A Close Reading Of China’s New Cybersecurity Review Measures In Effect Feb 15 2022
On January 4, the first working day of 2022, the Cyberspace Administration of China (CAC), in conjunction with 12 other authorities – including the China Securities Regulatory Commission (CSRC) – finally promulgated the high-profile Cybersecurity Review Measures (hereafter the “Measures”).
The new Measures, which will come into force from February 15, 2022, spell out the legal basis, scope of application, government bodies in charge, content, and procedures for cybersecurity review.
The Main Message
The Measures will subject two main groups – critical information infrastructure (CII) operators as well as network platform operators – to a cybersecurity review, under the following circumstances:
- For CII operators, if they purchase network products and services that affect or may affect national security.
(Based on the Regulation on the Security and Protection of CII, CII operators refer to operators of information infrastructure in important industries and sectors, such as public communications and information services, energy, transport, water conservancy, finance, public services, e-government services, and national defense.)
- For network platform operators, if they conduct data processing activities that affect or may affect national security; or if they hold personal information of more than one million users and plan to list their shares overseas.
(The Measures don’t define the network platform operators. For a network platform operator with more than one million users, it could be any data-rich consumer tech company.)
The CAC began revising the Cybersecurity Review Measures on July 10, 2021, days after the announcement of the investigation into the ride-hailing firm Didi Chuxing.
The revision was to supersede the original Measures that were effective from June 1, 2020, which focused on reviews of the procurement of ICT (information and communication technology) equipment and services by CII operators – in other words, CII supply chain reviews.
With a new aim to protect cybersecurity and data security, the draft revision started incorporating data processing activities and foreign IPOs into the scope of review, which in part echoed the Data Security Law (DSL) adopted on June 10, 2021.
What’s New In The 2021 Measures?
Compared with the original file, the 2021 Cybersecurity Review Measures have made the following amendments:
- It adds the DSL and the Regulation on the Security and Protection of CII, both effective from September 1, 2021, as the legal basis of the Measures.
- It incorporates data processing activities implicating national security into the scope of review. (According to the DSL, “data processing” includes the collection, storage, use, processing, transmission, availability, and disclosure of data, etc.)
- It incorporates foreign listings by internet platform operators with data of more than one million users into the scope of review. In addition, IPO materials (like prospectuses) are required to be submitted when applying for the cybersecurity review.
- It adds the CSRC as a member under the cybersecurity review working mechanism.
- It improves the factors for the assessment of national security.
- It extends the reviewing time for the special review process to 90 working days.
Will Hong Kong IPOs Be Exempt From Cybersecurity Reviews?
Among all the changes, the newly added Article 7 of the revamped Measures has attracted the most attention. It stipulates that:
“Where any network platform operator who possesses the personal information of more than one million users seeks foreign listings (“国外上市”), it shall file an application with the Office of Cybersecurity Review for cybersecurity review.”
Both the draft and final versions of the Measures use the term “foreign listings” (“国外上市”) instead of “offshore listings” (“境外上市”). The former term is often interpreted as listing outside of China, like in the US, and excluding listing in Hong Kong, while the latter term would include Hong Kong. Many lawyers and bankers therefore speculate that the wording indicates that mainland companies pursuing IPOs in Hong Kong may be exempt from the cybersecurity review process.
Such discussion took place in November when the CAC issued a draft of the Network Data Security Management Regulation. The regulation specifically mentioned Hong Kong listings as requiring special vetting if they involve matters of national security, and separated Hong Kong listings from foreign listings in two respective items.
According to Caixin’s report citing several lawyers involved in Hong Kong IPOs, “the city’s bourse recently started to ask mainland companies whether they could be subject to cybersecurity reviews. The inquiries have extended to non-Internet companies. At the moment, companies are required only to submit a legal document drawn up by mainland lawyers outlining the likelihood of a cybersecurity review.”
China’s Cybersecurity Review Process
Who Implements The Cybersecurity Review?
The Office of Cybersecurity Review (OCR), a subordinate office under the CAC, will entrust the China Cybersecurity Review Technology and Certification Center (CCRC) to conduct the review, the CAC said in a press conference.
