China Updated its Cybersecurity Review Regime

Background

The concept of security review was first introduced into law by the Cyber Security Law (CSL), which requires operators of critical information infrastructure (CII) to apply for national security review on their procurement of network product and services if it may impact national security. Shortly before the CSL took effect, the CAC published the Measures on Security Review of Network Product and Services in May 2017 (2017 Measures). In the 2017 Measures, the security review focuses on procurement of “important network products and services for networks and information systems relevant to national security”. Apparently, the scope of the security review has exceeded that as contemplated under the CSL. There was no reported cases of security review while this regulation was effective.

In April 2020, the CAC replaced the 2017 Measures with the Measures on Cybersecurity Review (2020 Measures). This time, CAC released the regulation jointly with 11 other ministries and started to use the notion “cybersecurity review” instead of security review. The scope of review in this version has been reduced to “procurement of network product and services by the CII operators, which impacts or may impact national security”, which is consistent with the CSL.

The enforcement under this regulation had remained inactive until early July 2021 when the CAC issued its decision to conduct cybersecurity review on three internet companies that just launched their IPO in the United States in the previous month, namely Didi, Manbang and Boss Zhipin. The decision was unexpected at the time as the scope of CII was not clear (and is still unclear to date), and very little details have been released about the ongoing reviews so far. The main questions are that if the cybersecurity review was initiated under CSL and the 2020 Measures, whether any of the companies had been identified as a CII operator and which procurement activities have triggered the cybersecurity review.

Shortly after the decision to investigate Didi and others in July, the CAC revised the 2020 Measures and issued a draft for public consultation in mid-July 2021. Notably, the draft extends the scope of cybersecurity review to cover data processing activities and overseas listings of certain data processors. This change gives rise to the speculation that the draft is a retrospective attempt to provide a legal ground for the decision issued earlier to initiate cybersecurity review. The Measures are the final version of the draft and we will look into the key changes in below section.

Highlights of Key Changes

I. Extended scope

The Measures extend the scope of cybersecurity review from procurement by CII operators to also include data processing activities by network platform operators (NPOs) that impact or may impact national security. We set out below some key issues.

Who are NPOs?

The Measures fail to define NPOs. In fact, we have not seen this concept in any other regulations published so far, but similar terms exist. For instance, in the draft Administrative Regulations for Network Data Security (Draft Regulations) published by the CAC, internet platform operators are defined as data processors that provide internet platform services to users, including information dissemination, social network, transactions, payment and audio and video services.

Despite the lack of any clear guidance, the scope of NPOs should be similar with that of the internet platform operators, although we hope that the CAC will keep its use of terms consistent in the future.

Interplay with data security review

The Measures cited the Data Security Law (DSL) as its legal basis, which authorises authorities to conduct national security review over data processing activities that impact or may impact national security. DSL proposes to establish a data security review regime.

Apparently, the CAC relies upon the DSL to include data processing activities of NPOs in the scope of cybersecurity review. On the other hand, the cybersecurity review should be viewed as part of the data security review regime as it only covers the NPOs. As such, the Measures also provide that any regulations on data security review will also apply in addition to the Measures, although no such regulations have been published to date.

Data processing risks

Under the Measures, CAC will consider the risks of core data, important data or a large amount of personal information being stolen, leaked, destroyed and illegally used or exported. However, the Measures go no further to specify how the CAC will assess such risks. NPOs should start to self-assess their data processing activities relating to core data, important data and personal information against the existing laws, regulations and standards and evaluate whether their processing activities will involve risks that could trigger the cybersecurity review.

II. Foreign listings of NPOs

Notably, an NPO must also apply for a cybersecurity review over its proposed listing outside China, if the NPO controls over one million users’ personal information. However, the ambiguity in the drafting of the provisions has given rise to some questions.

