In life sciences, China’s recent legislative and regulatory developments have further reshaped that sector in terms of cross-border partnerships and domestic business development.

This GT Advisory explores the following considerations:

• The current amendment to the catalogue of technologies under export control indicates the Chinese government’s cautious approach to the development of cutting-edge life sciences technologies, in areas such as cell and gene therapy, synthetic biology technology, etc., especially when an increasing number of non-Chinese companies rely on Chinese companies’ innovation in these areas.

• The Cyberspace Administration of China’s first approval of data export underscores the pivotal role of Ministry of Science and Technology’s oversight over the export of human genetic resources.

• Long-awaited Implementing Rules on the Administrative Regulations on Human Genetic Resources will reduce the administrative compliance burdens on companies but also highlight the primary legal risk of national security oversight against companies.

On Dec. 30, 2022, the Ministry of Commerce (MOC) and Ministry of Science and Technology (MST) jointly released for public comment the draft catalogue of technologies prohibited and restricted from being exported. If finalized in its proposed form, the amended export catalogue would completely proscribe technologies in the prohibited section from being exported, while restricting others subject to approval of the provincial branch of MOC and MST. Export of technologies related to patent assignment, patent application assignment, license of patent, know-how assignment, and technical services would be regulated under the catalogue.

The draft proposes to:

• remove 32 technologies prohibited or restricted from being exported under the current effective 2022 catalogue, involving technologies for grain processing, agricultural machinery manufacturing, chemical pesticide production, photosensitive material productions, etc. Most of the removed technologies come from traditional industries rather than hi-tech ones.

• add one technology to the prohibited section, i.e., human cell cloning and human gene editing technology. The former includes cell nucleus extraction and removal technology, nucleus transfer technology, embryo transfer technology, key enzymes for cell activation. The latter includes ZFN (Zinc finger nucleases) technology, TALEN (transcription activator-like effector nucleases) technology and CRISPR (clustered regularly interspaced short palindromic repeats) technology, specific nuclease, homologous recombination technology, point knockout technology, gene introduction and fragment deletion technology, and multi-site mutation technology.

• add seven technologies to the restricted section, involving two life science technologies, CRISPR gene editing technology (usage in controversial areas such as gene editing of embryonic cells, egg cells and sperm cells, and other applications implicating significant harmful consequences) and synthetic biology technology (efficient synthesis and assembly of DNA, directed evolution, synthesis technology of amino acids, proteins and starches and others implicating significant harmful consequences). Among the rest of the restricted ones are crop hybridization utilization technology, photovoltaic silicon wafer preparation technology, and lidar systems, which also call for attention from relevant industries.

The prohibited and restricted sections involving life science technologies have raised significant concern among life science companies. In recent years, many innovative Chinese pharmaceutical companies have been seeking to license their prospective products to foreign partners, or establishing or planning to establish overseas R&D and/or manufacturing center. License-in transactions may be impacted as well since the foreign licensor may be concerned about the restriction/prohibition on technology export. If the draft were to be enacted as proposed, such business models would be heavily impacted.
 

In mid-January 2023, China’s cybersecurity watchdog, the Cyberspace Administration of China (CAC), announced it had for the first time approved the data export filed by Beijing Friendship Hospital (BFH) for its multi-center research (on certain resection) co-headed with Amsterdam University Medical Centers (AUMC). The CAC also indicated that its Beijing Branch had received official applications for data export from 16 enterprises from several important areas such as social media, medical, financial, automobile and civil aviation industries.

The Cybersecurity Law, Data Security Law and Personal Information Protection Law provide the framework for data export. In general, the CAC’s pre-export security assessment is essential for the export of important data, and export of personal information by a critical information infrastructure operator (CIIO), and export of personal information by a handler (a roughly comparable concept of “controller” under GDPR) processing personal information of individuals of a specified number. The formal requirements for the security assessment were, however, not clarified until July 2022 when the CAC published Measures for Security Assessment of Data Export (the Measures).

The Measures further enumerate four circumstances under which CAC security assessment is required:

• Export of important data by a data handler;

• Export of personal information by a CIIO or a data handler processing personal information of more than one million individuals;

• Export of personal information by a data handler who has cumulatively exported personal information of 100,000 individuals or sensitive personal information of 10,000 individuals since Jan. 1 of last year;

• Other circumstances specified by the CAC.

