Takeaways

Cybersecurity review will be mandatory for (i) purchase of network products and services by critical information infrastructure operators that affect or may affect national security, and (ii) data processing activities conducted by data processors that affect or may affect national security.
Operators that possess personal information of over one million individuals would be subject to cybersecurity review when listing overseas. The China Securities Regulatory Commission is to be added as a new member of the Cybersecurity Working Committee (composed of more than ten ministries) and will be heavily involved in any cybersecurity review of companies seeking overseas listings.
Data security risks are added as a key factor for cybersecurity review. Cybersecurity and data security will continue to be the key targets of the Chinese government’s regulation and supervision, in particular, when national security and personal information are involved.

On July 2, 2021, China’s Cybersecurity Review Office (CRO) of the Cyberspace Administration of China (CAC) initiated a cybersecurity review against Didi Chuxing (Didi), a leading Chinese ride-hailing company that had just gone public on June 30, 2021 on the NYSE. On July 5, 2021, the CRO announced the investigation and cybersecurity review of three other mobile applications, including truck-booking platforms Yunmanman and Huochebang, operated by Full Truck Alliance. The other application is the job recruiting platform Boss Zhipin. Like Didi, Full Truck Alliance and Boss Zhipin began their listings in the U.S. in June 2021. These cybersecurity reviews were initiated according to the requirements under China’s National Security Law, Cybersecurity Law and the Measures on Cybersecurity Review (Current Review Measures). This is the first time that CRO/CAC has initiated cybersecurity reviews against business operators since the Current Review Measures came into effect on June 1, 2020.

Only eight days after the Didi case, on July 10, 2021, the CAC published an amended draft of the Current Review Measures for public comment (Draft Amended Measures) to expand the scope of circumstances subject to cybersecurity review and include data security as one of the factors for review, among other proposed changes. We summarize in this article the key requirements and developments under the evolving cybersecurity review regime in China.

1. Scope of cybersecurity review

The following activities are subject to cybersecurity review:

(1) Purchase of network products and services by critical information infrastructure operators (CII Operators) that affects or may affect national security

The Current Review Measures require the procurement of network products and services by CII Operators which impacts or may impact national security to undergo a security review.

- Network products and services

The Current Review Measures also define the scope of network products and services, which include core network equipment, high-performance computers and servers, large-volume storage equipment, large databases and software, network security equipment, cloud computing services and other network products and services that may have a significant impact on the security of critical information infrastructure (CII).

The Draft Amended Measures further add “important communications products” to the above defined scope of network products and services.

- CII (critical information infrastructure)

None of the Cybersecurity Law, the Current Review Measures or the Draft Amended Measures provides a specific scope and definition for CII, but the Cybersecurity Law broadly defines CII as key information infrastructure which, if destroyed, disabled, or subject to data leaks, may seriously endanger national security, national welfare or the public interest.

The Trial Guidelines on Determining Critical Information Infrastructure, published by CAC in 2019, include a list of key industrial sectors or businesses that would constitute CII, such as public communications and information services, energy, water conservation, finance, public service and other information infrastructure that, once damaged, disabled or subject to a data leak, may severely threaten the national security, national economy, people's livelihood and public interests. According to the trial guidelines, CII also includes networks (such as public news networks, Party and government networks), network service platforms (such as instant messaging, online shopping, online payment, search engines, emails, forums, maps, audio and video, etc.) that affect large segments of the general public, banking and other financial institutions, medical institutions, large-scale data centers, and cloud service platforms, etc.

Furthermore, in a press release regarding the promulgation of the Current Review Measures, an official of CAC indicated that operators in the following sectors are likely to be designated as CII Operators: telecommunications, radio and television; national defence and defence technologies; public transportation, including highways, waterways, railways and civil aviation; public sanitary and public health; finance; social security insurance; energy; water conservancy; postal services; and emergency response.

(2) Data processing activities conducted by data processors (Data Processors) that affect or may affect national security

The Draft Amended Measures add data processing by Data Processors that impacts or may impact national security to the scope of activities that are subject to cybersecurity review. This provision is consistent with the newly adopted Data Security Law of China, under which any data processing activity that affects or may affect national security must go through a security review.

According to the Data Security Law, “Data” refers to any record of information in electronic or other forms. This means that in addition to digital and cyber information, information recorded in other forms (such as hard copy written records of information) also constitutes data. “Data processing” activities include, without limitation, the collection, storage, use, processing, transmission, provision and disclosure of data.

(3) Public listings outside China

The Draft Amended Measures also require that CII Operators and Data Processors that possess personal information of over one million individuals shall be subject to cybersecurity review when listing their securities outside China.

Article 16 of the Draft Amended Measures further provides that if a member of the Cybersecurity Working Committee believes that any network product or service, data processing activity or company listing overseas affects or may affect national security, the CRO shall conduct cybersecurity review after obtaining approval from the Central Cyberspace Affairs Commission.

