New measures for China's cross-border data transfer security assessments come into force on September 1, 2022. The new Measures for Data Export Security Assessment (the “security assessment measures”) were issued on July 7, 2022, by China’s top cybersecurity authority, the Cyberspace Administration of China (CAC).
The new security assessment measures are supporting legislation to China’s three overarching data security laws:
- Cybersecurity Law (CSL) June 1, 2017
- Data Security Law (DSL) June 10, 2021
- Personal Information Protection Law (PIPL), which came into effect most recently, on November 1, 2021.
The new security assessment measures provide specific requirements, steps, and procedures for companies to undergo a security assessment in order to transfer data or personal information (PI) overseas.
The measures apply to data processors of “important data” and personal information collected and generated within the territory of the People’s Republic of China.
Scope of Application
Not all companies need to undergo a data security assessment before transferring data overseas. If one of the following conditions is met, a data export security assessment must be submitted to the national cybersecurity and informatization department through the local provincial-level cybersecurity and informatization authority:
- The data handler transfers “important data” abroad.
- Critical Information Infrastructure Operators (CIIO) and data processors that process the personal information (PI) of more than 1 million people transferring personal information abroad.
- Data processors that have transferred the PI of over 100,000 people or the “sensitive” PI of over 10,000 people overseas since January 1 of the previous year.
- Other situations stipulated by the national cybersecurity and informatization department in which a data export security assessment must be declared.
As China regulatory affairs experts and a CRO, we provide below our analysis of the measures for the pharmaceutical field.
Risk assessment of data export in the field of pharmaceuticals
- The compliance issues of data export in the field of pharmaceuticals mainly concern the human genetic resources used and the data generated during drug clinical trials. Clinical trials involve the collection, storage, use, processing, transmission and other handling of the subjects’ personal information. Many types of personal information are involved, including medical record information, medical insurance information, health logs, genetics, medical experiments, etc. At present, the regulations for cross-border data supervision mainly focus on the “Good Clinical Practice for Drugs” (GCP) and “the Regulations of the People’s Republic of China on the Administration of Human Genetic Resources”.
- The GCP, which was implemented on July 1, 2020, clearly stipulates that the transfer of ownership of clinical trial data must comply with the requirements of relevant domestic laws and regulations (and should now comply with the data export security assessment methods). The GCP requires that clinical trial sponsors should take the protection of the rights and safety of subjects as well as the authenticity and reliability of clinical trial results as the basic consideration of clinical trials. Clinical trial sponsors should establish an independent data monitoring committee and use a system-validated electronic data management system that unauthorized personnel cannot access to ensure the security of the system.
- With the globalization of drug research and development, international multi-center clinical trials for drug registration are gaining popularity. When clinical trial sponsors plan and implement international multi-center drug clinical trials in China, they must comply with China’s Drug Administration Law and other relevant laws, regulations and provisions, and the implementation of China’s “Good Clinical Practice for Drugs”, with reference to ICH-GCP and other internationally accepted principles.
- Previously, China’s awareness of the compliance management of human genetic resources and data security was relatively weak. It is worth mentioning that in September 2015, a company in Shenzhen (“Shenzhen Company”), a domestic hospital and a famous university in the UK carried out international cooperative research on Chinese human genetic resources which involved the transfer of data out of China. The Shenzhen Company was fined by the Ministry of Science and Technology of the People’s Republic of China for transmitting some human genetic resources information out of the country through the internet without permission. Once the fine was made public, it attracted widespread attention and brought the topic of human genetic resources and data export security into public view.
- On June 10, 2019, the State Council officially issued “Regulations on the Administration of Human Genetic Resources”. The Regulations stipulate that if foreign entities need to use human genetic resources from China to carry out scientific research activities, they should cooperate with Chinese authorities, and clearly stipulate that if human genetic resources materials need to be transferred overseas, then approval is required. The introduction of this regulation makes the management of drug clinical trial data security increasingly standardized.
If you would like to know how these measures for data export security assessments apply to your drug clinical trial, please contact us.