When data protection norms meet digital health technology: China's regulatory approaches to health data protection

While ageing remains a global concern, it is especially challenging for China, which has the world's largest ageing population. In response, the Chinese government has introduced digitalisation policies that clearly embrace the use of information and communication technologies in health. To enhance data protection in this tide of digital transformation, China adopted its first ever standalone data protection legislation in 2021, the Personal Information Protection Law, which is expected to have huge impacts on technology and data processing. This paper captures these significant changes related to technological advances and regulatory approaches. It aims to explore the interplay between China's new data protection legal regime and the digital health advances which were proposed to facilitate healthcare in an ageing society. To do so, the paper first reviews and categorises the use of digital tools for various health functions and argues that the use of digital health technologies creates significant data protection concerns. The paper then investigates to what extent China's data protection rules mitigate privacy risks created by digital health technologies. An evolutionary overview of China's data protection legal landscape is mapped out. On this basis, outstanding legal issues surrounding health data protection are explored, contributing to a nuanced analysis of health data processing under different scenarios including: (1) healthcare provision; (2) health research; (3) public health; (4) social care and health management in a non-medical context; and (5) real-world data for market approval. The paper shows that the Personal Information Protection Law renders China's data protection legal landscape less fragmented and offers important legal safeguards for health data. Despite legislative advances, a closer look at relevant provisions in the Personal Information Protection Law and their interplay with other regulations reveals areas where further clarification is needed, including the definition of health data, the meaning of ‘separate consent’, data minimisation requirements for health apps, and the operation of the enforcement mechanism. The paper ends with indicating potential steps forward, with a hope that the benefits of digital health can be realised in a manner that respects privacy and human dignity.