Summary
China’s data protection regulations play a crucial role in clinical trials, requiring sponsors and researchers to comply with multiple laws, including the PIPL, GCP-2020, and cross-border data transfer rules. Unlike other jurisdictions, China imposes strict consent requirements, risk assessments, and regulatory filings, making compliance a key factor when selecting trial locations and managing participant data.
Clinical Trials and Data Protection: Navigating China’s Regulatory Landscape
Conducting a clinical trial is not limited to addressing the scientific complexities surrounding an investigational medicine, method, or device. A critical component of the process is establishing robust procedures to protect the personal data of participant subjects and site personnel.
Given the highly regulated nature of clinical trials, the data protection aspect does not escape the scrutiny of regulatory agencies and competent authorities. Data are at the heart of clinical trials and retain their importance even after the lifecycle of a trial concludes, demonstrating the need for solid compliance measures and thorough documentation to meet applicable data protection regulations worldwide.
Identifying the relevant data protection laws can be a challenging task. Similar to the GDPR, many global data protection frameworks extend their jurisdictional reach, requiring compliance whenever data subjects, as residents of their territory, are impacted.
For this reason, selecting the sites where a clinical trial will take place is a critical decision. It is essential to have a clear understanding of the relevant data protection legislation in each territory under consideration.
This article series aims to decode the data protection requirements in clinical trials at a global scale, starting with China. Data protection should not be seen as an obstacle; rather, it is a critical tool for ensuring the integrity and continuity of clinical trials. By facilitating lawful data reuse and safeguarding sensitive information, compliance with data protection measures supports the shared goal of advancing research in a secure and responsible manner.
Legislation and Guidelines Applicable in China
The challenges and specialised expertise required to ensure data protection compliance in clinical trials become evident right from the start, particularly when determining the applicable legislation. This complexity arises from the fact that data protection provisions relevant to clinical trials may originate from multiple regulatory frameworks and pieces of legislation, which are domain specific, rather than solely relying on the local data protection law.
This holds true in China, where data protection requirements for clinical trials are derived from various legal sources and guidelines, including:
- The primary legislation governing data protection in China – the Personal Data Protection Law of the People’s Republic of China (PIPL). This law establishes fundamental data protection requirements and compliance obligations across various business sectors. Regarding its extraterritorial scope, the PIPL applies to any activities involving the processing of personal data of individuals within the territory of China, particularly when such activities aim to provide products or services to individuals in China. In the context of clinical trials, this means that the PIPL will apply to trials conducted wholly or partially in China, such as by selecting an investigational site there to perform medical examinations, administer the investigational drug, or implement an investigational method.
- The new Good Clinical Practice – 2020 in China (GCP-2020), published in April 2020 by the China National Medical Products Administration (NMPA) and the National Health Committee (NHC), implementing the principles of the International Council for Harmonisation's Guideline for Good Clinical Practice and mainly governing the content of the Informed Consent Form (ICF), the reporting of Serious Adverse Events (SAEs), and the oversight by the Ethics Committee.
- The Ethical Review Measures for Life Science and Medical Research Involving Human Beings regulating the main ethical aspects of a clinical trial.
- The Rules on Sensitive Personal Information, which establish the fundamental compliance requirements for processing sensitive personal data. This includes categories such as health data and data related to race or ethnicity, which are integral components of clinical trial data.
- The Provisions to Promote and Regulate Cross-Border Data Flows, specifically oriented to the regulation of transfers of data outside China. This piece of legislation is supplemented by the Standard Contract Measures for the Export of Personal Information, as one of the transfer tools available to enable cross-border data flows, as well as by the Guidance on the Filing of Standard Contract, applied to this transfer tool.
Each of these provisions may govern a distinct aspect of the trial across its lifecycle. A thorough and methodical interpretation of these laws is essential to determine which rule prevails in any given situation. The following section delves into some of the key provisions, aiming to clarify and interpret their application in this context.
Preparing an ICF in China
The Informed Consent Form (ICF) is one of the key study documents submitted for review by the ethics committee (EC) and the competent regulatory authorities. In China, the National Medical Products Administration (NMPA) oversees clinical trial applications, while approval from the EC is mandatory before the sponsor can initiate the trial.
The EC's review focuses primarily on upholding the dignity, rights, and safety of research participants. Additionally, the Ethical Review Measures emphasise that protecting the privacy and personal information of study participants is a critical aspect of the EC's evaluation.