2. CSRC added to the Cybersecurity Working Committee

The highest authority of the Cybersecurity Working Committee is the Central Cyberspace Affairs Commission. Under the Current Review Measures, the Cybersecurity Working Committee is led by the CAC and consists of 11 other government agencies, including (i) the National Development and Reform Commission, (ii) the Ministry of Industry and Information Technology, (iii) the Ministry of Public Security, (iv) the Ministry of State Security, (v) the Ministry of Finance, (vi) the Ministry of Commerce, (vii) the People’s Bank of China, (viii) the State Administration for Market Regulation, (ix) the State Radio and Television Administration, (x) the National Administration of State Secrets Protection and (xi) the State Cryptography Administration.

The China Securities Regulatory Commission (CSRC) is added by the Draft Amended Measures as a new member of the Cybersecurity Working Committee. It is likely that CSRC will be heavily involved in any cybersecurity review on companies seeking overseas listing.

The CRO is established under the CAC and is responsible for formulating relevant rules and standards for cybersecurity review and organizing cybersecurity review with the relevant members of the Cybersecurity Working Committee mentioned above.

3. Review criteria

The following national security risk factors shall be taken into account in cybersecurity review over purchases of network products and services, data processing activities and overseas listings:

(1) Risks of critical information infrastructure being illegally controlled or subject to interference or destruction after the product or service is put into use;

(2) Harm caused by the disruption of the supply of the product or service to the business continuity of critical information infrastructure;

(3) Security, openness, transparency and diversity of sources of the product or service, the reliability of supply channels, and risks of supply disruption due to political, diplomatic, trade and other factors;

(4) Compliance with Chinese laws, administrative regulations and departmental rules by the provider of the product or service;

(5) Risks of core data, important data or a large amount of personal information being stolen, leaked, destroyed, or illegally used or exported overseas;

(6) Risk of critical information infrastructure, core data, important data or a large amount of personal information being influenced, controlled, or maliciously used by foreign governments after overseas listings; and

(7) Other factors that may endanger the security of critical information infrastructure and national data security.

Items (5) and (6) are newly added by the Draft Amended Measures to emphasize the focus on data security risks as part of the cybersecurity review. These items echo the newly passed Data Security Law, which will take effect on September 1, 2021 and provides a further legal basis for the Chinese authorities to enforce data security requirements.

4. Obligations of CII Operators and Data Processors and impact on suppliers

Under the Current Review Measures and the Draft Amended Measures, CII Operators and Data Processors are required to conduct a pre-assessment regarding whether the network products and/or services to be purchased present or may present potential national security risks. If so, CII Operators and Data Processors are obligated to submit an application to the CRO under CAC for a cybersecurity review before undertaking the procurement of such products and services. This means that the applications for cybersecurity review are required to be submitted before the execution of any purchase agreement, and the effectiveness of the purchase agreement will be subject to the completion of the cybersecurity review with affirmative approval.

With respect to procurements that are subject to a cybersecurity review, CII Operators and Data Processors are required to include in the purchase agreements with the suppliers specific provisions regarding each supplier’s undertaking that it will not obtain user data illegally; that it will not illegally control and manipulate user equipment by taking advantage of providing products and services; and that it will not suspend product supply or necessary technical support without legitimate reasons. Multinational companies with subsidiaries in China with global supply chain agreements will also be required to seek commitments from their global supply chains regarding compliance with the above obligations, or seek domestic alternatives.

The cybersecurity review requirement may impact the competitiveness of network products and services supplied by foreign suppliers to CII Operators and Data Processors. From a national security perspective, foreign suppliers may be deemed to be of higher risk, so that CII Operators and Data Processors may be more willing to purchase from Chinese domestic suppliers to try to provide more certainty by avoiding cybersecurity review and consequent delays in products/service delivery, as well as possible increases in supply chain costs.

In general, the Current Review Measures and the Draft Amended Measures are intended to improve supply chain safety, national security and personal data security. Furthermore, the Draft Amended Measures target companies seeking overseas listings that possess significant personal information, and the Measures include data security risks as one of the key factors for cybersecurity review. While some concepts (such as core data, important data, national security, etc.) need to be further clarified to provide more certainty for business operators, business operators need to review their supply chains of cyber products and services as well as data processing activities to assess the necessity of cybersecurity review.

It is also suggested that multinational and domestic suppliers to China should have a sound understanding of Chinese buyers and their business and pay special attention to CII Operators and Data Processors. Furthermore, the suppliers should also consider formulating and enhancing the data security protection protocol and functions of their supplied products and prepare strategies on how to assist their Chinese customers in complying with the statutory obligations (such as applicable data localization and security assessment requirements) under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, and relevant implementing measures and rules.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.