
Part 2: Health Data - From Personal Privacy to National Security Commodity


This is part 2/3 of the Life Sciences & National Security Series.




Insight from:

Erika D. Trujillo, Co-Founder & Managing Director at SEIA

 



The life sciences sector is experiencing a renaissance in strategic importance, and national security is coming to the forefront as the basis for restrictions. In the age of AI, genomic data is following rare earth minerals and semiconductors as the next critically controlled material and technology.


Health Data: From Personal Privacy to National Security Commodity

 

Imagine that you are a trade compliance officer and have a vendor agreement that involves the transfer of patient data to a counterparty. Who is responsible for compliance? 


Until recently, the answer was straightforward: data privacy teams handled patient data, and export compliance teams handled restrictions on physical goods, technology, software, etc. The two functions operated largely in parallel, but were governed by different bodies of law and managed by different parts of the organization.



However, something is changing in how governments think about health data, and this change highlights a critical trend in compliance for life sciences companies. Over the past several years, across Washington, Beijing, and Brussels, regulators have begun treating certain categories of health and genomic data, previously governed under HIPAA or GDPR, as strategic assets.


The transfer of data is now increasingly seen as something to be controlled, restricted, and in certain transactions prohibited entirely, as the legal architecture being built around that data is being drawn directly from the same frameworks that govern the export of controlled goods and technology.


For trade compliance professionals in the life sciences sector, this represents a genuine expansion of scope. Understanding the trend requires first understanding what makes this data valuable enough to be national security relevant, then examining what is driving the regulatory response, and finally considering where that trajectory leads.


Why Health Data Is Strategically Significant


Health data has always been sensitive. What has changed is that capabilities for analytical processing are evolving rapidly as increasingly sophisticated AI is paired with data aggregated at scale.


The Nature of Genomic Data: According to the US Department of Health and Human Services "a genome is the complete set of an organism’s genes—all the information needed to build and maintain an organism (human or nonhuman) throughout its life."


Consider what it means to sequence a genome: a technician loads a sample, a machine reads the base pairs of human life, and finally the data is stored, transmitted, and analysed. The analysis of a single genome can provide a variety of information about an individual, such as disease susceptibility, likely responses to specific pharmaceuticals, and ancestry.






Genomic data also has properties that distinguish it from other categories of sensitive information. Unlike a compromised password or a leaked financial record, genomic data is permanent and cannot be changed. The scope of impact is also wider, as a dataset on one individual carries predictive information about their relatives who may not have consented to any data transaction.


Aggregation Impact: Further, this data aggregates in ways that amplify its intelligence value at relatively small sample sizes. When aggregated across hundreds of thousands of individuals, a sufficiently large and well-structured genomic database becomes a population-level resource that can support drug target identification, precision medicine development, and the identification of biological vulnerabilities specific to particular populations or ethnic groups.


For this reason, the U.S. Data Security Program sets its compliance threshold for genomic data at 100 individuals, compared to 10,000 for general personal health data.


Acceleration of AI Capabilities: The acceleration of AI capabilities has substantially raised the analytical value of health datasets that would previously have been considered too fragmented or incomplete to be strategically significant. Data that was difficult to exploit a decade ago is considerably easier to exploit today.


In a hospital or a research lab, these data sets and analytics can lead to groundbreaking advancements in medical care; however, in a government intelligence briefing the concern is something else entirely.


Increasing National Security Concern


Taken together, these advancements open up wide possibilities for bad actors to engage in an expansive field of nefarious activities, ranging from intelligence surveillance to the development of targeted bio-weapons.


According to ODNI and the FBI, some risks could include foreign adversaries using genomic information for surveillance or coercion of military, intelligence, or political officials and to act against dissidents located in the U.S.; using U.S. human genomic information to identify and take action against individuals in genetic subpopulations; and advancing dual-use technology that could enable development of novel biological weapons. The U.S. intelligence community has been making this argument for several years and has testified publicly that large-scale genomic databases could theoretically inform the development of biological agents designed to affect specific genetic profiles.



In the research paper Assessing Privacy Vulnerabilities in Genetic Data Sets: Scoping Review, authors Mara Thomas, Nuria Mackes, Asad Preuss-Dodhy, Thomas Wieland, and Markus Bundschus also looked into the cybersecurity and privacy risks based on genomic information. Their summarised results are shown below, highlighting the nine features of genomic data and their relevance for privacy attacks:


Overview of the privacy-critical features of genetic data sets, with exemplary values and key points to consider for risk assessment. CODIS: Combined DNA Index System; SNP: single nucleotide polymorphism; SNV: single nucleotide variant; STR: short tandem repeat; WES: whole exome sequencing; WGS: whole genome sequencing; Y-STR: short tandem repeat on the Y chromosome. From Assessing Privacy Vulnerabilities in Genetic Data Sets: Scoping Review, by Mara Thomas, Nuria Mackes, Asad Preuss-Dodhy, Thomas Wieland, and Markus Bundschus, 27 May 2024, Vol 5 (2024), https://bioinform.jmir.org/2024/1/e54332.


