The Legal Status and Improvement Path of Human Genetic Data in Gene Therapy in China

INTRODUCTION

Genetic data is any information including an individual’s genetic make-up and genetic variants. Researchers are inevitably faced with the fundamental challenge of collecting, preserving, utilizing, and sharing various forms of human genetic data in the process of human genetic research and treatment. After He Jiankui’s case in 2018, Chinese legislators committed themselves to enhancing legislation regarding human embryo gene editing. ¹ In June 2023, Chinese research institutions unveiled a genomic map related to the genetic diversity of the Chinese population, with the goal of constructing a pangenome reference map encompassing genetic data from 36 Chinese populations. ² This research achievement, based on extensive sampling from Chinese populations to establish a comprehensive genetic database, holds significant scientific and medical value. It advances medical research and plays a significant role in disease prevention, control, and treatment. However, the potential privacy leakage and personal rights infringement caused by the disclosure of genetic data have raised various concerns among citizens, and even raised doubts about whether China protects human genetic data. Although China has not promulgated a law directly named after “gene”, it has actually constructed a relatively complete legal protection framework for the protection of human genetic data, and has frequently enacted legislation to improve it in recent years. The processing of human genetic data is subject to Personal Information Protection Law (hereinafter “PIPL”) and the Data Security Law (hereinafter “DSL”). At the same time, in the legal context of China, human genetic resources include human genetic resource materials and human genetic resource information, and human genetic data are included in the latter concept. ¹ Utilization of such data should be mainly regulated by the Biosecurity Law, the Regulation on the Administration of Human Genetic Resources (hereinafter “Regulation”), and the Detailed Rules for the Implementation of the Regulation on the Administration of Human Genetic Resources (hereinafter “Implementation Rules”). This article analyzes the legal norms of human genetic data in China from a systematic perspective and tries to demonstrate Chinese governance framework of human genetic data.

FUNDAMENTAL LEGAL ATTRIBUTES OF HUMAN GENETIC DATA

In 2021, China promulgated its first law on personal information, namely the PIPL. This legislation incorporates multiple regulations previously issued by China, such as the rules on the collection, storage, use, entrusted processing, sharing, transfer, and public disclosure of personal information in the Information Security Technology Personal Information Security Specification (GB/T 35273-2020), and draws on the excellent experience of legislation on the protection of personal information outside the region. PIPL for the first time defines the concept of sensitive personal information in the law and stipulates the prerequisites for processing sensitive personal information. Sensitive personal information refers to information that, if leaked or unlawfully used, can easily result in infringements against individuals’ dignity, jeopardize their personal safety, or pose risks to their property. It includes information related to biometric data, religious beliefs, specific identities, medical and health records, financial accounts, travel trajectories, and personal information of individuals under the age of 14. Genetic data, categorized as biometric information, fall within the realm of sensitive personal information. It is necessary to comply with three restrictive conditions when processing sensitive personal information, including “specific purposes,” “sufficient necessity,” and “implementation of strict protective measures.”

The term “specific purposes” refers to the processing of sensitive personal information within the necessary legal scope to accomplish a particular task. This derives from the principles of limitation outlined in Article 6 of PIPL, introducing the added restriction of “specific purposes” on top of the requirement for “clear and reasonable purposes.” This primarily addresses the issue of processing scope, which means that only sensitive personal information necessary and relevant to the execution of a task should be processed. It should not be processed if there is no relevance. Justifying the processing of sensitive personal information based on a presumption of potential future usefulness is strictly prohibited. For instance, when collecting human genetic data, research institutions or hospitals must inform individuals about the specific purposes of processing, such as for particular medical or research activities. As for the requirement of specificity, practical criteria like “understandability,” “foreseeability,” and “judicial reviewability” concerning individuals can be used as standards for judgment. Judgment solely based on abstract or uncertain legal concepts such as “public welfare” or “maintenance of social order” should not be considered for “specific purposes.” ³ Regarding the requirement of “sufficient necessity,” sensitive personal information should not be collected if the processing purpose can be achieved by collecting general personal information. “Necessity” is indeed an uncertain legal concept that requires interpretation. This principle also embodies the concept of proportionality. Based on this principle, information processors should adhere to the principle of “collecting the least amount of necessary information” and refrain from excessively collecting sensitive personal information. Information processors may be driven by cost considerations and aim to collect as much personal information as possible, sometimes even employing machine automation for collection. However, considering the risk of sensitive personal information leakage, it is advisable to collect as little information as possible. According to PIPL’s requirement of “implementing strict protective measures,” it is crucial to enhance notification. In addition to general information disclosure, individuals should be informed about the necessity of processing sensitive personal information and its impact on their rights and interests. Special protection measures should be implemented, such as obtaining consent from the parents or other guardians when processing personal information of individuals under the age of 14. Specific rules for processing personal information related to minors should be established. Furthermore, prior impact assessments on personal information protection should be conducted, and records of processing activities should be maintained. ⁴

