Draft amended regulation to reshape China’s cybersecurity review
On July 10, 2021, only 13 months after the current Measures for Cybersecurity Review took effect on June 1, 2020 (“2020 Measures”), the Cyberspace Administration of China (“CAC”, or “国家互联网信息办公室” in Chinese) issued the draft amended Measures for Cybersecurity Review (“2021 Draft”) to solicit the general public’s comments. The commenting period ended on July 25, 2021.
Echoing the Data Security Law of China (“DSL”) just released on June 1, 2021, the 2021 Draft broadens the scope of cybersecurity review to cover data processors’ data processing activities. Also, against the backdrop of the recent cybersecurity enforcement cases, the 2021 Draft addresses the regulators’ concerns over the security of data held by Chinese companies listed or to be listed on a foreign stock exchange.
I. Historical Development of the Cybersecurity Review System
The Cybersecurity Law of China (“Cybersecurity Law”), which took effect on June 1, 2017, for the first time introduced the concept of “national security review” for cybersecurity purposes. It mandates that if a critical information infrastructure operator (“CIIO”) procures any network product or service that may impact national security, the procurement must be subject to national security review.
The Measures for Security Review of Network Products and Services (for Trial Implementation), which took effect on June 1, 2017 (“2017 Measures”), emphasized security review of network products and services but did not distinguish CIIOs’ procurement of network products and services from that of non-CIIOs.
The 2017 Measures was replaced and superseded by the 2020 Measures on June 1, 2020. The 2020 Measures focuses on CIIOs’ procurement of network products and services and, for the first time, defines the term “network products and services”.
DSL, which was released just one month before the 2021 Draft and is to take effect on September 1, 2021, broadens the scope of cybersecurity review to include any data processing activity that impacts or may impact national security.
The 2021 Draft (i) provides more detailed rules for cybersecurity review of data processing activities, (ii) includes additional triggering events for cybersecurity review, (iii) adds more assessment factors, and (iv) extends the review time for the special review process.
II. New Triggering Events Added for Cybersecurity Review
The 2021 Draft includes DSL as an additional legislative basis and adds new statutory causes to trigger cybersecurity review.
A. Triggering Events under the 2020 Measures
Under the 2020 Measures, there are two scenarios under which a cybersecurity review will be triggered:
1. if a CIIO procures any network product or service, which impacts or may impact the national security, it must undergo cybersecurity review; or
2. if any member of the cybersecurity review working mechanism, which is to be established by certain Chinese ministry-level authorities that may need to request or participate in national security review (each, a “Member Agency”), believes that any network product or service impacts or may impact national security, it may work with the Cybersecurity Review Office under the CAC to initiate a cybersecurity review.
B. Additional Triggering Events under the 2021 Draft
1. Data Processing Activities Conducted by Data Processors
If a data processor conducts any data processing activity that impacts or may impact national security, it must go through cybersecurity review.
Compared with the 2020 Measures, the 2021 Draft introduces the following changes:
a. not only CIIOs, but also all data processors may be subject to cybersecurity review, if other conditions are met; and
b. not only procurement of network products and services, but also data processing activities, will be subject to cybersecurity review, if other conditions are met.
Pursuant to DSL, “data processing” includes the collection, storage, usage, processing, transmission, provision, and disclosure of data, which is a very broad concept and covers almost all network activities. Therefore, the 2021 Draft, if adopted and effective, may subject more enterprises and network operations to cybersecurity review.
2. Foreign Listings by Operators[1] Possessing More Than 1 Million Individual Users’ Personal Information
Several days before the release of the 2021 Draft, against the backdrop of tightening cybersecurity law enforcement, the General Office of the State Council of the People’s Republic of China issued the “Opinions on Lawfully and Severely Combating Illegal Securities Activities” on July 6, 2021, ordering the regulators to improve relevant laws and regulations on cross-border data transfer and to enhance the data security responsibilities of foreign-listed companies.
To address the regulators’ concerns over foreign-listed companies, the 2021 Draft (i) includes the China Securities Regulatory Commission (“CSRC”) as a new Member Agency and (ii) requires an Operator possessing more than 1 million individual users’ personal information to undergo cybersecurity review before its listing on a foreign stock exchange. Some critical issues, however, have yet to be clarified by the regulators, either in the final version or in a later interpretation. For example:
a. Whether an Operator that has been listed on a foreign stock exchange should be subject to cybersecurity review
It is unclear whether an existing foreign-listed company that possesses a large amount of personal information can be exempt from cybersecurity review, as the 2021 Draft is silent in this respect. Another concern is that even if it can be exempted, the regulatory authorities may still conduct cybersecurity review on it for other reasons or at discretion.
b. What “possessing” means
There is no definition of “possessing" in the 2021 Draft. Thus, it is unclear whether an Operator, such as a public cloud operator, who is entrusted with its customer data but has no access to or control over the same, will be covered by this scenario.
c. Whether an Operator to be listed on the Hong Kong Stock Exchange (“SEHK”) is covered by this scenario
The 2021 Draft only mentions listings on foreign stock exchanges. Many commentators speculate that listings on SEHK should be excluded, as Hong Kong SAR is a part of China, and hence SEHK should not be deemed as a foreign stock exchange. However, this has yet to be clarified by the regulators.
