Liu Xiufang, Dang Chao, et al.: Cross-border Data Transfers: Differences and Responses between the GDPR and the Personal Information Protection Law (PIPL) - Healthcare Big Data Compliance Series (VI)

Release Time: 2025-07-03


Cross-border flows of medical data are frequent in the era of globalization: international multicenter drug clinical trials require sharing of patient medical record data; multinational AI medical companies locate the servers that train their algorithms abroad; teleconsultation platforms match patients with overseas specialists ...... However, both the EU's GDPR and China's Personal Information Protection Law (PIPL) set strict preconditions for the cross-border transfer of personal information. An organization that rashly transmits large volumes of health data abroad may face severe penalties or be ordered by the regulator to stop the activity.

1. The GDPR's cross-border transfer mechanism

The GDPR establishes a relatively comprehensive mechanism for cross-border transfers. Under the adequacy decision route in Article 45 of the GDPR, if the European Commission determines that a country's level of data protection is essentially equivalent to that of the EU, the country is placed on the list of adequate jurisdictions and personal data may flow to it without further authorization. Recognized countries include Japan, South Korea and others. With respect to the United States, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework in July 2023; it covers only US organizations that have certified under the Framework, and its practical application and potential legal challenges will require ongoing attention. As a result, EU healthcare organizations must rely on the alternatives described below when they want to transfer patient data to jurisdictions without an adequacy decision, such as China, or when they seek more robust safeguards for transfers to the United States.

"Appropriate safeguards" under Article 46 of the GDPR are the usual basis for transfers outside adequate jurisdictions, and the most common safeguard is the signing of Standard Contractual Clauses (SCCs). These are official EU template contracts, signed by the data exporter and the data importer, through which the importer contractually commits to privacy protections equivalent to EU standards. The current (2021) SCCs also oblige the parties to assess whether the law of the destination country undermines those commitments and to adopt supplementary measures where it does. In the absence of such measures, the national data protection authorities (DPAs) can prohibit the export of data. Healthcare AI companies commonly use SCCs to connect with offshore R&D centers, while adding technical controls such as encryption and pseudonymization of health data.

Article 49 of the GDPR also lists a limited number of circumstances in which cross-border transfers may take place without an adequacy decision or SCCs, such as where the data subject has given explicit consent, or where the transfer is necessary to protect the vital interests of the data subject or for important reasons of public interest. However, these derogations are intended for one-off or special situations and should not be relied upon as a regular, long-term transfer mechanism. Healthcare organizations that frequently collaborate with foreign partners usually have to go through SCCs or Binding Corporate Rules (BCRs).

2. Cross-border transfer rules under China's PIPL

China's PIPL also sets out detailed rules for the cross-border transfer of personal information. According to Article 38 of the PIPL, personal information may leave the country only if one of the following requirements is met: passing the security assessment organized by the national cyberspace authority (the Cyberspace Administration of China, CAC); obtaining personal information protection certification from a specialized institution; signing a standard contract, in the form formulated by the CAC, with the overseas recipient and filing it with the authority; or meeting any other conditions stipulated by laws, administrative regulations or the CAC.

A large medical organization, or one classified as a critical information infrastructure operator, is also required to store personal information domestically, and where transfer abroad is genuinely necessary it must pass a strict security assessment. For large volumes of sensitive health data involving genes and medical records, the regulatory attitude is even more cautious.

Unlike the GDPR, the PIPL (Article 39) also requires that, in addition to meeting the assessment, certification or contractual requirements above, the individual's separate consent be obtained before personal information is provided to a recipient outside China, and that the notice given to the individual state the recipient's name and contact details, the purpose and method of processing, the categories of information involved and how the individual can exercise their rights against the recipient. Health data is sensitive personal information in any case, so the separate-consent requirement always applies. If a patient refuses cross-border transmission of their medical data, the platform may not compel it.

In addition, Article 40 of the PIPL stipulates that critical information infrastructure operators, and personal information processors whose processing volume exceeds the threshold set by the CAC, must store personal information collected and generated within China domestically, and must pass a CAC security assessment if it is genuinely necessary to provide it abroad. Hospitals, genetic testing companies and other entities that handle sensitive health data frequently fall within the scope of this article. This means that cross-border cooperation is subject to a complex and time-consuming process of submitting materials to the CAC for security assessment.

3. Differences and challenges

There are many differences between the GDPR and the PIPL in their rules for cross-border transfers of healthcare data, and these differences pose challenges for data processors. China places more emphasis on government approval: the GDPR lets companies achieve an "equivalent level of protection" on their own initiative through SCCs or BCRs, without prior regulatory approval, whereas China, beyond the signing of a standard contract, requires that contract to be filed with the CAC and, in many cases, a CAC-led security assessment, which is a far more cautious approach.

The GDPR does not require the data subject's explicit consent for every cross-border transfer (consent is only one of the Article 49 derogations); the PIPL makes "separate consent" a core statutory requirement, which makes operations considerably harder.

The EU does not generally mandate local storage of medical data, although individual member states may require it in specific areas; China has written a localization obligation for certain entities into the law itself, reflecting a concept of regulation that addresses both national data security and individual privacy.

4. Coping strategies and cases

In the face of these differences and challenges, data processors can adopt a variety of coping strategies.

    a. Multi-pronged approach

If a medical research organization wants to share Chinese patient sample data with an EU partner, it must first comply with the PIPL: pass a security assessment or sign and file the Chinese standard contract, and obtain each patient's separate consent; it must then satisfy the GDPR's requirements for the EU side of the transfer. Otherwise, the EU partner may also be blocked by its local DPA.

    b. Reducing cross-border: “localizing” data

Some international companies use distributed or federated learning techniques to "move" the algorithm to the country where the data is located for training, rather than transferring the original sensitive data. Only model parameters or gradient updates cross the border, which is consistent with the "data does not leave the country" principle while still allowing cross-border collaboration. A practitioner should note the caveat that model updates can themselves leak information about the training records (for example through membership inference or gradient inversion attacks), so federated learning narrows the transfer question rather than eliminating it, and is usually combined with secure aggregation or differential privacy.
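As an added illustration of the federated approach described above (example code written for this page, not code from the article or from any named vendor), the block below runs federated averaging (FedAvg) for a logistic regression across two hypothetical sites, "eu_hospital" and "cn_hospital". Each site keeps its records in its own object and exposes only a trained weight vector; the coordinator averages the vectors weighted by record count and records in a transfer log exactly what crossed the border. The patient records are constructed synthetic data, not real data.

```python
"""Federated averaging (FedAvg) for a two-site logistic regression.

Added example, not code from the original article. Site names,
record layout and the labelling rule are all assumptions made for
the illustration. Raw records never leave a Site object; only weight
vectors are handed to the Coordinator.
"""
import math
import random


def make_site_data(seed, n):
    """Constructed sample records: ([feature_1, feature_2], label)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x1 = rng.uniform(-1.0, 1.0)
        x2 = rng.uniform(-1.0, 1.0)
        # Hidden labelling rule with a little noise (assumption for the demo).
        label = 1 if 2.0 * x1 - x2 + rng.gauss(0.0, 0.2) > 0.1 else 0
        rows.append(([x1, x2], label))
    return rows


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(weights, x):
    """weights[0] is the bias term, weights[1:] the feature weights."""
    z = weights[0] + sum(w * xi for w, xi in zip(weights[1:], x))
    return sigmoid(z)


class Site:
    """A data controller that trains locally and exports only weights."""

    def __init__(self, name, records):
        self.name = name
        self._records = records  # stays inside this object

    def local_train(self, global_weights, epochs, lr):
        """Full-batch gradient descent on the local records only."""
        w = list(global_weights)
        n = len(self._records)
        for _ in range(epochs):
            grad = [0.0] * len(w)
            for x, y in self._records:
                err = predict(w, x) - y
                grad[0] += err
                for j, xj in enumerate(x):
                    grad[j + 1] += err * xj
            w = [wi - lr * g / n for wi, g in zip(w, grad)]
        return w, n  # weight vector and sample count, nothing else

    def local_accuracy(self, weights):
        """Evaluated on site; records are not returned to the caller."""
        correct = sum((predict(weights, x) >= 0.5) == (y == 1)
                      for x, y in self._records)
        return correct / len(self._records)


class Coordinator:
    """Aggregates site weight vectors; never sees a record."""

    def __init__(self, n_features):
        self.weights = [0.0] * (n_features + 1)
        self.transfer_log = []  # (site, payload_type, payload_length)

    def run_round(self, sites, epochs=5, lr=0.5):
        updates = []
        for site in sites:
            w, n = site.local_train(self.weights, epochs, lr)
            self.transfer_log.append((site.name, "weights", len(w)))
            updates.append((w, n))
        total = sum(n for _, n in updates)
        # FedAvg: average each weight, weighted by local sample count.
        self.weights = [
            sum(w[j] * n for w, n in updates) / total
            for j in range(len(self.weights))
        ]
        return self.weights


def run_fedavg(rounds=30):
    eu_site = Site("eu_hospital", make_site_data(seed=1, n=200))
    cn_site = Site("cn_hospital", make_site_data(seed=2, n=300))
    coord = Coordinator(n_features=2)
    for _ in range(rounds):
        coord.run_round([eu_site, cn_site])
    return coord, eu_site, cn_site


if __name__ == "__main__":
    coord, eu, cn = run_fedavg()
    print("global weights:", [round(w, 3) for w in coord.weights])
    print("eu accuracy:", eu.local_accuracy(coord.weights))
    print("cn accuracy:", cn.local_accuracy(coord.weights))
    print("cross-border payloads:", coord.transfer_log[:2], "...")
```

The transfer log is the compliance-relevant artifact: every entry is a three-element weight vector, so the only thing that crosses the border is the model, not patient rows. What the toy does not provide is protection of those weights themselves; in production the updates would be aggregated over an encrypted channel with secure aggregation, or noised under differential privacy, to address the leakage caveat above.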

    c. Early planning, approval and filing

The applications, assessments and contract reviews that must be completed before data leaves the country take months or even longer. If the project involves urgent scientific research, such as emergency research on infectious diseases, a special expedited channel can be negotiated with the regulatory authorities, but the most basic security controls cannot be bypassed.

Cross-border medical data flow is a trend of the times, but the compliance requirements are becoming increasingly stringent, and the differences between the GDPR and the PIPL mean that data processors must satisfy both regimes. For platforms engaged in globalized medical R&D and services, this undoubtedly increases operational and time costs, but it is also a necessary measure to protect patients' rights and interests and to prevent privacy leakage and even national security risks. Only by flexibly combining technical, contractual and administrative measures within the legal framework can the cross-border flow of medical data be smooth and orderly, and truly benefit medical research and health services.

