Latest US-China Data Policies Reshape Healthcare Landscape
Recently, cross-border data transfer regulatory policies in both the US and China have shown divergent trends. The Chinese government has adopted a policy orientation that is strict yet increasingly accommodating, actively responding to the demands of foreign enterprises and exploring a dual model of "post-approval flow + free flow." On the other hand, in the US, President Biden signed the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern on February 28. The US Department of Justice issued a fact sheet on proposed rulemaking associated with this Executive Order on the same day. Future transactions involving a significant volume of human genomic data, personal health data, and other sensitive personal data of Americans will be restricted or prohibited between the US and countries of concern, including China. For Chinese pharmaceutical companies expanding overseas, multinational biopharmaceutical companies, and innovative drug companies engaging in investment or BD transactions, understanding and planning for compliance with the data regulatory policies of both the US and China is crucial.
I. Overview of the Executive Order
The Executive Order, its fact sheet, and subsequent implementation details [1] aim to scrutinize and restrict transactions involving large volumes of sensitive personal data and government data ("regulated data") between specified countries and the US.
A. Regulated Data Types
The Executive Order and the fact sheet specify six categories of sensitive personal data: certain types of personal identifiers, precise geolocation data, biometric identifiers (e.g., fingerprints, facial recognition, iris scans), human 'omic data (e.g., genomic, epigenomic, proteomic data) [2], personal health data, and personal financial data, along with any combinations thereof that are associated with identifiable US individuals or groups. This also covers US government-related data. However, internal data generated within multinational companies for human resources management, public health monitoring data, legally public court records, or other government records are not included. Specific sensitive personal data types will be further detailed in subsequent regulations.
It's important to note that transactions involving sensitive personal data only fall under regulation when they exceed certain thresholds (i.e., a certain number of US individuals or devices). Specific threshold rules have yet to be issued. Data related to the US government is not affected by these threshold rules.
B. Categories of Regulated Data Transactions
According to the Executive Order and its Fact Sheet, the categories of transactions that are prohibited or restricted might include both direct access to regulated data through the acquisition of data sets and obtaining access rights to regulated data, enabling operations such as reading, copying, decrypting, or in any form viewing or receiving the data. The Fact Sheet elaborates further on this:
1. Categories of Transactions That May Be Prohibited
(1) Data brokerage transactions, for instance, directly purchasing real-world datasets that contain personal health information of American individuals through data brokers.
(2) Transactions involving bulk human genomic data or biological samples from which such data can be extracted.
2. Categories of Transactions That May Be Restricted
Entities or individuals under the jurisdiction, guidance, ownership, or control of countries of concern obtaining regulated data directly or indirectly through (1) agreements related to the provision of goods and services (including cloud service agreements), (2) employment agreements, or (3) investment agreements. For example, a company registered in a country of concern providing cloud services to an American pharmaceutical company might have the potential to access sensitive personal data of the pharmaceutical company through direct reception or online access by leveraging its status as a supplier. According to the Executive Order and the Fact Sheet, these restricted transactions could proceed, provided they meet specific security requirements, such as basic cybersecurity protocols, physical and logical access controls, data masking and minimization, and privacy protection technologies.
II. Impact Analysis of the Executive Order on Biopharmaceutical Companies' Key Business Scenarios
With the implementation of the Executive Order and its accompanying regulations, biopharmaceutical enterprises face increased difficulty in obtaining, sharing, or receiving across borders large volumes of sensitive personal data of Americans through U.S. subsidiaries or branches, multinational companies' U.S. headquarters or entities, U.S. pharmaceutical and medical device companies, U.S. medical institutions or research organizations, and data brokers. This challenge could potentially affect the main operations of pharmaceutical and medical device research and development, clinical trials, pharmacovigilance, and product management.
A. Investigator-Sponsored Trials (IST)/Investigator-Initiated Trials (IIT) Scenario
1. Scenario Description
Clinical trial approvals (IND) or medical device registration applications (NDA) in China might involve U.S. pharmaceutical companies submitting existing human clinical experience, clinical data, case report forms, etc., to Chinese regulatory authorities. International multicenter clinical trials covering both China and the U.S. could also involve transferring clinical trial data of participants from U.S. pharmaceutical companies to central laboratories located in China. In new drug development companies' license-in projects, the U.S. licensor might transfer a large amount of de-identified participant personal information and healthcare professional (HCP) personal information cross-border to the domestic licensee and a series of suppliers. Moreover, researcher-initiated clinical research also involves the collection and cross-border transmission of health and medical data related to the diagnosis, treatment, rehabilitation, prognosis, etiology, prevention, and health maintenance of diseases.
