Data Cross-border Transfer for Pharmaceutical Companies
2025-03-05 | Jerry Liu | Charles Wu

Pharmaceutical companies naturally hold and process large amounts of data and personal information because of the nature of their industry and business. Regulatory requirements apply in several dimensions, as shown in particular by recent regulatory penalty cases and guidance documents on cross-border transfers of the relevant data. Pharmaceutical companies need to be aware that they may be subject to regulatory requirements in various dimensions, such as the administration of human genetic resources, data security and personal information protection. Any mishandling or negligence may trigger penalties, resulting in compliance risks and losses. This article discusses the regulatory landscape for cross-border data transfer in the context of pharmaceutical companies' data governance, in light of recent legislative and regulatory developments, for readers’ reference.

 

I. Regulatory Requirements from a Human Genetic Resources Administration Perspective

 

The regulation of human genetic resources is one of the regulatory dimensions in which the pharmaceutical industry may be involved in many situations (e.g., clinical trials). Human genetic resources administration and regulation may be triggered in a scenario involving the cross-border transfer of data related to human genetic resources.

 

Back in 1998, the Ministry of Science and Technology (the “MOST”) and the former Ministry of Health jointly formulated the Interim Administrative Measures on Human Genetic Resources (the “Interim Measures”). Since the implementation of the Interim Measures, penalties related to cross-border transfer of data from the human genetic resources administration perspective have been reported. For example, in 2015, in the course of the international scientific research cooperation between Shenzhen BGI Science and Technology Co., Ltd. (“BGI”) and Huashan Hospital of Fudan University in the implementation of the “Large-Sample Case-Control Study on Major Depressive Disorder in Chinese Women”, they cooperated with the University of Oxford in the UK in conducting international cooperative research on human genetic resources in China. A portion of the human genetic resources information involved was transferred out of China via the internet without prior approval. According to the Interim Measures effective at that time, the MOST required BGI to immediately stop the implementation of the research work and destroy all the genetic resource materials and related research data that had not been transferred abroad. BGI's international cooperation involving human genetic resources in China was also required to stop and was not to resume until the rectification work had been completed and had passed the inspection and acceptance process.

 

In 2019, the State Council promulgated the Administrative Regulations on Human Genetic Resources (the “Administrative Regulations”, which were revised in 2024). The MOST and the Human Genetic Resource Administration of China (which was formerly under its purview) successively issued documents in the form of guidelines and Q&As. In 2023, the MOST issued the Implementation Rules for the Administrative Regulations on Human Genetic Resources (the “Implementation Rules”). In 2024, the revised Administrative Regulations changed the regulatory body for human genetic resources from the MOST to the National Health Commission (the “NHC”). The above rules and supporting documents have evolved over time to form the main regulatory system for the administration on human genetic resources in China.

 

According to the Administrative Regulations, the Implementation Rules and relevant guidelines, human genetic resources are defined as follows:

 

| Term | Definition |
| --- | --- |
| Human Genetic Resources | Including human genetic resource materials and human genetic resource information. |
| Human Genetic Resource Materials | The genetic materials with respect to organs, tissues, cells and so on which contain the human genome, genes and other genetic substances. |
| Human Genetic Resource Information | The data and other information materials generated from the utilization of human genetic resource materials, including human gene and genome data, as well as other information and data generated utilizing human genetic resource materials, but excluding clinical data, imaging data, protein data, and metabolic data. |

 

According to the guidelines previously issued by the MOST, human genetic resource information includes data and information on genes, genomes, transcriptomes, epigenomes and nucleic acid-based biomarkers such as ctDNA, as well as information on diseases, ethnicity and other associations related to such data.

 

One of the key points of the administration of human genetic resources is the regulation of the participation of “foreign entities”. For the purpose of this article, we will not go into the details of how “foreign entities” are determined[1]. But we note that entities established overseas, and those within China that meet the relevant criteria, may fall under the category of foreign entities. In the context of cross-border transfer of human genetic resources information and related data, administrative approval/record-filing procedures involving foreign entities are usually triggered.

 

First of all, according to the Administrative Regulations, foreign entities are prohibited from collecting or preserving China’s human genetic resources within China, and are prohibited from providing China’s human genetic resources to any overseas recipients.

 

For foreign entities, the more common route for transferring human genetic resources overseas is through administrative approval for international cooperation in scientific research or record-filing of international cooperation in clinical trials. This situation mainly occurs in scenarios such as clinical trials (e.g., multi-regional clinical trials). If the following conditions are met, a foreign entity only needs to complete a record-filing of international cooperation in clinical trials; if not, it needs to apply for an administrative approval for international cooperation in scientific research:

 

(i) The clinical trial is for the purpose of obtaining a permit for the sale of relevant drug or medical equipment in China;

 

(ii) The clinical trial is conducted in a clinical medical and health institution and utilizes human genetic resources in China;

 

(iii) No cross-border transfer of human genetic resource materials is involved;

 

(iv) Any of the following conditions is satisfied: (a) the collection, testing, and analysis of the human genetic resources involved, the disposition of the residual human genetic resource materials, and related activities will be carried out within the clinical medical and health institution; or (b) the human genetic resources involved will be collected within the clinical medical and health institution, and the testing, analysis, and disposition of the residual samples of the human genetic resources will be conducted by any designated domestic entity in the clinical trial plan developed to obtain a permit for the sale of relevant medicine or medical equipment.

 

In addition, for any exploratory research conducted as part of a clinical trial, an administrative approval application for international cooperation in scientific research of human genetic resources shall be submitted.

 

In the case of providing or making available information on human genetic resources to any foreign entity, the Chinese entity that is the owner of the information shall report the case in advance and submit a backup of the information to the NHC. It should be noted that there is also a special circumstance under this scenario: if it may affect the public health, national security or social public interests of China, a security review organized by the NHC shall be passed. A security review shall be conducted if any of the following subjects are involved: (i) human genetic resource information of any important genetic lineage; (ii) specific regional human genetic resource information; (iii) resources of exome sequencing or genome sequencing information involving more than 500 people; or (iv) other cases where China’s public health, national security, or social public interests may be impacted.

 

In view of the above, pharmaceutical companies should also improve their compliance systems and regimes for cross-border transfer of human genetic resources related information and data, such as the following:

 

(i) Strengthening the functions of the departments/persons in charge of human genetic resources administration, setting up necessary systems and processes (SOPs), and embedding the approval and business processes related to human genetic resources into scenarios such as clinical trials. For example, the aforesaid departments/personnel may assist in identifying when and what kind of foreign entities may trigger human genetic resources-related formalities, and the procedures to be implemented.

 

(ii) Pharmaceutical companies shall pay attention to cross-border data transfer scenarios beyond the traditional clinical trial dimension, such as license-outs. When a domestic company licenses a pre-market drug to a foreign licensee, if the license involves the provision of clinical trial data to the foreign licensee, it may trigger the provision of human genetic resources to a foreign entity. By contrast, if the data involved is preclinical data, the likelihood of triggering a regulatory mechanism for human genetic resources may be relatively low, as the data involved may not constitute human genetic resources.

 

(iii) Coordinated and integrated work shall be conducted among the departments responsible for the different regulatory dimensions. As detailed below, in addition to the dimension of human genetic resources, the regulation of cross-border transfer of data/personal information and the requirement of approval/filings may be involved from the dimensions of data security and personal information protection. In the process of reviewing and implementing projects of pharmaceutical companies, different departments need to routinely share relevant information, communicate with each other, and make forward-looking arrangements across the different regulatory dimensions along the future timeline of such projects.

 

II. Regulatory Requirements from a Data Security Perspective

 

In addition to the aforementioned dimension of human genetic resources, China also has regulatory requirements in the area of data security, including those related to the cross-border transfer of data. In terms of basic laws, China has established a three-pillared mechanism including the Cybersecurity Law (the “CSL”), the Data Security Law (the “DSL”) and the Personal Information Protection Law (the “PIPL”), and has promulgated a number of other supporting laws, regulations and rules on this basis, with the subjects of regulation echoing and overlapping each other. In particular, a special regulatory system has been established in the area of cross-border transfer of data/personal information. In addition to the regulatory and procedural requirements for cross-border transfer of personal information (which will be discussed in detail below), there are also regulatory requirements in the dimension of data security.

 

In 2024, the Shanghai branch of the Cyberspace Administration of China (the “CAC”) announced a penalty case. The penalized entity is a private medical technology company (the “Penalized Company”), which mainly engaged in technology development services for education and training in the medical industry. The Penalized Company’s internal production testing system was deployed on a cloud service platform and stored a large amount of personal information, including names, employer names, provinces and cities, towns/communities, and cell phone numbers (encryption measures were taken), etc. The Shanghai branch of the CAC disclosed the following findings: the system did not take effective network security measures; an unauthorized access vulnerability was found; the network and data security management system did not function well; and the network log retention period was less than 6 months. As a result, data was leaked and subsequently stolen by overseas entities[2]. The Penalized Company was in violation of Article 27 of the DSL. It should be noted that the Guide to Applications for Security Assessment of Outbound Cross-Border Data Transfers (Second Edition) provides that cross-border transfer of data includes the following scenario: data collected and generated by a data processor and stored within China can be accessed, retrieved, downloaded, or exported by an institution, organization or individual outside of China. Although this case does not constitute a “proactive” cross-border transfer of data, it suggests that pharmaceutical companies need to pay great attention to data governance issues, especially to possible “passive” cross-border data transfer/access.

 

The penalty in the Penalized Company’s case was based on Article 27 of the DSL, which provides the following requirements: those conducting data processing activities shall, in accordance with laws and regulations, establish and perfect a data security management system across the entire workflow, organize and conduct data security education and training, and adopt the corresponding technical measures and other necessary measures to ensure data security. Those conducting data processing activities by using the internet or other information networks shall, based on the graded cybersecurity protection system, perform the aforesaid data security protection obligations. Those processing important data shall clearly specify responsible personnel and management bodies for data security and fully implement data security protection responsibilities. The CSL also imposes the same requirements on network operators[3].

 

From the perspective of corporate data governance, strict compliance with the requirements of the Cross-border Data Transfer Procedures (as defined below) is not by itself sufficient for full compliance. Pharmaceutical companies should also improve their management system for cross-border data transfer at the pre-processing stage, for example:

 

(i) Pharmaceutical companies should establish their own corporate data classification and grading system. Pharmaceutical companies may refer to the various guidance documents issued in recent years, in particular the “Network Security Standard Practice Guidelines - Network Data Classification and Grading Guidelines” (TC260-PG-20212A) issued by the National Information Security Standardization Technical Committee in 2021 and the “Data Security Technology - Rules for Data Classification and Grading” (GB/T 43697-2024) published by the National Technical Committee on Cybersecurity of Standardization Administration of China in 2024. In terms of data classification, the type of data can be distinguished according to business requirements (e.g., personal information, trade secrets). In terms of data grading, data should be managed according to its importance and sensitivity to ensure that different protection measures are taken for different levels of data. Following the principles of “comprehensiveness” and “dynamic update” provided in the aforementioned rules, and taking into account the nature of the data involved and their own technological situation, pharmaceutical companies need to invest a certain amount of effort in this regard. In conclusion, data classification and grading can help pharmaceutical companies to identify the security level of various data, tier the authorizations to access different data, and set up various security measures accordingly, so as to avoid non-compliant “proactive” and “passive” cross-border data transfer incidents.

 

(ii) Pharmaceutical companies need to set up effective technical protection measures. For example, pharmaceutical companies may adopt the following measures: to carry out encryption in data transmission and storage; to implement strict access control policies to ensure that only authorized personnel can access the relevant data, such as implementing multi-factor authentication (MFA) and setting up strict user authorization accordingly; to carry out segment isolation of their internal network, and use secure VPN connections for remote access; to establish a data backup and recovery system, and arrange regular backup of important data.

 

(iii) Pharmaceutical companies may establish monitoring and internal/external auditing mechanisms for data access and transfer, and may refer to relevant regulations such as the “Administrative Measures for Personal Information Protection Compliance Audits” promulgated in February 2025, according to which abnormal behavior can be detected and disposed of in a timely manner; in addition, pharmaceutical companies may also set up a response mechanism for security incidents.

 

(iv) Pharmaceutical companies may implement data desensitization during data processing and storage, and adopt de-identification/anonymization techniques as far as possible; they may also establish corresponding approval mechanisms and processes when cross-border transfer of data is triggered, and clarify the criteria for permission of cross-border transfer of data, as well as the corresponding responsible persons and their authority.

 

(v) Pharmaceutical companies may enhance employee security training and awareness so that employees in different positions understand the importance of data security and strictly adhere to the bottom lines corresponding to their positions.

 

In addition, as mentioned above, when it comes to cross-border transfer of data/personal information, pharmaceutical companies should fulfill their obligations related to the Cross-border Data Transfer Procedures as required by the current regulatory regime.

 

III. Regulatory Requirements from a Personal Information Protection Perspective

 

In March 2024, the CAC released the Provisions on Facilitating and Regulating Cross-border Data Flow (the “Regulations on Cross-Border Data Flow”) and relevant guidelines, including the updated Guide to Applications for Security Assessment of Outbound Data Transfers (Second Edition) and Guidelines for Filing the Standard Contract for Outbound Cross-Border Transfer of Personal Information (Second Edition), which provide more detailed guidance on the Cross-border Data (personal information) Transfer Procedures. Currently, where it is necessary for personal information to be transferred across borders, at least one of the following conditions shall be met: conducting the security assessments organized by the national cyberspace authority (“Security Assessments”); completing personal information protection certification conducted by professional institutions (“Certification”); entering into contracts with overseas recipients based on standard contracts formulated by the national cyberspace authority (“Standard Contracts”, collectively “Cross-border Data Transfer Procedures”); or meeting any other condition prescribed by law, administrative regulations or the national cyberspace authority.

 

For the pharmaceutical industry, the personal information involved is special. Pharmaceutical companies may be involved in various data/personal information cross-border transfer scenarios such as international cooperation (clinical trials), license-outs, etc. It is particularly important to determine the nature and scale of the cross-border transfer of data/personal information and conduct the appropriate Cross-border Data Transfer Procedures. Since there are already many public sources to access detailed descriptions of data/personal information cross-border transfer pathways, we will not repeat them here, but only summarize them in the following diagrams:

 


Chart 1: Outbound Cross-border Transfer of Personal Information

 

Chart 2: Outbound Cross-border Transfer of Data (Other than personal information)

 

In this section, we would like to share several commonly seen issues in the dimension of cross-border transfer of personal information:

 

(1) Administration on Human Genetic Resources and Personal Information (Data) Cross-border Transfer in Parallel

 

For the pharmaceutical industry, we note that in practice, the data/personal information transferred across borders and the human genetic resources involved may overlap or differ. The general view is that, with certain exceptions, the legal obligations regarding cross-border transfer of such different data need to be applied in parallel, i.e., while going through the formalities related to human genetic resources, it is also necessary to examine whether any Cross-border Data Transfer Procedure shall be conducted. For example, based on past guidelines on the administration of human genetic resources, human genetic resource information includes data and information on genes, genomes, transcriptomes, epigenomes and nucleic acid-based biomarkers such as ctDNA, as well as information on diseases, ethnicity and other associations related to such data. Even where the data to be transferred does not involve the abovementioned information and so may not constitute human genetic resource information, it may still constitute personal information by virtue of its association with the “identifiability” of a certain individual, thus triggering an examination of the pathway for cross-border transfer of personal information[4].

 

(2) Determination of Important Data

 

There has been a long-standing discussion on how to recognize “important data”. Article 21 of the DSL states that the National Data Security Coordination Mechanism shall make overall planning for and coordinate relevant departments in formulating the catalogues for important data and strengthening the protection of important data; each region and department shall, in accordance with the classified and graded data protection system, determine the specific catalogue for important data for the respective region and department, and in relevant industries and areas, and undertake special protection for the data included in the catalogue. We are not aware of any important data catalogues for the pharmaceutical industry from public sources. The Regulations on Cross-Border Data Flow clarify the identification of important data, i.e., if any data is not announced or published by the relevant department or locality as important data, data processors are not required to apply for the Security Assessments for such data.[5]

 

We also note that the “Information Security Technology – Guide for Health Data Security” (GB/T 39725-2020) released in 2020 mentions that important data such as the data involving human genetic resources (data generated by the use of human genetic resource materials, and human genetic resource materials refer to genetic materials such as organs, tissues, cells, etc. that contain human genomes, genes and other genetic materials) shall be processed in accordance with the requirements of the relevant government departments. There are views holding that this document, with its lower legal hierarchy and its issuance date (prior to the DSL), may not directly provide criteria for recognizing important data as described in the DSL and the Regulations on Cross-Border Data Flow. Some viewpoints suggest that, from a prudence perspective, it is recommended that pharmaceutical companies still treat human genetic resources information as important data and submit Security Assessments to the CAC. At present, we have not learned of any official interpretation of this issue from public sources. However, considering the special nature of human genetic resources, regardless of whether a pharmaceutical company decides to conduct Security Assessments, pharmaceutical companies shall still pay close attention to human genetic resources information in its internal data governance process and manage it at a higher security level; and in the process of conducting the Cross-border Data Transfer Procedures, it is also recommended that pharmaceutical companies communicate with the competent CAC offices to understand their corresponding regulatory approach. In addition, in the Negative Lists issued by certain Pilot Free Trade Zones (“PFTZs”, to be discussed below in detail), certain data of pharmaceutical industry is also recognized as important data, and pharmaceutical enterprises in the PFTZs shall conduct Security Assessments accordingly.

 

(3) Determination of Sensitive Personal Information

 

According to the aforementioned provisions of the Regulations on Cross-Border Data Flow, the quantitative judgment of sensitive personal information also helps determine the Cross-border Data Transfer Procedure adopted by pharmaceutical companies. It is commonly known that the PIPL provides a number of statutory requirements for processing sensitive personal information. The PIPL defines sensitive personal information as “personal information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any personal information of a minor under the age of 14.” The “Cybersecurity Standard Practice Guidelines - Guidelines for Identification of Sensitive Personal Information” (TC260-PG-20244A) issued by the National Technical Committee on Cybersecurity of SAC in September 2024 is currently a widely applicable reference document for identifying sensitive personal information. Based on its “Rules for Identifying Sensitive Personal Information”, pharmaceutical companies can comprehensively assess the sensitivity attributes of the personal information they process/transfer. More importantly, its “Appendix A Examples of Common Categories of Sensitive Personal Information” lists some of the sensitive personal information that may be involved in the pharmaceutical sector, including:[6]

 

| Category | Typical Examples[7] |
| --- | --- |
| Biometric Identification Information | Personal genes, human faces, voiceprints, gait, fingerprints, palm prints, eye prints, auricles, irises, and other biometric identification information |
| Medical and Health Information | 1. Health condition information related to any individual’s physical or psychological harm, illness, disability, disease risk, or privacy, such as symptoms, medical history, family medical history, infectious disease history, medical examination reports, maternity information, etc. 2. Personal information collected and generated during medical services such as disease prevention, diagnosis, treatment, care, and rehabilitation, including medical visit records (e.g., medical opinions, hospitalization records, doctor's orders, surgical and anesthesia records, nursing records, medication records), test and examination data (e.g., lab reports, examination reports), etc. |

 

The aforementioned guidelines also provide that where certain laws and regulations determine certain personal information to be sensitive, then such laws and regulations shall apply. When it comes to some of the sensitive personal information in the categories listed in the appendix, further judgment can be made by referring to the corresponding national standards and other documents. Based on such guidelines, pharmaceutical companies can more accurately determine the categories of sensitive personal information, manage the relevant data based on the aforementioned data classification and grading system, and conduct the applicable Cross-border Data Transfer Procedures based on the corresponding thresholds when data is cross-border transferred.

 

(4) Application of the Negative Lists of PFTZs

 

According to Article 6 of the Regulations on Cross-Border Data Flow, PFTZs may independently formulate their own lists of the data to be included in the management scope of the Cross-border Data Transfer Procedures (the “Negative Lists”) for the corresponding PFTZs, and the outbound cross-border transfer of the data beyond the Negative List by data processors in the PFTZs could be exempted. PFTZs in Tianjin, Beijing, Shanghai and Jiangsu have promulgated their Negative Lists.

 

For example, the “China (Beijing) Pilot Free Trade Zone Data Cross-border Transfer Administration List (Negative List) (Version 2024)” released in August 2024 sets out a negative list for the pharmaceutical industry. It lists the following as important data: (i) data of more than a certain size on diagnosis and treatment of groups, health and physiological conditions, medical rescue and protection, and experiments on specific medicines, etc.; (ii) more than a certain size of biometric data and medical resource data of specific fields, groups and regions; and (iii) data on matters under export control or technology export administration, etc., and it provides the corresponding basic characteristics and descriptions of the data. It also sets different thresholds, for the different scenarios listed therein, for the adoption of Security Assessments and Standard Contracts/Certification. In addition, although genetic information and genetic data that have reached the scale or precision stipulated by the relevant state departments constitute “important data”, this Negative List only requires the fulfillment of the “administrative approval and filing” obligations stipulated in Chapter 4 of the Implementation Rules.

 

The recently released “China (Shanghai) Pilot Free Trade Zone and Lingang New Area Data Cross-border Transfer Administration List (Negative List) (Version 2024)” does not include pharmaceutical industry data in its Negative List. Pharmaceutical companies should pay attention to PFTZ policies and choose appropriate PFTZ entities to carry out cross-border transfers of personal information/data, which will help to alleviate their compliance burden for such transfers and improve the efficiency of their cross-border data transfers.

 

IV. Conclusion

 

In addition to the dimensions discussed above, there are also scattered requirements related to cross-border transfer of data in the areas of state secrets and healthcare big data[8]. As China’s regulations on data security and personal information protection change and develop, the abovementioned regulations may be further integrated with the existing regulatory regime and updated in future practice, and pharmaceutical companies should continue to keep an eye on them. In conclusion, due to the nature of the data/information that the pharmaceutical industry processes and accesses, pharmaceutical companies are widely regulated in a number of areas, including human genetic resources, data security and personal information protection. In the business development of pharmaceutical companies, typical scenarios such as clinical trials, license-outs, etc. may involve the cross-border transfer of relevant data/information, and pharmaceutical companies should have a clear understanding of such facts and set up well-functioning policies and procedures accordingly. Pharmaceutical companies need to watch the latest legislative and regulatory developments and comply with the ever-evolving regulatory regime to improve their internal control systems and complete regulatory formalities so that they can conduct their business in a more compliant and efficient manner.

 

Notes:

[1] Article 12 of the Implementation Rules: the term “institution established or actually controlled by any overseas organization or individual” as used in Article 11 of these Implementation Rules shall cover the following circumstances: (1) where the overseas organization or individual holds, or indirectly holds, 50% or more of the shares, equity, voting rights, property shares, or other similar rights and interests of the institution; (2) where the overseas organization or individual holds, or indirectly holds, less than 50% of the institution's shares, equity, voting rights, property share, or other similar rights and interests, but such voting rights or other rights and interests held are sufficient to control or exert material influence on the institution's decision-making, management, or other behaviors; (3) where any investment relationship, agreement, or other arrangement is sufficient for the overseas organization or individual to control or exert material influence on the institution's decision-making, management, or other behaviors; or (4) other circumstances as stipulated by laws, administrative regulations, or rules.

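[2] “Personal Information Data Stolen, Posing Risks! A Shanghai Medical Technology Company Penalized by the Cyberspace Authority in Accordance with Law for Failing to Fulfill Its Protection Obligations”, 网信上海, October 14, 2024 (https://mp.weixin.qq.com/s/p1zx0XpCV6nQwNb9vnD0dQ)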

[3] Article 21 of the CSL: Network operators shall fulfill the following obligations of security protection according to the requirements of the classified protection system for cybersecurity to ensure that the network is free from interference, damage or unauthorized access, and prevent network data from being divulged, stolen or falsified:

1. Formulate internal security management systems and operating instructions, determine the persons responsible for cybersecurity, and implement the responsibility for cybersecurity protection; 2. Take technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity; 3. Take technological measures to monitor and record the network operation status and cybersecurity incidents, and preserve relevant web logs for no less than six months according to the provisions; 4. Take measures such as data classification, and back-up and encryption of important data; and 5. Other obligations stipulated by laws and administrative regulations.

[4] A special exception: the “China (Beijing) Pilot Free Trade Zone Data Cross-border Transfer Administration List (Negative List) (Version 2024)” provides that genetic information and genetic data that have reached the scale or precision stipulated by the relevant state departments (including human gene and genome data, as well as other information and data generated utilizing human genetic resource materials, but excluding clinical data, imaging data, protein data, and metabolic data) constitute “important data”. However, such Negative List also provides that if the “administrative approval and filing” obligations stipulated in Chapter 4 of the Implementation Rules are fulfilled, such data is exempted.

[5] Article 2 of the Regulations on Cross-Border Data Flow

[6] If there are sufficient reasons and evidence to indicate that the personal information being processed does not meet the conditions in 3 a) “Rules for identification of sensitive personal information” of the Guidelines, it may not be identified as sensitive personal information.

[7] The relevant notes are not detailed here.

[8] Article 30 of the Measures for the Administration of National Healthcare Big Data Standards, Security and Services (for Trial Implementation): Healthcare big data shall be stored on secure and trustworthy servers within China. If it is necessary to provide the data overseas due to business needs, it shall be subject to security assessment and approval in accordance with the relevant laws and regulations and relevant requirements.