China’s first cyber security law came into effect in June, but some pharma companies do not realize they need to comply.
June 2017 saw a new cyber security law come into force in China. However, some companies may not be aware of the new law and therefore may not be complying with its requirements, according to the law firm CMS.
The new law has a broad coverage and applies to all industries and sectors. Pharmaceutical companies are likely to be subject to requirements governing the collection, processing, storage, cross-border transfer and use of personal and other important data, CMS told the Pink Sheet.
“With the rapid development of the digital health industry, more traditional pharma companies have expanded their business and started to become an online service operator or a manufacturer of connected medical devices. As such, more complex regulatory requirements will apply,” said the law firm.
However, CMS observes that “some traditional pharma companies do not pay sufficient attention to or even realize that they have fallen into the regulatory regime governing digital businesses, including the Cybersecurity Law and a series of administrative licensing requirements.”
Consequences for failing to comply can be heavy and companies could even see their business licenses revoked. In less serious cases, warnings or fines can be issued. “Failing to comply might also have [a] negative effect on a company's daily operation and reputation.”
Companies that are not familiar with China’s cybersecurity regulatory regime should undertake a cybersecurity compliance audit, CMS advises. Then, with the help of legal and technical experts, they can work out how to improve their compliance status.
CMS further advises companies to pay attention to how different authorities will formulate and implement different rules and standards within their jurisdictions to guide application of the new law.
What The Law Says
The new law has a broad reach and applies to the establishment, operation, maintenance and usage of networks and to the supervision and management of network security within mainland China. It focuses on three main aspects: the protection of personal information; the manufacturing and use of safe and controllable network products; and the security of network operation and online service provision, clarifies CMS.
Some legal requirements governing the security of network operations, online service provision, the quality of network products and the protection of personal information were previously in place, says CMS. The new law puts new emphasis on these requirements from a cybersecurity perspective and also introduces new obligations concerning critical information infrastructure, the cross-border transfer of data, and security assessments and examinations for network products.
CMS points out that the law sets out a number of compliance requirements. These include:
- formulating internal cybersecurity management policies and procedures;
- assigning qualified staff to be in charge of cybersecurity matters;
- taking the necessary technical measures to protect operational security, and manufacturing and using safe and controllable products; and
- complying with certain obligations when collecting, processing and using personal information.
The law also guarantees “cyber sovereignty,” which, as CMS explains, means that China can independently choose its own cyber development path and its own model of regulation. Nevertheless, with its new law, China “has no intention to provide unfair treatment to foreign operators,” says CMS. “China will work together with the international community to uphold cyber sovereignty, promote fair and equitable global internet governance and bring about a more open, inclusive and secure cyberspace.”
From the editors of Scrip Regulatory Affairs