Digital Healthcare 2025

CHINA Trends and Developments Contributed by: Hanshuo Zhou, Xiaoyun Wang and Taige Shi (Casper), Jingtian & Gongcheng

in China’s regulatory framework for data security and personal information protection – particularly in sensitive sectors such as digital health. The new rules provide more detailed compliance guidance and clearly define the responsibilities and obligations of data processors.

Medical data is subject to heightened scrutiny due to its sensitivity and potential national security implications. Information such as genetic sequences, rare disease diagnostics, and public health data related to infectious disease prevention, if leaked or tampered with, could seriously threaten public interests. As a result, tiered and classified protection has become a regulatory priority.

The regulations provide explicit direction for data classification in the healthcare context. Digital health companies are required to identify “important data” based on sector-specific guidelines or published catalogues, compile internal registries of such data, and report them to the relevant authorities. Until industry-specific catalogues are officially released by the industry regulators, companies may refer to the national standard Information Security Technology – Guidelines for Data Classification and Grading, effective as of 1 October 2024, to guide their compliance efforts.

The regulations also tighten personal information protection requirements for digital health providers. In scenarios such as AI-powered internet hospital consultations, companies that collect and process patient medical data must adhere strictly to the principles of informed consent. Privacy notices and user agreements must clearly explain how data is collected, stored, used and shared, ensuring that patients provide meaningful consent based on full transparency.

Wearable devices present a separate but equally significant set of obligations. Companies processing biometric and health monitoring data – such as blood oxygen levels, ECGs and blood pressure – must implement robust encryption for both storage and transmission, ensuring the secure exchange of data between devices and back-end servers. In addition, providers must respect users’ data rights, including the right to be informed, the right to control how their data is used, and the right to request deletion. User interfaces should be designed to give users easy access to their medical records and health data, and to let them delete or transfer personal information when needed.

Looking ahead, regulatory scrutiny of data compliance in China is expected to intensify. New laws and standards are likely to emerge to address evolving issues in cross-border data transfers, AI-driven decision-making, and sensitive information handling. Digital health companies must be proactive in strengthening their internal compliance systems to ensure lawful, secure and transparent data processing. Doing so will be critical not only for risk management, but also for supporting the sector’s sustainable and trustworthy development.
