Shanghai to Tighten Oversight of Online Healthcare Companies with New Guidelines

03.12.2025

Shanghai authorities are moving to tighten oversight of online healthcare companies with new guidelines aimed at strengthening cybersecurity and personal-data protection compliance frameworks.

Jointly issued by Shanghai’s internet, market and healthcare regulators, the guidelines apply to internet-based medical service companies involved in developing or maintaining medical software, providing medical-services training and offering digital-health services.

Their services include appointment booking, online consultations, health advice, e-prescriptions, test-result inquiries, medical information distribution and data-analysis support for hospitals, clinicians and patients.

These companies handle individuals’ health and medical information as well as electronic data derived from it, including demographic details, medical histories, payment data and broader healthcare-resource information.

The guidelines, though not legally binding, can raise compliance expectations above national requirements, a move seen as addressing long-standing concerns about misuse of personal data by internet-based medical-service providers.

The guidelines stress the general principles of legality, legitimacy, necessity and good faith, and require companies to process personal information only for clear and lawful purposes, obtain user consent and limit data collection to what is necessary.

While collecting individuals’ health and medical information, companies should notify individuals “in a prominent way” and obtain their “separate consent”. That requirement also applies when companies share data with partners, outsource processing or jointly handle such information.

The guidelines’ sixth article requires companies to obtain separate consent before pushing information or launching commercial marketing to individuals. It also mandates giving users the option to avoid targeted content or providing a straightforward way to opt out.

Article 29 of China’s Personal Information Protection Law requires separate consent when handling sensitive data. Critics say this does not mean platforms must secure such consent for every action involving medical-service users.

The sixth article

The sixth provision of the guidelines has drawn pushback from industry observers who argue it conflicts with the opt-out structure of China’s Advertising Law and increases compliance costs for companies.

Article 43 of the Advertising Law allows organizations to send electronic advertisements only with a recipient’s consent or request and requires senders to disclose their identity and provide a simple opt-out method.

Industry observers say that while SMS marketing requires consent, the law does not specify the form it should take. They argue that standardized marketing messages often lack individual profiling, making it difficult to design a non-targeted alternative when no automated decision-making is used.

The sixth article effectively shifts commercial marketing toward an opt-in model, raising practical questions about how separate consent should be obtained. Companies say that relying on pop-up requests would disrupt user experience and hinder routine operations.

In reality, many Chinese companies already blend limited opt-in with an opt-out mechanism. Companies typically embed general consent for marketing or data use within privacy policies or user agreements, allowing SMS outreach or targeted advertising.

At the same time, they offer one-click unsubscribe links for texts and in-app settings to disable personalized recommendations.

Industry observers note that China’s approach to opt-in is less strict than in Western jurisdictions, often requiring only that a consent clause be included in a privacy policy rather than a specific toggle that users must actively enable.

Other requirements

The guidelines also set restrictions on illegal web crawling, require tiered management of health and medical data and call for secure technologies to protect information during transmission and storage.

Companies must adopt technical measures to record network access, establish systems for security monitoring, early warning and emergency response, and ensure that patients retain rights to access, control and decide how their personal data is used.

Companies handling information on more than one million individuals must file details of their data-protection officers with the Shanghai internet regulator. Those processing data for over 10 million people must conduct personal-information compliance audits at least once every two years.

Companies that use artificial intelligence or blockchain to process health and medical data must perform security assessments, protect individual rights and complete required registration or filing procedures under relevant laws.

Source: MLex
