The legislative history of China's drug test data protection regime is a slow journey from aspirational principle to operational rule, passing through four distinct phases: conceptual inception, renewed attempts, deliberate reboot, and formal implementation.

The conceptual inception phase dates to 2002. That year, Article 35 of the Implementing Regulations of the Drug Administration Law first introduced data protection, providing that the State would protect independently obtained and undisclosed test data submitted by manufacturers or sellers of drugs containing new chemical entities, and that within six years of the grant of a marketing license, the drug regulatory authority would not approve applications by other applicants to produce or sell such drugs using that data without the original applicant's consent. The provision aimed to give innovative drugs a second layer of protection beyond patents, but its scope was limited to drugs containing "new chemical entities," and it left undefined critical concepts such as "independently obtained" and "undisclosed," while providing no implementing procedures, review standards, or publication mechanisms. Article 20 of the Drug Registration Measures in 2007 restated the principle, but likewise remained at the level of generalities. For more than a decade thereafter, the drug regulatory authorities declined to accept any data exclusivity applications on the ground that implementing rules were lacking, leaving the system in a state of de facto suspension.

In 2017, the regime entered a phase of renewed attempts. In October 2017, the General Offices of the CPC Central Committee and the State Council issued the Opinions on Deepening the Reform of the Review and Approval System to Encourage Innovation in Drugs and Medical Devices, explicitly calling for "improving and implementing the drug test data protection system." In April 2018, the National Medical Products Administration (NMPA) issued a draft Implementation Measures for Drug Test Data Protection (Provisional), which for the first time proposed a systematic framework: six years of data exclusivity for innovative drugs, twelve years for innovative biological products, and six years for orphan drugs and pediatric drugs. The draft, however, sparked fierce controversy over ambiguous concepts and overly broad scope, compounded by intense lobbying from both the innovative and generic pharmaceutical industries, and ultimately never reached final promulgation.

In 2020, the regime entered a deliberate reboot. The Phase One U.S.-China Economic and Trade Agreement signed in January 2020 required both parties to provide effective protection and enforcement of pharmaceutical-related intellectual property rights, including undisclosed test data submitted as a condition of marketing approval. Paradoxically, the Drug Registration Measures promulgated in July 2020 deleted the data protection provision that had existed in the 2007 version (Article 20). This deletion was not a retreat but a strategic pause—removing a provision that had never been enforced in practice, and waiting for the revision of the Implementing Regulations of the Drug Administration Law to rebuild the system from the ground up. The period that followed was one of gestation at the level of higher-level legislation. In 2022, the draft revised Implementing Regulations for the first time systematically addressed data protection at the administrative-regulation level. In January 2025, the General Office of the State Council issued Opinions on Comprehensively Deepening the Reform of Regulation of Drugs and Medical Devices to Promote the High-quality Development of the Pharmaceutical Sector (Guobanfa [2024] No. 53), which explicitly distinguished between the "data protection period" (the regulator's obligation not to rely on protected data) and the "market exclusivity period" (the regulator's refusal to approve competing products), extending market exclusivity protection to eligible drugs for rare diseases, drugs for children, the first chemical generic drugs and exclusive varieties of TCMs.

The formal implementation phase began in 2026. On January 16, 2026, State Council Order No. 828 promulgated the revised Implementing Regulations of the Drug Administration Law, whose Article 22 formally established the data protection regime: "The State shall protect undisclosed test data and other data independently obtained and submitted by MAHs of drugs containing new chemical entities and other drugs that meet conditions, and no one shall make unfair commercial use of such undisclosed test data and other data. The protection period for the data specified in the preceding paragraph shall not exceed 6 years from the date of drug registration. During the protection period, for any other applicant who, without the consent of the MAH, uses the data specified in the preceding paragraph to apply for a drug registration, no license shall be granted; however, this does not apply where the another applicant submits independently obtained data. " 

This authorization at the administrative-regulation level provided a solid legal basis for departmental rules. On May 15, 2026, the NMPA issued the Implementation Measures, effective immediately; on the same day, the Center for Drug Evaluation (CDE) issued the Working Procedures for Drug Test Data Protection (hereinafter the "Working Procedures"), clarifying application timing, review processes, and publication mechanisms. At this point, China's new drug data exclusivity regime completed its journey from principle to rule, and from text to practice.

