New Measures Aims to Strengthen Cybersecurity Review in China

Initially promulgated in April 2020, the Cybersecurity Review Measures provides procedures for cybersecurity reviews in relation to national security under the State Security Law and Cybersecurity Law. On July 10, 2021, the Cyberspace Administration of China (“CAC”) issued a notice seeking public comments on a new Draft Revision to the Cybersecurity Review Measures (the “Draft Revision”) after the Standing Committee of China National Congress promulgated the Data Security Law in June 2021.

1. Cybersecurity Review Measures is to Implement Laws

The State Security Law, effective on July 1, 2015, for the first time vowed to establish a review and regulation system and mechanism for State security and to carry out security review against foreign investment, key technologies, and network information technology products and services that affect or may affect State security (Article 59 of the State Security Law). As a part of the efforts to safeguard State security in cyberspace, the Cybersecurity Law, effective on June 1, 2017, requires security review by CAC and other competent authorities of any purchase of network products and services by critical information infrastructure operators that may affect State security (Article 35 of the Cybersecurity Law). The Data Security Law, which is to be effective on September 1, 2021, plans to establish a data security review system to review data processing activities that affect or may affect State security and further determines that a security review decision is final and unappealable. 

CAC has enacted the Cybersecurity Review Measures and its Draft Revision to implement the above laws.

2. Security Review Targets Purchase of Network Products and Services and Data Processing Activities

Briefly, any purchase of network products and services by critical information infrastructure operators and data processing activities by data processors that affect or may affect State security require cybersecurity review (critical information infrastructure operators and data processors, collectively the “Operators”). 

• Critical information infrastructure :  No clear definition has been given so far. The Cybersecurity Law vaguely provides that those critical information infrastructures in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once damaged, disabled, or have data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests, will receive extra protection on the basis of the graded system for cybersecurity protection. Specifically, critical information infrastructure operators subject to security review are those who have been certified by critical information infrastructure protection authorities. It is expected that government will release regulation on the specific scope and security measures for critical information infrastructures and their operators.  

• Network products and services:  They mainly refer to core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructures.

• Data processing:  The Data Security Law defines data processing broadly, involving collection, storage, use, processing, transmission, provision and disclosure of data.

• State security: According to the State Security Law, State security refers to the condition in which the state power, sovereignty, unity and territorial integrity, people’s welfare, sustainable economic and social development, and other vital interests of the State shall relatively face no danger or encounter no internal and external threats, as well as the capability to safeguard sustainable safety condition. Vagueness and broadness of the above definition largely increase the difficulty in understanding the criteria of security review which is “affect or may affect State security”, especially considering that Operators are required to prejudge whether their purchase of network products and services would affect or may affect State security and, if yes, are obligated to apply for security review. Thankfully, the Cybersecurity Review Measures and its Draft Revision shed certain light on how to assess the potential State security concern (please refer to Section 5 for details).

There is also a catch-all clause for the discretion of the government: where member authorities of cybersecurity review working mechanism deem that network products and services, data processing activities or overseas IPOs affect or may affect State Security, the Office of Cybersecurity Review under CAC may initiate security review after receiving approval from the Central Cyberspace Affairs Commission (“CCAC”).

3. Draft Revision Stresses Overseas IPOs

Under the current Cybersecurity Review Measures, cybersecurity review applies only to operators of critical information infrastructures.

The Draft Revision adds an Article 6, which expands the reporting and application obligation to include any operator who possesses the personal information of more than one million users and goes public abroad. 

The investigation over the IPO of DiDi has illustrated that regulators in China are seeking to curb overseas IPOs of domestic enterprises potentially exposed to State security risks. The Article 6 adopts a higher standard for IPO enterprises, as qualified overseas IPOs are linked to cybersecurity reviews without exception. This reflects the view of regulators in China that enterprises holding large scales of personal information are almost invariably linked to national and cybersecurity risks.

Notably, the Draft Revision uses the expression “become listed in other countries” throughout the amended articles, rather than more common expressions such as “listed on foreign exchanges”. The choice of expression in the Draft Revision seems to imply that enterprises to be listed on the Stock Exchange of Hong Kong will not be subject to cybersecurity review under the new Article 6. This could be interpreted as a concession to allow domestic enterprises to achieve their fund-raising targets through IPOs on a foreign market, while maintaining the risk of data exposure at an acceptable level.

4. Revisions in Response to the Data Security Law

The Draft Revision has added data processors and data processing as subjects of cybersecurity reviews alongside critical information infrastructure operators and purchasing activities respectively. Article 10 quotes the classification of core data and important data from the Data Security Law for assessing the risks from the potential purchase of network products and services and data processing. This means that cybersecurity reviews conducted under the Draft Revision will also cover all types of data processors and processing activities as defined in the Data Security Law.

5. Risk Factors to be Considered in Cybersecurity Reviews

CAC will consider the following main risk factors when conducting cybersecurity review:

(1) Risks of illegal control, interference or destruction of critical information infrastructure resulting from the use of network products and services;

(2) Harms caused by supply interruption of network products and services to the business continuity of critical information infrastructure;

(3) Security, openness, transparency and diversity of sources of network products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade or other factors;

(4) Information on compliance with laws of China, administrative regulations and departmental rules by network product and service providers;

(5) Risks of theft, leakage, damage, illegal use or cross-border transfer of core data, important data or large quantity of personal information;

(6) information infrastructure, core data, important data or large quantity of personal information by foreign governments after overseas listing; and

(7) Other factors that may endanger critical information infrastructure security and national data security.

6. Procedures of the Cybersecurity Review

The current Cybersecurity Review Measures requires special review process to be completed within 45 working days, which can be “appropriately extended” for complicated cases. The Draft Revision extends this limit to 3 months, and allows it to be simply “extended” for complicate cases.

To briefly summarise the procedures, the Office of Cybersecurity Review under CAC is generally responsible for conducting review with assistance from member authorities of cybersecurity review working mechanism. The Office of Cybersecurity Review will decide whether a review is needed, conduct preliminary review, solicit member authorities on the preliminary review conclusions, conduct special review if needed, and liaise with Operators throughout the process. In the case of a special review, the Office of Cybersecurity Review will report to CCAC for approval before making the final conclusion.

The following flow chart represents the process prescribed in the Draft Revision.

For Chinese enterprises currently listed or seeking IPOs on exchanges in other countries, it is advisable to follow closely on this recent legislation, and prepare to meet the more stringent compliance standard for data protection.