China Health and Medical Data Protection (I): Human Genetic Resources Information

Written By

james gong Module
James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

jacqueline che Module
Jacqueline Che

Associate
China

As an associate in our Commercial team based in Shanghai, I advise Chinese and international clients on a range of data protection and cybersecurity issues, with a special focus on the TMT sector.

I. An Overview of Regulatory Regime

Under the Chinese law, human generic resources (“HGR”), include (i) HGR materials, such as organs, tissues, cells and other genetic materials that contain human genome, genes and other genetic materials (“HGR Materials”); and (ii) information and data generated by using HGR materials (“HGR Information”).

Back in 1998, the Ministry of Science and Technology (“MOST”) and the former Ministry of Health published the Interim Measures for the Management of Human Genetic Resources (《人类遗传资源管理暂行办法》), which set out the general framework regulating the collection, research and development, international collaboration and export of HGR. Since 2011, the MOST has released a series of rules and regulations implementing the regulatory framework and establishing the procedures for approval and permits created thereunder.

In recent years, national security has become one of the dominating priorities of China’s legislative agenda, and the government is also tightening its scrutiny over HGR. In particular, the regime governing administration and protection of the HGR has gained escalating legal authority. In 2019, the State Council, i.e. the central government, promulgated the Regulations on the Administration of Human Genetic Resources (《人类遗传资源管理条例》) (“HGR Regulations”), which provide for a higher legal effect for a regulatory regime covering the full life cycle of HGR and are binding on all government ministries. In 2020, the county’s legislature, the National People’s Congress Standing Committee, enacted a national law entitled the Biosecurity Law (《生物安全法》) (“BSL”), which designates a chapter to administration of the HGR.

In March 2022, the MOST published the draft Implementing Rules for Human Genetic Resources Administration (《人类遗传资源管理条例实施细则(征求意见稿)》) (“Draft HGR Rules”), which aim to implement the HGR Regulations in the context of recently enacted laws, such as the BSL and the Data Security Law. This marks that the government is close to establishing a comprehensive regulatory regime governing HGR-related activities.

Meanwhile, HGR Information is also subject to requirements under data protection laws and regulations that came into force in recent years, most notably, the Personal Information Protection Law (《个人信息保护法》) (“PIPL”) and the Data Security Law (《数据安全法》) (“DSL”). (For our comments on the Personal Information Protection Law, please click here)

II. HGR Information as Personal Information, Sensitive Personal Information and Important Data

Under the PIPL, “personal information” refers to all kinds of information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymized information.

The HGR Information usually relates to a natural person and is likely to be considered personal information, unless the information has been anonymized or such natural persons is not identified or identifiable.

Under the PIPL, “sensitive personal information” refers to personal information that, if leaked or illegally used, may easily result in harm to the personal dignity of natural persons or endanger their personal or property security. Examples include biometric information, religious beliefs, specific identity, medical health, financial accounts, personal whereabouts, and personal information of minors under the age of 14.

The PIPL does not define biometric information. Instead, only illustrative examples of biometric information are provided in recommended technical standards, which include information of personal genes, fingerprints, voiceprints, palmprints, eye prints, auricles, iris, facial recognition features, gait, etc. HGR Information is generated from HGR Materials, which by nature may reflect the biometric aspects of natural persons. Thus, HGR Information is likely to also constitute sensitive personal information unless it has been anonymized.

Under the DSL, important Data is afforded a higher level of protection compared with ordinary data. Sectoral authorities are charged with the task of formulating catalogues of important data within their respective sectors. As of the date of this article, no such catalogue has been published yet, although the Ministry of Industry and Information Technology is pioneering with its data security regime (for our comments on the data security regime, please click here).

Under the draft Administrative Regulations for Network Data Security (《网络数据安全管理条例(征求意见稿)》) released by the Cyberspace Administration of China (“CAC”), “important data” is defined as data that, if altered without authorisation, destructed, leaked, or illegally obtained or used, may harm national security and public interests. In particular, the important data includes national basic data of gene, which reaches certain scale or precision prescribed by the government. In the draft Guideline for Identification of Important Data (《重要数据识别指南(征求意见稿)》), the HGR Information is also specifically identified as important data. Therefore, it is also likely that the HGR Information will be considered important data, although it is not clear whether it will include all types of the HGR Information.

Thus, when an organisation processes the HGR Information, it may also need to comply with the requirements applicable to processing of personal information, sensitive personal information and important data.