PIPL establishes the “separate consent” rule for sensitive personal information processing. ² The “separate consent” rule prohibits blanket authorization and imposes an explicit obligation on the processor to provide clear notification. This means that data processors cannot collect human genetic data through generalized consent, but need to provide clear information and obtain specialized consent regarding specific genetic data. The purpose is to prevent data processors from circumventing the consent rule through standardized contracts and to achieve stricter protection of sensitive personal information. It imposes higher responsibilities and obligations on data processors. According to PIPL, individual consent for sensitive personal information does not necessarily need to be in written form, which means that consent through oral or email means also meets the requirements. However, if there are other legal norms that require special requirements, corresponding rules should be followed. For example, according to the “Management Regulations”, written consent must be obtained when collecting genetic data. ³ However, when conducting gene therapy or examination, medical personnel are allowed to use oral communication according to the actual situation, and retain the evidence of communication through various means such as recording, video recording, and lawyer witnessing, which gives medical personnel more flexibility in practice. ⁴

The DSL implements a system of classified protection for data. Considering the pivotal role of data in social and economic development and the potential risks to national security, public interests, and the legal rights and interests of individuals and organizations in cases of tampering, destruction, leakage, illegal access, or unauthorized use, data are subject to classified protection based on its level of significance. Data associated with national security, the backbone of the national economy, essential livelihood matters, and major public interests are categorized as core data and subjected to more rigorous administrative measures. In cases of violations against the core data administration system that pose a threat to national sovereignty, security, and development interests, authorities may impose fines of up to 10 million yuan. In the first half of 2023, administrative authorities have imposed 21 administrative penalties in accordance with DSL. In March 2023, during the investigation and handling of a data security violation case, the network security department of Wenzhou Public Security Bureau in Zhejiang Province discovered that a technology company in Zhejiang Province, while developing an operation and maintenance information management system for a county-level government department in Zhejiang, illegally uploaded sensitive data collected by the government department to a rented public cloud server without the consent and did not take security measures, resulting in serious data leakage. According to Article 45 of DSL, the public security department in Wenzhou, Zhejiang Province have imposed administrative penalties of 1 million yuan, 80,000 yuan, and 60,000 yuan on the company, project managers, and directly responsible personnel, respectively. ⁵ In addition, in terms of criminal responsibility, the Eleventh Amendment to the Criminal Law promulgated in 2020 added criminal regulations on illegal collection and cross-border transmission of genetic resources, and those with serious circumstances will face up to 7 years in prison. ⁵

APPROVAL AND RECORD FOR SPECIFIC ACTIVITIES INVOLVING HUMAN GENETIC DATA

The Regulation issued in 2019 establishes a system for the approval and administration of specific activities involving the collection, preservation, utilization, and external provision of human genetic data. ⁶ This system encompasses four approval categories: collection approval, preservation approval, approval for international cooperative scientific research, and approval for the export of human genetic resource materials. In addition, there are two record systems: one for international cooperative clinical trials involving human genetic resources and the other for the provision or availability of human genetic resource information to external entities. Since the Regulation’s implementation, the relevant Chinese authorities have issued a series of administrative licensing service guidelines, record instructions, and registration methods. However, practical challenges persist, necessitating further clarification, which has raised significant concerns among research institutions and companies engaged in related activities. With the official implementation of the Biosecurity Law in China in 2021, activities within the pharmaceutical and health care industries involving human genetic resources are subject to heightened compliance requirements. ⁷ In July 2023, China implemented the Implementation Rules, which provide a more comprehensive framework for the approval and record processes related to human genetic data, thereby strengthening the control of key procedures.

