PIPL vs. GDPR: What life sciences companies need to know
Mark Parsons, partner in the Hogan Lovells strategic operations, agreements & regulation practice and head of the firm’s Asia-Pacific region regulatory practice, began the discussion with an overview of China’s Personal Information Protection Law (PIPL), in effect from November 2021. Mr. Parsons noted that PIPL has been described by many as “China's GDPR” because it tracks many features of the European Union’s General Data Protection Regulation (GDPR). Highlighting certain key features, Mr. Parsons noted that both PIPL and GDPR have provisions regarding extra-territorial scope, data subject rights, privacy impact assessments, a Data Protection Officer (DPO) role, regulation of automated decision-making, data breach notification, and standard contractual clauses (SCC). In some ways, Mr. Parsons noted, PIPL is even stricter than GDPR. For example, PIPL has no legitimate interests basis for processing. Moreover, PIPL requires consent to international transfers as well as official review of certain international transfers, neither of which is required under GDPR.
Elaborating on some of these distinctions, Mr. Parsons noted that while PIPL has a very similar extra-territorial reach to GDPR, without the benefit of specific guidance on PIPL to date, there remains some uncertainty as to how broad this reach will be. For example, under a hypothetical analysis of clinical trial data, Mr. Parsons noted that while it is still unknown whether pseudonymized data for clinical trial participants will qualify as personal information under PIPL (as it does under GDPR), there is a suggestion that PIPL could also be interpreted this way. With respect to “sensitive personal data” such as biometric characteristics or medical health information, PIPL requires that the processing of this data have a specific purpose. Moreover, the only lawful basis for processing “sensitive personal data” under PIPL is the data subject’s “separate consent”, which is one of several key challenges in coping with PIPL. Also relevant in the context of clinical trials is “anonymized personal data”. While it is expressly excluded from PIPL, there is as yet no specific list of data points (such as Health Insurance Portability and Accountability Act (HIPAA)-style identifiers) to give clear boundaries on what data must be de-identified.
As Mr. Parsons noted earlier, unlike GDPR, PIPL provides no legitimate interest basis for processing data. Rather, processing under PIPL requires consent, with certain exceptions. This is relevant to life sciences and health care companies in many contexts, including the transfer of personal data by data controllers to third parties, publication of personal data, the use of a personal image or personally identifiable information collected in public for purposes other than public security, processing of “sensitive personal data”, and cross-border transfers of personal data. However, the format for such separate consent remains unclear.
Turning to international transfer restrictions, Mr. Parsons noted that organizations meeting certain threshold requirements are subject to data localization requirements, meaning that personal information collected and generated in China must be stored locally in China and must pass a government security assessment to the extent the organization seeks to transfer personal information outside of China. Adding a further layer of complexity compared to GDPR, cross-border transfers under PIPL also follow a “consent plus” model. This means that international transfers will require consent from data subjects, an actual business need to transfer, measures to ensure the offshore recipient meets PIPL standards, as well as one of: completing a cyber security assessment, obtaining a third party certification, entering into an agreement between the Chinese data transferor and the offshore recipient incorporating certain SCC, or meeting any other requirements specified by laws, regulations, or the CAC. In contrast, while international transfers under GDPR require EU SCC, they do not require consent from the data subject.
As a final distinction, Mr. Parsons compared the rights of erasure under PIPL and GDPR, noting that, unlike GDPR, PIPL’s requirement has no specific qualification or carve-out for cases where rescinding consent is “likely to impair” achievements. The end result is that data subjects under PIPL retain a powerful right to rescind their consent at any time, which could have a significant impact on the life sciences industry, including in clinical trials.
“Sensitive personal data” and beyond
Turning to specific requirements for health related data, Sherry Gong, partner in the Hogan Lovells general corporate & finance practice, provided an overview of the key regulated data in the industry, namely “sensitive personal data”, “important data”, population health information, and big data of health care. As Mr. Parsons also advised, the key concerns under PIPL for “sensitive personal data”, such as biometric characteristics or medical health information, are the need for separate consent as well as data exportation restrictions for personal information. However, Ms. Gong noted, “sensitive personal data” is also governed by the Personal Information Security Specification, which requires encryption and other security measures for transmission and storage, requires separate storage of biometric information, and, in principle, prohibits the storage of original personal biometric information (such as specimens and images).
Also relevant to health data is the People’s Republic of China (PRC) Data Security Law (DSL), which governs “important data” including genetic information, health management data, and specific drug experimental data. Accordingly, Ms. Gong noted, in order to comport with the DSL, companies involved in clinical trials must conduct a government security assessment for the exportation of important data, appoint a DPO, and carry out regular risk assessments of their data activities. Also relevant to the governance of “important data” is the draft Regulations on the Administration of Network Data Security (Draft Regulations), which provide details of the activities required to implement the DSL and PIPL. The Draft Regulations additionally provide for record filing with the local CAC, annual security assessments and training, prior approval of sharing, trading, or entrusted processing of “important data”, as well as implementation of a Multi-Level Protection Scheme (MLPS) under the Cyber Security Law (CSL). Even as to information which would only meet the definitions of population health information (e.g., basic demographics) or big data of health care (e.g., broader data generated in the process of disease prevention and health management), Ms. Gong advised that companies should store these data on a secure server within China under strict security meeting MLPS requirements.
