CHINA Law and Practice Contributed by: Alan Zhou, Charlene Huang, Jenny Chen and Stephanie Wang, Global Law Office
protection campaigns on mobile applications, including apps used in the healthcare industry.

National Data Bureau (NDB)

The NDB was officially inaugurated on 23 October 2023 to co-ordinate the improvement of data infrastructure systems, including the development, utilisation and interaction of data resources and pushing the building of digital China forward. It is therefore expected that the NDB will play a specific role in data protection enforcement regarding digital healthcare.

3.3 Enforcement

The primary areas of regulatory enforcement in digital healthcare currently include cybersecurity, personal data protection and internet-based diagnosis and treatment (including internet hospitals).

In terms of cybersecurity, the implementation of the MLPS, which is a compulsory legal obligation under the Cybersecurity Law of the PRC and relevant regulations, is now becoming an enforcement focus for most industries involving sensitive information, particularly healthcare. The MLPS is composed of a series of technical and organisational standards and requirements that need to be fulfilled by all network operators in China. As the development and operation of digital healthcare heavily relies on networks and IT infrastructure, it is critical for digital healthcare providers to enforce and complete the MLPS grading process. Under the Administrative Measures for Internet-based Diagnosis (for Trial Implementation) and the Administrative Measures for Internet Hospitals (for Trial Implementation), healthcare institutions providing internet-based diagnosis services and internet hospitals will be graded and protected as Grade III under the MLPS regime. Failure to complete the MLPS will lead to administrative penalties including warnings and fines being issued by the PSB.

In terms of personal data protection, relevant data protection authorities such as the CAC, the MIIT and the PSB have been actively enforcing personal data protection requirements across industries, including healthcare. Industry supervision authorities such as the NHC and the NHSA are also involved in those enforcement actions on healthcare institutions.

3.4 Sufficiency of Oversight

No information has been provided in this jurisdiction.

4. Liability

4.1 Legal Risks of Digital Healthcare Data Use and Data Sharing

As personal health data largely falls within the category of personal sensitive data under the laws of the PRC, the scope of liability for data breach or unauthorised use of, or access to, personal health data in use and sharing is currently the same as for personal data. They are regulated under the Criminal Law of the PRC, the Cybersecurity Law of the PRC, the PIPL, the Regulations on the Security Management of Network Data and the Civil Code of the PRC, which include:

• criminal liabilities for infringement of personal data including criminal detention, a fixed-term sentence and monetary fines depending on the severity of the conduct and the consequences;
• administrative liabilities for illegally processing personal data including written warnings,
CHAMBERS.COM