Add new circumstances where administrative licensing for data collection is not required. According to the Regulation, the collection of significant genetic pedigrees in China, specific regional human genetic resources, or human genetic resources of types and quantities specified by the competent science and technology administrative department of the State Council requires approval from the relevant Chinese authorities. ⁶ The Implementation Rules have introduced new circumstances in which administrative licensing for data collection is not required: (1) The threshold for large-scale collection activities that previously necessitated administrative licensing, as outlined in the Service Guidelines for Administrative Licensing of Human Genetic Resource Collection in China (also known as the “Guidelines”), has been revised from 500 cases to 3,000 cases. (2) Common diseases, such as hypertension, diabetes, red-green color blindness, and hemophilia, are no longer subject to administrative licensing for the collection of “important genetic pedigrees.” (3) The category of “rare diseases, populations with significant genetic variations, or distinctive physiological characteristics,” which previously mandated administrative licensing for collection as per the Guidelines, has been eliminated. (4) Collection activities related to clinical trials with the objective of securing marketing authorization for relevant drugs and medical devices in China, regardless of the sample size, are exempt from the collection approval process and only require the record procedure for clinical trials. ⁷

Simplify preservation licensing. The Implementation Rules, for the first time at the legal and regulatory level, accurately define the concept of “preservation” as follows: “The preservation of human genetic resources means the act of preserving human genetic resources of legal origin under suitable environmental to ensure their quality and safety for future scientific research. This excludes temporary storage as required by laws and regulations or as stipulated in clinical research protocols for teaching purposes, after laboratory testing.” According to this definition, in practice, applicants collaborating with testing institutions for conducting clinical trials or researchers conducting clinical research that involves the temporary preservation of human genetic resource materials are not obligated to undergo the preservation licensing process. Furthermore, the Implementation Rules incorporate preservation licensing into the collection licensing framework. It is stipulated that when the collection of human genetic resources is linked to the preservation of human genetic resources requiring administrative licensing, the applicant only needs to apply for administrative licensing for the preservation of human genetic resources and is not required to submit a separate application for administrative licensing for the collection of human genetic resources. ⁸

Introduce simplified operational rules for foreign ethical review. Applications for administrative licensing related to international cooperation in scientific research on human genetic resources will be subject to ethical review in the country or region where either party to the cooperation is based. If the foreign entity is indeed unable to provide supporting materials for ethical review in its own country or region, it may submit materials demonstrating its acceptance of the ethical review opinion of the Chinese entity. According to the Regulation, foreign entities are not permitted to independently utilize China’s human genetic resources for scientific research activities and must collaborate with Chinese entities. Such international cooperation requires a specific approval process. However, international cooperative scientific research involving the use of China’s human genetic resources for clinical trials, meeting specific conditions, does not require approval but only necessitates record before the clinical trial commences. The specific conditions stipulated by Regulation include: (1) for the purpose of obtaining marketing authorization for relevant drugs and medical devices in China; (2) conducting international cooperative clinical trials using China’s human genetic resources within clinical institutions; and (3) not involving the transport of human genetic resource materials out of China. ⁹ The term “within clinical institutions” in the second criterion is not explicitly defined in the Regulation. However, the Implementation Rules clarify that activities such as “collection, testing, and analysis of human genetic resources and the disposal of remaining human genetic resource materials conducted within clinical medical and health institutions” are considered “within clinical institutions.” In addition, “the involved human genetic resources collected in a clinical medical and health institution and subject to the testing, analysis, and disposal of remaining samples by the domestic entity designated in the clinical protocol for the marketing authorization of a related drug or medical device” also fall under the category of “within clinical institutions.” Therefore, they are eligible for the record of international cooperative clinical trials. ¹⁰

