U.S. health care providers, device manufacturers, lab managers, health information technology and telemedicine/telehealth project investors, and other industry members involved in projects in China, need to be aware of a long and growing list of China-specific data-flow and content restrictions. These restrictions are increasingly concerning in light of the health care industry’s growing use of cloud technology and need for financial and other systems that protect medical record, insurance data and other sensitive information, but that are efficient, and that provide unimpeded online access.
The data-flow restrictions in China arise from a complex combination of government concerns, such as cybersecurity, data privacy, and patient and other consumer protection. U.S. and other industry associations have called upon China to openly discuss changes to rules that require disclosure of sensitive intellectual property and restrict cross-border flows of commercial data. The concerns have reportedly even fueled Chinese manufacturer’s efforts to market replacements for foreign technology with Chinese-developed systems.
With this in mind, while U.S. government and industry negotiators continue to push for resolution of industry concerns involving China data-flow restrictions, the fact remains that health care industry members must understand these restrictions in order to enjoy continued business success, minimize data-access and business continuity risks, and even avoid criminal liability exposure.
Health Care Information and Patient Privacy
Measures issued last year potentially apply to a vast array of health information which medical, health care and family planning service agencies of all types and at all levels generate within China while providing services or managing health care operations. These Measures prohibit storage of such information “in overseas servers, [or in] hosted or rented overseas servers.” See Management Measures for Population Health Information (for Trial Implementation), (National Health and Family Planning Commission, May 5, 2014), Section 10.
Personal Data Privacy
China’s personal data privacy laws and guidelines have been expanding over the last few years. Certain of these laws and guidelines touch upon the issue of data flow. For instance, China has issued standards that provide that “without express consent of the subject of personal information, the express requirement of any law or regulation, or the consent of the competent authority, a personal information administrator should not transmit personal information to any overseas personal information recipient, including an individual located abroad or an organization or institution registered abroad.” See Information Security Technology – Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services (GB/Z 28828-2012), (Standardization Administration of China and the Administration of Quality Supervision, Inspection and Quarantine, November 5, 2012), Section 5.4.5. See also Decision on Strengthening Online Information Protection (Standing Committee of the National People’s Congress, December 28, 2012) (among other things, making illegal the collection and provision of personal information without authorization); Provisions on Protecting the Personal Information of Telecommunication and Internet Users (Ministry of Industry and Information Technology, July 16, 2013) (regulating the activities of telecommunications service providers and Internet infrastructure service providers in collection and use of personal data in services conducted within China).
China has proposed criminalizing unauthorized “sale or offers to sell personal information obtained…during the provision of services,” according to the 9th Amendment Draft of the Criminal Law of the People’s Republic of China published on November 3, 2014 (National People’s Congress), at proposed Section 253.1. If enacted, this would significantly expand the scope of such criminal liability, which was introduced in the 7th Amendment of the Criminal Law, effective February 28, 2009, and which currently focuses on employees in the health care, among other sectors.
Internet companies operating in China would need to store customer data on Chinese servers and to provide technical interfaces and encryption keys to public security agencies to enable these authorities to monitor terrorism threats under the proposed Counter-Terrorism Law of the People’s Republic of China published on November 3, 2014 (National People’s Congress), at proposed Section 15. National security issues driving China’s restrictions on data flow and content are not limited to this proposal. The proposed National Security Law of China (Standing Committee of the National People’s Congress, May 6, 2015) introduces in proposed Section 26 the concept of “internet sovereignty,” which essentially provides that a country has the right to determine what data flows in and out of the country’s territory. Existing Chinese laws also reflect these issues for company data-flow and content restrictions. See State Secrets Law of the People’s Republic of China (Standing Committee of the National People’s Congress, as amended April 29, 2010) (prohibiting, among other things, unauthorized overseas transfer of information that the government deems a “State secret,” including classified matters concerning national economic and social development and science and technology); Foreign Trade Law of the People’s Republic of China (Standing Committee of the National People’s Congress, April 6, 2004) (restricting export of data associated with certain technologies).
We note that this growing trend of data-flow restrictions in China also extends to other sectors, such as the financial industry. Certain measures for restricting data-flow initiated for this sector offer a preview of what the healthcare sector in China may have to deal with in the future. For instance, China recently temporarily suspended the implementation of new banking sector Guidelines that would require companies which provide technology equipment to Chinese banks to, among other things, turn over source code. Specifically, goals indicated in the Guidelines included substantially increasing financial institution use of “safe and controllable” [安全可控] information technology by the end of 2019. See Circular on the Guidelines for Secure and Controllable Information in the Banking Industry (2014-2015) (General Offices of the China Banking Regulatory Commission and the Ministry of Industry and Information Technology, December 26, 2014) (temporarily suspended), Section 2(10). See also Circular of the People’s Bank of China on Urging Banking and Financial Institutions to Undertake Protection of Personal Financial Information (People’s Bank of China, January 21, 2011), Section 6 (requiring, among other things, that personal financial information collected in China must be stored, processed, and analyzed within the territory of China); Management Regulation on Credit Information Industry (State Council, December 26, 2012), Article 24 (specifying, among other things, that information collected by credit institutions in China shall be organized, stored, and processed within the territory of China).
Much of the great promise for health care-sector internet-based and other technology innovations is dependent upon predictable and reliable data flow and globally accepted standards to address security improvements. Not surprisingly, understanding how China’s restrictions and risks may affect data flow helps U.S. health care sector members develop proper controls in the near term to minimize risks. Also, specific examples, such as those provided above, strengthen advocacy for globally accepted security standards in the long term to best take advantage of China market opportunities.