The Cyberspace Administration of China (the "CAC"), in conjunction with 12 other government departments (collectively, the "Working Mechanism"), issued the New Measures for Cybersecurity Review (the "New Measures") on January 4, 2022. The New Measures amends the Measures for Cybersecurity Review (Draft Revision for Comments) (the "Draft Measures") released on July 10, 2021 and will come into effect on February 15, 2022.
By way of background, China's Cybersecurity Law1 for the first time raised the requirement of cybersecurity review for critical information infrastructure operators' (the "CIIO") activities of purchasing network products and services, which may influence national security.2 Following the Cybersecurity Law, the CAC issued the Measures for Cybersecurity Review in April 2020 (the "2020 Measures"). On July 2, 2021, the CAC announced the very first cybersecurity review on Didi, a giant Chinese car-hailing service provider, citing the Cybersecurity Law, the 2020 Measures, and the National Security Law.3 On July 10, 2021, the CAC issued the Draft Measures, expanding the application scope of the cybersecurity review to cover data processors, if data processors' activities affect or may affect national security.4 The New Measures follows the expanded application scope under the Draft Measures, although it refers to network platform operators instead of data processors. Under the New Measures, both CIIOs and network platform operators need to pay attention whether their business activities may be subject to cybersecurity review in China.
This client alert provides a summary of the key points of the New Measures.
CIIOs and network platform operators should apply for cybersecurity review if national security will or may be affected
The New Measures provides that CIIOs who purchase network products and services and network platform operators (网络平台运营者) who carry out data processing activities should apply for cybersecurity review if national security will or may be affected.5
For CIIOs, they are obliged to evaluate any national security risk that may arise after the use of network product or service when procuring such product or service.6 Under the New Measures, the term "network product or service" mainly refers to any core network equipment, important communications product, high-performance computer or server, mass storage equipment, large database or application, network security equipment, cloud computing service or any other network product or service that has an important influence on the security of any critical information infrastructure.7 If national security will or may be affected, a CIIO needs to apply to the Cybersecurity Review Office (the "CRO") for a cybersecurity review.
For network platform operators, the New Measures provide that their data processing activities will be subject to cybersecurity review if such activities will or may affect national security.8 "Data processing activities" is a broad concept under relevant laws and regulations. For example, the Chinese Data Security Law defines "data processing" as "the collection, storage, use, processing, transmission, provision and disclosure of data."9 The New Measures only provide specific rules for public listings of certain network platform operators and does not give much guidance on what other specific types of data processing activities may be of the Chinese authority's focus for cybersecurity review.
In addition, the member organizations of the Working Mechanism can initiate cybersecurity review if they consider national security is or may be affected by any network product or service, or data processing activities.10
The New Measures list the following main factors for assessing national security risk during cybersecurity review.11
- The risk of any critical information infrastructure being illegally controlled, tampered with or sabotaged after any product or service is used;
- The risk of an interruption in the supply of any product or service endangering the continuity of any critical information infrastructure;
- The security, openness, transparency, diversity of sources and reliability of any supply channel of any product or service, and the risk of its supply being interrupted due to political, diplomatic, trade or other factors;
- The compliance of the provider of any product or service with the laws, administrative regulations, and departmental rules of China;
- The risk of any core data, important data or a large amount of personal information being stolen, leaked, destroyed, illegally used, or illegally transferred abroad;
- The risk of any critical information infrastructure, core data, important data, or a large amount of personal information being affected, controlled, or maliciously used by foreign governments, as well as any network information security risk;
- Any other factor that may endanger the security of any critical information infrastructure, network security or data security.12
Network platform operators "to be listed in foreign countries" must apply for cybersecurity review
The New Measures provide that if a network platform operator who possesses personal information of more than one million users plans to be listed in foreign countries, it must apply for cybersecurity review.13 Unlike the Draft Regulations on Cyber Data Security Management (《网络数据安全管理条例(征求意见稿)》) issued on November 14, 2021, the New Measures do not seem to require companies to be listed in Hong Kong to apply for cybersecurity review, as the New Measures use the term "to be listed in foreign countries" (国外上市).
Nonetheless, as discussed above, the member organizations of the Working Mechanism have the authority to initiate a cybersecurity review if they consider the data processing activities in connection with a proposed listing will or may affect national security.14 Therefore, there is still likelihood that a network platform operator's proposed listing in Hong Kong may be subject to cybersecurity review.
