In most cases, one of the main tasks of data compliance lies in the protection for personal information. However, companies in the pharmaceutical sector have bigger fish to fry. Since these companies also collect and process a volume of personal information and scientific data that are of high importance and sensitivity, the landscape of data compliance for them is much more complicated. Meanwhile, the past few years have witnessed an explosion of laws and regulations promulgated by the Chinese government to guide the development of the so-called “Medical Big Data”. Without fear of contradiction, we can say healthcare data will be subject to much tougher scrutiny in the foreseeable future in China. Given the situation, companies in this highly regulated sector are facing more challenges and are thus advised to take more proactive measures to ensure compliance with the increasingly complicated legal regimes and manage the potential legal risks. This alert will address this significant issue and suggest the best practice of compliance in China.
I. Starting point: How to Establish an Effective Data Compliance System
For companies in the pharmaceutical sector, in-house counsels are most likely to be encountered with the challenge of establishing an effective data compliance system from the ground up. We hereby lay out the three-step take-away as follows.
A：Step 1: Find the Gap
Companies will normally sort out scenarios in the data lifecycle within the organization and classify the data involved. In addition to the general “personal information” which applies the PRC Cybersecurity Law (“CSL”) and the relevant laws, regulations and national standards, attention shall also be paid to regulatory requirements pertaining to special data types prevalent in the pharmaceutical sector, such as medical big data, human genetic resources, population health information, pharmaceutical data, medical device data, scientific data, and medical record. Companies are advised to figure out the gap between the legal requirements and the status quo so as to have a better understanding of the whole data landscape within the organization.
B：Step 2: Policy Formulation
C：Step 3: Policy Implementation and Periodic Audit
Companies shall take effort to fully implement the data compliance policies within the organization, such efforts may include but are not limited to: (i) upgrading the internal data processing system, (ii) designating the data security officer with well-defined responsibilities and authorities, and (iii) providing periodic training to enhance employees’ compliance awareness. Companies shall also conduct periodic internal/external audit to review and improve the data compliance policies.
A：Best Practice under the PISS
It is worth noting that the latest version of the PISS has introduced noticeable changes in the following aspects:
Independent choices for multiple business functions;
Restrictions on the use of user profiling;
Use of personalized display;
Gathering and integrating personal information collected for different business purposes;
Third-party access management;
Personal information security project (similar to privacy by design); and
Special protection for personal biological identification data.
Although PISS is merely a national standard and thus is not legally mandatory, it is of vital reference value in practice.
Besides, if children’s personal information is involved, special attention shall be paid to the relevant provisions in the Provisions on Children’s Online Personal Information Protection.
B：Personal Information Collection and Use by Apps
Ever since the beginning of 2019, the Cyberspace Administration of China and other three major authorities have engaged in special rectification on illegal collection and use of personal information by Apps, established a special working group, and issued several guidelines, such as the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps, and the Methods for Determining the Illegal Collection and Use of Personal Information by Apps. Enterprises are suggested to comply with the relevant provisions thereunder, as it is expected that the enforcement activities on illegal collection and use of personal information by Apps may remain active in the period ahead.
III. Cross-border Transfer of Scientific Data
R&D center of a company in the pharmaceutical sectors is not always located in the immediate vicinity of where data are collected. As such, cross-border transfer of scientific data will be required for R&D purpose. However, not all scientific data are allowed to be transferred across the border. For example, “population health information” must be stored locally according to the Measures for the Management of Population Health Information (For Trial Implementation); and “state secrets” cannot be transferred abroad according to the Law on Guarding State Secrets.
A：Data Localization and Cross-border Transfer under the CSL
Under the CSL, “personal information” and “important data” collected and generated by operators of critical information infrastructure (“CII Operators”) are subject to the rules on localization and cross-border transfer according to the CSL. That is to say, for CII Operators, it is principally required to store data only on servers within the Chinese territory, in the cases where it is necessary to provide such data abroad due to business needs, security assessment must be carried out before any form of cross-border transfer occurs.
It is worth noting that, the Security Assessment Measures on the Export of Personal Information and Important Data (Draft for Comments) and the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comments) further expand the applicable scope of the rules under the CSL from CII Operators to all “network operators”, covering almost all entities that use the network. However, considering that the two draft measures have yet to be finalized, only CII Operators are currently subject to the rules on localization and cross-border transfer.
Determination of CII Operator
According to the Regulations for the Security Protection of Critical Information Infrastructure (Draft for Comments), entities in the pharmaceutical sector shall be included in the scope of critical information infrastructure as its damage, dysfunction or data leakage may severely jeopardize national security, people’s livelihood and public interest. Therefore, it is highly possible that companies in the pharmaceutical sector will be considered as CII Operators and shall assume responsibilities that follows.
According to the Security Assessment Measures on the Export of Personal Information and Important Data (Draft for Comments), “important data” refers to data that is closely related to national security, economic development, and social and public interests. Additionally, theInformation Security Technology - Guideline of Security Assessment of the Cross-border Transfer of Data (Draft for Comments) describes and elaborates the concept of “important data” with examples that include those in pharmacy sector in the Appendix B. In absence of further detailed rules on the identification of important data, the above provisions are of certain reference significance at present.
B：Sectoral Restrictions on Cross-border Transfer of Data
For certain types of data such as “human genetic resource”, prior approval by the competent authority is a prerequisite for the cross-border transfer. Companies shall identify and categorize the healthcare data circulated within the entity and fulfill respective obligations set forth by relevant provisions on cross-border transfer. Additionally, in cases where personal information is concerned, explicit consent must be obtained from personal information subject.
Besides, “healthcare big data” are required to undergo security assessment before cross-border transfer according to the Administrative Measures on Standards, Security and Services of National Healthcare Big Data (For Trial Implementation).
IV. Employee Privacy Protection in the Context of Investigation
Companies in the sector of pharmacy may feel caught between Scylla and Charybdis when they are asked to provide employees’ personal information during the course of investigation either initiated internally or by the foreign government enforcement agencies (such as the Department of Justice in U.S.). Suggestions have been provided respectively as follows.
As aforementioned, companies in the pharmaceutical sector are prone to be identified as CII Operators. However, in the absence of effective measures on security assessment for cross-border transfer of personal information, it is recommended that operators at least explicitly inform the employees and obtain their consent before the transfer. Such consent may take the form of letter of consent or employee handbook, in which employees are explicitly informed and agree that their personal information may be transferred across the border.
If the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comments) come into effect, the cross-border transfer of personal information will be supervised by the competent authority. A network operator shall apply for security assessment with the local provincial cybersecurity department before the cross-border transfer of personal information, and the department shall review the application and notify the network operator of the outcome of the assessment. Noticeably, the latest version of the draft measures requires the data provider and the overseas receiver to sign a contract that specifies the rights and obligations of both parties for assessment application. As far as the cross-border transfer of personal information within the company, this mechanism shares some similarity with the “binding corporate rules” under the General Data Protection Regulation (“GDPR”), albeit companies may encounter higher regulatory requirements since administrative supervision in China runs through the whole process.
In an external investigation, generally, the participation of a foreign government cannot be used as a ground for exemption of any data protection obligations (such as obtaining the consent of personal information subjects) under the Chinese legal framework. That is to say, the cross-border transfer of employees’ personal information is premised upon the consent from the employees. Besides, according to the International Criminal Judicial Assistance Law, without the consent of the competent authority, institutions, organizations and individuals within the territory of China shall not provide evidence materials and assistance provided in this law to foreign countries. Therefore, if criminal investigation and evidence collection are involved, companies shall not provide materials or assistance of any kind to any foreign government without prior consent of the competent authorities.