The one million threshold

One question is about the threshold. The language used in the Measures still fails to clarify whether the threshold should be one million users’ personal information or one million pieces of users’ personal information, although the former seems to be more widely accepted. As an issue common to all the thresholds set by the CAC in its regulations, there is no indication as how to calculate the volume of personal information.
Interestingly, while the Measures provide that the cybersecurity review will consider risks relevant to CII, core data, important data and a large volume of personal information that are resulted in by the listing, the threshold for voluntary application for cybersecurity review only reflects the volume of personal information. It is not clear whether this is a neglection or intended by the CAC.

Hong Kong listings

Another issue is whether listings in Hong Kong will be considered ones outside of China and therefore subject the data processors to the obligations of applying for the cybersecurity review. The Measures, as in the draft, neglect to make it clear. The provisions of the Draft Regulations on cybersecurity review differentiate between listings outside China and listings in Hong Kong but do not exclude Hong Kong listings from the scope of voluntary cybersecurity review.

It appears that the current wording of the Measures will not subject Hong Kong listings to the voluntary cybersecurity review. Having said that, it is still possible that the CAC may initiate the cybersecurity review if it considers that a Hong Kong listing impacts national security. The CAC should clarify the applicability of the cybersecurity review to Hong Kong listings as soon as possible and reconcile the Measures with the Draft Regulations.

Listings through VIE

The Measures have not defined the concept of listing, but under the recent draft Administrative Regulation on Issuance of Securities and Listings by Domestic Companies overseas listings will include direct listings and indirect listings, which may include listings through a variable interest entity (VIE). Under this draft regulation, an overseas listing should go through the applicable security review process if required. Therefore, a listing via VIE outside of China will very likely fall under the Measures.

What will be considered in the review?

Moreover, the CAC fails to explicitly explain, in the Measures or on other occasions, why listings outside China will be considered data processing activities that impact or may impact national security. Data processing is defined under the DSL as the collection, storage, use, handling, transmission, provision and public disclosure of data. Therefore, it is likely to be the data processing activities involved in the listing process and the continuous status of being listed that will fall under the cybersecurity review. Such data processing activities may include providing personal information, core data and important data to foreign regulatory bodies, judicial bodies, law-enforcement authorities, and other parties and any other processing activities as required for compliance with foreign laws and orders.

The Measures provide that the cybersecurity review should take into account, among other things, the risks of the CII, core data, important data or a large amount of personal information being affected, controlled or maliciously used by foreign governments and network information security risks after listing. It seems that if any of the above-mentioned data processing activities relevant to the proposed listing may carry such risks, then the proposed listing may not get the clearance after the cybersecurity review. For assessment purposes, the NPO is required to submit its listing application materials to the CAC for review.

III. Procedures and enforcement

The Measures have not made any significant changes to the cybersecurity review procedures. The review process may be initiated by the CII operators or NPOs voluntarily or by the CAC itself. Interestingly, for voluntary application, the Measures only expressly provides for the scenarios where the NPOs propose to be listed outside China and CII operators procures network products or services. It is not clear whether there will be other specified scenarios where NPOs must also voluntarily file for cybersecurity review.

Notably, for cases where the relevant ministries cannot reach a consensus, the case will follow a special review procedure, and the statutory time limit has been extended from 30 working days to 90 or longer.

Besides, the CII operators and NPOs may be required to take preventative and risk-mitigating measures during the review process.

Given that the scope of CII, core data and important data is not clear, the Measures still fall short of fully enforceable. However, considering the on-going cybersecurity review over Didi and others, we cannot rule out the possibility that the CAC will initiate new cybersecurity reviews after the Measures take effect.

Conclusion

The Measures have extended the cybersecurity review to processing of core data, important data and personal information by the NPOs. In particular, NPOs that intend to list outside of China will now need to apply for cybersecurity review over their listings if they process personal information of over one million users.

Despite that the scopes of CII, core data and important data are yet to be specified, the CAC may still elect to enforce the Measures. NPOs should start to assess whether their processing activities impact or may impact national security and therefore trigger the cybersecurity review process.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected]