Richard Bartlett Finance & Capital Markets, King & Wood Mallesons
Whether directly or indirectly involved with human genetic resources sourced from China, foreign organizations and individuals (or institutions formed or controlled by them) (together “Foreign Parties”) should be aware of the Regulation of the People’s Republic of China on the Administration of Human Genetic Resources (中华人民共和国人类遗传资源管理条例) (the “Regulations”).
At the same time, Foreign Parties should also be mindful that when they are using China’s human genetic resources, it is likely that other laws may be applicable. In particular, laws relating to data protection, cybersecurity as well as laws specific to a certain industry or sector such as the healthcare sector, are also likely to be relevant and may require the adoption of additional measures to ensure compliance.
The Regulations, which came into effect in July 2019, permit Foreign Parties to only “use” China’s human genetic resources. Foreign Parties, unlike Chinese entities, are not permitted to collect or store within China, or to provide outside of China, any of China’s human genetic resources (although the Regulations do contemplate and regulate international cooperation involving the use of China’s human genetic resources between Foreign Parties and Chinese entities).
The term “use”, although employed extensively in the Regulations, is undefined and so is potentially wide-ranging.
The scope of the term “human genetic resources” as used in the Regulations is also very broad, and is defined to include not only genetic materials generally but also any information, including but not limited to data, that is generated from such genetic material.
Consequently, the scope of application of the Regulations to activities undertaken by Foreign Parties alone or with local partners in connection with China’s human genetic resources is potentially very broad.
At a more general level, the Regulations should also be seen as one part of the measures adopted in China to protect personal data as well as regulate cybersecurity. Consequently, when assessing activities involving human genetic resources to determine if they are governed by the Regulations, entities should also consider if any of the information or data generated by those activities are also governed by other regulations, in particular laws governing the medical industry or network security and personal information.
For example, when using data generated from human genetic resources, Foreign Parties should be mindful that such data could also be classified as:
- personal sensitive information, for the purposes of the Cybersecurity Law (中华人民共和国网络安全法);
- population health information, for the purposes of the “Population Health Information Management Measure (Trial)” (人口健康信息管理办法（试行）); or
- “healthcare big data”, for the purposes of “Administrative Measures on Standards, Security and Services of National Healthcare Big Data (Trial)” (国家健康医疗大数据标准、安全和服务管理办法（试行）).
Similarly, in addition to the Regulations, a Chinese partner may also be subject to other laws and regulations in relation to its involvement with human genetic resources. For example, a Foreign Party may be cooperating with a Chinese hospital to collect medical imaging data, in circumstances where that hospital may simultaneously be classified as:
- a medical institution, which will likely mean that its management of medical records is governed under the Regulations on the Management of Medical Records in Medical Institutions (医疗机构病历管理规定（2013年版）);
- a network operator, which will likely mean that its collection and use of patient data that constitutes personal information are governed under the Cybersecurity Law; or
- an entity responsible for “healthcare big data” security and use, which will likely mean that its management of patient data is governed under the Administrative Measures on Standards, Security and Services of National Healthcare Big Data.
To sum up, when dealing with China’s human genetic resources, Foreign Parties should make sure that they and any local partners are aware not only of the steps necessary to ensure compliance with the Regulations but that they have also considered any other compliance requirements resulting from China’s laws on data security as well as regulation of the medical industry.