CHINA Trends and Developments Contributed by: Hanshuo Zhou, Xiaoyun Wang and Taige Shi (Casper), Jingtian & Gongcheng
sion or misinformation. Additionally, service pro- viders must also embed the metadata itself with content origin, provider identity, and traceable identifiers to ensure accountability throughout
ted to flow more freely, subject to basic compli- ance safeguards. Cross-border data requirements vary signifi- cantly across different digital health business models. For example, remote care scenarios – such as AI-driven internet consultations – may involve outbound transmission of diagnos- tic data, while international R&D partnerships often require cross-border sharing of clinical trial results, pharmaceutical data, and patient- level health records. Companies operating in this domain must conduct thorough internal audits to map out cross-border data activities, evaluate whether they trigger regulatory thresholds, and determine whether the security assessments or standard contract filings are required. Best prac- tices also include signing data transfer agree- ments with overseas recipients, implementing encryption and access control protocols, and ensuring auditability throughout the data life cycle. Importantly, regulators are beginning to adopt a sector-specific approach to compliance. For data involving sensitive patient information, biosafety concerns, or public health implica- tions, stricter controls are expected. Converse- ly, transfers involving lower-risk healthcare data may benefit from simplified procedures, provid- ed security and transparency are maintained. As more FTZs introduce or refine their negative lists for data export, digital health companies should actively monitor local developments and proactively align their compliance strategies with jurisdiction-specific requirements. Data compliance and personal information protection under the Cybersecurity Law The implementation of the Regulations on the Security Management of Network Data on 1 January 2025, marks a significant step forward
the chain of information distribution. Cross-border flow of medical data
The regulatory landscape for outbound medical data transfers in China has begun to take shape. In March 2024, the Cyberspace Administration of China (CAC) issued the Regulations on Pro- moting and Regulating Cross-Border Data Flow, a landmark framework that streamlines key com- pliance pathways for international data transfers. The regulation refines existing mechanisms – including outbound data security assessments, standard contracts for personal information exports, and data protection certification – and introduces new flexibility by allowing free trade zones (FTZs) to independently formulate “nega- tive lists” of restricted data categories. Following this national framework, several FTZs – including those in Beijing, Tianjin, and Shang- hai – have published local data export lists tai- lored to regional priorities. Beijing’s negative list, for example, includes categories relevant to the healthcare and pharmaceutical industries, such as large-scale diagnostic datasets, physi- ological and health status data, medical emer- gency response records, and specific drug trial data – all of which require data export security assessments before export. Tianjin’s FTZ places a particular regulatory focus on biopharmaceuti- cal data, including patient treatment records and experimental drug data. In contrast, Shanghai’s Lingang New Area has taken a scenario-based approach, issuing a “general data list” for com- mon biomedical use cases such as clinical tri- als, pharmacovigilance, and medical inquiries. Under this framework, eligible data categories may be classified as “general data” and permit-
43
CHAMBERS.COM
Powered by FlippingBook