2. Data Types
Clinical trials usually collect participants' personal health data (e.g., surgical information, pathological information, diagnostic information, medical record data, prescription information, patient-reported outcomes, etc.); human genetic resource materials that may contain human 'omic data (e.g., whole blood, serum, plasma, etc.); personal financial data related to medical service payments (e.g., insurance claim data, billing information, etc.); personal biometric data (e.g., fingerprints, DNA information, etc.). These types of data could fall under the sensitive personal data categories regulated by the Executive Order.
3. Impact Assessment
The Executive Order aims to prohibit or restrict the collection and transfer of large volumes of sensitive personal data of Americans between China and the U.S. When the amount of data collected in clinical research or trials is below the legal threshold requirements, it may not fall under the regulation of the Executive Order. Furthermore, once the detailed implementation rules of the Executive Order are issued, biopharmaceutical enterprises, with the help of professionals, can actively argue for the necessity of collecting and transferring clinical research or trial data. They can explore the possibility of including the cross-border transfer of data in these scenarios in the data transaction exemption list or obtaining a transaction permit issued by the competent authorities.
B. Pharmacovigilance Scenario
1. Scenario Description
Pharmacovigilance is a legal obligation for biopharmaceutical companies under the Drug Administration Law and related International Council for Harmonisation (ICH) guidelines. According to Articles 38 and 51 of the Pharmacovigilance Quality Management Standards [3], for drugs marketed both domestically and internationally, the marketing authorization holder must collect information on suspected adverse drug reactions occurring abroad. Therefore, for drugs marketed in multiple countries and regions globally, multinational pharmaceutical companies typically use their established global pharmacovigilance systems to share safety information from abroad (for example, from the United States) with China.
2. Data Types
The data involved include the personal physiological condition information of patients who experience adverse reactions to drugs (for example, height, weight, history of adverse reactions to drugs, allergy history, medical history); medication records (for example, dosage, timing of medication, indications for treatment); and adverse reaction information (for example, adverse reaction events, related laboratory test information). The aforementioned data may fall into the category of sensitive personal data regulated by the Executive Order.
3. Impact Assessment
As in the clinical trial scenario, pharmacovigilance might fall under the regulation of the Executive Order only when the volume of data collected exceeds the legal threshold requirements. The unique aspect of the pharmacovigilance scenario is the continuous collection of information on adverse drug reactions through information systems established by multinational pharmaceutical companies as part of their global pharmacovigilance systems. Future determinations on the amount of data collected will need further clarification based on subsequent implementation guidelines.
C. Post-Market Sales Scenario for Pharmaceuticals and Medical Devices
During their operations in the United States, multinational pharmaceutical companies might generate and collect data including healthcare professional (HCP) personal information entered into CRM systems, operational data from the sales of pharmaceuticals and medical devices, information from electronic medical records (EMR), electronic prescriptions, purchase records, information on the geographic distribution of indications, specialized disease databases, data on patients with rare (chronic) diseases, human genetic resource information, insurance information, and personal information of patients in health insurance or commercial insurance. This data could fall under the sensitive personal data categories regulated by the Executive Order.
On one hand, further clarification on whether the operation of pharmaceuticals and medical devices involves obtaining regulated data will be needed based on the sensitive personal data determination rules to be issued by the U.S. Department of Justice and other departments. On the other hand, only when the volume of collected data exceeds the legally set thresholds could it potentially fall under the regulation of the Executive Order.
D. Real-World Study (RWS) Data Transaction Scenario
Real-world studies (RWS) that aim to collect extensive relevant health data sets might involve purchasing electronic health record (EHR) data of American patients from CRO companies or data brokers and transferring it across borders to domestic real-world data (RWD) platforms. This includes patients' medical records, treatment histories, test results, etc. This data might contain sensitive personal data categories regulated by the Executive Order. The transaction behavior involving sensitive personal data sets in the RWD context is more likely to fall under the regulation of the Executive Order, especially if the volume of data traded exceeds the threshold levels set by the rule.
E. Other Scenarios
Other scenarios in the United States involve medical devices with networking or storage capabilities: wearable devices and other health sensors may collect diagnostic and treatment monitoring data (blood oxygen saturation, blood pressure, blood sugar, heart rate, sleep) or behavioral and emotional data (running distance, walking trajectory, steps, energy expenditure, exercise duration); imaging systems may collect patients' imaging and diagnostic reports; and testing systems may collect patients' test reports and results. In the scenario of AI medical device software development, for instance, AI medical device software continuously learns from a vast amount of personal health data of American patients in the real world to improve functionality, performance, and adaptability. In these scenarios, once the volume of collected data exceeds the threshold levels set by the regulation, the transaction behavior is more likely to fall under the regulation of the Executive Order.