The CCRC will undertake the tasks of receiving the filing materials and conducting formal examination of the submissions under the guidance of the OCR. The CCRC will also set up a window for cybersecurity review consultation.
CII And Network Platform Operators Applying For Cybersecurity Review
Network platform operators holding data of more than one million users are required to proactively apply to the OCR for a security review before they apply to foreign securities regulators to list.
Operators voluntarily filing an application for cybersecurity review should submit the following materials:
- A written declaration;
- An analysis report concerning the impact or possible impact on national security;
- The procurement document, agreement, contract to be entered into, or IPO materials to be submitted, etc.; and
- Other materials necessary for cybersecurity reviews.
The OCR Initiating The Review
When members under the cybersecurity review working mechanism deem a network product or service or a data processing activity as affecting or potentially affecting national security, the OCR can also report to the CCRC for approval and initiate a cybersecurity review in accordance with the Measures.
The Reviewing Time And Process
- Upon receipt of the submitted materials, the OCR will, within 10 working days, determine whether the review is required and notify the operator in writing.
- If the OCR deems it necessary to conduct a cybersecurity review, it will complete the preliminary review within 30 working days from the date of issuing the written notice.
- If the case is complicated, the said time may be extended by 15 working days.
- When conducting the preliminary review, the OCR will formulate review findings and suggestions and send them to members of the cybersecurity review working mechanism and other relevant authorities for comments. Members of the cybersecurity review working mechanism and relevant authorities will give a written reply within 15 working days upon receipt of the review findings and suggestions.
- If members of the cybersecurity review working mechanism have conflicting opinions, the case will be handled through a special review procedure, which should be completed within 90 working days in general and may be extended if the case is complicated.
In aggregate, the general review process takes up to 70 working days from the start of the application. For the special review process, the maximum reviewing time required can be more than 160 working days, or more than eight months.
How Will China Assess For National Security Risks?
When carrying out the cybersecurity review, the OCR will focus on the assessment of national security risks that may be brought about by procurement activities, data processing activities, and overseas listing. The following factors are taken into account (the last three items are newly added, zeroing in on protecting core or important data and personal information):
- Risks of illegal control, interference, or destruction of CII brought about by the use of products and services;
- The harm caused by supply interruption of products and services to the business continuity of CII;
- Security, openness, transparency, and diversity of sources of products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade, or other factors;
- Information on compliance with Chinese laws, administrative regulations, and departmental rules by product and service providers;
- Risks of theft, disclosure, damage, illegal use, or cross-border transfer of core data, important data or large amounts of personal information (newly added);
- Risks of influence, control, or malicious use of critical information infrastructure, core data, important data, or large amounts of personal information by foreign governments after overseas listing (newly added); and
- Other factors that may endanger CII, cybersecurity, and national data security (newly added).
Most revisions in the new Cybersecurity Review Measures relate to risks associated with data processing activities. The Measures also emphasize the data security risks arising from Chinese market entities listed overseas, which reflects China’s growing concerns that foreign regulators could gain access to sensitive data from Chinese entities listed on foreign stock markets, particularly in the US.
In fact, the promulgation of the new Measures was preceded by a string of decisions by Chinese authorities to boost the oversight of offshore listings by Chinese companies. On December 24, 2021, the CSRC unveiled a set of rules imposing new filing requirements for Chinese companies seeking to sell shares directly or indirectly overseas. On December 27, the new negative lists for foreign investment access allowed companies in foreign investment-restricted sectors to go public overseas, but at the same time required them to obtain approval from relevant regulators in advance.
In the mid- to long-term, mainland companies, especially those whose businesses impact cybersecurity and data security, and are subject to foreign investment restriction, will face a stringent review process when seeking offshore listings.
The practical processes are still a black box for many companies, and even a conundrum for officials, as it will not be easy to secure the data without incurring the potential economic loss caused by data blocking. Thus, more detailed rules and guidelines can be expected along with the implementation of the new Cybersecurity Review Measures. Presently, it may very well be that many mainland companies hold off on their IPO plans, shift towards Hong Kong IPOs, or navigate a route that does not trigger cybersecurity or data security red flags.