The privacy regulatory landscape continues to develop rapidly across the U.S, Europe, and China. The most significant recent developments have been in China, where the Security Assessment Measures for Outbound Cross-Border Data Transfers (the CBDT Measures) have recently come into force. As a result, international pharmaceutical companies with Chinese operations face more challenges in transferring data outside of China and increased pressure to localize certain data.
The Chinese CBDT Measures stipulate that a company must pass a security assessment by the Cyberspace Administration of China before exporting data in certain circumstances. Some of these circumstances relate to the number and type of data being transferred; a security assessment is needed if the amount of data exceeds a certain threshold. The most complex consideration is whether the data to be exported is considered “important data” under Chinese law. The exact scope of “important data” is currently unclear, and it is hoped that guidance on this point from the Chinese authorities will be forthcoming in 2023. In addition to the CBDT Measures, Chinese law recognizes two additional data transfer mechanisms: privacy protection certification and standard contract. These have not yet been implemented but – after they are finalized in 2023 – they will provide additional options for companies not regulated by the CBDT Measures to legitimize their cross-border data transfers. They will also further complicate the landscape for Chinese data transfers by raising the bar for compliance.
The U.S. made significant attempts in 2022 to develop a comprehensive privacy law, but none has yet materialized. Currently, the lack of such a federal law – together with the advancement of state privacy laws and enforcement efforts – leaves life sciences companies subject to a patchwork of U.S. laws without clear direction and with a growing number of overlapping obligations. Adding to the complexity is a forthcoming large set of amendments to the CCPA, known as the California Privacy Rights Act (CPRA). These amendments, which will come into effect on January 1, 2023, represent a significant change for the many life sciences entities primarily processing data that until now has been exempt from the CCPA.
International data transfers between Europe and the U.S. will continue to be complex for life sciences companies following the October 2022 publication of a U.S. executive order to facilitate a new Trans-Atlantic Data Privacy Framework. This framework, which has been endorsed by the EU, will act as a successor to the invalidated EU-U.S. Privacy Shield. The UK is also developing its own position on international data transfers, adopting new UK adequacy agreements with other countries, for example South Korea, and introducing a UK form for international data transfer agreements. Due to these continuing developments on international data transfers, the off-shoring of medical data will continue to be a hot issue that merits careful consideration.
Within the EU itself, there has been a slew of new legislation that will affect digital health players. Of particular note is the new AI Act, which the EU Council approved on December 6, 2022, with the European Parliament due to finalize its version in March 2023. The AI Act will regulate AI systems according to their level of risk, with systems that create a “high-risk” to health, being subject to the most stringent mandatory requirements, including a requirement that a “conformity assessment” be completed. As such, life sciences companies that use AI to manage health records, manufacture health trackers, and create AI-driven medical devices will need to carefully consider the impact of the AI Act. In 2023, life sciences companies will also need to prepare for the advent of the European Health Data Space Regulation, which increases access to electronic health data and facilitates the sharing of such data for secondary research purposes.
In 2023 we expect privacy and cyber developments in many jurisdictions globally, including the US, China and the EU. We also expect new regulations for different forms of technology, such as AI. All these developments will add further complexity to the life sciences landscape. Life sciences companies should therefore follow these data privacy and cyber developments closely, and assess the impact on their products and business operations.
Colleen Theresa Brown, William Long, Geeta Malhotra, Lauren Kitces, and Lianying Wang survey a fast-evolving global landscape, taking in the forthcoming California Consumer Privacy Act, the UK’s form for international data transfer agreements, the EU’s AI Act, and China’s new data security measures.