Change the provision of human genetic resource information to foreign entities from a record system to a reporting system, with enhanced security review requirements. Prior to sharing or making human genetic resource information available to foreign entities, a prior report should be submitted to the Ministry of Science and Technology, along with the submission of information backups. According to the Implementation Rules, the following information should be included in the prior report: (1) the purpose and use of China’s human genetic resource information provided to or made available to foreign entities; (2) details regarding the provision or availability of information on China’s human genetic resources to foreign entities, including information backups; (3) basic information on the foreign entities that will receive the information on human genetic resources; and (4) an assessment of potential risks arising from the external provision or availability of information on human genetic resources to foreign entities. The Regulation provides fundamental principles for conducting security reviews when providing or making human genetic resource information available to foreign entities under specific circumstances. The Implementation Rules specify the circumstances in which security reviews are required, including the external provision or availability of: (1) human genetic resource information related to important genetic pedigrees; (2) human genetic resource information related to specific regions; (3) exome sequencing and genomic sequencing information resources with a sample size exceeding 500; and (4) other information that may affect China’s public health, national security, and public interest. ¹¹ Moreover, human genetic data are also important biological genetic data, and the corresponding data also need to be evaluated by the Cyberspace Administration of China during cross-border circulation. According to the Measures for Security Assessment of Data Export, data processors of important data, as well as data processors who have accumulated over 1 million pieces of personal information or have accumulated over 100,000 pieces of personal information or 10,000 pieces of private information since January 1, 2021, must apply for a data export security assessment through the Cyberspace Administration of China before cross-border data transmission. ¹² On July 21, 2022, the Cyberspace Administration of China imposed a high fine of up to 8.026 billion yuan on Didi Global Co., Ltd. for its illegal cross-border transmission of personal information and other illegal actions. ¹³

DILEMMAS AND IMPROVEMENTS FOR PROTECTION OF GENETIC DATA PRIVACY

The utilization of genetic data is still a cutting-edge emerging field, and there is still a lag in the legal system in this regard. Overall, through frequent promulgations and revisions of legislations in the field of genetic data in recent years, China has established a relatively complete legal protection framework for human genetic data. From the perspective of protection efforts, the number of administrative regulations related to human genetic data far exceeds the number of privacy and personal information protection regulations, emphasizing strict protection of genetic data from a national security perspective. The emergence of this phenomenon is related to the understanding of the important resource attributes of genetic data. Countries generally take the lead in restricting the collection and export of genetic data in the name of national security, to avoid the disclosure of genetic data and prevent potential national security risks. However, there are still certain shortcomings in Chinese private protection, and in practice, the privacy of genetic data cannot be fully protected. This is the area that China needs to further improve in the future.

At present, the protection of genetic data privacy in China mainly relies on the privacy rules in the Civil Code and PIPL. In terms of the value orientation of protection, genetic data points to the highest private domain of human beings, life, so genetic data are regarded as human private and have a strong individualistic color. Chinese privacy rights and the PIPL also follow this value position, respecting individual autonomy and adhering to the principle of “informed consent”. This means that the collection of genetic data only requires the consent of the data provider. However, in practice, due to the fact that the utilization of genetic data often fails to clarify specific research objectives in advance, processors often adopt “principled” consent rules, such as “agreeing to all activities carried out for scientific research,” requiring genetic data providers to provide “broad” consent. ⁸ This approach actually violates the “principle of openness and transparency” in Article 7 of PIPL. ¹⁴ However, considering the rationality of individuals’ self-determination and policy stance to promote the development of biotechnology, such behavior has widely existed in practice. At the same time, the anonymization system in PIPL also increases the risk of genetic data leakage. According to Article 4 of PIPL, if personal information is anonymized, the corresponding processing rules will no longer be subject to the regulations of the PIPL. ¹⁵ In the field of genetic data, the anonymization system has become a favorable tool for genetic data processors to evade legal supervision. Genetic data reveal the characteristics of each individual’s life, like an ID card pointing to a specific individual, with distinct identification. ⁹ Given the particularity of genes, anonymization of genetic data is actually impossible to achieve. Due to the inherent stability and uniqueness of genetic data, the DNA of any two individuals can be easily distinguished from each other, making them vulnerable to individual recognition attacks. When it comes to genetic data, just the power of informed consent and autonomy begins to show its limitations. ¹⁰ By utilizing the anonymization system, the processing of personal genetic data will not be protected by law, which puts the privacy of personal genetic data at great risk of exposure.

