China has further strengthened its legislation on data security in view of the popularity of cross-border transactions of Chinese internet-based companies
In 2020, China escalated the national security review (NSR) system from a set of circulars issued by the State Council and the Ministry of Commerce (MOFCOM) to the national law level. China expanded the scope of NSR to capture transactions between two foreign parties involving a Chinese company or Chinese interests ("Transactions with China Interests") with the promulgation of the PRC Foreign Investment Law (FIL) and its implementation regulations.
In December 2020, China's National Development and Reform Commission (NDRC) and MOFCOM jointly released the Measures for Security Review of Foreign Investments. While these new FISR measures expand the scope of NSR compared to previous NSR-related rules, they continue to describe targeted sectors in broad strokes, leaving substantial room for interpretation and clarification.
In addition to the NSR system, MOFCOM promulgated the Provisions on the Unreliable Entity List (UEL) in September 2020, under which foreign individuals and entities who are on the UEL may be restricted or prohibited from investing in China. The detailed implementation rules and the proposed list of the unreliable entities have yet to be released.
In 2021, China further strengthened its legislation on data security in view of the popularity of cross-border transactions of Chinese internet-based companies. In particular, China promulgated the PRC Data Security Law (DSL) at the national law level on June 10, 2021, under which China established a data security review system under the NSR regulatory regime.
In response to the DSL, the Cyberspace Administration of China (CAC) released the Draft Amended Measures for Cyber Security Review (for public comment) in July 2021 to include more triggering events of cybersecurity review and expand the reviewing scope. Since the amended measures are, at this writing, still in draft form, the implementation of such rules are subject to further clarification and guidance from the relevant regulatory authorities.
The NDRC has already started monitoring Transactions with China Interests from a national security reviews perspective
In 2011, a ministerial NSR panel was established by MOFCOM and NDRC pursuant to a set of rules issued by the State Council in the same year. The panel is responsible for conducting NSR of foreign investments in Chinese domestic enterprises. In furtherance of the 2011 NSR Rules, China's State Council issued additional rules in April 2015, expanding the NSR process to foreign investments in various free trade zones in China.
On July 1, 2015, China promulgated the PRC National Security Law (NSL), which is China's most comprehensive national security legislation at the national law level. However, the NSL's provisions do not detail how the security review processes and measures will be implemented by the relevant regulatory authorities.
On January 1, 2020, the FIL came into effect and reiterated, albeit briefly, that China will establish a security review system for foreign investments. On December 19, 2020, NDRC and MOFCOM jointly released the new FISR measures to amend and reiterate the existing NSR-related rules, pursuant to which a working office to be jointly led by NDRC and MOFCOM becomes the authority conducting foreign investment security review (the FISR Office).
SCOPE OF NATIONAL SECURITY REVIEW
According to the new FISR measures, a foreign investment transaction is subject to security review when either of the following is true:
- The transaction is in sectors related to national defense and security, such as arms and arms-related industries or in geographic locations in close proximity to military facilities or defense-related industries facilities (the Military Defense Test)
- The transaction involves critical sectors significant for national security, such as critical agricultural products, critical energy and resources, critical equipment manufacturing, critical infrastructure, critical transportation services, critical cultural products and services, critical information technology and internet products and services, critical financial services and key technologies, and will result in foreign investors' obtaining actual control of the invested enterprise (the Sensitive Sector Test)
Consistent with the FIL, the new FISR measures define "foreign investments" as direct or indirect investment activities conducted by foreign investors, including investments to initiate a new project or establish a new enterprise in China, either independently or jointly with other investors; acquisition of equity interest or assets of an enterprise in China; and investments through other structures in China.
In practice, the NDRC has already started monitoring Transactions with China Interests from an NSR perspective. For example, MOFCOM might notify NDRC during the antitrust filing process of any transactions (including for Transactions with China Interests) with potential national security concerns, and NDRC will request the relevant parties to provide relevant information and initiate the NSR process if it confirms there is a national security concern.