III. Key Requirements for Processing of HGR Information

1.1. Collection of HGR Information - notification and consent

Where the HGR Information constitutes personal information, the PIPL requires the processor of the HGR Information, who determines the purpose and means of the processing, to fully inform the relevant natural persons of the following matters : (i) the identity and contact details of the processor; (ii) the types of personal information to be processed; (iii) the purpose and means of the processing; (iv) the retention period; (v) the manner and procedure by which the natural persons may exercise their rights; and (vi) if the HGR Information also constitutes sensitive personal information, the necessity of the processing and the impact of the processing on their personal interests.

These requirements are consistent with the ones provided under the HGR Regulations. According to the HGR Regulations, before an organisation collects any HGR in China, it must inform the relevant natural persons of: (i) the purpose of the collection; (ii) the intended use of HGR; (iii) the possible impact on their health; and (iv) the privacy protection measures taken by the organisation. These matters informed to the natural persons must be comprehensive, complete, true and accurate and must not be misleading or deceptive.

The notification requirements discussed above focus on providing natural persons with clear and concise information about what an organisation does with their HGR Information so that they have a genuine choice as to whether to consent to the processing.

On the one hand, the PIPL requires the organisation to obtain a consent of the natural persons before processing their HGR Information that is personal information or, if the HGR Information is sensitive personal information, a sperate consent. Where a sperate consent is required, a specific consent to the processing of HGR Information must be obtained and cannot be bundled with the consent to any other personal information processing activities. Although the PIPL does not specify whether a sperate consent is required if the underlying lawful basis of the processing is not consent (e.g. contractual necessity or legal obligation), we would recommend obtaining a separate consent to avoid potential risks of non-compliance to the extent practically possible.

On the other hand, the HGR Regulations specifically provide that the organisation must give the natural persons the right to voluntary participation and unconditional withdrawal at any time during the processing of their HGR. In addition, the consent must be given in written form.

Besides, we note that collecting certain types of HGR will require an approval of the MOST and must meet prescribed criteria.

1.2. Storage of HGR Information

Storage of HGR, including the HGR Information, in China for providing a basic platform for scientific research requires an approval of the MOST, but this requirement should not apply to temporary storage of HGR for qualified teaching purposes or clinical research plans.

When an organisation stores HGR in China, it must take security measures, formulate incident response plans, and ensure security of the HGR Information. It must also keep a complete record of the information relevant to HGR storage and securely store the information about the source and use of the relevant HGR.

Pursuant to the HGR Regulations and the Draft HGR Rules, an organization must submit an annual report recording its HGR storage activities to the MOST by the end of March each year. The local offices of the MOST has the authority to examine the HGR storage activities conducted by the organization every five years, with a focus on the following aspects: (i) the general status of HGR storage; (ii) the sources and use of HGR Information; (iii) the implementation of HGR management rules; (iv) the maintenance and change of the premises, facilities and devices storing HGR Information, and (v) the change of staff responsible for HGR storage.

1.3. Localisation, Sharing and Export of HGR Information

Requirements under the HGR laws and regulations

International Cooperation

According to the BSL, foreign organisations and individuals and any entity established by or under actual control of foreign organisation or individuals (“Foreign Party”) are prohibited from collecting or storing HGR within the territory of China or exporting HGR. Instead, a Foreign Party is permitted to use HGR for scientific research purposes by cooperation with a Chinese scientific research institution, college, university, medical institution or enterprise (“Chinese Party”) (“International Cooperation”). The International Cooperation between a Chinese Party and a Foreign Party must be approved by the MOST first, and the parties must sign a cooperation agreement.

Under the BSL and the HGR Regulation, an approval is not required for a clinical trial institution’s processing of HGR in China for clinical trial by international cooperation, if the clinical trial is conducted to obtain marketing authorisations for drugs and medical devices and does not involve the export of any HGR Materials. In this case, the organisation must make a filing with the MOST of the categories, volume and uses of the HGR to be processed.

The Foreign Party must ensure that all records and data generated during the International Cooperation are made available and shared with the Chinese Party. A report regarding the research and development carried out during the International Cooperation must be submitted to the MOST within 6 months after the cooperation ends.

Exporting HGR Information

Under the BSL and the HRG Regulations, when providing or making available any HGR Information to a Foreign Party, the Chinese Party must report to and make a filing with the MOST. If providing the HGR Information to the Foreign Parties may affect public health, national security and public interests of China, then the providing must also pass a security review organised by the MOST. Although the law does not make it clear, we understand providing the HGR Information to a Foreign Party will include exporting such HGR Information to a foreign country.

Both the Chinese Party and the Foreign Party may use the HGR Information generated by the International Cooperation that uses Chinese HGR. However, the law does not make it clear whether such HGR Information is also subject to the filing and security review requirement discussed above.