III. New Developments in China's Cross-Border Data Transfer Regulatory Policy
In an explanation of the spirit of the 2023 Central Economic Work Conference, officials from the Central Financial Office explicitly stated the need to actively respond to foreign companies' demands and address issues related to cross-border data flow seriously. On September 28, 2023, the Cyberspace Administration of China released the "Regulations on Standardizing and Promoting Cross-Border Data Flow (Draft for Comments)," which specifies in Article 7 that Free Trade Zones are allowed to formulate their own lists of data requiring cross-border security assessments, standard contracts for personal information transfer, and the scope of personal information protection certification management (known as "negative lists"). Upon approval from provincial-level cyberspace and informatization committees and filing with the national internet information department, data not on the negative list can be transferred across borders without the need for security assessments, standard contracts, or certifications.
Following this, Shanghai Free Trade Zone [4] and the Lingang New Area [5] have successively signaled flexible regulatory measures for different types of data cross-border transfers. It is understood that for biopharmaceutical companies in the Lingang New Area involved in clinical trials or pharmacovigilance data going abroad, specific communication with cyberspace authorities can be conducted on a case-by-case basis. If judged by the competent authorities as general data, it can freely flow after filing.
IV. Compliance Responses for the Biopharmaceutical Industry in Cross-Border Data Transfers
Working with multinational biopharmaceutical companies, we often sense their universal concerns about regulations that restrict the free flow of data across borders, as cross-border exchanges of data and information are foundational to the survival and development of the pharmaceutical industry. Limiting data flow poses challenges to the unified management and global operations of multinational pharmaceutical companies and threatens the normal international cooperation in the drug innovation field. Currently, both China and the United States are focusing on data security and privacy protection, with regulatory laws becoming increasingly complex and variable, impacting the normal conduct of transnational business.
We suggest that multinational biopharmaceutical companies and Chinese pharmaceutical and medical device companies deploy compliance measures early to get ahead in risk prevention and achieve positive results in "embracing regulation." For example, they should quickly assess whether cross-border interactions involve accessing sensitive personal data of Americans or U.S. government-related data, and whether outbound data from China could be exempted under Chinese regulations without pre-approval, filing, or certification. Continuous communication with cyberspace authorities regarding data export procedures is advised with the assistance of regulatory lawyers. At the same time, conducting early personal information protection impact assessments to argue for the necessity of data export can support exemptions under different legal jurisdictions and prove that adequate data security measures have been legally taken to address government regulatory oversight.
[Note]
[1] Based on the Executive Order, it is anticipated that several implementing rules may be issued subsequently. For example, the Executive Order requires the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, and the Director of the National Science Foundation to consider taking measures, including issuing timely regulations, guidance, or orders, to prohibit the provision of assistance that enables countries of concern and their entities or individuals to access Americans' bulk sensitive personal data, or to impose mitigation measures on recipients of federal assistance. Additionally, relevant departments must develop and issue guidance to assist U.S. research entities in ensuring their bulk sensitive personal data is effectively protected.
[2] According to the Executive Order, transactions involving types of human 'omic data (other than human genomic data) are not restricted before submitting the risk assessment report related to human 'omic data as described in Section 6 of the Executive Order.
[3] Article 38 of the Pharmacovigilance Quality Management Standards stipulates that for drugs marketed both domestically and abroad, the holder must collect information on suspected adverse drug reactions occurring abroad. Article 51 states that for serious adverse reactions occurring abroad, the holder must submit them in accordance with the requirements for individual case safety report submission. If the sale, use, or marketing of a drug is suspended or withdrawn abroad due to adverse drug reactions, the holder must report to the national drug regulatory authority and the adverse drug reaction monitoring agency within 24 hours of becoming aware of the information.
[4] On December 7, 2023, the State Council issued the "Notice on the Comprehensive Alignment with International High-Standard Economic and Trade Rules to Promote High-Level Institutional Opening of China (Shanghai) Free Trade Zone" (State Issue [2023] No. 23), proposing to "pioneer the implementation of high-standard digital trade rules" in the Shanghai Free Trade Zone and further clarifying that "enterprises and individuals who need to provide data abroad for business needs and comply with national cross-border data transfer security management requirements, can provide data abroad."
[5] The "Management Measures for the Classification and Grading of Cross-Border Data Flow in the Lingang New Area of China (Shanghai) Free Trade Pilot Zone (Trial)" implemented on a trial basis from February 8, 2024, stipulate that under the premise of ensuring national security, public interest, and individual privacy, the Lingang New Area Administration Committee is responsible for formulating a general data list. Data handlers can apply to the Lingang New Area Administration Committee for registration and filing of data within the general data list and allow it to flow freely under the condition of meeting relevant management requirements.