New drug data exclusivity and patent protection are both exclusivity mechanisms for innovative pharmaceuticals, yet they differ fundamentally in institutional logic, legal character, and enforcement mechanism, while simultaneously functioning as complementary layers of protection.

In terms of subject matter, patent protection covers technical solutions that meet the requirements of novelty, inventiveness, and practical applicability—compounds, manufacturing processes, therapeutic uses, formulations, and the like—representing essentially a property right in technological innovation. Data protection, by contrast, covers the test data and other data submitted by MAHs to demonstrate safety, efficacy, and quality controllability. Its defining characteristic is that it is "independently obtained and undisclosed"; its value lies not in the technical solution itself, but in its function as an information asset supporting regulatory decision-making. Patent protection answers the question of "whether one may practice the technology"; data protection answers the question of "whether one may free-ride on the data."

In terms of legal character, patent rights are absolute exclusionary rights. The patentee may prohibit any third party from practicing the patented technology without authorization, regardless of whether the third party developed the technology independently or through reverse engineering, so long as the acts fall within the scope of the patent claims. Data protection, by contrast, is a relative exclusionary right whose effect is contingent upon "data reliance." Article 3(2) of the Implementation Measures expressly provides that the restriction does not apply to "other applicants who have independently obtained data and do not rely on others' protected data." This means generic manufacturers may still obtain marketing approval by conducting their own clinical trials and submitting their own data; data protection does not bar independent research and development.

In terms of enforcement mechanism, patent protection relies on a dual-track system of judicial protection and administrative enforcement, allowing the patentee to seek injunctive relief and damages through infringement litigation, or to request a cease-and-desist order through administrative channels, combining ex post remedies with active rights assertion. Data protection, by contrast, is a front-loaded, administrative-process protection. Its operating logic is as follows: when reviewing a generic drug application, the drug regulatory authority simultaneously examines whether the application relies on protected data; if reliance exists and the rights holder's consent has not been obtained, the authority directly issues a "non-approval" administrative decision. As Article 2 (3) of the Working Procedures provides: "During the data protection period, when accepting marketing registration applications or supplemental applications that rely on protected data held by other marketing authorization holders, [the CDE] shall simultaneously review the relevant information of the protected data relied upon. After completing the technical review, if the protected data relied upon remains within the protection period and the applicant has not obtained the holder's consent, the review shall be suspended." In other words, this protection requires no lawsuit or complaint by the rights holder; it is executed automatically by the regulator within the review process—a "silent barrier."

Despite these divergences, the two systems are functionally complementary. Patent protection may fail due to invalidation, narrow claim construction, or design-around by generic competitors, whereas data protection provides a "hard floor" of protection independent of patent validity. Conversely, after the data protection period expires, if the relevant patent remains in force, a generic drug may obtain marketing approval but may still be enjoined from sale by judicial patent enforcement. In practice, an innovative drug often enjoys both patent protection and data exclusivity, and the layering of the two affords the innovator a more robust period of market exclusivity.

The Implementation Measures and its accompanying documents, effective May 15, 2026, construct a comprehensive framework covering scope of protection, application procedures, duration, and exceptions.

(A) Scope of Protection

Article 3 of the Implementation Measures defines the protected subject matter as "test data and other data independently obtained and undisclosed submitted by the applicant." Specifically:

For innovative drugs and originator drugs approved abroad but not yet in China, Article 5 provides that the scope of data protection covers "all test data in the drug marketing authorization application materials used to prove the safety, efficacy, and quality controllability of the drug," with a protection period of six years from the date of first marketing approval in China.

For improved drugs, Article 6 limits the scope to "new clinical trial data demonstrating obvious clinical advantages over drugs with known active ingredients (biological products already marketed)," while expressly excluding "bioavailability, bioequivalence, and immunogenicity data for vaccines," with a protection period of four years.

