New measures governing China cross-border data transfer for medical devices came into force on September 1, 2022. The new Measures for Data Export Security Assessment (the “security assessment measures”) were issued on July 7, 2022, by China’s top cybersecurity authority, the Cyberspace Administration of China (CAC).
- The new security assessment measures provide specific requirements, steps, and procedures for companies to undergo a security assessment in order to transfer data or personal information (PI) overseas.
- The measures apply to data processors of “important data” and personal information collected and generated within the territory of the People’s Republic of China.
- The new security assessment measures are supporting legislation to China’s three overarching data security laws:
  - Cybersecurity Law (CSL), June 1, 2017
  - Data Security Law (DSL), June 10, 2021
  - Personal Information Protection Law (PIPL), which came into effect most recently on November 1, 2021.
Scope of Application
- Not all companies need to undergo a data security assessment before transferring data overseas. If one of the following conditions is met, a data export security assessment must be sent to the national cybersecurity and informatization department through the local provincial-level cybersecurity and informatization authority:
  - The data handler transfers “important data” abroad.
  - Critical Information Infrastructure Operators (CIIO), and data processors that process the personal information (PI) of more than 1 million people, transfer personal information abroad.
  - Data processors have transferred the PI of over 100,000 people or the “sensitive” PI of over 10,000 people overseas since January 1 of the previous year.
  - Other situations stipulated by the national cybersecurity and informatization department require a data export security assessment to be declared.
As China regulatory affairs experts and a CRO, we set out below our analysis of the measures for the field of medical devices.
Risk assessment of data export in the field of medical devices
- The launch of “the Security Assessment Measures” further reinforces the NMPA’s implementation of the Medical Device Cybersecurity Technical Review Guidelines.
- As a result of the release of the security assessment measures, the NMPA will be more rigorous in implementing the Medical Device Cybersecurity Technical Review Guidelines, which require that important data, personal information and human genetic resource information collected and generated in China should, in principle, be stored in China.
- For businesses that need to provide PI outside the country, a security assessment should be carried out in accordance with the measures developed by the national network information department in conjunction with the relevant departments of the State Council.
- Following the release of the security assessment measures, the NMPA will rigorously review the cybersecurity of the medical device during the medical device registration review phase. The manufacturer will need to submit complete, accurate and consistent cybersecurity documentation to the NMPA. Cybersecurity documentation includes:
  - cybersecurity description documents,
  - cybersecurity risk management documents,
  - cybersecurity requirements specifications,
  - cybersecurity validation plans,
  - cybersecurity validation reports,
  - cybersecurity vulnerability assessments,
  - and cybersecurity analyses.
If you would like to know how these measures for data export security assessments apply to your medical device registration or medical device clinical trial, please contact us.