We note that exporting HGR Materials requires approval of the MOST and meeting prescribed criteria, irrespective of whether the export is necessary for the International Cooperation or otherwise.

Requirements under the PIPL and DSL

Where the HGR Information also constitutes personal information, the requirements under the PIPL on the export of the Personal Information are appliable. To be specific, before an organisation exports any HGR Information, it must inform individuals of the name and contact information of the foreign recipients, the purpose and means of the processing, the categories of the HGR Information to be exported, and mechanisms via which individuals may send requests to the foreign recipient to exercise the individuals’ rights to the personal information. The exporter must obtain a separate consent from the individuals. In addition, the organisation must conduct a personal information protection impact assessment and take necessary measures to ensure that the foreign recipient’s processing activities are compliant with the relevant requirements of PIPL.

Under the PIPL, where the processing of the HGR Information triggers any of the threshold amounts prescribed by the CAC, then the processor must store within China the HGR Information collected and generated in China and must pass a security assessment organised by the CAC (“Governmental Assessment”). According to the draft Measures of Security Assessment for Data Export (《数据出境安全评估办法(征求意见稿)》) (the “Draft Export Measures”) released by the CAC, the proposed thresholds are as follows: (i) the organisation processes personal information of 1,000,000 individuals or more; (ii) the organisation in aggregate exports personal information of over 100,000 individuals; or (iii) the organisation in aggregate exports sensitive personal information of over 10,000 individuals (For our comments on the Draft Export Measures, please click here) .

If none of the thresholds is triggered, then the export of the HGR Information does not need to pass the Governmental Assessment. Instead, the organisation may export it either after obtaining a personal information protection certification issued by a professional institution accredited by the CAC or entering into a standard contract (to be formulated by the CAC) with the foreign recipient.

Where the HGR Information constitutes personal information or important data and the organisation processing the HGR Information is a critical information infrastructure (“CII”) operator, then the CII operator must store within China the HGR Information that is collected or generated in China and submit any proposed export for the Governmental Assessment.

As to export of the important data by non-CII processors, the DSL requires them to follow the requirements under the regulations to be prepared by the Chinese authorities. Pursuant to the Draft Export Measures, non-CII processors must also submit their proposed export to the Governmental Assessment.

IV. Legal Liability

Under the HGR Regulations, a violation of the rules for processing HGR Information will result in an order for cease of processing activities, forfeiture of illegal income, revocation of approval, and a fine of up to RMB 10 million or five to ten times of any illegal income. The individuals liable for the violations, usually the management, may also be held liable and penalized.

Notably, illegally collecting HGR in China or exporting HGR Materials may also give rise to criminal liability, if such collection or export harms public health or public interest.

Considering that the HGR Information may also constitute personal information, sensitive personal information and important data, the processing of the HGR Information will need to comply with the requirements under the PIPL and the DSL. A violation of such requirements may be subject to administrative penalties including warnings, orders for rectification, fines of up to 5% of the annual turnover or RMB 50 million, suspension or termination of business, or even revocation of business licences. The responsible personnel may also be subject to personal liability,

V. Enforcement Actions

The International Cooperation and export of the HGR have been a focus of enforcement actions by the MOST in recent years. In the reported cases, violations include carrying out the International Cooperation without obtaining approval of the MOST or exceeding the approved scope, obtaining the approval of the MOST with forged documents, and unpermitted export of HGR. The entities involved in these cases include biotechnology companies, contractual research organisations (CROs), pharmaceuticals companies, hospitals and universities.

Notably, in one case a biotechnology company triggered criminal investigation for alleged illegal export of HGR, where its chairman and employees were reported to have been arrested.

VI. Conclusion

The laws and regulations on HGR coupled with data protection laws have established a restrictive regulatory framework for use of the HGR and processing the HGR Information. In particular, the Foreign Parties should carefully navigate through the rules on sharing and exporting HGR to avoid violations that could give rise to severe legal consequences.

With growing concerns over national security, we expect that the authorities will step up their efforts in enforcing the HGR laws and regulations. Entities involved in using HGR or processing HGR Information should familiarise themselves with the applicable requirements and ensure compliance.

Latest insights

More Insights
Curiosity line yellow background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More
Mobile Phone in hand on purple background

SEP & FRAND before the UPC - what has been happening in 2024?

Dec 18 2024

Read More
digital data security

Online Safety: Illegal Harms Codes of Practice and categorisation thresholds laid before Parliament, new critical deadlines for digital services

Dec 16 2024

Read More