According to the Measures on Promotion and Regulation of Cross-border Data Transfer released and taken into effect from 22 March 2024 (the “Measures”), free trade zones (“FTZe”) are allowed to set forth their own lists of the data which are subject to data export security assessment, personal information export standard contract and personal information protection certification (the “Negative List”). The data processor within relevant FTZ can export data without the necessity of conducting data export security assessment, personal information protection certification and signing personal information export standard contract if such data does not fall into the Negative List.

In less than two months after the enactment of the Measures, the first Negative List was published by Tianjin Free Trade Zone, namely China (Tianjin) Free Trade Pilot Zone’s List on Data Export Regulation (Negative) (2024) (the “Tianjin FTZ Negative List”) on 9 May 2024. Only eight days later, Shanghai Free Trade Zone also released its own list on data export, namely Lingang Special Area of China (Shanghai) Free Trade Pilot Zone’s General Data List of Cross-border Data in Different Scenarios (the “Shanghai FTZ Lin-gang Positive List”). Interestingly, the Shanghai FTZ Lin-gang Positive List does not adopt the form of negative list, but was promulgated as a positive list. These two lists provide us with a good opportunity to compare the practices of different FTZs on their data export regulation approaches. As the Shanghai FTZ Lin-gang Positive List only covers five industries, our review will focus on the area of biology and healthcare as it is covered by both lists.

I.         General Introduction

The first point worth mentioning is the Tianjin FTZ Negative List is a full-range list covers 13 big categories including manufacturing, finance, public security, traffic and transportation, statistic and e-commerce and 45 small items further broken down. However, the Shanghai FTZ Lin-gang Positive List only covers three industries which are “biology and healthcare”, “intelligent connected vehicles” and “mutual fund”. These three industries are all major industries specially promoted in Lin-gang area of Shanghai FTZ. Although only covers three industries, the Shanghai FTZ Lin-gang Positive List further break down each industries into several “scenarios” and sets out “typical example and remark” and “requirements on transfer” to each scenario.

And it shall also be noted that the Tianjin FTZ Negative List is applicable to “export of data by companies of Tianjin FTZ” while the Shanghai FTZ Lin-gang Positive List is applicable to entities “registered in Shanghai FTZ Lin-gang Area” and also “engaged in activities relevant to the export of data within the Lin-gang Area”. And the “entity” shall also include company as well as all non-company entities.

Finally, these two lists set out different regulatory requirements. According to Tianjin FTZ Negative List, companies who export data other than those provided in the negative list are exempted from the data export security assessment, personal information export standard contract and personal information protection certification. However, according to Shanghai FTZ Lin-gang Positive List, export of data set forth in the positive list (namely, general data) shall still be filed with the administrative authority of Lin-gang area in advance.

II.       Comparison between the Two Lists

As mentioned above, the Tianjin FTZ Negative List is a full-range list while the Shanghai FTZ Lin-gang Positive List is only a limited one. We will focus on the area of healthcare to see the difference between these two lists.

In the Tianjin FTZ Negative List, healthcare related datas are set forth under category No.9, namely “Public Healthcare” in four items (Item No.31 “Healthcare and Medical”, Item No.33 “Pharmaceutical”, Item No,34 “Biological Safety” and Items No. 35 “Disease Control Data”).  And the Shanghai FTZ Lin-gang Positive List for healthcare industry covers five scenarios, namely “clinical trial and development”, “pharmacovigilance and medical device adverse event monitoring”, “medical enquiry”, “products claim” and “business partner management”. It is clear that the Shanghai FTZ Lin-gang Positive List is more focused on the business scenes for the whole lifespan from development, manufacturing to distribution. And following are a few points worth paying attention to when comparing these two lists.

1.        Is it really unnecessary to include the medical device related data to the negative list?

The Category No.9 of the Tianjin FTZ Negative List only covers “pharmaceutical” and does not mention “medical device”. On the contrary, the Shanghai FTZ Lin-gang Positive List covers both drugs and medical devices under the two scenarios of “clinical trial and development” and “pharmacovigilance and medical device adverse event monitoring”. From the wording of the list, it seems in Tianjin FTZ, data related to medical device is not subject to any data export regulation, thus can be freely exported.

As it is generally understood that medical devices and drugs have numerous aspects in common from the perspective of regulation. For example, clinical trials shall be conducted before a drug was approved to the market which is the same to some medical devices. Pharmacovigilance system shall be established after the drug was approved and adverse event monitoring system shall be established in the case of medical devices.

Data and personal information collected and processed through these processes are highly similar to each other regardless to whether it is for drug or for medical devices. It is questionable that all data related to medical devices can be freely exported without any regulation measures.

2.       How to define freely transferable test data?

According to the Shanghai FTZ Lin-gang Positive List, 4 types of “clinical trial and development” data are categorized as general data, namely “subjects’ de-identified basic information”, “subjects’ health and physiological information”, “investigator’s basic information” and “investigator’s educational and professional information”. These 4 types of data are all clinical trial related information, so it is unclear whether data related to pre-clinical study shall also be treated as general data in the positive list.