What Is Driving the Western Regulatory Response Now?


The life sciences industry now sits at the intersection of some of the most consequential national security decisions governments are making, and while it is easy to point at AI, this regulatory shift reflects the convergence of several developments that have been building simultaneously across the globe since the 1970s.


Strategic Control in China: Human genetic resources were classified as national assets subject to state sovereignty in China as early as 1998, under the Interim Measures for the Administration of Human Genetic Resources. That classification has been progressively formalized through the Regulations on the Management of Human Genetic Resources of 2019 and the Biosecurity Law of 2020, which places human genetic resources within a national security and biosecurity paradigm. Western regulators have, in effect, observed a country that has long treated this data as a controlled strategic resource, and concluded that a reciprocal framework is necessary.


Accumulating Health Data: In addition, Chinese state-linked actors have visibly been accumulating health and genomic data. The most notorious example is BGI, China's largest genomics company, which expanded globally through sequencing services, research partnerships, and the distribution of testing infrastructure to over 180 countries during the COVID-19 pandemic. BGI's China National GeneBank, established in Shenzhen with government backing, describes its mission as serving China's strategic needs.


The U.S. Department of Defense designated BGI a Chinese military company in 2021, and the Commerce Department sanctioned several BGI affiliates. The BIOSECURE Act, passed by the U.S. Senate in August 2024, went further, seeking to bar named Chinese biotechnology companies from contracting with U.S. government agencies. The concern was not that BGI was violating privacy rules. The concern was that data collected through entirely commercial activity was flowing into infrastructure accessible to the Chinese state.


China's own Regulatory Framework: China's first regulatory framework for human genetic resources, issued jointly by the Ministry of Science and Technology and the former Ministry of Health in 1998 as the Interim Measures for the Administration of Human Genetic Resources, required government approval for the collection, preservation, and transfer abroad of biological samples and genetic data.


The framework was explicitly grounded in national competitiveness, as the Ministry of Science and Technology described domestic genetic materials, particularly those relating to ethnic groups, disease lineages, and population pedigrees, as strategic resources for the life sciences and biomedical industries. This framing had no equivalent in Western privacy law at the time, but looked a lot like export controls.



This is most apparent in the 2022 release of the Detailed Rules for the Implementation of the Regulations on the Management of Human Genetic Resources, particularly on the eligibility of foreign entities. It included:


  • 50% Rule: According to Article 12, an organization or individual is deemed to be “foreign” if a foreign entity owns or controls 50% or more of the shares.

  • License Requirements: for collection, preservation, international cooperation and export

  • End-use verification requirements: Applicants must ensure that there is no harm to the public health, national security, or public interests of China and meet other standards related to legality and ethical review.


Between 2015 and 2018, China's Ministry of Science and Technology published six administrative penalty decisions under the earlier Interim Measures, covering cases including BGI transmitting human genetic data abroad without prior authorization and WuXi AppTec exporting human serum mislabeled as canine serum. The rules had teeth, and the Chinese government demonstrated willingness to use them.



Since then, the framework has been progressively formalized. The Regulations on the Management of Human Genetic Resources of 2019, as amended in 2024, and the Implementation Rules of 2023 require administrative licensing for the collection, storage, use, and international transfer of genetic data.


China's Biosecurity Law of 2020 also elevated the classification of human genetic resources to a matter of state sovereignty, embedding them within a biosecurity paradigm tied explicitly to national security.


Circumvention Tactics to Obtain Data: According to US ODNI experts, "China employs commercial tactics to obtain access to large, diverse human genomic datasets." This included obfuscation of their country of origin to obtain access to human genomic information, using methods familiar to sanctions compliance professionals, like front companies or frequent name changes.


For international life sciences companies, the practical consequence of this regulatory framework is that genetic samples and genomic data generated through clinical or research activity in China are not regulated as records belonging to individual patients, but rather as resources belonging to the state.


The US/EU Regulatory Architecture Taking Shape


In response to the developing threats, along with the increasing capabilities to make those threats reality, Western regimes have started scrambling to catch up with the regulatory needs.


The United States


In February 2024, President Biden signed Executive Order 14117, Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, effective April 2025, covering genomic sequences, health records, and biometric data. The countries of concern included China, Russia, Iran, North Korea, Venezuela and Cuba.