For the first generic or biosimilar of an originator drug approved abroad but not yet in China, Article 8 provides that the scope covers "necessary clinical trial data supporting approval," likewise excluding bioavailability, bioequivalence, and vaccine immunogenicity data, with a protection period of three years.

At the indication level, Articles 5 and 7 establish a tiered protection mechanism: for multiple indications successively approved for the same innovative drug under the same approval number, each indication receives data protection according to its registration category; for new indications of originator drugs approved abroad but not in China that have not been approved anywhere in the world, six years of data protection are granted, while subsequently added indications receive four years.

(B) Application and Confirmation Procedures

Article 9 of the Implementation Measures provides that "an applicant intending to apply for data protection shall simultaneously submit a data protection application when filing the drug marketing authorization application." Article 3 of the Working Procedures further clarifies that the applicant shall submit the data protection application concurrently with the marketing registration application, truthfully completing the relevant information in the application form and specifying the duration of data protection.

At the review stage, Article 10 of the Implementation Measures establishes a "simultaneous review, simultaneous confirmation" mechanism: "The CDE shall, when conducting technical review of the drug registration application, confirm the scope and duration of data protection in accordance with these Measures." Article 4 of the Working Procedures refines this by requiring synchronized review of the data protection application upon acceptance of the marketing authorization application, and marking the product after acceptance.

At the grant and publication stage, Article 11 of the Implementation Measures establishes a dual publication mechanism: first, "the NMPA shall annotate the data protection information of the drug in the drug approval document"; second, "the CDE shall establish a data protection column on its website to publish relevant information on drug data protection."

For subsequent applications that rely on protected data, Article 2 of the Working Procedures establishes a "simultaneous review, automatic suspension" mechanism, whereby data protection is executed automatically within the review process without requiring active rights assertion by the rights holder. In addition, Article 12 of the Implementation Measures provides: "After a drug obtains data protection, other applicants may submit drug marketing applications or supplemental applications relying on the protected data within one year before the expiration of the data protection period; the CDE shall suspend the review timer after completing technical review, and approve the relevant drug after the data protection period expires."

(C) Duration of Protection

Article 3 of the Implementation Measures establishes a general principle that the data protection period shall not exceed six years. On this basis, the specific durations are as follows:

The protection period is calculated from the date the drug registration application is approved in China.

(D) Exceptions to Protection

Three circumstances render data exclusivity inapplicable.

The first is the "independently obtained data" exception. Data exclusivity restricts only applications that rely on others' data, not those based on independently generated data. Article 3(2) of the Implementation Measures, provide: "Where other applicants apply for drug marketing authorization or supplemental applications relying on the data without the consent of the marketing authorization holder, the NMPA shall not approve; except where other applicants have independently obtained data and do not rely on others' protected data." Article 3(3) further clarifies: "Where other applicants submit drug registration applications with independently obtained data, the applications shall be approved if they meet the conditions, but no data protection period shall be granted, and such data may not be relied upon by subsequent applicants."

The second is the "public interest" exception. Article 3(4) of the Implementation Measures provides that "in the event of a public health emergency, or where public interest so requires, the relevant provisions shall apply."

The third is analogous to the Bolar exemption, allowing generic manufacturers to file applications relying on others' data before the data exclusivity period expires, with approval deferred until the period ends. Article 12 of the Implementation Measures provides: "Other applicants may submit drug marketing applications or supplemental applications relying on the protected data within one year before the expiration of the data protection period; the CDE shall suspend the review timer after completing technical review, and approve the relevant drug after the data protection period expires."

The formal implementation of the drug data protection regime will profoundly reshape China's pharmaceutical innovation ecosystem and competitive landscape. Companies of different types should adjust their IP strategies and product development plans accordingly.

