Multinational pharmaceutical companies, by nature of their business, handle a great deal of data, often transferred across borders, whether research data, clinical trial data, or employee personal data.
A heightened focus on national security risks related to the cross-border transfer of sensitive data out of China has given rise to new and far-reaching laws to address what the country deems at odds with its national interests. We take a look at two laws in particular that impact life sciences companies with operations in China: the Personal Information Protection Law (PIPL), which comes into effect in less than a month on November 1, 2021, and the Data Security Law (DSL), which came into effect on September 1, 2021. We also provide a reminder on the key provisions of the Regulation on Human Genetic Resources (HGR), which came into effect in 2019 and is specific to life sciences organizations.
PERSONAL INFORMATION PROTECTION LAW: ONE MONTH TO IMPLEMENTATION
China’s long-awaited PIPL is regarded as China’s version of the EU General Data Protection Regulation, and lays out a comprehensive set of rules for how business operators should collect, use, process, share, and transfer personal information in China. The PIPL further supplements the existing data protection regime previously established by the Cybersecurity Law (CSL) and national guidelines, and it provides another pillar in China’s efforts to regulate how companies use data and to further protect the personal data of its citizens.
The PIPL requires companies, as data controllers, to obtain informed and separate consents from data subjects for the collection, processing, and cross-border transfer of their personal data (limited exceptions apply). It also requires a company to store personal data on servers physically located in China if the company is certified as a critical information infrastructure operator, or processes personal data exceeding a certain volume threshold, which the regulator has yet to publish. Employers qualify as data controllers, so every company will need to ensure that it understands the new requirements covering the collection and processing of its employees' personal data, in addition to other types of personal data, as part of its routine employee management functions.
Companies in violation of the PIPL may be subject to severe penalties, including a fine of up to 5% of the company's turnover in the previous year, revocation of the company's license to do business in China, and personal liabilities for company executives.
DATA SECURITY LAW
The DSL introduces certain notable data security mechanisms in addition to some updates and supplements to the existing data security regime established by the CSL. For instance, the DSL establishes a stricter regulatory framework for the protection of “national core data” on top of that for “important data.” In addition, the DSL reemphasizes the importance of the multilevel protection scheme that was previously set up by the CSL and enhances the data security obligations thereunder. The DSL also increases the penalties for unauthorized foreign transfers of data.
The data security obligations outlined in the DSL will potentially affect all business operators in China, including multinational life sciences corporations. Violations of such obligations may result in a fine of up to RMB 2 million and a suspension of related business, and a fine of up to RMB 200,000 on responsible persons.
REGULATION ON HUMAN GENETIC RESOURCES
The HGR has been in effect since July 2019 and covers a broad range of genetic materials, such as human organs, tissues, cells, blood specimens, preparations of any type, or recombinant DNA constructs that contain human genomes, genes, or gene products, as well as information or data relating to such genetic materials. As such, this expansive scope could be of relevance to any multinational life sciences company conducting clinical trials in China.
Of particular note is the HGR’s requirement of a notification filing prior to electronic data capture transmission of clinical trial data to foreign parties, including any transmission to the US Food and Drug Administration or similar foreign regulatory agencies, even if the transmission is for adverse-event reporting purposes. This is an area in which China has been proactive: since late 2019, we have seen two nationwide campaigns to enforce the regulation.
HOW TO PREPARE
Asian life sciences companies should fully understand the legal requirements in relation to data handling in China, particularly those of the newer laws, the DSL and PIPL. It is recommended that they conduct compliance reviews of their existing data processing practices, and upgrade and implement robust privacy protection mechanisms for data compliance.