On the other hand, in the Tianjin FTZ Negative List, it mentioned “data related to the safety of drug use, biological security and public security such as the test data of certain types of drugs and test data related to the manufacturing process and manufacturing facilities of drugs”. But the wording of “data related to the safety of drug use, biological security and public security” is very broad. Theoretically speaking, any data generated from clinical trial can be deemed as directly or indirectly “related to the safety of drug use” and “certain types of drugs” is also nowhere defined.

3.       Different remarks on human genetic resource information.

In the Shanghai FTZ Lin-gang Positive List, it is mentioned that regarding the export to human genetic resources information, it shall be filed with relevant authority in accordance with the Regulation on Administration of Human Genetic Resource and for those that “may affect the public health of our country, national security and social public interest”, it shall pass the security assessment conducted by the healthcare authority of the central government. The wording here is the same to the wording of the Regulation on Administration of Human Genetic Resource which means human genetic resource information are not covered in the positive list and export of human genetic resource information shall be regulated otherwise.   

Item No. 31 of the Tianjin FTZ Negative List also mentions that “genetic resource information that reflects general condition of the race or related to the social public security” shall be treated as information covered by the negative list. The wording here is slightly different from the wording of the Regulation on Administration of Human Genetic Resource. But as the Regulation on Administration of Human Genetic Resource is the special regulation on the processing of human genetic resource information, export of human genetic resource information must be in compliance with the special regulation. And the different wording of these two lists will not cause any big difference in the actual practice in these two FTZs.

4.       How to deal with the personal information obtained from clinical trial, pharmacovigilance and adverse event monitoring?

During drug clinical trial, as it is usually required to be double blinding, sponsor can only get access to de-identified personal information of the subjects. However, as the investigation site can de-blind the identity of the subjects, it is generally recognized that subjects’ de-identified information can not reach the level of “anonymization” under the Personal Information Protection Law, thus still be treated as personal information. And no matter obtained from clinical trial or pharmacovigilance, because those personal information usually contains information related to the subjects’ medical and healthcare, those information are very likely to be deemed as sensitive personal information under the Personal Information Protection Law.     

The Tianjin FTZ Negative List only requires that “data processor other than CIIO who has exported personal information (exclusive for sensitive personal information) more than 1 million people or sensitive personal information more than 10,000 people from 1 January of the current year” shall pass the data export security assessment. And “data processor other than CIIO who has exported personal information (exclusive for sensitive personal information) more than 100,000 people or sensitive personal information less than 10,000 people from 1 January of the current year” shall sign personal data export standard contract or pass personal information protection certification. Such requirements are same to the regulatory requirements set forth in the Measures.

On the other hand, according to the Shanghai FTZ Lin-gang Positive List, “subjects’ de-identified basic information”, “subjects’ health and physiological information”, “patients’ basic physiological information” and “patients’ medical records” are included in the list as general data. But the Shanghai FTZ Lin-gang Positive List also requires that “with respect to the personal information among the general data, the data processor shall have exported personal information (exclusive for sensitive personal information) less than 100,000 people from 1 January of the current year”. Based on the wording, it seems that export of personal information shall be subject to the Measures. However, as mentioned above, since “subjects’ health and physiological information”, “patients’ basic physiological information” and “patients’ medical records”, even de-identified, are clearly sensitive personal information and must be regulated by the Measures, then what is the point to include such personal information in the positive list? Or is it permittable to say that “de-identified” personal information can be treated as non-person information? It is worth further clarifying.

III. Summary

Both the Tianjin FTZ Negative List and Shanghai FTZ Lin-gang Positive List are among the first batch of FTZs’ practice to regulate data export. The biggest point of the Tianjin FTZ Negative List is it has set out a relatively detailed list of “important data”. As we all now, ever since the enactment of the Measure, great attention has been paid to the scope of the “important data”, because according to the Measure, for those data which “have not been informed or publicly stated by relevant authority as important data”, the processor is not required to apply for a data export security assessment. Although the Tianjin Negative List still has vagueness to some point, it at least provides a valuable reference to which kind of data is more likely to be treated as important data.

 As a positive list, the Shanghai FTZ Lin-gang Positive List is more precise, clear and detailed on the scope of general data. But there is still a crucial question need to be clarified which is whether all the data not included in the Shanghai FTZ Lin-gang Positive List shall be treated as important data? Because in according to Shanghai FTZ’s measures on administration of data export, all data shall be categorized into three categories, namely “core data”, “important data” and “general data” and the administrative authority will set out lists of both “important data” and “general data”. Under such a scheme, it is questionable as how it shall be treated if a type of data is not included in either the important data list or the general data list as it is extremely difficult to create an exhaustive list for general data. And if any data which is not included in the general data list shall, at least, be treated as important data, then such an interpretation is clearly against the principle of the Measures that a data can only be deemed as important data if it has been “informed and publicly stated” as important data by relevant authorities.