Interestingly, it was the DOJ itself that drafted these rules, and the DOJ's own documentation describes them as establishing "what are effectively export controls" on sensitive personal data, including bulk genomic data, biometric identifiers, and personal health data. Enforcement sits with the DOJ's National Security Division. Penalties include civil fines of up to $368,136 per violation and criminal sanctions of up to 20 years' imprisonment for wilful violations, comparable to those of traditional export controls.


"Americans generate a vast digital footprint that, without protective measures, countries of concern can weaponize to threaten our national security. These countries of concern can purchase or access Americans’ sensitive personal data and U.S. Government-related data (government-related data) through various commercial transactions and relationships. They utilize biometric, genomic, financial, geolocation, and health data, along with certain personal identifiers, to analyze Americans’ lifestyles, spending habits, financial issues, preferences, and personal visits to sensitive locations like places of worship, government facilities, and health clinics. This data is then used for cyber-attacks, blackmail, espionage, and intimidating activists, academics, political figures, and journalists, as well as other malicious activities. Countries of concern employ advanced technologies like big-data analytics, artificial intelligence (AI), and high-performance computing to manipulate and exploit this data more effectively." - US DOJ

Transactions are divided between prohibited transactions, such as data brokerage and transfers of bulk genomic data to covered parties, and restricted transactions, such as vendor, employment, or investment agreements with counterparties connected to countries of concern.


A written Data Compliance Program, covering data flow mapping, counterparty due diligence, and ongoing audit requirements, is mandatory for organizations engaging in restricted transactions, with full audit obligations applying from October 6, 2025.


Then came the BIOSECURE Act, which was signed into law on December 18, 2025. From a legal process point of view this was interesting, because it was included as part of the National Defense Authorization Act, the annual legislation through which Congress funds the American military. This Act restricted US federal contractors and grant recipients from using biotechnology equipment or services from designated "biotechnology companies of concern." This included companies like BGI Genomics and MGI Tech, which are already listed by the Department of Defense as Chinese military companies operating in the United States.


The European Union


The European Union is still far behind the US and China in terms of regulatory controls on genomic data, especially as it struggles to balance regulation with the push to advance the biotechnology industry. However, it has taken initial steps.


In the EU, genomic data is considered a special category of data under the GDPR (Article 9), subject to significantly heightened requirements for transfer and access. However, groundwork was established as part of the proposed European Biotech Act. While aimed at promoting biotech advancements and the prioritization of the industry in the EU economy, it also introduces harmonized rules for the prevention of biotechnology misuse. These include screening and reporting obligations for certain high-risk products and benchtop nucleic acid synthesis equipment. In addition, an Advisory Group on Biosecurity was defined to monitor emerging risks, including those posed by AI models in biological applications.


Though less robust, the European Health Data Space Regulation, Regulation (EU) 2025/327, entered into force in 2025. The stated purpose is to facilitate health research and innovation through harmonized cross-border access to health data, but it also now routes that access through EU-governed infrastructure and national health data access bodies. This provides a framework such that secondary use of European health data is in theory subject to European institutional oversight.


According to the Regulation, data users can only "obtain access through a data-permit regime that imposes strict purpose limitation, secure-environment processing, and a prohibition on attempts at re-identification. Secondary use is permitted only inside a ring-fenced legal and technical environment, with the Health Data Access Bodies instructed to balance societal benefits with strong procedural and technical safeguards."


Though not related to the data itself, in November 2025, the European Union updated its Dual-Use Control List to include, for the first time, certain life sciences tools, alongside quantum technologies and advanced semiconductor manufacturing equipment. This is part of a new category of autonomous controls on emerging technologies that member states believed warranted restriction ahead of any multilateral consensus.


Where This Trend Is Heading


We can expect health data, and genomic data in particular, to be increasingly seen through the same strategic lens as other critical commodities like rare earth minerals and semiconductors. Several factors suggest the trajectory will continue toward broader and more stringent controls, including the increasing analytical value of health data as AI capabilities improve, the scalability of datasets from smaller sample sizes, and the unpredictability of current geopolitics.


Allied governments are likely to develop their own parallel frameworks, creating a patchwork of overlapping data control regimes analogous to the existing landscape of export control regulations across the U.S., EU, and UK. The complexity that trade compliance teams in the life sciences sector currently manage around physical goods and technology will, over time, extend to complex health data flows as well.


The current enforcement posture of the US DOJ's National Security Division, and the increasing willingness of European regulators to pursue enforcement, suggest that organizations should treat these obligations with the rigor applied to any national security-adjacent compliance program.


Follow for Part 3 of the Life Sciences & National Security Series: Trade Compliance Approaches for Strategic Data


 

 

 

 

 
 