The insufficient protection of genetic data in China stems from two reasons. First, the particularity of genetic data, that is, the process of genetic data can affect multiple parties’ interests, and individuals cannot have complete autonomy over their genetic data. The second is the rigid individualistic value of Chinese privacy rights and PIPL, which means that the current system adopts “informed consent” and “anonymization system” that are not naturally applicable to genetic data. Considering the above two factors, China needs to first break away from individualistic positions in terms of value. That is, it cannot rely solely on individuals to fully decide or protect their genetic data, but should adopt diverse protection paths and methods. This can be mainly discussed from the following aspects.

First, establish specialized legislation to combat genetic discrimination. Excessive collection and disclosure of genetic data privacy is highly likely to lead to genetic discrimination. In this regard, although many scholars in China have called for the introduction of special provisions against genetic discrimination in specific fields such as labor employment and insurance, legislation has not yet responded to this. ¹¹ As some scholars have pointed out, China’s labor law does not prohibit the acquisition of genetic testing and other genetic data in the workplace, but only prohibits unreasonable discrimination against employees based on this information. ¹² In judicial practice, although the principle provisions on anti-employment discrimination, such as Article 3 of the Labor Law and Article 30 of the Employment Promotion Law, have certain applicable value. However, these highly generalized provisions are inevitably vague, ultimately leading to great uncertainty in the application of the law. ¹³ Therefore, it should be a better practice for the state to introduce specialized laws and regulations to prohibit it.

Second, fully utilize existing organizational functions. The excessive collection and disclosure of genetic data privacy mainly focus on the consumers and employers, and in these two areas, China has a relatively complete organizational structure that can provide protection for the group and the functional value of these organizations should be fully utilized. In the field of workers, China has a three-layer and five-level trade union organizational structure. ¹⁶ Moreover, trade unions have the obligation to protect the rights and interests of workers and can initiate labor arbitration on their behalf in case of infringement of their rights and interests. It should be said that under the current labor organization system in China, workers can seek the help of trade unions to face improper collection and processing of genetic data, which helps alleviate the current individualistic dilemma. Similarly, in the field of consumer protection, China also has a solid foundation of consumer associations. According to the Annual Report on the Protection of Consumer Rights and Interests in China (2021), as early as the end of September 1993, 2550 consumer associations at or above the county level have been established nationwide, and more than 18,000 grassroots consumer associations (branches) have been established in rural townships and urban streets. ¹⁴ Consumers can also rely on consumer associations as a group to protect their legitimate interests and prevent their genetic data from being illegally collected and utilized.

Third, leverage the value of the public interest litigation system. Facing the collective infringement caused by disclosure of genetic data privacy and genetic discrimination, leveraging the value of the personal information public interest litigation system has become an important solution to this problem. In Article 70 of PIPL passed in 2021, the public interest litigation system related to personal information has been established. This legislative design demonstrates China’s determination to protect social public interests. At present, considering the inherent and extensive connectivity of genetic data, the number of groups formed based on genetic data is very large, and corresponding infringement behaviors may cause social risks. For example, employment discrimination caused by genetic data disclosure has caused a series of problems. The function and value of the personal information public interest litigation system should be further utilized to provide relief for the group and prevent ethical risks of genetic data discrimination.

CONCLUSION

At present, we have entered the era of biotechnology, and the development of human gene therapy technology has provided infinite possibilities for diseases that cannot be treated by traditional medicine. However, the collection, preservation, utilization, and external provision of genetic data, which is the core of gene therapy technology, are prerequisite issues that must be addressed in the development of such technologies. Genetic data have multiple legal attributes, which are highly relevant to individuals as well as genetic resources related to relatives, families, and even ethnic groups. China has formed a relatively complete legal regulatory system for human genetic data. In recent years, China has also recognized the value potential of genetic data and actively promoted the rational utilization of it. The newly issued Implementation Rules have refined the approval and record of human genes, which to some extent helps to unleash the dividends of genetic data and promote the further development of human gene therapy in China. However, it should also be noted that China still has certain shortcomings in protecting the privacy of genetic data. Genetic data are still an emerging field, and the legal system lags behind in this regard. At present, China has introduced many regulations at the public law level, affirming the national security strategic resource status of genetic data. However, in terms of private law protection, the practice of placing genetic data under privacy right and PIPL is not comprehensive enough, and the particularity of genetic data has not been recognized. In the future legislative improvement, China should adopt diversified paths and plans to provide protection for the privacy of genetic data.

CONSENT FOR PUBLICATION

Both authors consent for publication.