3. Under the 2020 Measures, the Member Agencies and the Cybersecurity Review Office can only initiate cybersecurity review of CIIOs’ procurement of network products and services when they deem it necessary. The 2021 Draft gives them more power by enabling them to initiate cybersecurity review of any data processing activity or foreign listing when they deem it necessary.
III. More Factors to Be Considered During a Cybersecurity Review
Compared with the 2020 Measures, the 2021 Draft includes more factors for consideration in a cybersecurity review.
A. Factors to be Considered under the 2020 Measures
Under the 2020 Measures, a cybersecurity review mainly focuses on national security risks arising from a CIIO’s procurement of any network product or service. Specifically, the following factors need to be considered:
1. whether the critical information infrastructure (“CII”) involved will be illegally controlled, impeded, or damaged after using the network product or service;
2. whether the CII can continue to function if the supply of the network product or service is cut off;
3. whether the network product or service is safe, open, transparent, and available from multiple supply sources, whether the supply channels are reliable, and whether the supply thereof will be cut off due to any political, diplomatic, or trade reason;
4. whether the provider of the network product or service complies with Chinese laws and regulations; and
5. any other factors that may endanger the security of the CII or national data security.
B. Additional Factors to be Considered under the 2021 Draft
Under the 2021 Draft, a cybersecurity review will also focus on national security risks arising from data processing activities and foreign listings. Specifically, the following additional factors need to be considered:
1. whether core data, important data, or a large amount of personal information will be stolen, disclosed, damaged, or illegally utilized or transferred out of China; and
2. whether CII, core data, important data, or a large amount of personal information will be impacted, controlled, or maliciously utilized by a foreign government after a foreign listing.
The term “important data” first appeared in the Cybersecurity Law but still lacks a definition. According to DSL, different ministries and different local governments need to formulate detailed important data catalogs for their respective industries and regions. DSL also defines “core data” as “data that matters to national security or any lifelines of national economy, important aspects of people’s livelihood, or material public interests, etc.”, which could be more critical and more sensitive than important data. However, its detailed scope has yet to be clarified. Also, the threshold that constitutes “a large amount” needs to be clarified as well.
It is noteworthy that, similar to the 2020 Measures, there are no risk assessment criteria under the 2021 Draft. Therefore, the regulators may have a great deal of discretion in the review.
IV. Longer Period for a Cybersecurity Review
According to the 2020 Measures, the maximum period for an ordinary cybersecurity review is 70 working days, and, if a special review is needed, there will be an additional 45 working days. The 2021 Draft extends the special review period from 45 working days to 3 months.
V. Important Communication Products Added to the Definition of Network Products and Services
The scope of “network products and services” directly relates to the scope of cybersecurity review. Under the 2020 Measures, network products and services refer to “core network equipment, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure”. The 2021 Draft newly includes “important communication products” in the definition of “network products and services”, strengthening supervision of the means of information and data transfer.
VI. What Operators Need to Do to Face the New Challenges
Facing the new challenges brought about by the tightening cybersecurity regulations and law enforcement, we would suggest the following:
1. Operators who are data processors, particularly those who may be deemed to possess core data, important data, or a large amount of personal information, may want to (a) process data in compliance with relevant laws and regulations, (b) regularly conduct self-assessments of their data processing activities and consult legal professionals for advice, if necessary, and (c) monitor further legislation and interpretations on key terms and requirements, such as the detailed scope of “important data” and “core data”, and communicate with the relevant authorities for clarification, if necessary.
2. Operators to be listed on foreign stock exchanges, particularly those possessing a large amount of personal information, may want to (a) establish internal data compliance systems to guide and regulate their data processing activities and conduct self-assessments before foreign listings, (b) select their listing venues with caution, considering geopolitical and regulatory risks, and (c) seek the opinions or guidance of regulators, such as the CAC and the CSRC, before foreign listings.
3. Operators who may be deemed as CIIOs, particularly those in the supply chain of network products and services, may want to (a) monitor further interpretations on the scope of CIIO and network products and services, and conduct self-assessments on whether they are subject to such scope, and (b) if yes, establish and improve their procurement systems and conduct self-checks to see whether there may be any impact on national security when they purchase network products and services.
The 2021 Draft is still at the public commenting stage. Some of the questions will hopefully be clarified when it is promulgated. However, we expect the 2021 Draft to be finalized soon, leaving not much time for Operators to prepare for compliance. We suggest that Operators study the 2021 Draft and prepare for its implementation when finalized.