August 28, 2023

How should life sciences companies implement China’s PIPL regulations?

Collecting private individuals’ health data is an important mechanism for the pharmaceutical industry. However, the emergence of data privacy laws around the world has made it necessary for pharmaceutical companies to pay more attention to how this data is handled to avoid the compliance, penalty, and remediation costs that come with falling out of line with a data protection law.

In November 2021, the Chinese government implemented the Personal Information Protection Law (PIPL) that set new regulations for collecting, processing, storing, and transferring private individuals’ data. This policy applies to all individuals, organizations, and businesses that process the personal data of Chinese citizens. As expected, the policy includes severe punishments for defaulting individuals or organizations.

PIPL, in conjunction with the Cyberspace Administration of China (CAC), has made it increasingly difficult to export health data out of China and is driving data residency implementations.

This article explains how pharma companies can manage China’s PIPL requirements and how InCountry can help your pharmaceutical business stay compliant with China’s data residency requirements.

Who should be aware of pharma data regulations in China?

Anyone involved in collecting, processing, storing, and transferring personal data in China must be familiar with these regulations. This includes the following:

  • Pharmaceutical companies

These organizations research, develop, and produce drugs or medications for medical conditions. Every such organization with operations in China must be aware of the pharma regulations in China and comply to avoid the penalties that are sure to follow.

  • Clinical research organizations

This type of company provides a range of services to organizations in the biotechnology, pharmaceutical, and related industries. They support the planning, execution, and management of clinical trials and other research studies. As expected, they are among the companies that must be aware of and compliant with China’s data localization regulations for pharma.

  • Contract manufacturing organizations

As the name suggests, these companies provide manufacturing or production services to companies in the pharmaceutical industry and other relevant industries. Because they collaborate with pharma companies, they are also expected to comply with the pharma data protection regulations in China.

  • Data analytics companies

Data analytics companies play a crucial role in helping pharma companies make informed decisions about drug production and marketing. By processing and interpreting data collected by these companies, they can provide valuable insights that aid in decision-making. However, it’s important for these companies to be aware of data regulations and remain compliant, given the large amounts of data they handle.

  • Other related organizations

This pertains to any entity that engages in the collection, processing, storage, or transfer of personal information belonging to patients in China. This encompasses top-level personnel such as Chief Executive Officers, Chief Information Officers, and data protection officers.

Key Chinese data protection laws for the pharmaceutical industry

Here are some healthcare data protection laws in China that apply in the pharmaceutical industry as well:

  • The Personal Information Protection Law (PIPL)

The PIPL is Chinese legislation dedicated to safeguarding the personal information of residents of China. Its primary objective is to regulate the handling of personal information by both organizations and individuals involved in the processing of personal data. The scope of the PIPL extends from the collection of personal data to its processing within China’s borders, including the international transfer of Chinese citizens’ personal data. Below are the requirements the PIPL places on organizations processing personal data:

  • Obtaining consent from individuals before processing their personal information.
  • Providing individuals with access to their personal information and the right to correct or delete it.
  • Taking reasonable security measures to protect personal information.
  • Not transferring personal information to a third party without the individual’s consent.
  • Not using personal information for purposes other than those for which it was collected.

Finally, it applies penalties on defaulting companies of as much as $7.7 million or 5% of their annual revenue (whichever is greater).

  • Data Security Law (DSL)

China’s DSL is comprehensive legislation that was passed on June 10, 2021, and officially came into effect on September 1, 2021. It is specifically designed to address data security within China. The fundamental goal of the DSL is to safeguard the nation’s sovereignty, security, and developmental interests by overseeing the entire spectrum of data-related activities conducted within China’s borders, including collection, storage, processing, utilization, transmission, and disclosure. The DSL sets several requirements for organizations and individuals that handle data. These requirements include:

  • Establishing and improving data security management systems.
  • Implementing remedial measures when data security deficiencies are detected.
  • Promptly notifying users and authorities of any data breaches.
  • Designating an officer or a management team responsible for the security of data.
  • Submitting regular risk assessments to the relevant PRC authorities.
  • Complying with the cybersecurity review process for the transfer of data outside of China.

Failing to follow this law could attract a penalty as high as $1 million, or 1% of the company’s annual revenue (whichever is greater).

  • Regulations on Human Genetic Resources (HGR) Protection

China’s Regulations on Human Genetic Resources (HGR) Protection, effective from July 1, 2021, were established on January 10, 2021. These regulations are China’s initial national legislation dedicated to overseeing the proper collection, storage, utilization, and export of human genetic resources (HGR).

The HGR Regulations are designed to safeguard the well-being and rights of Chinese citizens, ensuring ethical and accountable practices in the handling of HGR. They also foster advancements in human genetics research and innovation. This is a major Chinese data protection law for pharma that every pharmaceutical company needs to be aware of.

These rules extend to all entities and individuals engaged in the collection, storage, use, or export of HGR within China’s borders. The HGR Regulations define HGR as any biological materials that contain human genes, including blood, tissue, cells, and DNA. Below are some requirements for organizations and individuals that handle HGR:

  • Obtaining consent from individuals before collecting their HGR.
  • Using HGR for approved purposes only.
  • Taking reasonable security measures to protect HGR.
  • Not exporting HGR without the approval of the Chinese government.

Flouting this law could attract a penalty as high as $1 million, or 1% of the company’s annual revenue (whichever is greater).

Chinese data cross-border rules

China’s data residency laws provide guidelines for the transfer of data outside the country. Some of these rules were provided by the Cyberspace Administration of China (CAC) to ensure adequate security for data that is transferred out of China. Below are some of the rules:

  • Before sending personal information outside China, the data sender must get the person’s clear and free consent. This consent should be specific and well-informed.
  • The sender must ensure the personal data stays safe while being moved. They must use the right safety steps that match the possible risks.
  • The recipient of the data should be located in a region with robust data protection legislation. These laws must guard people’s privacy and be enforceable.
  • If the sender hires others to deal with the data, these “others” must also follow the rules mentioned.
  • Before sending personal data out of China, the sender should do a special check to see how it might affect data security. This check must find and assess any risks to the data.
  • If the transfer involves data from more than 1,000,000 people in China or important data, the sender must first get permission from the CAC.
  • Recently, the CAC has been denying export permission for life sciences companies.

How InCountry can help pharma companies to stay compliant with Chinese laws

Managing a pharma company is engaging enough and does not require the distraction that comes with worrying about staying compliant and not breaching any data regulations. With InCountry’s Data Residency-as-a-Service, you would never need to bother about compliance again.

Our Data Residency-as-a-Service platform helps organizations store, process, and share regulated data internationally while complying with local data residency laws. This managed platform seamlessly integrates with existing systems in your organization, sparing organizations the need to create and oversee their infrastructure. A few of the benefits you enjoy by using our platform include:

  • It aligns with multiple data residency laws like GDPR, CCPA, PIPL, etc.
  • It ensures data protection via encryption, access control, and physical security.
  • It delivers high performance and availability, even for extensive data.
  • It is easily scalable to accommodate the increasing needs of your organization.
  • It offers a budget-friendly option for meeting data residency needs.
  • It is industry-friendly, so you need not worry about the pharmaceutical industry’s specifics and demands.

Get in touch to discuss your needs and find out how much value we can contribute to your pharmaceutical organization.