Strategic Compliance: Navigating HGR and Data Risks in China Life Sciences Transactions

For multinational companies and biotech companies engaging in “in-licensing” transactions with Chinese partners, the transfer of biological samples and clinical trial data is more than just a technical necessity, it is the deal’s most regulated bottleneck. It is important to understand China’s oversight on Human Genetic Resources and Personal Information, which creates significant compliance burdens that directly impact clinical and commercial timelines for foreign licensees.

MAY 2026 NHC CONSULTATION DRAFT SIGNALS MAJOR REGULATORY RELIEF

On May 8, 2026, the National Health Commission (NHC) released a public consultation draft for updated Implementation Rules of Administrative Regulations on Human Genetic Resources (the 2026 Draft), with a comment deadline of June 7, 2026. Contrary to initial expectations of tightening regulations, this draft signals a highly favorable, pragmatic shift toward bifurcated regulatory oversight, offering significant relief for many cross-border life sciences transactions.

The 2026 Draft proposes three major relaxations that directly impact deal structuring. First, it significantly narrows the definition of a “foreign party.” The new definition is limited to entities where foreign organizations or individuals hold 50% or more of the equity or voting rights. This completely removes the previous “actual control” test, meaning many Chinese biotech companies operating under Variable Interest Entity (VIE) structures may no longer be classified as “foreign parties” subject to strict Human Genetics Resources (HGR) restrictions.

Second, the 2026 Draft explicitly narrows the scope of HGR Information. It now explicitly excludes pure clinical data, imaging data, protein data, and metabolic data, focusing strictly on nucleic acid sequence data (such as genomic and transcriptomic data). This provides immense relief for standard clinical trials that do not involve genetic sequencing, effectively separating them from the burdensome HGR regulatory track.

Third, the 2026 Draft introduces a new fast-track provision for international collaborative clinical trials that do not involve the export of HGR information, mandating that the NHC confirm the filing on the same or next working day.

The 2026 Draft also appears to remove the explicit requirement for a separate “security review” for sensitive HGR data (previously required under Article 37 of the 2023 Implementation Rules for important genetic families, specific geographic regions, or large-scale sequencing involving more than 500 cases), removing a major previous hurdle.

KEY CHANGES: 2023 RULES VS. 2026 DRAFT

HUMAN GENETIC RESOURCES: PHYSICAL SAMPLES AND GENOMIC DATA

The management of HGR is governed by the Administrative Regulations on Human Genetic Resources (amended in 2024, the HGR Regulations) and the Implementation Rules (effective July 1, 2023). Since 2023, primary oversight has shifted from the Ministry of Science and Technology to the NHC.

Scope and Designation

China’s HGR framework covers both HGR Materials (organs, tissues, cells containing genetic material) and HGR Information (data generated from such materials, such as genomic or sequencing data).[1]

The regime applies strict scrutiny to “foreign parties.” Under the current 2023 Implementation Rules, this includes foreign organizations and individuals as well as Chinese entities effectively controlled by offshore interests (e.g., via VIE structures).[2]

However, as discussed above, the 2026 Draft proposes to narrow this definition significantly to a bright-line 50% equity/voting rights test. If adopted, this would represent a fundamental shift in the compliance landscape for VIE-structured entities.

Foreign parties are prohibited from collecting or preserving Chinese HGR independently and must operate through international cooperation with a Chinese partner.[3]

Challenge of Mandatory Joint IP

Article 24 of the HGR Regulations is often the most difficult hurdle in cross-border licensing as it imposes mandatory co-ownership of intellectual property (IP). Patents arising from international cooperation involving Chinese HGR must be filed jointly and owned by both the Chinese and foreign parties.[4]

The Chinese partner must participate substantially in the research, and all records and data must be open to them and backed up locally. To reconcile “joint ownership” with the need for global exclusivity, parties must adopt contractual strategies enabling foreign entities to maintain operational and commercial control over the IP.

Specifically, while the patent is jointly owned, the Chinese licensor should grant an exclusive, worldwide, and irrevocable license of its share back to the foreign licensee (Exclusive Grant-back Mechanisms). Parties should also carefully distinguish between Arising IP (directly utilizing Chinese HGR) and Independent IP (generated offshore using de-identified data) to limit the scope of co-ownership (Segmented IP Definitions).

For example, a well-drafted term sheet might define “Arising IP” narrowly as patents claiming inventions that directly incorporate Chinese HGR sequence data, while “Independent IP” would cover all downstream formulation, manufacturing processes, and delivery system innovations developed outside China. The contract should also delegate the sole right to manage patent filing, prosecution, and maintenance to the foreign party to ensure global consistency (Centralized Prosecution Control).

Structuring Data Transfers: When to File vs. License

Outbound movement of HGR triggers specific regulatory pathways. For HGR Materials, export requires prior administrative approval. For HGR Information, providing or opening access to a foreign party generally requires a pre-reporting/filing with the NHC.[5]

A streamlined filing is available for clinical trials aimed at drug marketing in China that do not involve the export of physical materials.[6]

Notably, the 2026 Draft introduces a same-day or next-working-day confirmation for such clinical trial filings, dramatically reducing the administrative timeline. It is crucial for parties to align their collaboration agreements with these regulatory filings to ensure that IP and data access rights are enforceable under Chinese law.

PERSONAL INFORMATION EXPORT: VOLUME-BASED THRESHOLDS

HGR compliance does not substitute for personal information (PI) or data-export compliance. China’s data governance framework rests on the Personal Information Protection Law (PIPL), Data Security Law, Cybersecurity Law, and implementing rules issued by the Cyberspace Administration of China (CAC), including the 2024 Provisions on Promoting and Regulating Cross-Border Data Flow (the CAC Provisions).

The PIPL applies wherever a dataset contains identified or identifiable PI. In practice, clinical health data and genetic information are classified as sensitive personal information (Sensitive PI). It is important to note that the use of “subject identification codes” under Good Clinical Practice (GCP) rules means the data is merely de-identified, not fully anonymized.

Under the GCP framework, clinical trial institutions assign each subject a unique identification code that replaces the subject’s name in all trial-related data and adverse event reports. While this code alone does not directly identify the subject, the clinical trial institution retains the “subject identification code table” linking codes to real identities. Because re-identification remains possible through this table, the data is de-identified rather than anonymized, and therefore remains regulated as PI under Chinese law.

Furthermore, under Chinese practice, the trial sponsor and the clinical trial institution are often viewed as joint controllers of the subject’s personal information, which complicates data export mechanisms. Both parties share responsibility for PIPL compliance, and the data export pathway must account for this joint controllership when structuring cross-border data flows.

Under current CAC rules, volume determines the outbound-transfer mechanism for PI, but it does not exhaust the analysis. Important data, Critical Information Infrastructure Operator (CIIO) status, sectoral requirements, data-security obligations, notice, separate consent, and PI protection impact assessment obligations must be analyzed independently.

The CAC Provisions also clarify that if data has not been notified or publicly released by relevant authorities or regions as important data, the data handler does not need to declare a data export security assessment on the basis that the data is important data.[7]

Security Assessment Track (High-Volume or Important Data)

A CAC security assessment is required if any of the following applies:

• Important Data: The exporter provides “important data” overseas, unless an exemption or free-trade-zone negative-list rule applies. In the life sciences sector, important data should not be assumed solely because the data relates to health; the analysis should track any applicable catalog, regulator notice, local rule, or negative list.
• CIIO Status: A Critical Information Infrastructure Operator provides PI or important data overseas. Public hospitals, major health platforms, or other entities in critical sectors may require a separate CIIO analysis.
• PI Volume Threshold: A non-CIIO data handler has, since January 1 of the current year, cumulatively provided overseas PI of at least one million individuals (excluding Sensitive PI) or cumulatively provided overseas Sensitive PI of at least 10,000 individuals. Clinical health data and genetic information are generally Sensitive PI.[8]

When the security assessment track applies, the compliance burden is materially higher. The assessment focuses on the legality, legitimacy, and necessity of the transfer; the risks to national security, public interests, and individual rights; and the adequacy of the overseas recipient’s obligations and safeguards.

The exporter should expect to provide evidence of data classification, technical and organizational safeguards, incident response, access control, encryption, audit logs, and network-security compliance. Multi-Level Protection Scheme (MLPS) classification and filing materials may be relevant, particularly for higher-risk systems, but MLPS certification is not a universal statutory prerequisite for every data export security assessment; rather, it constitutes an overarching cybersecurity compliance obligation for enterprises maintaining server infrastructure within China.

Deal timetables should not assume immediate data flow upon signing as practical preparation, completeness review, supplementation, and interagency coordination can cause the process to take several months.

Filing Track (Medium-Volume Data)

For a non-CIIO exporter that is below the CAC security assessment thresholds but since January 1 of the current year has cumulatively provided overseas PI of 100,000 or more but fewer than one million individuals, or Sensitive PI of fewer than 10,000 individuals, the exporter must choose one of the following pathways to legalize the transfer, unless an exemption applies:

• CAC Standard Contract: Execute the official standard contract with the foreign recipient, conduct a Personal Information Protection Impact Assessment (PIPIA), and file both with the provincial CAC within 10 working days of the contract’s effective date.[9]
• PI Export Certification: Obtain a PI protection certification from a professional institution recognized by the CAC.[10]

Low-Volume and Exempt Transfers

Under the 2024 CAC provisions, a non-CIIO data handler that has, since January 1 of the current year, provided overseas PI of fewer than 100,000 individuals (excluding Sensitive PI) is exempt from the security assessment, standard contract, and certification mechanisms, provided that the data does not include important data and no other special rule applies.

This exemption does not waive core PIPL obligations such as notice, separate consent where required, PIPIA, purpose limitation, data minimization, retention controls, and security safeguards.

PI Transfer Compliance Matrix

Dual-Jurisdiction Context: US DOJ Bulk Data Rule

While navigating China’s data export rules, multinational companies must also be acutely aware of US restrictions. The US Department of Justice’s Bulk Data Rule, effective April 8, 2025, implements Executive Order 14117 and places strict controls on the transfer of bulk sensitive personal data (including human genomic data and personal health data) to countries of concern, including China.

Transactions must be structured to comply with both China’s outbound transfer restrictions and the US Justice Department’s inbound/outbound bulk data prohibitions, requiring a coordinated dual-jurisdiction compliance strategy.

KEY COMPLIANCE SUMMARY

Before evaluating specific transfer pathways, it is essential to distinguish between the two primary regulatory regimes governing clinical assets in China. While they often overlap (particularly regarding genomic data), they are overseen by different authorities and triggered by different criteria.

STRATEGIC RECOMMENDATIONS FOR MULTINATIONAL COMPANIES

To successfully navigate the dual oversight of the NHC and CAC when licensing assets from Chinese partners, companies should adopt the following strategies.

Perform “Dual-Track” Audits. Conduct “look-through” audits of Chinese subsidiaries to confirm “foreign party” status under the new 50% equity threshold proposed in the 2026 Draft, while simultaneously tracking cumulative PI volumes to anticipate when CAC thresholds will be triggered.

Harmonize Agreements with Filings. Ensure that collaboration agreements are strictly aligned with HGR and PI regulatory filings. Discrepancies between the private contract and the administrative filing can render IP and data access rights unenforceable under Chinese law.

Secure IP via Contractual Architecture. To reconcile mandatory HGR co-ownership with global exclusivity, explicitly include “grant-back” licenses (exclusive, worldwide, and irrevocable) and “prosecution control” clauses in the initial Term Sheet. Carefully segment “Arising IP” from “Independent IP” to limit the scope of mandatory Chinese co-ownership.

Implement Data Localization and De-identification. Utilize robust de-identification for genomic data to lower the risk profile during NHC/CAC reviews. For high-volume data, consider Secure Data Rooms or Trusted Execution Environments within China to allow analysis without the data technically “leaving” the jurisdiction.

Build “Regulatory Buffers” into Timelines. Factor a strategic buffer into clinical and commercial milestones to accommodate the overlapping administrative cycles of the NHC and CAC.

Obtain “Separate Consent” Early. Ensure clinical trial protocols and informed consent forms specifically include “separate consent” for outbound data transfer, as required by PIPL, to avoid the need for retrospective re-consenting.

Monitor the 2026 Draft Closely. The public comment period for the 2026 Draft closes on June 7, 2026. MNCs should monitor the finalization of these rules and consider submitting comments through industry associations. If adopted as proposed, the narrowed definitions of “Foreign Party” and “HGR Information” could fundamentally reduce the compliance burden for many cross-border life science transactions.