For the life science industry, the export of human genetic resources (HGR, either in the form of materials such as blood and tissue, or in the form of information such as sequencing data) is further subject to MST approval. In addition, the export may trigger a security assessment under the Measures. Read more about the MST approval and potential obligations of security assessment in our 2021 GT Advisory, China on the Move: An Improving Regulatory Landscape with New Challenges Ahead – Genomics and National Security.

The BFH case illustrates the current regime, despite the lack of details in CAC’s announcement. BFH’s own introduction to the multi-center research is informative:

• The multi-center research of resection being initiated by public hospitals is different from a multi-center clinical trial of certain new drugs sponsored by a pharmaceutical company;

• BFH is supervised by the National Health Commission, which is believed to have provided guidance to BFH’s application;

• There are 170 subjects in this research project;

• BFH evaluated HGR and the relation between data export and output of the project, and finally confirmed the “necessity and scientific value” of data export;

• BFH formulated its own Measures for Security Management of Data Export to regulate the data export activities and protect patients’ rights to their personal information, and to establish its own mechanism for review, evaluation and supervision of exporting important data, etc.

Comparing the four circumstances triggering mandatory security assessment under the Measures and the information disclosed by BFH, below are some considerations:

• Large hospitals may have processed personal information of more than 1 million individuals. Therefore, their export of personal information is likely to be subject to a CAC security assessment.

• Large hospitals may be considered CIIOs. For a CIIO, the export of any personal information (as well as important data), regardless of the number, should be pre-approved by the CAC. Although the government has not publicly released a list of CIIOs, large hospitals, especially Grade A Tertiary Hospitals, are more likely to qualify.

• Despite a moderate number of individuals (subjects) involved in data export by BFH, the deliberate mentioning of the existence of important data in BFH’s announcement indicated that the exported information might contain important data. Important data is only vaguely defined in the Measures, and several versions of draft guidelines identifying important data since 2017 are not yet officially adopted. Although it is widely assumed that a large aggregation of data reflecting sensitive information (such as undisclosed demographic information collected by census, information reflecting ethnic characteristics) is more likely to contain important data, BFH’s case may suggest that the clinical records of a small group of people (about 170 cases) might also be considered important data. BFH and AUMC, both as primary investigators, co-headed the project, and the foreign party might access a wide range of clinical records of Chinese patients, increasing the sensitivity of the aggregated clinical record accordingly. In a draft guideline for identifying important data (March 2022), diagnosis and treatment data of certain people would likely constitute important data, without a quantified threshold. Although there is no legally binding regulation delineating the scope of important data, life sciences companies should be cautious about the data they possess and export.

• Together with BFH’s case, the CAC approved the data export of Air China, with even less information disclosed. Most likely, Air China has been processing personal information of far more than 1 million individuals, and its export is no doubt subject to security assessment. After the BFH case, CAC has not yet published any successful case of security assessment in life sciences. The data export by a cosmetics retailer and a vehicle manufacturer was approved by the Shanghai branch of CAC on May 5. It is unclear whether life sciences companies should count on the BFH example.

Protecting national security is an underlying purpose of the Cybersecurity Law and Data Security Law. In the newly issued Counter-Espionage Law (effective July 1, 2023), “stealing, seeking, purchasing and illegally providing national security and interest-related documents, data, files and material” may be deemed spying. Under the Measures, the security assessment is a mechanism to maintain national security, and the exporter must evaluate the risk to national security caused by data export.

In May 2023, MST released Implementing Rules of the Administrative Regulations on HGR (“Rules”, 人类遗传资源管理条例实施细则). Apart from clarifying procedural issues in dealing with HGR, the Rules for the first time enumerate under what circumstances security review led by MST is essential before providing human genetic information (HGI) to foreign entities:

• HGI of important genetic families;

• HGI of specific regions;

• Exome sequencing and genome sequencing information resources for more than 500 cases;

• Other circumstance that may affect public health, national security and public interest.

The security review also focuses on how providing HGI to foreign entities could affect China’s national security. However, the Rules are silent on what aspects MST will take into consideration in security review. For example, will the identity of the foreign entity receiving HGI or the jurisdiction to which the HGI is exported be factored in?

There has not been an enforcement case where exporting medical-related data is explicitly connected with a national security risk. With increasing application of security assessments under the Measures and security review under the Rules, how exporting medical related data affects national security may be further defined.