To address these requirements, the ICF includes a dedicated section on the confidentiality of study data. This section must meet certain minimum content standards to ensure compliance with applicable laws and guidelines.
Minimum Content of the Data Protection Section in the ICF based on the GCP-2020
- Extent of confidentiality: According to GCP-2020, this section should clarify the confidentiality of participants’ clinical trial records. It must explain that, where necessary, entities such as the sponsor, the EC, regulatory authorities, and inspectors may access participants’ original medical records to verify trial data and processes.
- Scope and method of data use: The ICF should describe how research data and participants' personal data will be used, including any plans for data sharing or secondary use.
- Confidentiality assurance: It must include a statement confirming that records containing identifiable information will not be publicly disclosed. Additionally, if clinical trial results are released, participants’ identifying details should remain confidential.
Supplementary Requirements Under PIPL
The Personal Information Protection Law (PIPL) introduces additional requirements for the data protection section of the Informed Consent Form (ICF). Under PIPL, the entity processing personal data, defined as the “data processor” (equivalent to the EU’s data controller), is primarily responsible for compliance. In clinical trials, it is the sponsor who typically assumes this role. In addition, the PIPL uses the term “personal information” instead of “personal data,” and this terminology will be adopted throughout this article.
According to Article 17 of PIPL, the ICF must inform study participants of the following:
- Name and contact information of the data processor: The sponsor must provide their name, address and how participants can reach them.
- Purpose, method, and retention period: The purpose for processing personal information, the methods used, the types of data collected, and the retention period must be clearly stated.
- Rights and procedures for their exercise: Participants must be informed of the methods and procedures to exercise their rights under PIPL.
Requirements Relating to the Processing of Sensitive Information
Moreover, especially when it comes to the processing of sensitive information (such as health data), the PIPL requires the data processor to provide information to affected data subjects on:
- The necessity of processing the specific categories of information.
- The way this processing is expected to impact the individuals’ rights and interests (risks of processing).
Requirements Relating to the use of Third Parties
When third parties are involved in data processing, such as CROs, auditors, data hosting service providers and other types of vendors, the sponsor must disclose:
- The name and contact information of the third party.
- The purpose, method, and types of personal information processed by the third party.
It is also worth mentioning that a separate consent must be obtained from participants for the involvement in the data processing activities of any third party other than the data processor or those belonging to the same entity as the data processor.
Data Subjects Rights
What about the rights of the data subjects in relation to the data processing? As stated above, participants in clinical trials should be informed of the data protection rights at their disposal, which are listed in different articles (44-50 and 15) of PIPL. More specifically, study participants, as data subjects, should be informed of their:
- right to restrict or refuse others from processing their personal data;
- right to access their personal data;
- right to transfer their personal data in the possession of a specific processor to another processor;
- right to rectify their information;
- right to request that the processor explain to them the conditions and rules of the data processing;
- right to deletion of their personal data;
- right to withdraw their consent to the data processing, without the withdrawal affecting the validity of the processing carried out prior to the withdrawal.
It could be concluded that PIPL equips study participants with a variety of rights to ensure they are in control of their own information. Conversely, the strengthening of individual rights requires controllers to establish proper mechanisms for exercising these rights and maintain a clear overview of all data processing activities during the clinical trial to effectively respond to data subjects' requests.
Required Disclosures for Data Transfers
Finally, additional sets of information should be provided that specifically address transfers of personal information outside China. More specifically, whenever a sponsor, acting as the data processor, decides to transfer personal information of study participants outside China, they should inform the affected individuals of:
- The name and contact information of the foreign recipient entity.
- The purpose of transferring the data.
- The method of transferring.
- The types of personal information transferred.
In addition to providing the above categories of information, the sponsor is required to obtain the study participant’s separate consent for the transfer when the data processing is based on the participant’s consent, which will always be the case for clinical trials in China.
Further analysis of the data transfer regime in China is provided in a later section below, but it should be kept in mind that its requirements will apply each time a clinical trial sponsor is not an entity established in China. This is because data initially collected in China will be transferred (even in a pseudonymised form) to the clinical trial sponsor so that it can conduct research analysis and meet its pharmacovigilance obligations. In these cases, complying with the requirements for data transfers, including providing the necessary information to data subjects (the study participants), is unavoidable.
