Feb 32023

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

Lianying Wang
, ,

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.

Under the Measures, a security assessment by the Cyberspace Administration of China (“CAC”) is required in the following circumstances:

  1. outbound transfer of “important data” by a data handler;
  2. outbound transfer of personal information by a critical information infrastructure operator or a personal information handler which has processed the personal information of more than 1,000,000 people;
  3. outbound transfer of personal information by a personal information handler which has made outbound transfers of the personal information of 100,000 people cumulatively, or the sensitive personal information of 10,000 people cumulatively since January 1 of the previous year; and
  4. other circumstances prescribed by the CAC.

Those affected by the Measures will mainly be international pharma companies, but domestic Chinese companies may also be affected if they need to transfer data out of the country in order to, for example, register their products with U.S. or European regulators.

International pharma companies are already obliged to comply with Chinese regulations restricting the sharing and transfers of sensitive health data originating in China, in particular human genetic resources (“HGR”) data from clinical trials in China. However, the Measures introduce an additional layer of regulation on top of the existing regime.

The Measures have a focus on the exporting of both personal information and the crucial Chinese classification of “important data.” This means that they are likely to capture types of health data that were not regulated in the past under the wide category of “personal information.” The types of data that are likely to be affected by the Measures – if the data set is large enough to meet the specified thresholds – include:

  • Employee data, which multinational pharma companies want to transfer, for internal management purposes, to their headquarters or to a database hosted outside China.
  • Clinical trial data, from multi-center trials, or HGR data, which need to be transferred outside China for product licensing reasons. This data is already covered by another Chinese data regulatory regime which has existed for many years. However, the Measures add an additional layer of regulation on top of the existing mechanism, and it is still unclear how the two regimes will interact. Nor is it known whether procedures will be simplified so that companies will be able to receive a green light under the Measures, or whether the two regimes will operate independently.
  • Data collected from health care professionals (HCPs): Typically pharma companies will use a vendor to transfer and store data about doctors and nurses outside China.
  • Software accompanying medical devices or drugs: This software may also collect a large amount of health data and then transfer it outside China.
  • Data collected for pharmacovigilance purposes: All pharma companies have a need to report pharmacovigilance data to regulators across the globe. As this data will be collected from HCPs or patients in China, they will likely be considered a data transfer under the Measures.

The point about size and thresholds is generally applicable; always check whether your data set falls under the size threshold. Be aware that all data will be calculated in aggregates to determine whether the thresholds are met. If your data set is too small to trigger the threshold, you can follow the standard contract or obtain a personal information protection certification in accordance with the relevant rules in order to legitimize the cross-border data transfers.

This post originally appeared on Sidley’s GoodLifeSci blog.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Lianying Wang

Beijing

lianying.wang@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
EU Formally Adopts World’s First AI Law

On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act (“AI Act”) with a large majority of 523-46 votes in favor of the legislation. The AI Act is the world’s first horizontal and standalone law governing AI, and a landmark piece of legislation for the EU.