China Issued Amended Cybersecurity Review Measures
Recently, thirteen relevant Chinese government agencies (e.g. Cyberspace Administration of China, National Development and Reform Commission of China, China Securities Regulatory Commission, etc.) jointly released amended Cybersecurity Review Measures (the “New Measures”) to amend and supersede the prior version of such measures issued on April 13, 2020. The New Measures will become effective on February 15, 2022.
According to Article 4 of the New Measures, the abovementioned thirteen Chinese government agencies will work together to establish the working mechanism of national cybersecurity review. The Cybersecurity Review Office, housed in the Cyberspace Administration of China, will be responsible for developing the rules and regulations related to cybersecurity review, as well as organizing and coordinating the cybersecurity review process.
When Cybersecurity Review is Triggered
Article 2 of the New Measures states that, if the purchase of network products and services by an operator of critical information infrastructure, or the data processing activities of a network platform operator, affects or may affect national security, then cybersecurity review shall be conducted.
Article 7 of the New Measures states that if a network platform operator which controls the personal information of more than 1 million users seeks offshore public listing, such operator must apply to the Cybersecurity Review Office for a cybersecurity review.
The New Measure does not provide a detailed definitions of certain key words in the above rules, such as “control” and “users”; these may need to be further explained and clarified by future rules or guidelines.
Initiated by Relevant Agencies.
Article 16 of the New Measures states that, if any of the abovementioned 13 government agencies thinks any network products or services, or any data processing activities affect or may affect national security, the Cybersecurity Review Office should report such concern to the Office of the Central Cyberspace Affairs Commission. Once the Office of the Central Cyberspace Affairs Commission confirms that cybersecurity review should be conducted to address such concern, the Cybersecurity Review Office should conduct cybersecurity review with respect to such products or services, or activities.
Article 3 of the New Measures states that, the cybersecurity review should integrate proactive review, continuous supervision, and public oversight. Article 19 of the New Measures states that, the Cybersecurity Review Office can strengthen its continuous supervision through accepting reports from the public. Therefore any person or entity can report potential case requiring cybersecurity review to the Cybersecurity Review Office, and if the Cybersecurity Review Office believes a review is necessary, it can commence such review (the initiation procedures of such review would be similar to those applicable to the review described in Section 2 above).
Definition of Network Products and Services
To clarify what constitutes “the purchase of network products and services by an operator of critical information infrastructure” (which may trigger cybersecurity review if national security is implicated), Article 21 of the New Measures defines that, for the purpose of the New Measures, “network products and services” mainly means core network equipment, important communications products, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure, network security and data security. As such, even transactions in the ordinary course of business of an operator of critical information infrastructure (e.g., the purchase of certain type of storage devices or application software) could be on the radar of the cybersecurity review, as long as such transactions may affect national security.
National Security Risks to be Considered
Article 10 of the New Measures provides a list of national security risk factors that would be considered during the cybersecurity review of a proposed transaction, which includes, among others, the following: (1) whether the critical information infrastructure would be illegally controlled, interfered with or damaged after the use of the relevant products and services; (2) whether any disruption in the supply of the relevant products and services would cause continuous harm to the critical information infrastructure operations; (3) whether the relevant products and services are secure, open, transparent, and have multiple supply sources, whether the suppliers are reliable, and whether the supply of such products and services may be disrupted by political, diplomatic, trade and other factors; (4) whether there is a risk that core data, important data or large amount of personal information would be stolen, disclosed, destroyed or illegally used or illegally transferred cross-border; (5) whether the public listing of the relevant entity would present risk that foreign governments may illegally influence, control, or maliciously use any critical information infrastructure, core data, important data or large amount of personal information. This list gives guidelines to any party which desires to engage in a self-assessment re the cybersecurity review outcome of its intended transactions.
Article 20 of the New Measures states that, any critical information infrastructure operator or network platform operator who violates the provisions of the New Measures are subject to penalties in accordance with the provisions of China’s Cyber Security Law and China’s Data Security Law. A detailed discussion of such provisions is out of the scope of this post, but we will discuss those laws in subsequent blog posts.