genetic Resources (the “Rules”) issued by the Ministry of Science and Technology (MOST) for public comment, provision of human genetic resources (HGR) information to foreign entities or individuals or entities under actual control by such foreign entities/individuals shall be filed with MOST for record.
"Pharmaceutical companies are advised to carry out data mapping, complete rectifications and apply for a Security Assessment as early as possible."
As exceptions, where such outbound provision may endanger China’s national security, public health and public interest – for example, HGR information of prominent families, HGR information in specific regions, or exome sequencing and genome sequencing information of more than 500 people – the provision must pass the national security assessment by MOST. Since HGR information may also constitute personal information or even important data, the restrictions on the export of HGR information under the HGR regulations may overlap with the data export regulations such as the Assessment Measures. Currently, pharmaceutical companies should apply to both MOST and the CAC if the export of HGR meets the triggering conditions under the HGR regulations and data export regulations.
When might pharmaceutical companies need to submit a Security Assessment application?
Cross-border data transfer is crucial for multinational pharmaceutical companies’ business and operation in China. Pharmaceutical companies may need to apply for a Security Assessment if their data exporting meets the threshold under the Assessment Measures. Several common data export scenarios meeting this threshold are set out below.
Multi-centre IND and ND application data
Multinational pharmaceutical companies usually need to submit a variety of information when submitting investigational new drug (IND) and new drug (ND) applications with respective administrators in different jurisdictions, which may contain pre-clinical data, manufacturing information, clinical protocols, investigator information, pharmacology and toxicology data, non-clinical pharmacological and toxicological information, human pharmacokinetic (PK) and bioavailability information, microbiology, clinical information, safety update, statistical information, patent and exclusivity information, etc.
Data processed by foreign EDC system suppliers
Use of electronic data capture (EDC) systems to process clinical trial data by pharmaceutical companies has become increasingly prevalent in recent years. Foreign EDC suppliers may host their EDC systems abroad, thus requiring their clients’ clinical trial data to be exported outside China. It should be noted that coded clinical data without any direct identifying information may be deemed as de-identified information rather than anonymised information and thus still constitute personal information under PRC laws and be subject to the data export regulations.
International collaborative research data
Foreign organisations and individuals and entities established by or under the actual control of foreign organisations or individuals are permitted to use HGR collected in China for scientific research purposes in co-operation with a Chinese scientific research institution, college, university, medical institution or enterprise. Such international collaborative research usually entail the export of HGR information.
Internal management data
Like most multinational companies in other industries, multinational pharmaceutical companies rely on globally deployed HR, financial, client relations, office and other back-end systems to support their daily operations, which may entail cross-border transfers of personal information of employees, suppliers, healthcare professionals, etc.
How should pharmaceutical companies should prepare for the Security Assessment?
The Security Assessment requirements place unprecedentedly strict restrictions on the export of data from Mainland China. To address the compliance challenges posed by the recent data export regulations, it is advisable for pharmaceutical companies to consider the following.
- Pharmaceutical companies are advised to carry out data mapping, complete rectifications when necessary, and apply for a Security Assessment for required data export scenarios as early as possible. Theoretically, companies need to obtain approvals for data export, if applicable, before 1 March 2023, when the grace period expires. Data exports subject to a Security Assessment yet without an approval before the expiration of the grace period will be deemed illegal and this may lead to severe consequences under relevant PRC data protection laws.
- Pharmaceutical companies that intend to carry out data export activities in the future are advised to formulate an internal data export identification system and a self-assessment system, and to prepare relevant data export contracts, privacy policies, informed consent forms and other legal documents in advance, which will serve as key components to smoothly promote data export activities.
- The Assessment Measures set low quantity thresholds for the mandatory Security Assessment. As a result, pharmaceutical companies may consider localisation as an option to avoid lengthy assessment procedures and the uncertainty that they bring, especially for export of large volumes of sensitive personal information such as healthcare data and HGR information.
Han Kun Law Offices
12 ranked departments
Learn more about the firm’s ranking in Chambers Greater China Region 2022
View firm profile