Regulations last checked for updates: Apr 27, 2025

Title 28 - Judicial Administration last revised: Apr 18, 2025
All TitlesTitle 28Chapter IPart 202Subpart E - Subpart E—Exempt Transactions
View all text of Subpart E [§ 202.501 - § 202.511]
§ 202.510 - Drug, biological product, and medical device authorizations.

(a) Exemption. Except as specified in paragraph (a)(2) of this section, subparts C, D, J, and K (other than § 202.1102 and § 202.1104) of this part do not apply to a data transaction that

(1) Involves “regulatory approval data” as defined in paragraph (b) of this section and

(2) Is necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or a combination product, provided that the U.S. person complies with the recordkeeping and reporting requirements set forth in §§ 202.1101(a) and 202.1102 with respect to such transaction.

(b) Regulatory approval data. For purposes of this section, the term regulatory approval data means sensitive personal data that is de-identified or pseudonymized consistent with the standards of 21 CFR 314.80 and that is required to be submitted to a regulatory entity, or is required by a regulatory entity to be submitted to a covered person, to obtain or maintain authorization or approval to research or market a drug, biological product, device, or combination product, including in relation to post-marketing studies and post-marketing product surveillance activities, and supplemental product applications for additional uses. The term excludes sensitive personal data not reasonably necessary for a regulatory entity to assess the safety and effectiveness of the drug, biological product, device, or combination product.

(c) Other terms. For purposes of this section, the terms “drug,” “biological product,” “device,” and “combination product” have the meanings given to them in 21 U.S.C. 321(g)(1), 42 U.S.C. 262(i)(1), 21 U.S.C. 321(h)(1), and 21 CFR 3.2(e), respectively.

(d) Examples—(1) Example 1. A U.S. pharmaceutical company seeks to market a new drug in a country of concern. The company submits a marketing application to the regulatory entity in the country of concern with authority to approve the drug in the country of concern. The marketing application includes the safety and effectiveness data reasonably necessary to obtain regulatory approval in that country. The transfer of data to the country of concern's regulatory entity is exempt from the prohibitions in this part.

(2) Example 2. Same as Example 1, except the regulatory entity in the country of concern requires that the data be de-anonymized. The transfer of data is not exempt under this section, because the data includes sensitive personal data that is identified to an individual.

(3) Example 3. Same as Example 1, except country of concern law requires foreign pharmaceutical companies to submit regulatory approval data using (1) a registered agent who primarily resides in the country of concern, (2) a country of concern incorporated subsidiary, or (3) an employee located in a country of concern. The U.S. pharmaceutical company enters into a vendor agreement with a registered agent in the country of concern to submit the regulatory approval data to the country of concern regulator. The U.S. pharmaceutical company provides to the registered agent only the regulatory approval data the U.S. pharmaceutical company intends the registered agent to submit to the country of concern regulator. The transaction with the registered agent is exempt, because it is necessary to obtain approval to market the drug in a country of concern. The U.S. pharmaceutical company must comply with the recordkeeping and reporting requirements set forth in §§ 202.1101(a) and 202.1102 with respect to such transaction, however.

(4) Example 4. Same as Example 1, except the U.S. company enters a vendor agreement with a covered person located in the country of concern to store and organize the bulk U.S. sensitive personal data for eventual submission to the country of concern regulator. Country of concern law does not require foreign pharmaceutical companies to enter into such vendor agreements. The transaction is not exempt under this section, because the use of a covered person to store and organize the bulk U.S. sensitive personal data for the company's regulatory submission is not necessary to obtain regulatory approval.

(5) Example 5. A U.S. pharmaceutical company has obtained regulatory approval to market a new drug in a country of concern. The country of concern regulator requires the U.S. pharmaceutical company to submit de-identified sensitive personal data collected as part of the company's post-marketing product surveillance activities to assess the safety and efficacy of the drug to the country of concern regulator via a country of concern registered agent to maintain the U.S. pharmaceutical company's authorization to market the drug. Sharing the de-identified sensitive personal data with the country of concern regulator via the country of concern registered agent to maintain marketing authorization is exempt from the prohibitions and restrictions in subparts C and D of this part.

(6) Example 6. A U.S. medical device manufacturer provides de-identified bulk U.S. personal health data to a country of concern regulator to obtain authorization to research the safety and effectiveness of a medical device in the country of concern. Country of concern law requires medical device manufacturers to conduct such safety research to obtain regulatory approval to market a new device. The prohibitions and restrictions of subparts C and D of this part do not apply to the de-identified regulatory approval data submitted to the country of concern regulator to obtain authorization to research the device's safety and effectiveness.

authority: 50 U.S.C. 1701
source: 90 FR 1706, Jan. 8, 2025, unless otherwise noted.
cite as: 28 CFR 202.510
© 2014 CustomsMobile | Disclaimer | Privacy | About