Legal Grounds for Processing Personal Data
The appropriate legal basis for processing study participants’ personal information in China is their consent. While PIPL allows for other legal bases to process general personal information (Article 13 PIPL), consent remains the most suitable basis given the purposes of a clinical trial (scientific research) and the requirements of the law. Furthermore, for the processing of sensitive personal information, consent is the only permissible legal basis under Article 29 PIPL.
Statement of consent
Considering the above, the consent statement in the ICF document should not only request the potential study participant's consent to participate in the study but also obtain their explicit consent for:
- The processing of their personal information, including sensitive personal information.
- The involvement of third-party service providers in data processing activities.
- The transfer of their personal information outside China, when consent serves as the legal basis for the processing.
Cross-Border Transfer of Personal Information from China
Deciding to conduct all or part of a clinical trial in China—by collecting patient information there for further analysis—necessitates identifying an appropriate mechanism to legitimize the transfer of this information, including sensitive data, to locations outside China, such as the Sponsor’s headquarters, the Sponsor’s vendors, or foreign regulatory authorities.
China’s legal framework for transferring personal data overseas is notably stricter than its EU counterpart, as it imposes specific administrative requirements, the compliance with which is unavoidable for ensuring lawful data transfers.
To begin with, the sponsor, as the data processor, must select one of the transfer mechanisms provided under Article 38 of PIPL to legitimise the transfer of personal information outside China:
- Passing the security assessment organised by the Cyberspace Administration of China (CAC).
- Obtaining certification for personal data protection in accordance with CAC provisions.
- Entering into a contract with the overseas recipient using the Standard Contract formulated by the CAC, which outlines the rights and obligations of both parties.
- Following other conditions stipulated by sectoral laws, administrative regulations, or directives from national cyberspace administration departments.
- Relying on international treaties or agreements that permit data transfers to foreign recipients.
Regardless of the chosen transfer mechanism, the sponsor is required to provide affected data subjects—individuals whose personal information is being processed—with detailed information about the transfer of their data outside China, as discussed in the ICF analysis section of this article.
When the destination country is not covered by an international treaty allowing data transfers from China, the Standard Contract formulated by the CAC is often the most practical mechanism for foreign entities. The latest version of the Standard Contract and the accompanying Measures for the Standard Contract were issued by the CAC in February 2023. Additionally, the CAC has provided a Guidance on Filing for the Standard Contract for Outbound Cross-Border Transfer of Personal Information, which assists organisations in complying with filing requirements.
The Measures for the Standard Contract and the Guidance on Filing outline criteria for using the Standard Contract to legitimise outbound personal information transfers. A personal information processor may use the Standard Contract if the following conditions are met:
- The processor is not a critical information infrastructure operator.
- The processor has handled the personal information of fewer than 1 million individuals.
- Fewer than 100,000 individuals’ personal information has been transferred overseas since January 1 of the previous year.
- Fewer than 10,000 individuals’ sensitive personal information has been transferred overseas since January 1 of the previous year.
If any of these criteria are not met, the processor must use an alternative transfer mechanism under PIPL.
While the Standard Contract's terms are fixed, processors and overseas recipients may agree on additional terms that do not conflict with the standard provisions. The contract includes key elements such as:
- Basic information of the processor and recipient (e.g., names, addresses, contact details).
- Details of the personal information transfer (e.g., purpose, sensitivity, volume, retention period).
- Responsibilities and obligations of both parties, including technical and managerial safeguards.
- Impact of the recipient country’s laws on compliance with the contract.
- Rights of data subjects and mechanisms to protect those rights.
- Terms for remedies, liability, termination, and dispute resolution.
Personal Information Protection Impact Assessment (PIPIA)
Before transferring personal information overseas, a processor must complete a PIPIA and submit the report, along with the Standard Contract and required materials, to the CAC within 10 working days of the contract's effective date.
The PIPIA evaluates:
- The legality, legitimacy, and necessity of the data processing.
- Scope, type, and sensitivity of the data, and associated risks to personal information rights.
- Adequacy of the recipient’s technical and management measures for data protection.
- Risks of data tampering, loss, or misuse, and the availability of mechanisms for protecting data subjects’ rights.
- Impact of the recipient country’s laws on fulfilling the Standard Contract.
The PIPIA must be completed within three months prior to the filing date and remain valid without material changes up to that date.