Ms. Gong then outlined several clinical research scenarios involving an offshore sponsor at a Chinese site, and how these would be construed under the Information Security Technology – Guide for Health Data Security (Guide). Ms. Gong noted that decentralized studies present a particular challenge due to the data protections imposed on mobile applications and their data, which are highly regulated in China.
Additional requirements for human genetic resources
Building upon this framework, Lu Zhou, partner in the Hogan Lovells general corporate and M&A practice, noted that companies conducting or considering clinical trials in China must also consider the PRC Human Genetic Resources (HGR) Administrative Regulations (HGR Regulations) as well as the PRC Biosecurity Law (BSL), which echoes the HGR Regulations in many respects but imposes different legal liabilities. Ms. Zhou noted that collectively these are generally referred to as the HGR Rules. While the HGR Rules have some requirements that overlap with PIPL and/or the DSL, not all parameters are the same. Most relevant for multinationals, Ms. Zhou noted, is that under the HGR Rules a foreign party is not allowed to collect, utilize, preserve, or export Chinese human genetic resources in China by itself, and instead must collaborate with a local Chinese partner for any of these activities. Moreover, depending on the type of research activities to be carried out, the foreign party must either seek approval or complete a record filing in advance through the Chinese partner with the Human Genetic Resource Administration of China (HGRAC), a bureau which operates within the Ministry of Science and Technology (MOST). Ms. Zhou also noted that additional guidance on practical administration was recently provided in the draft Implementation Rules for the Regulations of Human Genetic Resources Administration (Draft Rules), which we summarized here.
First, what are HGR? Ms. Zhou noted that the HGR Rules distinguish between HGR “materials”, such as organs, tissues, and cells, and HGR “information”, such as data generated from HGR materials, including clinical data, image data, and biomarkers. In practice, Ms. Zhou noted, it is important to distinguish HGR “materials” from “information” where possible, because information is subject to less rigorous registration requirements in some respects, such as in the context of cross-border transfers. Ms. Zhou noted, however, that the terms are quite general and the distinctions between them are not always clear. As a best practice, where a life sciences and health care company has decided that data qualifies as HGR “information” and therefore is not subject to the approval requirement, one way to mitigate risk is to be clear and consistent about the classification as “information” in any internal protocols or agreements with third parties.
Second, what constitutes a “foreign party” and what restrictions are imposed under the HGR Rules? Formally, Ms. Zhou noted, the HGR Rules are directed at any foreign entity or any entity under the “control” of such a foreign entity. The Draft Rules attempt to clarify the scope of “control” by examining certain aspects of corporate decision-making. Ms. Zhou also noted that under the Draft Rules, even companies formed under a variable interest entity (VIE) structure may be captured under this interpretation. The consequences are substantial. Under the HGR Rules, a “foreign party” is prohibited from collecting and preserving China’s human genetic resources within the territory of China and must collaborate with a Chinese party in order to meet the collection, preservation, and collaboration/exportation requirements related to HGR. Ms. Zhou outlined certain scenarios relevant to clinical trials, distinguishing where prior HGRAC approval would be required from where prior record-filing would be sufficient. For example, if a “foreign party” is limited to a funding or drug supply role, it is unlikely that such a foreign party will be required to collaborate with a PRC-based party for international collaborative scientific research projects involving Chinese HGR. Therefore, whether or not a project is subject to the HGR Rules must be analyzed on a case-by-case basis.
Third, Ms. Zhou advised that the HGR Rules also impose a security review requirement. The Draft Rules also formally define the scope of the security review, although the timeline and procedures for review remain unclear.
Finally, Ms. Zhou noted that while regulation in the HGR field has not yet been greatly developed, the promulgation of further rules (including the Draft Rules) is expected in the near future. As best practices, companies are advised to establish an HGR compliance working group to watch for changes in the legal regime, have procedures in place, and conduct training sessions for employees on a regular basis.
As is clear from the above highlights, a number of recent regulations will govern various aspects of the collection, use, and transfer of health data in and from China. Life sciences and health care companies should be prepared to work closely with local Chinese partners to meet these standards. Moreover, companies should prepare for compliance with these regulations by keeping a close eye on further legislative developments relevant to this industry.
Why Hogan Lovells?
The Asia-Pacific region presents an immense, but also immensely challenging, commercial opportunity for future-ready pharmaceutical, biotech, medical device and health care companies.
We have been supporting clients in Asia-Pacific for over three decades and we are backed by a global dedicated life sciences practice comprising over 500 lawyers around the world. Leveraging the full-service capabilities of our offices within the region, we can offer a dedicated team of culturally-attuned, multi-jurisdictional and multi-practice lawyers with substantial experience and background in the life sciences and health care sector and the ability to advise on the full scope of issues in this sector.
We hope that the above summary has highlighted some key considerations in order to prepare for and navigate evolving issues, risks, and opportunities relevant for your commercial interests in the APAC region. The full webinar is available here and you can view the slides here.
You can access a summary of Session no. 1: “Internal investigations and enforcement trends in the Life Sciences sector in China” here, or view the full session here.
Please join us on 28 September 2022 for Session no. 3: “Corporate and IP (out-licensing to Chinese counterparties, including related necessary IP protections)”. Stay tuned for information on registering for Session no. 4: “IP (the newly-introduced systems in China for patent term extension and patent linkage; and Chinese anti-monopoly issues when settling patent infringement actions)”.