Foreign investors interested in sensitive industries may wish to conduct a comprehensive pre-transaction analysis
REVIEW PROCESS AND TIMELINE
The new FISR measures have provided the typical timeline and process for the security review of a foreign investment transaction. The stages are as follows:
- Preliminary review. Upon receipt of an application for foreign investment security review, the FISR Office will make a preliminary decision on whether the transaction is subject to general review within 15 working days, and inform the applicants of its decision in writing
- General review. If the FISR Office decides that the transaction should be subject to general review at the conclusion of the preliminary review, it will conduct and complete the general review within 30 working days after the date on which its preliminary review decision is made. Upon completion of the general review, the FISR Office will provide written notice to the applicants whether the proposed transaction is approved or subject to special review if it affects or may affect national security
- Special review. If the FISR Office determines that a proposed transaction should be subject to special review at the conclusion of the general review, the FISR Office will conduct and complete the special review within 60 days after its commencement. Under special circumstances, the FISR Office may extend the special review at its own discretion and notify the applicants of its decision of the extension in writing. The FISR Office will issue its final decision to applicants after the completion of the special review
During FISR Office's review, foreign investors are prohibited from making the proposed investment. The review of a foreign investment transaction must be completed prior to the closing of a foreign investment transaction that is subject to a review.
Generally, the outcomes of a foreign investment security review can be any of the following:
- If a foreign investment transaction will not affect national security, the FISR Office will approve the transaction
- If a foreign investment transaction will or may impact national security, but the impact can be eliminated and the relevant parties accept mitigation measures, the FISR Office may approve the transaction with mitigation measures
- If a foreign investment transaction fails the security review, the FISR Office will reject the transaction
The decision of security review is final. A decision made by the FISR Office may not be administratively reconsidered or contested in court.
UNRELIABLE ENTITY LIST
In September 2020, MOFCOM promulgated the Provisions on the UEL, under which foreign individuals and entities listed on the UEL may be restricted or prohibited from investing in China. As of this writing, MOFCOM has not yet released the UEL.
The provisions state that the working group formed by various ministerial-level regulatory authorities, which is responsible for formulating the UEL, would consider various factors, such as the potential harm to state sovereignty, national security, national interests and Chinese entities/individuals in determining whether to include a foreign entity/individual in the UEL.
Implementation of the provisions on the UEL is primarily led by MOFCOM, which could also involve other relevant departments to form the working group that gives MOFCOM broad discretion in deciding whether to place a foreign entity on the list.
The consequence of being on the UEL is that foreign entities or individuals may face one or more of the following:
- Restriction or total ban on trading and investing in China
- Restriction or revocation of work permits or residence authorization
- Imposition of monetary fines according to the severity of the circumstances
- Other penalties or measures at the discretion of the working mechanism
MEASURES FOR CYBERSECURITY REVIEW
In the context of the increasingly active participation of domestic internet companies in cross-border activities, China promulgated the DSL at the national law level to further strengthen the regulation on data processing activities and safeguard the data security on June 10, 2021.
In particular, the DSL clearly states that China will establish a data security review system, and NSR will be conducted against data processing activities that affect or may affect the national security.
One month after the promulgation of the DSL, the CAC issued the draft amended Measures for Cyber Security Review for public comment. The draft CSR measures broaden the scope of cybersecurity review to capture data processing activities, and expands the regulatory and enforcement agencies to include the China Securities Regulatory Commission. In particular, the draft CSR measures require network operators that hold personal information of more than one million users to report to CAC before going public on foreign stock exchanges.
Based on recent cybersecurity enforcement activities, we expect that the final amended Measures for Cyber Security Review will be released soon. Foreign investors who have already invested or plan to make investments in China should pay close attention to the change of the legislative landscape with respect to data security.
HOW FOREIGN INVESTORS CAN PROTECT THEMSELVES
- Foreign investors should continue to be mindful of the NSL, FIL, DSL, UEL and other new NSR legislation, and pay special attention to transactions that might fall within the industries that are more likely to trigger national security concerns
- Foreign buyers should be cautious when completing transactions before obtaining national security approval, as they might be forced to divest the acquired assets if the transaction ultimately fails the security approval process
- Due to enforcement uncertainties and the broad scope of captured industries, foreign investors interested in sensitive industries may wish to conduct a comprehensive pre-transaction analysis, and to consider scheduling pre-application consultations with officials from the FISR Office to determine the NSR risk before commencing the formal application process
- The promulgation of the DSL indicates that China has been making a continued effort to implement a more structured and comprehensive system to strengthen the review and enforcement on transactions that might have national security implications
- Although China has introduced much new legislation in recent years to establish a comprehensive NSR regime, the vague language of the new rules leaves substantial room for interpretation and clarification
- Although not explicitly stipulated under relevant NSR laws and regulations, it is likely that the reviewing authority may consider whether a foreign investor is, directly or indirectly, in connection with any foreign governments or any political parties of a foreign country when evaluating foreign investment transactions
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2021 White & Case LLP