China's Cybersecurity Law became effective on June 1, 2017. It provides additional national security review requirements and standards for companies engaged in or seeking to engage in network and data operations in China.
The ministerial review panel established by China's Ministry of Commerce (MOFCOM) pursuant to a rule issued by the State Council in 2011 (the 2011 Rule) is responsible for conducting national security reviews of foreign investments in domestic enterprises.
In addition to the 2011 Rule, China is in the process of implementing a comprehensive set of rules and regulations governing national security reviews for foreign investments. On July 1, 2015, China promulgated the new PRC National Security Law (the NSL), which is China's most comprehensive national security legislation to date. However, the NSL's main provisions do not detail how these security measures will be implemented by the relevant agencies and local authorities.
As such, the NSL's full impact on individuals and corporations in the private sector will remain unclear until relevant implementation measures are issued.
According to the 2011 Rule, MOFCOM reviews foreign-investment transactions following voluntary filings by the parties to the transaction, referrals from other governmental agencies or reports from third parties.
Under China's current regulatory system, a national security review filing applies only to mergers and acquisitions involving Chinese companies and foreign investors under circumstances provided under the 2011 Rule. The 2011 Rule prescribes that a foreign investor must apply for a national security review if the investor acquires equity in, and/or assets of, a domestic enterprise in China. In contrast, a transaction between two foreign parties involving interests in Chinese companies is not subject to the national security review requirement.
TYPES OF DEALS REVIEWED
MOFCOM has circulated an unofficial list of industries in which a national security review for a foreign investment transaction is likely to be triggered. These industries mainly include military or military-related products or services, national defense-related products or services, agricultural products, energy, resources, infrastructure, significant transportation services, key technology and heavy equipment manufacturing.
SCOPE OF THE REVIEW
The scope of review focuses on the overall risk profile and impact that various M&A transactions may have on China's national security, defense, economy and public interest.
Foreign investors targeting assets in free trade zones are subject to more stringent national security review rules. The ministerial review panel has wider discretion to terminate or restrict foreign investment transactions in these zones. While the 2011 Rule gives the panel authority to review foreign investors that obtain "actual control" over companies in the industries listed above, the rules governing free trade zones indicate that the panel is also allowed to regulate any foreign investor that has a "significant impact" on investees within those industries.
Greenfield investments and investments in cultural and internet businesses established within these free trade zones through offshore and other contractual arrangements are also subject to national security reviews.
TRENDS IN THE REVIEW PROCESS
The NSL's promulgation indicates that China is attempting to implement a more structured and comprehensive system to keep a closer eye on economic deals that might have security implications. As of now, it is unclear what direction China's national security review will take due to the lack of implementation measures for the NSL. Further, the NSL specifically discusses the need for the state to pay particular attention to cybersecurity and network data protection for national security purposes. Article 25 of the NSL provides that China shall "build a network and information security safeguard system, enhance network and information security protection capabilities… achieve safe and controllable network and core information technology, critical infrastructures and information systems…."
Therefore, as part of China's overall national security initiative, China's Cybersecurity Law (the CSL) became effective on June 1, 2017. It provides additional national security review requirements and standards for companies engaged in or seeking to engage in network and data operations in China. As such, companies must be mindful of the cybersecurity and network protection requirements under the CSL, as the law places additional national security scrutiny on network operators in China.
The CSL primarily focuses on data security protection requirements and standards for critical information infrastructure operators, network operators and financial institutions to protect their networks from interference, damage and unauthorized access, along with the prevention of data leaks, thefts and falsification of information.
The Cyberspace Administration of China (CAC) serves as the primary governmental authority supervising and enforcing the CSL. Tiered network security protection will be further introduced in the future, and network operators shall comply with the network security requirements corresponding to their level.
The CAC has issued various measures to supplement and clarify certain requirements of the CSL. Some of them are still in the proposed draft form. In particular, on April 11, 2017, the CAC published a draft proposal, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, together with the draft guideline on the valuation methods in August 2017. These draft rules extend the data localization requirement under the CSL for critical information infrastructure operators to other network operators, requiring such operators to undergo security assessments in order to transfer data to destinations outside of China. At this point, these drafts have not been published as final regulations; however, they represent a real possibility of what the final regulations could require.
Besides the rules on trans-border data transmission control, the Measures for the Security Review of Network Products and Services were finalized and came into effect along with the CSL on June 1, 2017. They provide detailed provisions regarding the security review standards of network products or services purchased by critical information infrastructure operators that may affect national security. The measures focus on verifying whether such products or services are "secure and controllable," and the review process will take the form of a security risk assessment of the products or services purchased by these operators. In light of the above, we expect that China will continue to issue implementation and national security review standards and requirements under the CSL, specifically targeting companies seeking to operate as critical information infrastructure operators or other network operators in China. In light of the NSL and the CSL, foreign investors should continue to monitor the developments of China's national security review process.
HOW FOREIGN INVESTORS CAN PROTECT THEMSELVES
Until implementation rules for the NSL are issued, foreign investors should continue to be mindful of the terms and conditions of the 2011 Rule and pay special attention to transactions that might fall within the industries that are likelier to trigger national security concerns for MOFCOM. Buyers should also be cautious when completing transactions before obtaining a national security approval, since buyers might be forced to divest the acquired assets if the transaction ultimately fails the security approval process. Due to enforcement uncertainties and the broad scope of captured industries, foreign investors interested in sensitive industries often schedule voluntary meetings with MOFCOM officials to determine the national security review risk before commencing the formal application process.
REVIEW PROCESS TIMELINE
The timeline used in practice and details of the national security review process in China are unclear, as information related to each individual application is not publicly available. The notional timeline below is based on the 2011 Rule:
- MOFCOM will submit an application to a ministerial panel for review within five working days if the application falls within the scope of review.
- The panel will then solicit written opinions from relevant departments to assess the security impact of the transaction. It could take up to 30 working days to complete the general review process.
- The panel will then conduct a special review of the application if any written opinion states that the transaction may have security implications and will conduct a more detailed security assessment of the overall impact of the transaction. A final decision from the review panel will be issued within 60 working days of the start of the special review.
2018 UPDATE HIGHLIGHTS
- The CSL became effective on June 1, 2017. The CSL primarily focuses on the security protection of data and information for critical information infrastructure operators and other network operators.
- Throughout 2017, the CAC issued various draft and final measures aiming to provide more clarity to the CSL and the scope of its implementation. The CAC also made multiple proposals for public comment on additional measures aiming to extend the data localization requirement under the CSL to cover other network operators, which would require all such operators to undergo security assessments in order to transfer data to destinations outside of China.
- We expect to see further developments and clarification on the scope and impact of the CSL in the near future, and companies should keep a close eye on how the measures proposed and finalized by the CAC under the CSL would affect their business and operations going forward.
Generally, the outcomes of a national security review are as follows:
- The investment may be approved by MOFCOM, including with mitigation conditions
- MOFCOM will terminate a foreign investment project if it fails the national security review
- If the Chinese government has national security concerns about a transaction that is not submitted for approval, parties could be subject to sanctions or mitigation measures, including a requirement to divest the acquired Chinese assets
- A foreign investor may withdraw its application for national security review only with MOFCOM's prior consent
- Decisions resulting from a national security review may not be administratively reconsidered or litigated
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2018 White & Case LLP