Also, it is worth noting that the New Measures do not specify the types of public listings that will be subject to cybersecurity review. Therefore, different forms of public listings, such as initial public offering ("IPO"), special purpose acquisition company ("SPAC"), reverse takeover ("RTO"), direct listing, may all be subject to cybersecurity review if a network platform operator meets the statutory threshold mentioned above.
Cybersecurity review procedure and review department
Under the New Measures, the cybersecurity review procedure is as follows:
- When a CIIO or a network platform operator applies to the CRO for cybersecurity review, the CRO should determine and notify the applicant in writing whether or not a cybersecurity review will be carried out within ten business days upon receiving all application materials.15
- The CRO may determine that no cybersecurity review is required.16 If the CRO decides to conduct a cybersecurity review, the preliminary review should be completed within 30 business days from the date of written notification to the applicant. In the event of a complex case, the review may take up to an additional 15 business days.17 The preliminary review result and recommendation will be subject to opinions from the member organizations of the Working Mechanism and relevant departments. The member organizations of the Working Mechanism and relevant departments shall reply with opinions in writing within 15 business days upon receiving the preliminary review result and recommendation.18
- If the member organizations of the Working Mechanism and the relevant departments cannot reach a consensus, it will trigger a special review procedure and the applicant will be notified should such a case arise.19 The special review procedure should generally be completed within 90 business days on top of the regular review period discussed above. In the event of a complex case, the special review procedure can be extended and no time limit of such extension is provided under the New Measures.20
It is unclear whether the outcome of cybersecurity review is final or subject to administrative appeal. Also, it remains unclear, in the event that an applicant does not pass the cybersecurity review, how soon the applicant can rectify the situation and re-submit the application.
The China Cybersecurity Review Technology and Certificate Center (the "CCRC"), at the direction of the CRO, will carry out the substantive review work, including accepting and assessing application materials. The CCRC sets up a consultation window for the cybersecurity review and its contact details are mentioned in the CAC's answers to journalists regarding the New Measures.21
Taking precautionary and mitigating measures during cybersecurity review
The New Measures require a cybersecurity review applicant to take precautionary and mitigating measures during the process of the cybersecurity review.22 It remains unclear what precautionary and mitigating measures an applicant is expected to take voluntarily and what mitigating measures the authority may have power to order the applicant to take. During the current cybersecurity review of Didi, the relevant government authority ordered Didi to suspend new user registration and to remove Didi's application from application stores. This indicates that the relevant government agencies have a wide range of powers to request precautionary and mitigating measures that may have a direct impact on an applicant's business.
1 Issued by the Standing Committee of the National People's Congress on November 7, 2016 and effective as of June 1, 2017.
2 Article 35 of the Cybersecurity Law.
3 http://www.cac.gov.cn/2021-07/02/c_1626811521011934.htm. On July 5, the CAC again announced cybersecurity reviews on Yunmanman and Huochebang, two truck-hailing service providers, and Boss Zhipin, an online recruitment application. http://www.cac.gov.cn/2021-07/05/c_1627071328950274.htm.
4 Article 2 of the Draft Measures.
5 Article 2 of the New Measures.
6 Article 5 of the New Measures.
7 Article 21 of the New Measures.
8 Article 2 of the New Measures.
9 Article 3 of the Data Security Law. Data Security Law is issued by the Standing Committee of the National People's Congress on June 10, 2021 and effective as of September 1, 2021.
10 Article 16 of the New Measures.
11 Article 10 of the New Measures.
12 Article 10 of the New Measures.
13 The original Chinese text of Article 7 of the New Measures is as follows: “掌握超过100万用户个人信息的网络平台运营者赴国外上市,必须向网络安全审查办公室申报网络安全审查。”
14 Article 16 of the New Measures.
15 Article 9 of the New Measures.
16 Question 2 of the CAC's answers to journalists regarding the New Measures, http://www.cac.gov.cn/2022-01/04/c_1642894602460572.htm.
17 Article 11 of the New Measures.
18 Article 11 and 12 of the New Measures.
19 Article 12 of the New Measures.
20 Article 14 of the New Measures.
21 Question 5 of the CAC's answers to journalists regarding the New Measures, http://www.cac.gov.cn/2022-01/04/c_1642894602460572.htm.
22 Article 16 of the New Measures.
Xue Feng and Zihan Ma at White & Case contributed to this Client Alert.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP
