Abstract
The globalization of the biomedical industry is closely linked to the cross-border flow of data, but the U.S.–China data regulatory conflict has exacerbated the compliance dilemma for multinational enterprises. The U.S. Executive Order 14117 builds a data blockade system against Chinese biomedical enterprises by expanding the scope of regulation, refining data standards, and restricting transaction scenarios on the grounds of national security, forming a sovereignty rivalry and technical standard conflict with China’s Data Security Law and other regulations. This study reveals the core conflict points between the two countries in data classification, encryption requirements, and jurisdictional overlap through institutional comparison and case analysis and proposes to resolve the compliance conflicts through internal governance and external adjustment. The study builds a dynamic risk assessment model and a cross-border collaboration framework to provide strategic support for enterprises to balance R&D efficiency and compliance security. The results provide new ideas for cracking the cross-border compliance barriers under the data sovereignty game, which is of practical significance for maintaining the stability of the global biomedical industry chain.
I. INTRODUCTION
The biopharmaceutical industry is highly globalized and technology-intensive, relying on efficient cross-border data flows to facilitate multinational Research and Development (R&D) collaboration, share clinical trial data, and achieve supply chain coordination. The cross-border transfer of human genetic resources and patient health data has become an essential foundation for new drug development and international multicenter clinical trials. This not only serves as a technical prerequisite for enterprises to conduct transnational operations but also represents a critical element in the restructuring of the global biopharmaceutical value chain. 1 Under international economic and trade frameworks such as the General Agreement on Trade in Services and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, the regulation of cross-border data flows has emerged as a core agenda in digital trade rule negotiations. Countries seek to balance national security imperatives with trade liberalization by implementing measures such as data localization requirements and whitelists for cross-border data transfers. 2
China and the United States are the two nations most capable of substantively shaping global digital trade rules. 3 However, as both countries continually update their legal and regulatory frameworks, regulatory fragmentation has intensified. 4 The U.S. government has systematically developed and enforced a series of data flow control measures aimed at constructing a “firewall” to prevent sensitive domestic data from flowing to foreign competitors. 5 These measures directly threaten existing R&D models in the biopharmaceutical sector, driving abrupt increases in compliance costs while exacerbating fragmentation in international medical collaboration mechanisms.
In international multicenter clinical trials, divergent compliance standards between China and the United States regarding data storage, transmission, and usage pose significant challenges. China emphasizes data localization and security protection, whereas the United States prioritizes restrictions on cross-border data transfers and privacy safeguards. Such discrepancies force enterprises to navigate complex compliance landscapes, escalating operational risks and potential cross-border legal liabilities. Violations of U.S. regulations or Chinese laws could result in severe consequences, including substantial fines, operational restrictions, and even criminal charges.
On February 28, 2024, U.S. President Joe Biden signed Executive Order 14117 (“Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”), authorizing the Department of Justice (DOJ) to establish specialized regulations preventing designated “countries of concern” and affiliated entities from acquiring sensitive U.S. citizen data and government-related information through commercial transactions. The DOJ released an Advance Notice of Proposed Rulemaking (ANPRM) on March 5, 2024, followed by a Notice of Proposed Rulemaking (NPRM) on October 21, 2024, soliciting public feedback. The final rule, titled Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, was published on December 27, 2024. Every legal framework embodies implicit assumptions about temporality, spatiality, and human agency. 6 EO 14117 seeks to prohibit or restrict U.S. entities from engaging in transactions that could enable “countries of concern” or “covered persons” to access bulk sensitive personal data of Americans or U.S. government-related data. This article analyzes EO 14117’s regulatory logic for Chinese biopharmaceutical enterprises, identifies key points of Sino–U.S. data regulation conflicts, and proposes three strategic responses—risk identification, internal–external alignment adjustments, and dynamic compliance—to assist enterprises in constructing holistic compliance frameworks encompassing data governance, operational models, and technological tools. These measures aim to address tightening international regulatory pressures while ensuring the harmonization of R&D efficiency and compliance security.
II. KEY ELEMENTS OF THE U.S. CROSS-BORDER DATA REGULATION
A. Core regulatory analysis
EO 14117 exemplifies its extraterritorial reach by designating China (including Hong Kong and Macau) as a “country of concern,” expanding regulatory oversight beyond conventional entities to include equity-linked relationships, employment affiliations, and technological collaborations. This expansion operates through three interconnected mechanisms. Geographically, the inclusion of Hong Kong and Macau disregards customary international legal standards for sovereign entities, automatically classifying biopharmaceutical enterprises registered in these regions—even those without mainland Chinese capital involvement—as China-affiliated entities. Employment affiliations further extend scrutiny to Chinese researchers accessing sensitive data categories such as human genomics or health monitoring, irrespective of their physical location in the United States or third countries. Equity control retroactivity introduces comprehensive oversight for overseas entities with cumulative direct or indirect ownership exceeding 50% by Chinese entities, including subsidiaries and grandchild companies, surpassing traditional foreign investment review thresholds in both scope and rigor.
What’s more, EO 14117 enforces stringent oversight of cross-border biopharmaceutical data flows by implementing granular data categorization and lowering regulatory thresholds. A cornerstone of this framework is the nonanonymizability of human multiomics data, which retains its classification as sensitive even when anonymized under General Data Protection Regulation (GDPR) standards, directly undermining compliance for Chinese firms in multinational clinical trials. Complementing this are diversified threshold mechanisms: Section 202.205 defines “bulk U.S. sensitive personal data” as datasets involving health or financial data for ≥10,000 U.S. individuals, or human multiomics data for ≥1,000 U.S. individuals, accumulated over 12 months. These thresholds apply irrespective of anonymization, pseudonymization, or encryption status, with oversight intensity scaling dynamically based on dataset characteristics. Further reinforcing these measures is mandatory technical isolation, which shifts regulatory focus from data transmission acts to transaction-centric controls. Activities are bifurcated into prohibited transactions (requiring special licenses) and restricted transactions (permitted under CISA-defined security protocols), effectively redefining compliance boundaries.
The order establishes a contractual firewall to constrain cross-border data activities in China’s biopharmaceutical sector. At its core lies the prohibition of data brokerage, barring U.S. persons from intermediary-facilitated transfers—such as sales, authorized access, or third-party redistribution—with “countries of concern,” absent explicit exemptions. Vendor agreements undergo heightened scrutiny, mandating Chinese teams in Sino–U.S. joint R&D projects to demonstrate “no data repatriation” through verifiable audit logs, with noncompliant partnerships subject to mandatory termination. Investment agreements are similarly constrained, requiring full disclosure of data flow pathways for Chinese investments in U.S. biotech firms. U.S. authorities retain unilateral authority to mandate divestiture of assets involving human multiomics data, effectively weaponizing contractual terms to enforce jurisdictional priorities.
B. Limitations on pharmaceutical industry exemptions
Beyond the core regulatory restrictions, EO 14117 establishes partial exemptions with specific carve-outs for the biopharmaceutical sector. Conditional exemptions for drug, biological, or medical device licensing applications or maintenance require data to meet four cumulative criteria: technical de-identification or anonymization, usage strictly confined to regulatory submissions (e.g., approvals, postmarket studies, or product safety evaluations), submission to authorized agencies such as China’s National Medical Products Administration, and demonstrable necessity for assessing product safety and efficacy. Notably, the justification for necessity hinges on rigorous proportionality analysis, where the rationale must align with evidentiary standards and regulatory objectives. Exemptions for clinical research and postmarket surveillance data apply only to Food and Drug Administration (FDA)-governed activities, including trials or approvals under the Federal Food, Drug, and Cosmetic Act (FD&C Act). While these provisions appear permissive, their practical applicability remains constrained by the FDA’s preexisting stringent privacy protections for research subjects, which already enforce robust safeguards for sensitive health data. Furthermore, EO 14117 references exemptions for transactions complying with statutory obligations or investment agreements explicitly exempted by law, such as data exchanges mandated under international frameworks like the U.S.–China Science and Technology Cooperation Agreement or Committee on Foreign Investment in the United States (CFIUS)-regulated investments. These clauses, however, remain subject to future regulatory interpretation, leaving their operational scope ambiguous.
C. High-risk scenarios in practice
Biopharmaceutical enterprises face escalating operational risks under the evolving regulatory landscape. A critical challenge emerged on April 4, 2025, when the U.S. National Institutes of Health (NIH) imposed restrictions on “countries of concern,” including China and Russia, barring access to core biomedical databases such as the Database of Genotypes and Phenotypes (dbGaP), The Cancer Genome Atlas (TCGA), and the AnVIL genomic analysis platform. These repositories house the world’s most comprehensive genomic, phenotypic, and disease research datasets, which are foundational for advancements in oncology and genetics. Concurrently, Chinese firms providing clinical data management services to U.S. clients risk violating EO 14117 if bulk health data transfers exceed regulatory thresholds, potentially triggering penalties for unauthorized data brokerage activities. Even routine corporate operations, such as U.S.-registered subsidiaries transmitting employee health records or patient feedback to Chinese headquarters, may violate cross-border restrictions, disrupting internal data governance workflows.
International research collaboration faces further complications due to conflicting jurisdictional mandates. Chinese researchers participating in multinational clinical trials must simultaneously comply with EO 14117’s U.S. data localization requirements and China’s cross-border security assessment protocols. This creates a regulatory paradox: Complying with China’s data localization requirements violates EO 14117’s mandate for U.S.-localized processing. Enterprises are thus forced into unresolvable compliance dilemmas, jeopardizing collaborative research efficiency and legal standing. For instance, data generated from U.S. participants in multinational trials cannot be freely transferred to Chinese research teams for analysis without violating either U.S. restrictions or China’s data sovereignty requirements, effectively stalling critical research workflows.
The interplay between EO 14117 and China’s data regulations exemplifies the broader geopolitical tensions reshaping global scientific collaboration. These measures not only amplify operational costs but also fragment the integrity of international research ecosystems, underscoring the urgent need for harmonized frameworks that balance security concerns with scientific progress.
III. ANALYSIS OF CHINA–U.S. DATA REGULATION CONFLICTS
A. Core requirements of China’s data governance framework
Like most nations, China has established rigorous oversight mechanisms for critical data. The regulatory framework centers on three pillars: the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Regulations on the Administration of Human Genetic Resources (HGR Regulations). These laws impose strict controls on cross-border data transfers, personal information processing, and human genetic resource management.
For cross-border data flows, China employs a multilayered regulatory approach. The PIPL mandates that data handlers ensure compliance through security assessments, standard contractual clauses, or certification mechanisms for personal information exports. Entities transferring personal data overseas must conduct risk assessments, implement safeguards (e.g., encryption, de-identification), and file declarations with authorities. The DSL requires important data—defined as information impacting national security, economic stability, or public welfare—to be stored domestically, with cross-border transfers contingent on stringent security reviews. The HGR Regulations further prohibit unauthorized exports of human genetic data, requiring prior approval from the Ministry of Science and Technology to prevent misuse of sensitive biological resources.
Enterprises bear primary responsibility under this framework. They must classify data by sensitivity, conduct pretransfer risk assessments, and deploy technical safeguards such as state-approved encryption protocols and de-identification techniques to ensure confidentiality, integrity, and availability. For example, genomic datasets must undergo anonymization exceeding GDPR standards to mitigate re-identification risks before any offshore analysis.
B. China–U.S. regulatory conflicts
The clash between Chinese data sovereignty principles and U.S. national security priorities under Executive Order (EO) 14117 manifests in three dimensions:
First, jurisdictional tensions over cross-border data flows. EO 14117 compels Chinese biopharmaceutical firms to disclose clinical trial records or genomic analyses to U.S. regulators, directly conflicting with Article 36 of China’s DSL, which prohibits exporting important data without security assessments. For instance, sharing U.S.-demanded patient health data for gene therapy trials may violate PIPL’s Article 38 on personal information exports, exposing companies to dual penalties: fines up to ¥5 million and operational suspension in China versus U.S. entity list designations and market access restrictions.
Second, irreconcilable compliance standards. EO 14117 mandates adherence to Cybersecurity and Infrastructure Security Agency (CISA) requirements—including data masking, encryption, and quarterly audits—while China’s DSL stipulates core data must use domestic cryptographic algorithms and remain stored onshore. Simultaneously, Article 28 of the HGR Regulations bars unauthorized disclosures of human genetic data to foreign entities, creating direct conflict with U.S. audit obligations. This forces enterprises to maintain parallel systems: one using CISA-approved protocols for U.S. operations and another complying with Chinese encryption standards.
Third, extraterritorial jurisdiction disputes. The U.S. designation of Hong Kong/Macau-registered, Chinese-controlled entities as “covered persons” under EO 14117 clashes with China’s assertion of absolute jurisdiction over domestic data activities under DSL Article 2. For example, a Hong Kong biotech firm’s U.S. subsidiary ordered to share parent company data could trigger China’s Anti-Foreign Sanctions Law, escalating retaliatory measures. This jurisdictional overlap imposes duplicative compliance costs, requiring enterprises to establish segregated data architectures meeting both nations’ audit criteria.
These conflicts underscore a fundamental divergence: China prioritizes data sovereignty and controlled openness under its “dual circulation” strategy, while the United States leverages EO 14117 to weaponize data governance for geopolitical containment. Resolving such tensions demands multilateral frameworks balancing security imperatives with collaborative innovation—a prospect increasingly elusive amid intensifying tech decoupling.
C. Core similarities, differences, and compliance conflicts in China–U.S. data governance
The regulatory frameworks of China and the United States exhibit structural institutional divergences in cross-border biomedical data governance while demonstrating limited convergence in their prioritization of data security. These similarities and differences can be analyzed across three dimensions.
First, shared legislative logic versus conflicting regulatory objectives. Both nations anchor their regulatory approaches on national security imperatives. China’s DSL Article 21 and Section 2(c) of U.S. Executive Order (EO) 14117 classify biomedical data as strategic security assets, with institutional parallels evident in the tiered protection mechanisms for biomedical databases established by China’s Ministry of Science and Technology and the NIH. Both systems employ sensitivity-based data classification and dynamic access controls. However, their fundamental objectives clash: China emphasizes controlled data flows under sovereignty, as exemplified by Article 10 of the Regulations on the Administration of Human Genetic Resources (HGR Regulations), which mandates dual reviews for cross-border transfers based on “technical necessity” and “national security.” In contrast, the U.S. enforces asymmetrical data containment through its “countries of concern” framework, with Section 201.104 of EO 14117 explicitly prohibiting Chinese entities from accessing biometric data identifiable to U.S. citizens, creating a unidirectional data blockade.
Second, overlapping jurisdictional claims versus exclusionary standards. While both nations classify human genomic and clinical trial data as highly sensitive—with significant alignment between NIH’s classification protocols and China’s Human Genetic Resource Information Management Guidelines—their enforcement mechanisms remain irreconcilable. For instance, China’s DSL Article 36 mandates domestic storage of critical data and security assessments for cross-border transfers, whereas EO 14117 requires U.S.-localized processing for data involving American subjects. This jurisdictional overlap creates sovereignty conflicts, as enterprises face contradictory mandates: complying with China’s security assessments for data exports violates U.S. localization requirements, and vice versa.
Third, extraterritorial enforcement and systemic incompatibility. Both jurisdictions assert extraterritorial authority, yet their technical governance paradigms reflect competing visions for digital sovereignty. 7 China’s HGR Regulations impose strict approval processes for international research collaborations involving human genetic data, while the U.S. leverages EO 14117 to restrict Chinese access to NIH-funded biomedical repositories like dbGaP and TCGA. These measures exemplify the broader struggle for dominance in shaping global data governance standards. For biopharmaceutical enterprises, reconciling these regimes necessitates costly compliance overhauls, including parallel data architectures (U.S.-compliant encryption vs. China’s domestic cryptographic algorithms) and dual auditing systems to meet conflicting reporting obligations.
The inherent contradictions stem from the geopolitical contest to control emerging technological infrastructures. As China advances its “data sovereignty” framework through laws like the DSL and the PIPL, and the U.S. weaponizes data governance via national security-driven measures like EO 14117, multinational enterprises are forced into fragmented operational models. This regulatory arms race underscores the urgent need for multilateral dialogue to harmonize standards in critical sectors like biomedicine, where data sharing remains essential for global health innovation. 8 In order to meet the dual regulatory requirements of the United States and China, biopharmaceutical companies need to revamp their compliance systems to achieve dynamic control of compliance risks (Table 1).
Table 1. Differences in Cross-Border Management Systems for Biomedical Data Between China and the United States
IV. STRATEGIC PATHWAYS FOR DATA COMPLIANCE RISK MITIGATION IN CHINA’S BIOPHARMACEUTICAL ENTERPRISES
A. Internal governance: Strengthening foundational compliance frameworks
Biopharmaceutical enterprises must align their internal compliance frameworks with the legal requirements of their primary operational jurisdictions, including China and the United States. For entities operating in China, the extraterritorial reach of the PIPL and DSL necessitates the establishment of a three-dimensional classification model for sensitive U.S.-related data. This model integrates data type (e.g., genomic data, clinical trial records), data flow (cross-border transmission nodes), and business scenarios (international R&D collaborations, commercial licensing) to enable dynamic risk stratification. For instance, cross-border genomic data-sharing projects involving thousands of samples may trigger compliance review committee interventions based on predefined risk thresholds.
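The following is an added illustration, not code from the article, of how a data governance team could operationalize two points made above: the bulk-data thresholds the article attributes to Section 202.205 (≥10,000 U.S. individuals for health or financial data, ≥1,000 for human multiomics data, accumulated over 12 months, regardless of pseudonymization), and the three-dimensional classification model of Section IV.A (data type, data flow, business scenario) with a predefined trigger for compliance committee review. The threshold numbers come from the article; the weights, category names, score cutoff, the reading of "accumulated" as distinct individuals in a trailing 12-month window, and the sample inventory are constructed assumptions.

```python
"""Added example (not from the article): a defensive data-inventory check that
applies the bulk thresholds described for Section 202.205 and stratifies each
transfer along data type, data flow, and business scenario."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List

# Bulk thresholds as stated in the article (distinct U.S. individuals over 12 months).
BULK_THRESHOLDS: Dict[str, int] = {
    "health": 10_000,
    "financial": 10_000,
    "human_omics": 1_000,
}
WINDOW_DAYS = 365
AS_OF = date(2025, 12, 1)  # assumed assessment date for the sample run

# Weights for the three classification dimensions are constructed assumptions;
# a real program would set them from its own risk policy.
TYPE_WEIGHT = {"human_omics": 3, "health": 2, "financial": 2}
FLOW_WEIGHT = {"US->CN": 3, "US->HK": 3, "US->MO": 3, "CN->US": 2, "US->third_country": 1}
SCENARIO_WEIGHT = {"commercial_licensing": 3, "multicenter_trial": 2, "regulatory_submission": 1}
ELEVATED_SCORE = 7  # assumed cutoff between "standard" and "elevated"


@dataclass(frozen=True)
class TransferRecord:
    data_type: str               # dimension 1: data type
    source: str                  # dimension 2: data flow, as source/destination regions
    destination: str
    scenario: str                # dimension 3: business scenario
    subject_ids: FrozenSet[int]  # stable (possibly pseudonymous) ids of U.S. individuals
    transfer_date: date
    pseudonymized: bool = False  # recorded, but per the article it does not exempt the record

    @property
    def flow(self) -> str:
        return f"{self.source}->{self.destination}"


def unique_subjects_in_window(records: List[TransferRecord], data_type: str, as_of: date) -> int:
    """Distinct individuals of one data type transferred in the trailing 12 months.
    Pseudonymization is deliberately ignored: the thresholds apply regardless of it."""
    start = as_of - timedelta(days=WINDOW_DAYS)
    seen: set = set()
    for r in records:
        if r.data_type == data_type and start < r.transfer_date <= as_of:
            seen |= r.subject_ids
    return len(seen)


def crosses_bulk_threshold(records: List[TransferRecord], data_type: str, as_of: date) -> bool:
    threshold = BULK_THRESHOLDS.get(data_type)
    if threshold is None:
        return False  # no bulk threshold for this category in the article
    return unique_subjects_in_window(records, data_type, as_of) >= threshold


def classify(record: TransferRecord, records: List[TransferRecord], as_of: date) -> str:
    """Three-dimensional stratification. A data type that has crossed its bulk line
    sends every transfer of that type to committee review; otherwise the
    type/flow/scenario weights are scored against the assumed cutoff."""
    if crosses_bulk_threshold(records, record.data_type, as_of):
        return "committee_review"
    score = (TYPE_WEIGHT.get(record.data_type, 1)
             + FLOW_WEIGHT.get(record.flow, 1)
             + SCENARIO_WEIGHT.get(record.scenario, 1))
    return "elevated" if score >= ELEVATED_SCORE else "standard"


def assess_inventory(records: List[TransferRecord], as_of: date) -> List[str]:
    return [classify(r, records, as_of) for r in records]


def build_sample_inventory() -> List[TransferRecord]:
    """Constructed sample inventory with synthetic ids (not real transfers)."""
    return [
        # Three omics batches in one multicenter trial; ids overlap between the first two,
        # so the first two alone cover 900 distinct subjects and the third tips it past 1,000.
        TransferRecord("human_omics", "US", "HK", "multicenter_trial", frozenset(range(0, 600)), date(2025, 1, 15), True),
        TransferRecord("human_omics", "US", "HK", "multicenter_trial", frozenset(range(400, 900)), date(2025, 6, 10), True),
        TransferRecord("human_omics", "US", "HK", "multicenter_trial", frozenset(range(1_000, 1_150)), date(2025, 11, 20), True),
        # An older batch that falls outside the 12-month window and must not be counted.
        TransferRecord("human_omics", "US", "HK", "multicenter_trial", frozenset(range(5_000, 5_300)), date(2024, 10, 1), True),
        # Health data under a licensing deal: below the bulk line, but high on all three dimensions.
        TransferRecord("health", "US", "CN", "commercial_licensing", frozenset(range(10_000, 14_000)), date(2025, 9, 1)),
        # A small regulatory submission of health data.
        TransferRecord("health", "US", "CN", "regulatory_submission", frozenset(range(20_000, 20_200)), date(2025, 10, 5)),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for r, level in zip(inventory, assess_inventory(inventory, AS_OF)):
        print(f"{r.transfer_date} {r.data_type:12} {r.flow:7} {r.scenario:22} "
              f"{len(r.subject_ids):5d} subjects -> {level}")
```

Two design points are worth noting. Counting distinct individuals across a rolling window, rather than rows per shipment, is what makes the third omics batch the one that triggers review even though each batch on its own is far below 1,000; and carrying the `pseudonymized` flag without letting it change the result mirrors the article's point that anonymization or encryption status does not lower the threshold.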
Parallel to this, corporate training systems must evolve to address regulatory literacy, operational protocols, and emergency response mechanisms. Clinical data administrators, in particular, require specialized training in GDPR–Health Insurance Portability and Accountability Act (HIPAA) cross-compliance testing, supplemented by simulated FDA audit scenarios to reinforce procedural adherence. The GDPR’s emphasis on comprehensive personal data protection and the HIPAA’s focus on healthcare data security represent divergent legislative paradigms, demanding nuanced understanding to navigate transnational legal conflicts.
Internal governance must also extend to ethical oversight mechanisms. Establishing an independent Data Ethics Committee ensures dual reviews of research projects involving human genetic resources: one assessing technical feasibility and another evaluating ethical alignment. This reflects the integration of legal mandates with societal values, balancing scientific progress with moral imperatives. For example, projects involving gene-editing therapies undergo rigorous scrutiny to ensure compliance with China’s Regulations on the Administration of Human Genetic Resources (HGR Regulations), safeguarding both legal compliance and ethical integrity.
B. External adaptation: Prudent restructuring of collaboration and operational models
Biopharmaceutical enterprises pursuing international expansion face two primary operational models: localized operations (establishing U.S. subsidiaries under American law) and cross-border operations (remote management by China-based entities or third-country subsidiaries). While localized models mitigate data transfer risks, U.S. subsidiaries with Chinese affiliations risk classification as “covered entities” under EO 14117 due to perceived jurisdictional ties. Cross-border models, though flexible, expose firms to heightened compliance risks, particularly under China’s data localization mandates and U.S. restrictions on “countries of concern.”
Contractual frameworks must incorporate conflict-of-law prioritization clauses to resolve jurisdictional disputes. For instance, collaboration agreements may stipulate that data access requests conflicting with China’s DSL automatically activate termination clauses, prioritizing compliance with Chinese prohibitions. Additionally, an unconscionability clause under China’s Civil Code can nullify contract terms deemed excessively burdensome under evolving regulations.
Supply chain due diligence requires penetrative audits of U.S. Contract Research Organizations, extending beyond ISO 27001 certifications to scrutinize upstream suppliers for export control compliance. Enterprises should maintain alternative supplier databases to ensure operational continuity during compliance crises. For high-sensitivity projects, technical escrow models—where core algorithms are developed domestically and only processed results are shared internationally—minimize raw data exposure while enabling global collaboration.
These strategies form a closed-loop risk management system, where internal governance sets compliance baselines (e.g., data mapping informs supply chain audits), and external adaptations drive iterative policy upgrades (e.g., FDA feedback triggers procedural revisions). Enterprises should adopt a compliance maturity model, progressing from basic regulatory adherence to strategic compliance—transforming obligations into competitive advantages. For example, firms achieving HIPAA–GDPR dual certification can leverage this status to attract multinational partnerships, positioning compliance as a market differentiator.
This systemic approach underscores the necessity of dynamic adaptability in navigating the Sino-U.S. regulatory dichotomy. By harmonizing ethical oversight, jurisdictional agility, and technological innovation, biopharmaceutical enterprises can transform compliance challenges into drivers of sustainable growth within the global health ecosystem.
V. CONCLUSION
U.S. Executive Order 14117 relies on three regulatory tools—expansive interpretation of the scope of application of the subject, granularity refinement of data regulation, and domain-wide blocking of transaction scenarios—to build barriers to the flow of data for biomedical enterprises in designated countries. This provision is in structural conflict with China’s existing DSL and Regulations on the Management of Human Genetic Resources, resulting in confrontation of data sovereignty claims, exclusivity of technical standards, and overlapping jurisdictions, leading to a double compliance dilemma in cross-border R&D collaboration and data sharing. Studies have shown that such institutional rupture not only pushes up the compliance cost but also may fragment the global biomedical industry chain and impede the flow of human genomics data and international clinical trial collaboration. With the final rule of “data decoupling” established in the United States, Chinese enterprises will face more challenges when going to the United States or making transactions related to the United States. For this reason, this article proposes an internal and external compliance framework so that, under the premise of clearly identifying how their business in the United States may be impacted, enterprises can carry out specific compliance risk work as early as possible to avoid operational risks and reduce the cost of duplicated compliance, mitigating the risks of data fragmentation.
Footnotes
AUTHOR DISCLOSURE STATEMENT
No competing financial interests exist.
FUNDING INFORMATION
No funding was received for this article.
