It is not easy to navigate through the labyrinth of China’s legal instruments of variable legal status that bear on the sharing of genomic data. Identifying major regulatory frameworks that address divergent policy concerns can serve as a compass to relevant instruments, and help to understand the fast-changing governance approaches to genomic and health data in China. The frameworks can be analytically divided into three, each stemming from a different perception of the nature of genomic data and its political and/or social implications (see Fig. 1).
Administrative licensing concerning human genetic resources
Administrative licensing is the first and foremost phase for genomic data to be legally transferred overseas. The licensing framework treats genetic materials as unique resources for the nation’s collective good and places them under stringent state control, which can be regarded as a “genetic exceptionalism” model (Joly et al. 2017).Footnote 1 According to the foundational instrument, Interim Measures of Human Genetic Resources (PRC 1998a) (Interim Measures hereafter), human genetic resources refer to genetic materials, such as human tissues, cells, blood specimens, preparations, or recombinant DNA constructs that contain the human genome, genes or gene products, and information concerning such materials (emphasis added by the authors),Footnote 2 thus encompassing genomic data [Art. 2]. The collection, storage, and export of human genetic resources are all subject to the government’s prior approval and the standing oversight by the China Administration of Human Genetic Resources (CAHGR) [Arts. 4 & 7], which is under the joint supervision of the Ministry of Science & Technology (MOST) and the Ministry of Health (MOH). With the Administrative Licensing Law coming into force in 2004, examination and approval have been undertaken through the administrative licensing process (PRC 2003). Figure 2 illustrates the process for cross-border sharing of genetic samples and data.
The Interim Measures stipulates that domestic R&D institutions enjoy the exclusive possession right over information about human genetic resources, in particular data concerning important pedigrees and genetic resources in specified regions [Art. 17]. It forbids the extraterritorial provision of such information and resources without authorization. The only lawful means for an overseas entity to access genomic data is through an international collaboration project with a Chinese institution, which should further apply for approvals from both the authority that governs the institution and the CAHGR [Art.11]. Apart from the consent requirements (to be discussed later), the conditions for approval stress that the ownership of intellectual property should be clear and the sharing of benefits reasonable and that the overseas collaborator should have relatively strong research and development capacity and advantages [Arts. 12 & 13].
In view of the brevity of the Interim Measures, the MOST drafted a more comprehensive Regulation on Human Genetic Resources (draft HGR Regulation hereafter) in 2012 (Legislative Affairs Office of the State Council 2012). 4 years later, the State Council released a revised draft for public comment (Legislative Affairs Office of the State Council 2016). Licensing under the 2016 draft HGR Regulation does not apply to the handling of genetic resources for clinical diagnosis, and focuses on R&D activities of overseas entities or domestic institutions with overseas investments. In addition to conditions provided under the Interim Measures, applicants are required to justify the reasonableness in engaging in international collaboration and export of genetic resources [Art. 17(3)]. Most importantly, the collaboration and/or export will be rejected when they “may jeopardize national security, national interests or public security” [Art. 19 (7)]. As the regulation is still pending, the MOST has incorporated most requirements of the draft into a new “Licensing Guide” that refines the licensing conditions, which took effect on October 1, 2015 (MOST 2015).
This robust state control is mainly grounded on biosecurity considerations and the desire for national competitiveness. Anxiety over bio-piracy was triggered by media coverage of the Anhui incident in 1997. Two occupational epidemiologists affiliated with Harvard University collected blood samples for a genetic project from over 16,000 Chinese peasants in Anhui Province without appropriate informed consent, and were subsequently disciplined by the university (Lawler 2002; Chen et al. 2015). Prominent Chinese scientists, in particular Chinese geneticists, called for the government to undertake actions to protect the nation’s genetic resources against foreign exploitation (Fu 2018; Zhang and Zheng 2017). The enactment of the Interim Measures was a prompt response.
The 2016 draft HGR Regulation further declares “safeguarding national security” as one of its legislative purposes, with biosecurity as a core element of national security. It also emphasizes equality and mutual benefits in international collaboration. According to the MOST, domestic genetic materials concerning ethnic groups, pedigrees, and typical diseases are strategic resources for life science as well as biomedical technologies and industries, and having control over these materials will significantly contribute to a country’s position among the stiff international competition in those areas (MOST 2016). The draft Regulation further specifies that overseas collaborators shall ensure that Chinese collaborators have substantially participated in the R&D activities [Art. 16]. This move may relate to the authority’s concern over the practices in recent years that domestic researchers play a marginal role in publishing findings that are based on Chinese genomic data shared with overseas collaborators (Yuan 2017). Echoing the repeated warning against illegal seizures of genetic resources by foreign entities, the drafters identify in particular cross-border data transfer as a new and covert means of seizure. This position is in a distinctive contrast with international consensus on the imperative of genomic data sharing, as recognized under the Bermuda Principles (HUGO 1996), the Fort Lauderdale Agreement (2003), and initiatives of building interoperable rules of sharing, such as the Framework for Responsible Sharing of Genomic and Health-Related Data of the Global Alliance for Genomics & Health (GA4GH 2014).
Based on the same rationale, the MOST launched nationwide audit campaigns in 2011 and 2013 to identify sino-overseas projects that are unauthorized or uncompliant with state policies (Feng and Huang 2018). According to the number released by the CAHGR, more than 100 transnational projects involving human genetic resources have been approved in 2017 alone. The frequency of the license approval has shifted from a quarterly to semimonthly basis resulting from an attempt to meet the voluminous projects awaiting administrative approval (MOST 2018). While supporting international collaboration, the CAHGR has statutory power to revoke approved licenses. It is noteworthy that in February 2018, the CAHGR revoked the licenses granted to two high-profile collaborative projects, which concern the Comparative Genetic Study of Psychosis in Han Chinese (between UCLA and Shanghai Jiaotong University) and the Genetic Foundation of Depression in Chinese Women (between Oxford University and Peking University), respectively, and confiscated the exported genomic data (CAHGR 2018). The revocation was made pursuant to the Administrative License Law, but no specific reasons were disclosed in the formal decision.
Health data governance
While genomic data are part of human genetic resources amenable to research, it can also be generated during the provision of health care and hence become health data, falling under the jurisdiction of health authorities. Legal instruments in this jurisdiction are mainly oriented towards protecting interests of the individuals, such as ensuring good clinical care, respecting participants’ autonomy and preserving privacy. The individual-centric values are typically embodied in the Measures on the Ethical Review of Biomedical Research Involving Human Subjects (ERB Measures hereafter) (MOH 2016).Footnote 3 However, there are also instruments inspired by the need to build up state competitiveness, such as strengthening scientific research and facilitating the medical industry’s growth. The values of collective good are emphasized by the Measures on Population Health Information (PHI Measures hereafter) (MOH 2014)Footnote 4 and the Guiding Opinions on Promoting and Regulating the Application of Big Medical and Health Data (General Office of State Council 2016).
The PHI Measures is currently the general instrument that regulates the collection, management and use of “population health information”, which refers to information generated during healthcare services by health institutions, covering both population-level summary data and individual-level identifiable data [Arts. 3 & 15]. While facilitating the nationwide connectivity and interagency/inter-institutional sharing of population health information, it categorically prohibits the storing of such information in overseas servers [Art. 10]. This provision affects the means of genomic data sharing according to a compartmentalization of the data generator. Genomic data generated by health institutions (e.g., hospitals, clinical test labs, and disease control centers) are not allowed to be stored in overseas institutions or transferred to a cloud-computing environment that is not based in China and that serves many international biobanks or research consortia, but can only be accessed from Chinese servers subject to the technical and policy control of individual health institutions. For genomic data generated by entities other than health institutions (e.g., research institutions, biobanks not affiliated with hospitals, and providers of direct-to-customer services), it may be transferred across the border if the CAHGR so approves.
Personal data governance concerning privacy and cybersecurity
Insofar as genomic data contains personally identifiable data (including reversibly de-identified data), it is subject to a variety of legal instruments over the processing of personal data, whose policy goals include, most importantly, safeguarding privacy and cybersecurity. Due to the lack of a general law for personal data protection as well as a common statutory definition of privacy, sectoral instruments offer remedies to data privacy that depend on and differ between contexts (e.g., consumer data and telecommunication data). The obscure border of data privacy has hindered the regime of freedom of information which could otherwise enable re-use of government information for social progress (Chen 2015). The incoherence in privacy often leaves data users uncertain about the scope and manner of lawful data sharing. Major instruments that affect genomic data processing will be further analyzed in “Privacy”.
In addition, lawmakers have recently tended to associate data protection with “cybersecurity” which emerges as an overriding state concern. Enacted in 2016, the Cybersecurity Law is now the highest level instrument that governs data transmitted and processed online. Apart from incorporating important guarantees of data privacy, the law emphasizes “cyberspace sovereignty” and national security, imposing on data users comprehensive obligations with respect to network operation and control of data content (PRC 2016). Article 37 has a particularly significant impact on the transfer of genomic data. It prohibits “personal information or important data collected and generated within China by critical information infrastructure operators” (emphasis added by the authors) from being stored overseas. Where necessity exists in providing such data to overseas parties, domestic operators shall undergo security assessment in accordance with the rules formulated by the Cyberspace Administration of China (CAC) and relevant departments of the State Council. As the rules are currently pending before the State Council, it remains unclear as to whether genomic data stewards inside China fall within the scope of “critical infrastructure operator” and what security assessment measures they should comply with (Livingston and Greenleaf 2017). Overall, the Cybersecurity Law strengthens the restriction over cross-border genomic data sharing, and its state-centric policy goals echo those underpinning the “genetic exceptionalism” licensing framework.
With the major types of regulation unravelled, the following sections review the regulatory approaches pertaining to the specific dimensions of genomic data sharing.