(A) Significance for Different Categories of Companies

For first-generic companies, the data protection regime presents both challenges and opportunities. The challenge is that the originator's data protection period becomes a temporal barrier to generic entry, preventing generic manufacturers from "free-riding" on the originator's data during the protection period. The opportunity lies in the three-year data protection period granted to the first-approved generic under Article 8 of the Implementation Measures, allowing the first mover to prevent other generic competitors from relying on its data to file marketing applications for three years. For drugs approved abroad but not yet in China, if the originator has not filed for patent protection in China (for example, by not extending its patent filing to China) or if the patent term has expired, generic companies could otherwise copy the drug without patent barriers. However, Article 5 of the Implementation Measures expressly provides that such originator drugs receive six years of data protection upon first approval in China. This means that even absent patent obstacles, competitors must either wait out the data protection period or conduct full clinical trials themselves. This design effectively provides originators with a "second line of defense" independent of patents. Consequently, first-generic companies should establish a dual monitoring mechanism: on one hand, closely tracking the data protection expiration dates of originator drugs in China and positioning for pre-filing one year in advance; on the other hand, identifying "no-patent-but-data-protection" scenarios among drugs approved abroad but not in China, assessing the commercial viability of conducting independent clinical trials against the benefit of three years of data exclusivity as the first generic to market.

For companies engaged in deep development of existing active pharmaceutical ingredients, the data protection regime provides a tool that transcends patent protection. In practice, improved innovations such as new indications, new crystal forms, new salt forms, and new routes of administration for known active ingredients may be protected by indication patents, crystal form patents, or salt form patents, but these patents are often susceptible to design-around by generic competitors, and patent enforcement faces uncertainties in claim construction. The data protection regime, by contrast, directly protects the clinical trial data supporting approval of the improved drug: so long as generic competitors cannot independently complete clinical trials demonstrating clinical superiority, they cannot obtain marketing approval. This data-based barrier may prove more robust in practice than patent protection. Therefore, pharmaceutical companies should attach greater importance to lifecycle management of existing drugs, generating protectable data assets through high-quality clinical trials.

For innovative drug companies, data protection provides a "safety net" beyond the patent system. Patent protection for innovative drugs may fail due to invalidation, defective claim drafting, or generic design-arounds, whereas data protection is independent of patent validity: so long as the drug obtains marketing approval, it automatically receives up to six years of data protection. This mechanism provides a baseline guarantee for innovative companies to recoup R&D investments. Innovative drug companies should integrate data protection into their overall IP portfolio management framework, planning data generation strategies early in drug development to ensure the completeness and systematicity of clinical trial data, thereby securing data protection at the time of marketing application.

(B) Confidentiality Requirements

The effective operation of the data protection regime depends not only on regulatory design but also on companies' own management of test data as trade secrets. Before submission to the drug regulatory authorities, test data is inherently a core trade secret of the enterprise; if leaked before filing and thereby entering the public domain, the "undisclosed" status required for data protection is destroyed, and the exclusivity conferred by the regime collapses. Even after submission to the regulator, while summary information may enter the public domain through review disclosures, the underlying complete clinical study reports, raw datasets, statistical analysis plans, and individual patient data must remain strictly protected. Therefore, pharmaceutical companies should treat test data as a strategic asset on par with patents, incorporating it into the full-process control of the enterprise IP management system.

Accordingly, companies should adopt appropriate technical and managerial measures to maintain the confidentiality of test data. At the technical level, companies should implement full-lifecycle encrypted storage and transmission of clinical trial data, establish role-based access controls to ensure that only authorized personnel may access sensitive data, and deploy audit-trail systems to record all data access and manipulation activities, enabling traceability in the event of a leak. At the managerial level, companies should establish data classification and grading systems, assigning confidentiality levels based on data sensitivity and commercial value, with differentiated access privileges and confidentiality agreements. For clinical institutions, contract research organizations, and internal employees involved in clinical trials, confidentiality obligations and liability for breach should be clearly stipulated in cooperation agreements and employment contracts; departure procedures should include data handover and declassification period management to prevent core data from leaking through personnel turnover. In addition, companies should attend to the institutional interface after the data protection period expires: when administrative data exclusivity terminates, if the test data remains undisclosed, the company may still rely on trade secret law to assert rights against competitors who improperly acquire or use the data, thereby sustaining a continuous defensive capability in market competition.

Source: Llinks Law Offices