V. Usage of VPN: A Special and Important Issue
Recent news on the penalties on companies using VPNs may frustrate the companies in the pharmaceutical sector, since VPNs are commonly used in multinationals to safeguard the information transmitted throughout the company. Admittedly, supervision of VPNs in China has been tightened. It can be traced back to 1997, when the State Council issued the Provisional Administrative Regulations on International Connections to Computer Information Networks, which provides that when a direct international connection is made with a computer information network, an international gateway channel provided by the State public telecommunication networks of the Ministry of Post and Telecommunications must be used. No unit or individual is allowed to establish or use other channels to make international connections without authorization. However, it is not until January 2017 when the Ministry of Industry and Information Technology issued the Notice on Cleaning up and Standardizing the Internet Network Access Service Market that the above provisions began to be used as the basis for law enforcement.
Violations of the above rules may entail concurrent penalties including suspension of internet connection, warning, a fine of less than RMB 15,000 (approx. $2117.42) and confiscation of illegal income (if any). It is worth noting that the suspension of internet connection may substantially affect the company’s operations.
Therefore, it is recommended that companies shall choose network providers with relevant qualifications. It is also suggested that companies shall block sensitive websites (for example, those involving terrorism, feudal superstition, gambling, pornography, violence, etc.) by means of blacklists / whitelists or other forms alike. Besides, companies are suggested to monitor and record the use of VPNs by employees as well to ensure compliance.
VI. Privacy by Design: International Convergence with GDPR?
The latest version of PISS introduces a mechanism of “personal information security project”, under which when developing products or services with the function of processing personal information, data controllers should consider personal information protection requirements at each stage of system engineering such as the stage of demand, design, development, testing, and release in accordance with relevant national standards to ensure the protection of personal information during system construction.
Such mechanism is similar to the “Privacy by Design” under the GDPR, which means integrating privacy into the creation and operation of new business models, and requires BMIs to embed privacy protection into the process of innovation, so that potential privacy risks may be identified and solved at an early stage.
In practice, more and more companies are beginning to consider such mechanism, and with the implementation of the PISS, it is expected that China’s privacy protection may be more in line with international practices in the future.
VII. Data Governance: Is Appointment of DPO Necessary?
One of the questions most frequently asked by companies in the pharmaceutical sector is whether it is necessary to appoint a Data Protection Officer (“DPO”) in light of the current legal regime of data protection, privacy, and cybersecurity in China.
Although there is no concept identically equivalent to the concept of DPO under the Chinese law, relevant laws and regulations also put forward requirements for “data security positions”. For example, the CSL requires the designation of a “person in charge of network security”, the Regulation on the Protection of Critical Information Infrastructure (Draft for Comments) requires the designation of a “person in charge of network security management”, theMeasures on Data Security Management (Draft for Comments) requires the designation of a “person in charge of data security”, and the Provisions on Children’s Online Personal Information Protection requires the designation of a “person in charge of children’s personal information protection”.
Notably, the latest version of the PISS clarifies the requirements and criteria for designating department and personnel responsible for personal data security management, as well as their responsibilities. Though the PISS is not legally binding, it is of great reference significance in practice.
At present, in the absence of uniformed regulations, it is recommended that companies shall make appropriate designations in accordance with the corresponding laws and regulations.
Conclusion and Look Forward
Similar to other jurisdictions, the data protection matters in all the key parts of operation of the companies in the pharmaceutical sector, such as the business innovation, sales promotion, R&D activity, and IT procurement. So, ensuring compliance and thus mitigating the legal risk in this area have become one of the top concerns for pharmaceutical companies in China. More importantly, China is speeding up its legislation process of the Personal Information Protection Law (which is somewhat the counterpart of GDPR) and is trying to introduce this law in the coming years. It is recommended that companies in the pharmaceutical sector shall keep close eye on the latest development of this law and accurately understand its effects on the companies’ business operation in China once the law is enacted.