Newsletter 61 April 2024

US: New Jersey and New Hampshire New Privacy Bills

New Jersey and New Hampshire passed new consumer privacy bills at the beginning of 2024. Both take effect on 1 January 2025.


New Jersey:


Governor Phil Murphy, D-N.J., signed New Jersey's comprehensive privacy bill S332/A1971 into law on 16 January 2024. The law, targeted at consumer privacy, takes effect one year after signing, in January 2025.

Under the privacy law, certain entities, including internet websites and online service providers, must notify consumers that their personal data is being collected. Such entities must also inform consumers about the disclosure of personal data to third parties and provide them with the ability to opt out of that collection or disclosure. The bill also entitles consumers to know what data the operator holds about them, so that they can correct or delete inaccurate information. The operator must also limit the collection of personal data to what is adequate, relevant and reasonably necessary for its business, and must specify the express purposes for which personal data are processed.


Comment from PharMarketing:

This is a step closer to the EU GDPR and its Articles 13 to 17, but it is limited to consumer personal data. In the future, we hope this law will also address employee personal data, patient data, professional contact details and more, and cover any kind of personal data processing. Read the bill here.


New Hampshire:

On March 6, 2024, New Hampshire Governor Chris Sununu signed Senate Bill 255 into law, making New Hampshire the 14th U.S. state to enact a comprehensive privacy law. 


There are many exemptions: nonprofit organisations and institutions of higher education are exempt from this law. The same applies to protected health information under HIPAA, to businesses that process the personal data of fewer than 35,000 unique consumers in a year, and to businesses that process personal data solely to complete a payment transaction. The bill gives consumers the right to access, correct and delete their data. The law requires an organisation to obtain the person's express consent before processing sensitive personal data.

Read the full text of the law here.


Comment from PharMarketing:

Like New Jersey's privacy bill, New Hampshire's privacy law is limited to certain data subject categories and certain situations. It gives rights to consumers, but it is still far from the breadth of the EU GDPR and other comprehensive privacy laws.



UPDATED GUIDANCE:

UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK

The EU-U.S. Data Privacy Framework ('DPF') was adopted in 2023 through the European Commission's adequacy decision, following the political agreement announced by Joe Biden and Ursula von der Leyen, and applies since 10 July 2023. It replaces the former EU-US scheme, the Privacy Shield, which was invalidated in 2020 by the 'Schrems II' decision of the Court of Justice of the EU.


It is one of the tools* to make transfers of personal data from the EU/EEA to the US compliant with the EU General Data Protection Regulation ('EU GDPR'). The only condition is that the recipient organisation in the US (the 'data importer') has self-certified to the DPF and complies with it.

( * ) Several other tools are available, such as a data transfer agreement containing the Standard Contractual Clauses issued by the European Commission.

On October 12, 2023, the UK Government's recognition of the adequacy of the UK Extension to the EU-U.S. DPF entered into force. Eligible organizations that self-certify their compliance with the UK Extension to the EU-U.S. DPF may now receive personal data transferred from the United Kingdom and Gibraltar to the United States in reliance on the UK Extension to the EU-U.S. DPF.

Comment from PharMarketing:


Like the DPF, the UK Extension to the DPF requires significant effort and money from the US data importer to put in place and maintain. In our opinion, the DPF and the UK Extension therefore make sense for two types of US organisations:


  • Service companies that want to use the DPF as a 'marketing' tool to demonstrate compliance with the EU GDPR to organisations in the EU/EEA; a typical example is a small CRO or a small software provider in the US that wants to access electronic health records from hospitals in Europe in order to do business.


  • Large organisations that interact extensively with other organisations in the EU/EEA.


For help determining the most appropriate data transfer mechanism for personal data from the United Kingdom and, as applicable, Gibraltar, to the United States, contact Bertrand at b.p.lebourgeois@pharmarketing.net


More details on the UK Extension to the EU-U.S. DPF:


• The UK Extension to the EU-U.S. DPF provides participating organizations with a reliable mechanism for personal data transfers to the United States from the United Kingdom (and Gibraltar) while ensuring data protection that is consistent with UK law.

• Effective as of October 12, 2023, eligible organizations that have self-certified their compliance pursuant to the UK Extension to the EU-U.S. DPF may receive personal data from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF.


• Organizations that wish to receive personal data from the United Kingdom and, as applicable, Gibraltar in reliance on the UK Extension to the EU-U.S. DPF must comply with the EU-U.S. DPF Principles with regard to such data. Organizations that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF. These commitments to comply shall be reflected in such organizations’ self-certification submissions to the ITA, and in their privacy policies.

(See FAQ 5, FAQs – Privacy Policy for language that is acceptable for that purpose)


• Under the UK Extension to the EU-U.S. DPF personal data transfers from the United Kingdom and, as applicable, Gibraltar to the United States shall, as appropriate (i.e., where the organization has elected to cover such transfers), be treated in accordance with the EU-U.S. DPF Principles and Annex I of the Principles. It follows that for the purposes of the UK Extension to the EU-U.S. DPF references in the EU-U.S. DPF Principles and Annex I of the Principles to the European Union and/or the European Commission, EU DPAs, and EU individuals should generally be understood as referring respectively to the United Kingdom and/or the UK Government, the ICO and, as applicable, the GRA, and UK individuals (i.e., as consistent with relevant differences between the United Kingdom and, as applicable, Gibraltar and the European Union).

• An organization that already participates in the EU-U.S. DPF and intends to extend its participation to also cover personal data received from the United Kingdom and, as applicable, Gibraltar would make its election to participate in the UK Extension to the EU-U.S. DPF either: (a) as part of its annual re-certification to the EU-U.S. DPF, or (b) outside of its annual re-certification to the EU-U.S. DPF provided it makes that election no later than six months from July 17, 2023.


• If your organization has already self-certified its compliance pursuant to the EU-U.S. DPF, it can log into its DPF program account and click on “Self-Certify” after which point it would be presented with the option to add the UK Extension to the EU-U.S. DPF to the scope of its existing self-certification and include other relevant information during the online self-certification process.
• Please note that an organization’s re-certification for both the UK Extension to the EU-U.S. DPF and the EU-U.S. DPF would be due at the same time (i.e., re-certification to the relevant part(s) of the DPF program is synchronized).

• An organization that does not already participate in the EU-U.S. DPF and intends for its participation to also cover personal data received from the United Kingdom and, as applicable, Gibraltar would make its election to participate in the UK Extension to the EU-U.S. DPF as part of its initial self-certification to the EU-U.S. DPF.
• If your organization has not already self-certified its compliance pursuant to the EU-U.S. DPF, it can click on the "Self-Certify" link on this website, create a profile, and then must select both the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF during the online self-certification process.


• The annual fee that an organization is required to pay to the ITA to participate in the EU-U.S. DPF currently covers both the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.


Link to the DPF: click here.

Link to the UK extension to the DPF: click here.



New FDA Guidance on Informed Consent in Clinical Trials

The FDA released a draft guidance on informed consent: provide feedback before 30 April!


The US Food and Drug Administration (FDA) wants sponsors and clinical trial researchers to present information to trial participants or their representatives early and concisely, making it easier to understand why they should or should not participate, according to a new draft guidance. The guidance also proposes communication strategies that can be used to ensure the information is more accessible.

When Congress passed the 21st Century Cures Act (Cures Act) in 2016, lawmakers included language that updated the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, to ensure clinical trial participants were better informed about their trials. Similarly, FDA proposed a rule with identical requirements.

On 29 February, FDA and the Office for Human Research Protections (OHRP) at the Department of Health and Human Services (HHS) published a draft guidance on how sponsors and researchers can conform to the rules.

The guidance proposes that sponsors and researchers present informed consent information to trial participants in layperson language, ensuring they better understand what the trial aims to do and their role in it. More specifically, it lays out how key information should be presented, and recommends what the information should cover, how it should be organized, and how it should be presented in clinical trials for drugs, devices, and biologics.

The revised Common Rule requires that clinical trial participants or their legally authorized representatives receive concise and easy-to-understand language to help them decide why they should or should not participate in the trial. With that in mind, the guidance recommends how sponsors and researchers can present key information to meet the requirements set in the rule and the strategies they can use to present such information. It also includes a sample approach to how key information may be presented.

“The presentation of key information at the beginning of the consent process can help facilitate discussions between a prospective subject and an investigator about whether the prospective subject should participate in the trial,” said FDA. “This information also may be useful to enrolled subjects as a resource and to facilitate any further discussions with investigators.”

The communication strategy proposed in the guidance is based on prescription drug labeling research which aims to make such information more accessible to patients.

“By using simple phrases and plain language principles, as well as formatting and organizational tools, researchers found that presenting information in a discrete bubble format with topics organized or grouped together can facilitate consumer understanding,” said FDA. “In the appendix of the draft guidance, we provide an example of a key information section using the bubble format.”

“We encourage interested parties, with input from [institutional review boards (IRB)], to develop innovative ways to provide key information that will help prospective subjects better understand the reasons why one might or might not want to participate in research,” the agency added.

While the aim is to present key information concisely so as not to overwhelm trial participants, the guidance notes that supplemental information may be included in the key information section when it may be important to the trial participant's decision-making. It adds that the HHS Secretary's Advisory Committee on Human Research Protections (SACHRP) has recommendations on how to present such information consistently with the provisions of the Common Rule.


Stakeholders can comment on the draft guidance on www.regulations.gov under docket no. FDA-2022-D-2997 until 30 April.

Access the FDA Informed consent draft guidance.



France and DCTs:

Pilot phase launched until end June 2024

You might be aware that, as of today, the Methodologies of Reference of the French CNIL for clinical trials do not allow home-based trials, because nobody outside the site staff may hold both a direct identifier of a patient and health information about that patient.


On 8 January 2024, four French Government agencies announced that they are launching a pilot phase for Decentralised Clinical Trials ('DCTs').



We had already announced this in our newsletter after the CNIL, the French Data Protection Authority, spoke at a conference at Novartis premises in Paris in November 2023.


20 pilot projects will be selected.


Interested sponsors should send an email to phasepiloteessaisdecentralises@sante.gouv.fr


What will happen after the pilot phase?


A summary of guidelines will be published.


The CNIL will use the elements gathered during the pilot phase, together with the work of the national network of French ethics committees (CNRIPH), to update its Methodologies of Reference MR00X.



Read the press release here.


For any questions on how to conduct DCTs in France and on the Methodologies of Reference, contact Bertrand at b.p.lebourgeois@pharmarketing.net



US BIOSECURE Act:

What Consequences for your Business?

This article explores the implications of the BIOSECURE Act and of President Biden's Executive Order on data privacy, which covers genomic data, biometric data, personal health data, geolocation data and financial data.

If the BIOSECURE bill, introduced by a bipartisan group of Select Committee members in the US Senate and the House, goes through, it could severely impact US companies' ability and desire to contract with biotechnology entities from China, Russia, Iran and North Korea.


Moreover, the bill also specifically names certain companies related to the People's Republic of China (BGI, MGI, Complete Genomics, WuXi AppTec and their affiliates) as companies of concern.


The BIOSECURE Act does not propose a blanket prohibition on biotech and pharmaceutical companies partnering or transacting with the entities covered by the law. Likewise, the current draft of the BIOSECURE Act would not impose penalties on companies that engage with these entities. The BIOSECURE Act has two core areas of focus:


First, the legislation would prohibit federal agencies from directly procuring services from, or funding (by federal loan or grant), a "biotechnology equipment or service" from a "biotechnology company of concern".


Second, the legislation would also prohibit federal agencies from entering into, extending or renewing a contract with, or expending federal grant or loan funds on, an entity that either:

• uses biotechnology equipment or services from a biotechnology company of concern in performing the contract; or

• enters into a contract (with a third party) that will require the direct use of biotechnology equipment or services from a biotechnology company of concern.


As a result, companies that contract with any “biotechnology company of concern” could themselves become ineligible to receive federal contracts, loans, or grants. Additionally, the range of potential downstream impacts that the BIOSECURE Act could have on commercial contracting should be monitored if this legislation advances.


Read the text of the bill H.R.7085: click here.



Evaluation of Human Intervention in Automated Decisions (GDPR Art. 22)

On 4 March 2024, the AEPD, the Spanish Data Protection Authority, published guidance on how to evaluate the degree of human intervention in personal data processing that involves automated decisions about a person, as per Article 22 of the GDPR.


One of the key elements is the involvement of a human being in the decision-making process, and of course the impact on the private life of the data subject.


Where processing may involve automated decisions, the degree of human participation must be evaluated, which means assessing both the system used and the processing and its context. To do this, the AEPD recommends assessing the person's participation in the decision process against several aspects, such as their authority, competence, capacity, diligence and independence.


Article 22 of the GDPR establishes that individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects on them or similarly significantly affects them, with some exceptional situations.


Regarding the concept of a "decision based solely on automated processing", this is developed in section IV.A of the WP251 Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, last revised and adopted on 6 February 2018:


Article 22(1) refers to decisions “based solely” on automated processing. This means that there is no human participation in the decision process.


The data controller cannot circumvent the provisions of Article 22 by fabricating human participation. For example, if someone routinely applies automatically generated profiles to individuals without having any real influence on the outcome, this is still a decision based solely on automated processing.


To count as human participation, the controller must ensure that any oversight of the decision is meaningful, rather than just a token gesture. It must be carried out by a person with the authority and competence to change the decision. As part of the analysis, that person must take into account all relevant data.


As part of the DPIA, the data controller must identify and record the degree of human participation in the decision-making process and at what point this occurs.


Many automated decisions actually involve some degree of human intervention; however, to count as such, it has to be active and not just a token gesture, that is, it has to have a certain degree of relevance and capacity.


An example that is not based solely on automated processing is shown in the WP251 Guidelines:


Example: an automated process produces what is, in reality, a recommendation regarding the data subject. If a human being reviews it and takes other factors into account to make the final decision, that decision will not be "based solely" on automated processing.


An example of the opposite is shown in the documentation produced by the ICO:


A factory worker's salary is linked to his productivity, which is automatically monitored. The decision on how much pay the worker receives for each shift he works is made automatically by referencing data collected about his productivity.


The judgment of the Court of Justice of the EU of 7 December 2023 in case C-634/21 ("SCHUFA") establishes that there is also an automated decision within the meaning of Article 22 GDPR when a value automatically generated from personal data is transmitted by the controller to a third party, itself a controller, and that third party bases a decision about the person decisively on that value.


Where processing may involve automated decisions, the degree of human participation must be evaluated. Assessing whether human supervision is possible and effective means assessing both the system used and the processing and its context. To carry out this assessment systematically, the AEPD recommends objectively assessing the person's participation in the decision process along the following lines:


1. Competence and authority.


That is, the person has the authority, or the assigned task, that allows them to alter the result of the automated decision.


An example is an inmate applying for open-prison status (Spanish "tercer grado") or parole. To decide on this application, a report on the inmate is prepared, which may include an algorithmic prediction of the risk of reoffending. A prison officer has no power to modify this prediction or the decision based on it; the officer is only obliged to carry out the decision, which is taken by a judge.


2. Preparation and training.


That is, the person has the capacity and skills to evaluate the decision and the factors that determine it, in relation to the context of the processing and the automated system used, with its capabilities and limitations.


For example, in the case of an automated health diagnosis, the intervention of a health professional in the specialty related to the diagnosis will be necessary in order to challenge the decision with knowledge of the facts.


In other cases, in addition to basic training, the person must have the training needed to know the particularities of specific decisions in real operating contexts.


3. Independence and diligence in the exercise of their powers.


It is necessary to evaluate whether there are pressures from inside or outside the organisation that condition the person's challenge of the decision.


For example, the investment made in the automated system may make it inadvisable to question it. Another example is that the number of decisions that may be challenged is limited, or that challenging them causes some kind of harm to the competent person or to others.


The competent person, or those who supervise them, may also be affected by automation bias, which leads them not to question the decisions made automatically (or to do so only on very rare occasions).


This requires continuous review of the decision process, including, in some cases, oversight by more than one person. This review must include guarantees regarding the person's diligence in carrying out their obligations.


4. Means to exercise their competence and qualification.


Regarding the means needed to evaluate the degree of intervention, it should be assessed whether the person has the following capacities available:


A. That the person can procedurally exercise their competence.


This means that the procedure framing the decision takes into account the person's ability to intervene at the appropriate moment or point, in good time, before the decision is applied to the individual. Furthermore, if the procedure is digitised, the systems must incorporate mechanisms that allow this under all circumstances.


For example, the legal effects, or those that significantly affect the data subject, may occur within a period too short for a person to exercise their competence, as when boarding transport (a flight, for example), attending an event, accessing a service such as a gym, etc.


B. That the person has the necessary information in good time to exercise their qualification.


The person must be able to know the consequences and risks of the decisions in general, and of those being taken in specific cases.


The person must be able to know all the aspects that determine the automated decision. These include the data of the specific individual, but could also include the procedures for collecting input data, the data implicit in the model that generates the decision, contextual data not taken into account in the automated decision, and the capabilities and limits of the decision system. They also include any data that the person, in their qualified judgement, considers necessary for the specific case and that were not considered in the automated decision.


C. That the person has the resources to exercise their qualification.


For example, the person needs applications that allow them to analyse the information in the format used for the automated decision, or to convert that format to their needs, as well as whatever they need to process the information in the best way, or a team to support them.


D. That the person has the necessary time to exercise their qualification for each of the decisions within their competence.


A person may be competent and qualified, and have the needs listed above met. However, if they work under a regime that requires them to supervise decisions on 100 reports of 100 pages each, every day, they would have to read and analyse 21 pages per minute over a working day, which is not feasible. And this without taking into account any additional tasks their position requires them to attend to, which would make human supervision unfeasible in practice.


This post is related to other materials published by the Innovation and Technology Division of the AEPD, such as:


• Risk management and impact assessment in personal data processing

• Adapting processing that incorporates Artificial Intelligence to the GDPR

• Artificial Intelligence: system vs. processing, means vs. purpose

• Artificial Intelligence: the principle of accuracy in processing


Read article from AEPD: 
Evaluación de la intervención humana en las decisiones automatizadas | AEPD



New Zealand unveils a New Privacy Impact Assessment Toolkit

New Zealand's Office of the Privacy Commissioner ('OPC') has released a privacy impact assessment toolkit. The resource sets out the six basic steps of conducting a PIA:


  1. gather all the information,
  2. check the information against the privacy principles,
  3. identify the privacy risks,
  4. produce the PIA,
  5. take action, and
  6. review and adjust the PIA as necessary as the project's scope changes.


A privacy impact assessment (PIA) is a way for organisations to assess and address privacy risks when they’re collecting, using, or sharing personal information. It is a Risk Analysis from the point of view of the Data Subject.


It is not a Risk Analysis from the point of view of your organisation!


Doing a PIA will help your organisation:


  • check whether your project complies with privacy laws
  • identify and minimise privacy risks (e.g. data breaches)
  • give customers or clients certainty that their information is safe
  • improve your information management systems.


There are real risks for your organisation if your project involves personal information, or intrudes on people’s privacy, and you don’t do a PIA. NZ's OPC has developed tools and documents (see link below) to help you succeed.


Read the article from NZ's OPC here.



For advice on how and when to draft a Data Privacy Impact Assessment ('DPIA'), contact Bertrand at b.p.lebourgeois@pharmarketing.net



Somalia Launches First Data Protection Authority

On 24 February 2024, Somalia established a data protection authority, News Blaze reported. The Somali Data Protection Authority is charged with preventing data misuse and setting standards, and was launched nearly one year after the country's Data Protection Act was passed.


This newly founded government body, known as the Somali Data Protection Authority, is tasked with safeguarding citizens' privacy and preventing the misuse of data by any individual or institution whose activities involve data in any way.


In March 2023, the President of Somalia, Dr. Hassan Sheikh Mohamud, signed into law the country's first-ever Data Protection Act, setting the scene for the creation of the DPA, the result of vigorous efforts to build a framework from scratch.


Read the article from NewsBlaze dated 29 February 2024 here.


Turkey:

Updates to Data Privacy Law

Turkey's data protection authority, the Kişisel Verileri Koruma Kurumu (KVKK), announced approved amendments to the Personal Data Protection Law. The amendments include updates to the provisions on international data transfers and on the processing of special categories of personal data. The changes take effect on 1 June 2024.


Public Announcement on the Amendments to the Law on the Protection of Personal Data No. 6698
As is known, the Law on the Amendment of the Criminal Procedure Code and Certain Laws, which also includes provisions on the Law on the Protection of Personal Data No. 6698, was published in the Official Gazette dated 12 March 2024 and numbered 32487. Articles 33 to 36 of that Law amend Articles 6, 9 and 18 of Law No. 6698 and add a new provisional article to Law No. 6698.

The changes will take effect on 1 June 2024. However, the current first paragraph of Article 9 of Law No. 6698, which regulates the procedures and principles for transferring personal data abroad, will continue to apply until 1 September 2024, alongside the amended version of the article.

In this context, during the transition period, data controllers and data processors should carry out their preparatory work carefully and urgently in order to comply with the new rules.


KİŞİSEL VERİLERİ KORUMA KURUMU | KVKK | 6698 Sayılı Kişisel Verilerin Korunması Kanununda Yapılan Değişiklikler Hakkında Kamuoyu Duyurusu (KVKK: Public Announcement on the Amendments to the Law on the Protection of Personal Data No. 6698)



Italy:

Code of Conduct for Telemarketing

The Monitoring Body (OdM) for the Code of Conduct for telemarketing and telesales activities was accredited on 17 March 2024.


The Code, which aims to protect users from unwanted calls, will become fully effective from the day following its publication in the Official Journal.


If your Life Science organisation plans to perform a phone marketing campaign to Healthcare Professionals or to prospects in Italy, you can use this Code of Conduct to simplify and streamline your compliance with GDPR. 


If you plan to subcontract the phone calls to a telemarketing agency, please check they comply with this code of conduct.


https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9993833?mkt_tok=MTM4LUVaTS0wNDIAAAGR8Xzm9lE1Y22exXrGy1Wc98XQVnVz4zE3JGDbcNoMOZ3Jr5wTyjRkaCrQcKPzPf-FQYZ7cxG1qESVFhvgHCHl2eSLacsNczaYUCIKffefG8CO


For any question on this topic, feel free to contact our Italian DPO Mary Elizabeth Wieder: m.e.wieder@pharmarketing.net



EHDS:

Rules on Secondary Use of Health Data

On 15 March 2024, the European Parliament, the Council and the Commission reached a provisional agreement on the European Health Data Space ('EHDS').


Besides allowing access to patients and healthcare professionals for primary use, it also clarifies how pseudonymised patient data from EHDS can be reused and for which objectives.


Core elements of the agreement


On the primary use of health data, the agreement will enable all EU citizens to access their health data electronically and give health professionals access to the data necessary for treatment. It will also make it possible for patients to collect their prescriptions in an EU country other than the one where they were issued.


On the particularly tricky issue of secondary use of health data, anonymised or pseudonymised health data, including extremely sensitive genetic data, can be shared for public interest purposes such as research and innovation, policy-making, education and patient safety.


According to an MEP and co-rapporteur, the major issues for the Parliament in the negotiations were: opt-out clauses for patients, which were included; strict data localisation and storage of data within the EU, which was not included; how long national parallel systems should continue to exist, which resulted in a review clause; and implementation timelines.


Purposes such as advertising, decisions on lending conditions and others are, however, clearly excluded from secondary use.


Impacts on pharma companies:


First, pharma companies might have to share health data they collect with the EHDS (as they do today with the EudraVigilance system). This could be health data collected through medical information lines, vigilance notifications or clinical studies.


Second, it will probably change the way pharma companies and service organisations conduct clinical research and market access research: member states will identify a 'Trusted Data Holder' that can securely process requests for access to health data.

In other words, the way sponsors access retrospective patient data for secondary use studies might change in EU countries.


Next steps:


The provisional agreement will now have to be endorsed by the Council and the Parliament. It will then be formally adopted by both institutions after legal-linguistic revision. The regulation will enter into force 20 days after publication in the EU’s Official Journal.


Comments from the EFPIA:


The European Federation of Pharmaceutical Industries and Associations (EFPIA) is the European trade body for pharma companies. On 14 March 2024 it said that three fundamental issues remain to be solved:


The regulation must enable and protect innovation in Europe


An additional opt out mechanism is not needed


Implementation timelines must be appropriate to ensure a smooth roll out and functioning of the EHDS


https://www.efpia.eu/news-even...


References:


Read the press release from the EU dated 15 March 2024 here.


Read more in the article from Euractiv here.


Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Health Data Space


COM/2022/197 final dated 3 May 2022:

EUR-Lex - 52022PC0197 - EN - EUR-Lex (europa.eu)


Proposal for a Regulation on the European Health Data Space - Analysis of the final compromise text with a view to agreement dated 18 March 2024: https://www.consilium.europa.e...


Digital Governance Act, entered into force as an EU Regulation in September 2023 (Regulation 868/2022): Regulation - 2022/868 - EN - EUR-Lex (europa.eu)


For any question on the EHDS, the secondary use of health data and data privacy laws, contact us at contact @ pharmarketing.net



Breaches of Health Data:

Decisions of Authorities

European Data Protection Authorities published several decisions related to the processing of health data in the past months.


Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


Thanks to GDPRhub (NOYB) for all this valuable information!


Austria:


Fact: The Austrian Data Protection Authority (DPA), the DSB, imposed a fine of €10,000 on a gynaecologist after he disclosed the data subject's diagnosis in a public response to an online negative review by the data subject.


Read more on DSB (Austria) - 2023-0.420.407 - GDPRhub


Takeaway: Every organisation must protect people's privacy, even the smallest ones such as a healthcare professional in town. This is especially important if your organisation processes sensitive data such as health data, as was the case for this gynaecologist.

So, if your organisation also processes sensitive personal data, make sure all employees have been trained in data privacy, that their contracts contain data privacy clauses and that you have put IT security measures in place.


Cyprus:


Fact: The DPA fined a doctor €1,500 for her unauthorised access to a data subject's medical records and for failing to explain her legal basis. Read more on GDPRhub...


Takeaway: Same as for the data breach done by a gynaecologist in Austria above.


Finland:


Fact: The Data Protection Authority of Finland found that a hospital had breached the principle of data minimisation by including unique and virtually permanent identification numbers in text messages sent to patients. Read more on GDPRhub...


Takeaway: make sure you collect only the personal data you really need from people; the same applies when sending personal data, what IT people call 'data in transit'.


Italy:


Fact: The Italian DPA, the Garante, imposed a fine of €300,000 on Medtronic Diabetes, a global medical technology firm, for its use of the 'To' field instead of the 'Bcc' field when sending emails to the users of its app, leading to unauthorised processing of health data. Read more on GDPRhub...


Takeaway:

1) Regularly train all your employees on the risks associated with the use of email.

2) Ask your IT team to implement software that delays the sending of emails by 5 minutes: if the sender then realises they made an error in the email, they can still delete it before it is sent.
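As an added example of the kind of guard the second point describes (not part of the newsletter, and not Medtronic's or the Garante's code), a pre-send check that counts the recipients visible in To and Cc and moves them to Bcc when a bulk message would disclose them to each other; MAX_VISIBLE, INTERNAL_DOMAIN and the sample message are assumptions.

```python
"""Pre-send guard against the 'To' instead of 'Bcc' mistake.

Added example, not the Garante's decision text nor Medtronic's own code.
Before a bulk message leaves the mail gateway, count the recipients every
other recipient would see (To and Cc). Above MAX_VISIBLE such addresses
the message is rewritten so the recipient list sits in Bcc instead.
"""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1                  # assumption: one visible recipient is normal 1:1 mail
INTERNAL_DOMAIN = "example.org"  # constructed: the sender's own domain


def visible_addresses(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: To and Cc, never Bcc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def disclosure_risk(msg: EmailMessage) -> list[str]:
    """External addresses that would be disclosed to each other; [] if fine."""
    external = [a for a in visible_addresses(msg)
                if not a.endswith("@" + INTERNAL_DOMAIN)]
    return external if len(external) > MAX_VISIBLE else []


def move_to_bcc(msg: EmailMessage) -> EmailMessage:
    """Rewrite a risky message in place: all visible recipients become Bcc."""
    if not disclosure_risk(msg):
        return msg                              # nothing to hide, headers untouched
    recipients = visible_addresses(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = "undisclosed-recipients:;"      # RFC 5322 empty group, nobody named
    msg["Bcc"] = ", ".join(recipients)          # smtplib strips Bcc from the sent copy
    return msg


def build_sample_bulk_mail() -> EmailMessage:
    """Constructed sample: an app notice wrongly addressed to three patients in To/Cc."""
    msg = EmailMessage()
    msg["From"] = "app-support@" + INTERNAL_DOMAIN
    msg["To"] = "patient.a@mail.test, patient.b@mail.test"
    msg["Cc"] = "patient.c@mail.test, helpdesk@" + INTERNAL_DOMAIN
    msg["Subject"] = "Your glucose monitoring app update"
    msg.set_content("Sample body (constructed).")
    return msg


if __name__ == "__main__":
    mail = build_sample_bulk_mail()
    print("would be disclosed:", disclosure_risk(mail))
    move_to_bcc(mail)
    print("visible after rewrite:", visible_addresses(mail), "| bcc:", mail["Bcc"])
```

Hooked into the gateway that also applies the 5-minute delay, this turns a human slip into a blocked or rewritten message rather than a notifiable breach.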


Fact: The Italian DPA reprimanded a processor for having breached Article 5(1)(f) GDPR and Article 32 GDPR since, following a software update, the platform of a healthcare provider suffered a vulnerability that allowed logged-in patients to access other reports. Read more on GDPRhub...


Takeaways:

First, make sure you have added data privacy language to your contract with software providers, especially wording addressing financial liability in case of such a breach following an update from the software provider.

Second, always test a software product thoroughly in an integration environment after a release update, to check that the product still works as expected and that the new version has not introduced weaknesses: this is called non-regression testing.

The new version of the software should be put in production ONLY when you are sure the new software version works appropriately.


Slovenia:


Fact: The Slovenian DPA found that national law grants the data subject access to the medical records of her deceased father if the information might have a significant impact on her health. Read more on GDPRhub: IP (Slovenia) - 07106-8-2023 - GDPRhub


Takeaway: N/A


Spain:


Fact: The Spanish DPA, the AEPD, sanctioned a medical centre €30,000, finding that it violated confidentiality principles when it required data subjects to take their temperature in a reception area where the data could be seen by third parties.

Read more on GDPRhub...


Takeaway: Personal data collected in public areas should be kept to a minimum and well secured, and data subjects should be informed: this also applies to CCTV.


For any question on this topic, feel free to contact : contact(at)pharmarketing.net


Updates from China on Data Transfers.

On 22 March 2024, the Cyberspace Administration of China (CAC) released clarifications on Data Transfers outside of China.

"Important data" is data that poses a threat to national and economic interests or affects the rights of individuals or organisations.

Data collected and generated in activities such as international trade and cross-border transportation that do not contain personal information or "important data" will be exempt from declaration, the Cyberspace Administration of China said.

The rules published on Friday said Chinese authorities would also establish a "negative list system" for free trade pilot zones, allowing those areas to independently formulate lists of data that need to be included in the scope of security assessment.

Reuters reported in February that Shanghai planned to accelerate approvals for foreign firms wanting to send their local data offshore by leveraging its sprawling free trade zones.

The new rules also adjusted the conditions for data export activities that need to declare a data export security assessment and extended the validity of assessment results from two years to three years.

These new rules are effective immediately.


Read more in the article from Reuters here.



For any question on China's data privacy laws, contact us at contact ( at ) pharmarketing.net



1. DPIA means Data of Patient for Intelligence Artificial?


No, DPIA stands for Data Privacy Impact Assessment. It is a risk analysis from the point of view of the data subjects.

It is mandatory to draft a DPIA if a personal data processing activity might result in a high risk for the private life of data subjects.

For example: clinical research; all medical activities of a hospital; a direct marketing campaign using new technologies and processing the email addresses of millions of people.

2. The EU GDPR applies to organisations outside EU: 


Yes, the EU GDPR applies to organisations outside the EU. If an organisation based outside the EU/EEA, say in Australia or Morocco, processes personal data of people based in the EU/EEA, then that organisation must apply the principles of the GDPR to all personal data.
