Data Compliance on Collecting Human Genetic Resources from China

With the increase in cross-border research and development collaborations and international multi-site clinical trials for drugs and medical devices, it is becoming increasingly common for foreign organizations or corporations to collect human genetic resources (“HGR”) from China. These foreign entities must collaborate with Chinese entities to use HGR for international scientific studies and should be aware of the requirements and restrictions imposed on them under Chinese law.

Under the Administrative Regulations on Human Genetic Resources (in Chinese: 人类遗传资源管理条例) (“HGR Regulations”), HGR include:

  1. HGR materials, such as organs, tissues, cells and other genetic materials that contain human genome, genes and other genetic materials; and
  2. information and data generated by using HGR materials (“HGR Information”).

The collaborating Chinese entity shall file for record with the Ministry of Science and Technology of China (“MOST”) when exporting the HGR Information abroad and submit such information for backup.

In addition, the cross-border transfer of HGR Information is subject to requirements under data protection laws and regulations that have come into force in recent years, most notably the Personal Information Protection Law (in Chinese: 个人信息保护法) (“PIPL”) and the Data Security Law (in Chinese: 数据安全法) (“DSL”). This article introduces cross-border data transfer compliance under PIPL and DSL with respect to human genetic resources.

Export HGR as Personal Information

Under PIPL, “personal information” refers to information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymized information. As such, when the HGR Information constitutes personal information, PIPL is applicable.

However, HGR Information may involve anonymized information, which is excluded from personal information under PIPL. To facilitate the discussion, this section only discusses exporting HGR as personal information.

Before an organization exports personal information, it must inform individuals of the name and contact information of the foreign recipients, the purpose and means of the processing, the categories of the personal information to be exported, and the mechanisms via which individuals may send requests to the foreign recipient to exercise their rights to the personal information. The exporter must obtain consent from the individuals on this.

In addition, if the personal information is categorized as “sensitive personal information”, an additional consent from the individuals and a prior impact assessment are required by PIPL.

“Sensitive personal information” refers to personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including information such as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of people under the age of 14.

To export personal information, including sensitive personal information of a certain scale (although the scale of the personal information is not yet fully clarified in the current legislation), companies must employ one of the following mechanisms according to Article 38 of the PIPL:

  1. security assessment organized by the Cyberspace Administration of China (“CAC”), except where exempted in relevant laws and regulations;
  2. personal information protection certification by a professional institution in accordance with the regulations of the CAC;
  3. standard contract (SCCs) with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC; or
  4. other conditions set by the CAC or relevant laws and regulations.

The security assessment applies to data processors who have provided abroad the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals in total since January 1 of the previous year, and to critical information infrastructure operators that transfer personal information overseas, in accordance with the Security Assessment Measures for Outbound Data Transfers (in Chinese: 数据出境安全评估办法) (“Security Assessment Measures”) effective as of 1 September 2022. The scale of personal information for the other mechanisms is not yet clarified and remains to be seen.

Export HGR as Important Data

DSL introduces the concept of “important data”, which is afforded a higher level of protection than ordinary data. Catalogues of important data shall be formulated by the relevant authority in order to clarify what constitutes important data.

Note that the official checklist of important data is not yet published and therefore the relevant regulation is hardly implementable at this stage. As a reference, in the Draft Guideline for Identification of Important Data (in Chinese: 重要数据识别指南(征求意见稿)), HGR Information and data related to public health are also specifically identified as important data.

Where the data constitutes important data, the data processor shall submit any proposed export for the security assessment in accordance with DSL and the Security Assessment Measures.

An important data processor who wishes to export important data shall file for security assessment through the local CAC at the provincial level. The local CAC shall review the materials within 5 business days and, where the materials are complete, submit them to the CAC at the state level. The state CAC shall determine whether to accept the materials within 7 business days and afterwards complete the security assessment within 45 business days after accepting the materials (which could be extended at CAC’s discretion).

China is close to establishing a comprehensive regulatory regime governing bio/health-related activities, especially for HGR. Apart from the regulation imposed by MOST, the parallel requirements on cross-border transfer of HGR under PIPL and DSL shall also be taken into serious consideration to ensure compliance. Relevant companies are advised to pay close attention to developments in this area to pre-empt the regulation.