Filing Process and Outcomes
The provincial CAC reviews the filing within 15 working days and notifies the processor of the outcome, which may be "Pass" or "Fail." Unlike standard procedural filings, the CAC may perform a substantive review, potentially rejecting filings. However, the Measures specify that an outbound transfer may proceed once the Standard Contract is effective, regardless of filing status.
If the filing fails, the processor will be notified of the reasons and may resubmit additional materials within 10 working days. To avoid rejection, companies should conduct a thorough PIPIA and proactively address compliance gaps.
China’s Standard Contract: More Than a Template
Considering the above, it is evident that while the Standard Contract mechanism in China facilitates personal information processors by providing a compliant template for agreements with overseas recipients—similar to the Standard Contractual Clauses in the EU—relying solely on the template is insufficient. China’s legislation takes a more proactive and scrupulous approach to data transfers compared to the EU framework.
Personal information processors are required to conduct a comprehensive risk assessment before initiating a data transfer, identifying and addressing any compliance gaps in data security and management. Additionally, they must fulfill strict administrative obligations, including filing their data protection documentation within tight deadlines.
The CAC does not treat this filing process as a mere formality; instead, it performs a substantive review of the submitted documentation, ensuring compliance with China’s robust data protection standards.
Other obligations
Principles for the processing of personal information
In addition to the specific issues discussed above—such as the information to be provided to patients, the legal basis for processing, and data transfers—a Sponsor conducting a clinical trial in China must first address the fundamentals: what are the core principles of personal information processing that must be followed?
These principles, outlined in the PIPL, closely align with those under the GDPR and mandate that processing should:
- Be conducted in accordance with the principles of legality, legitimacy, necessity, and good faith.
- Be guided by a definite and reasonable purpose, with personal information collection limited to the minimum scope necessary for the stated purpose. Excessive data collection is strictly prohibited. Furthermore, processing must minimize the impact on individuals’ rights and interests.
- Adhere to the principles of openness and transparency, ensuring affected individuals are sufficiently informed of the processing rules. The purpose, method, and scope of processing must be explicitly disclosed.
- Guarantee the quality of personal information to avoid adverse effects on personal rights and interests caused by inaccurate and incomplete personal information.
- Ensure the security of the personal information.
All the above principles should guide the design of the clinical trial alongside scientific considerations. For example, they should inform decisions on the specific categories of personal and sensitive personal information that are strictly necessary to collect and process to effectively achieve the study's scientific and pharmacovigilance objectives.
Data reuse
An important consideration is the potential to reuse data collected during a clinical trial for future research on medical conditions that may be similar to or different from those addressed in the original trial.
Since there is no explicit provision under the law regarding the compatibility of further processing purposes (purposes different from those for which the personal information was initially collected) or a scientific research exception, and given that consent is the legal basis for the initial processing, it follows that separate consent must be obtained for any future reuse of patients’ data for research purposes.
This separate consent must meet the requirements for valid consent, meaning it must be informed, explicit, and easily revocable. In practice, if the sponsor intends to reuse data for future research, they should include as much relevant information as possible in the original ICF. This information should align with the requirements discussed in this article, particularly regarding the future research purpose.
While it may be challenging to provide precise details about the exact purpose of future processing or the specific third parties that will access the data, the sponsor should at least define categories of information. For example:
- Categories of third parties: the sponsor’s vendors, regulatory authorities.
- Category of purpose: future scientific research on the efficacy of a substance.
This approach is crucial, as the pseudonymised nature of the data available to the sponsor makes it practically difficult to re-contact trial participants to seek separate consent for future research. By proactively including these details in the original ICF, sponsors can better address compliance requirements while enabling the lawful reuse of data for advancing scientific research.
Appointment of a Data Protection Representative (DPR)
Finally, it is important to note that foreign Sponsors are required to appoint a Data Protection Representative (DPR) located within the territory of China. The DPR will be responsible for handling matters related to personal information protection within China. Additionally, the Sponsor must report the representative’s contact information to the CAC.
Conclusion
In China, the legal framework for protecting the personal information of clinical trial participants is dispersed across multiple regulations. While many aspects, such as principles for data processing, consent requirements, and information disclosure, align closely with the GDPR, China’s approach is notably stricter in certain areas. In particular, its provisions governing data transfers impose significant administrative burdens that must be carefully evaluated and addressed before initiating a trial.