China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.
Under the Measures, a security assessment by the Cyberspace Administration of China (“CAC”) is required in the following circumstances:
- outbound transfer of “important data” by a data handler;
- outbound transfer of personal information by a critical information infrastructure operator or a personal information handler which has processed the personal information of more than 1,000,000 people;
- outbound transfer of personal information by a personal information handler which has made outbound transfers of the personal information of 100,000 people cumulatively, or the sensitive personal information of 10,000 people cumulatively since January 1 of the previous year; and
- other circumstances prescribed by the CAC.
Those affected by the Measures will mainly be international pharma companies, but domestic Chinese companies may also be affected if they need to transfer data out of the country in order to, for example, register their products with U.S. or European regulators.
International pharma companies are already obliged to comply with Chinese regulations restricting the sharing and transfers of sensitive health data originating in China, in particular human genetic resources (“HGR”) data from clinical trials in China. However, the Measures introduce an additional layer of regulation on top of the existing regime.
The Measures focus on the export of both personal information and data falling within the crucial Chinese classification of “important data.” This means that they are likely to capture types of health data that were not regulated in the past under the wide category of “personal information.” The types of data that are likely to be affected by the Measures – if the data set is large enough to meet the specified thresholds – include:
- Employee data, which multinational pharma companies want to transfer, for internal management purposes, to their headquarters or to a database hosted outside China.
- Clinical trial data, from multi-center trials, or HGR data, which need to be transferred outside China for product licensing reasons. This data is already covered by another Chinese data regulatory regime which has existed for many years. However, the Measures add an additional layer of regulation on top of the existing mechanism, and it is still unclear how the two regimes will interact. Nor is it known whether procedures will be simplified so that companies will be able to receive a green light under the Measures, or whether the two regimes will operate independently.
- Data collected from health care professionals (HCPs): Typically pharma companies will use a vendor to transfer and store data about doctors and nurses outside China.
- Software accompanying medical devices or drugs: This software may also collect a large amount of health data and then transfer it outside China.
- Data collected for pharmacovigilance purposes: All pharma companies need to report pharmacovigilance data to regulators across the globe. As this data will be collected from HCPs or patients in China, such reporting will likely be considered a data transfer under the Measures.
The point about size and thresholds is generally applicable; always check whether your data set falls under the size threshold. Be aware that all data will be calculated in aggregate to determine whether the thresholds are met. If your data set is too small to trigger the threshold, you can follow the standard contract or obtain a personal information protection certification in accordance with the relevant rules in order to legitimize the cross-border data transfers.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.