BLOG POST

As Prescribed

YOUR GO-TO SOURCE FOR ANALYSIS OF ISSUES AFFECTING THE PHARMA & BIOTECH SECTORS

Ready or Not, Here It Comes: China’s GDPR Is Coming

China’s long-awaited Personal Information Protection Law (PIPL) has potentially significant implications for pharmaceutical and medical device companies doing business in China or with the market in China. Personal health information is considered sensitive personal information and is now subject to enhanced data compliance requirements for collection, processing, and cross-border transfer. After two rounds of draft versions, the PIPL was finally passed by the Standing Committee of the National People's Congress on August 20, 2021 and will become effective November 1, 2021.

The PIPL significantly increases the burden and cost of data privacy compliance for multinational companies operating in China. The PIPL also extends its jurisdiction over multinational companies without a presence in China so long as they process personal information of individuals located in China for the purpose of providing products or services to such individuals, or analyzing or assessing their behaviors. Companies in violation of the PIPL may be subject to severe penalties, including a fine of up to 5% of the last year's turnover of the company, revocation of license to do business in China, and personal liabilities for company executives.

In light of US-China tensions and the Chinese government’s heightened focus on national security risks related to cross-border transfer of sensitive data, the PIPL is another regulatory tool the Chinese government can use in addressing corporate behavior it deems at odds with national interest.

Read our recent LawFlash to learn more about the PIPL’s rules on how businesses should collect, use, process, share, and overseas transfer personal information in China.