September 23, 2020

Volume X, Number 267

“Cybersecurity Review” Takes Shape in China

When China’s Cybersecurity Law was enacted last November, one question (among many) that surfaced was how the government would implement the “national security review” that the law requires for certain network products and services. The law, which takes effect this June, provides that any network products and services procured by operators of critical information infrastructure that might affect national security must clear a “national security review,” but it left that term unexplained. Last week, the nation’s leading internet regulator—the Cyberspace Administration of China (“CAC”)—stepped in to elaborate, at least in part.

On February 4, CAC issued a draft regulation outlining the contours of the “cybersecurity review” required by the new law and opened a one-month window for receiving public comments.  The name change (“cybersecurity” in lieu of “national security”) seems purely cosmetic; consistent with the Cybersecurity Law, the review process focuses on safeguarding China’s national security in cyberspace.  To that end, the draft regulation sheds light on some of CAC’s priorities, while raising new questions about what businesses must do to comply.

First, the regulations appear to contemplate a two-tier compliance system: Government agencies, Communist Party organs, and entities in “key sectors” would be prohibited from procuring any network products and services that have not passed the cybersecurity review, while other critical infrastructure operators would enjoy greater leeway, though any procurement that “may affect national security” is still subject to review. Although the “key sectors” with the strictest obligations include sectors “such as” finance, telecommunications, and energy, it is unclear whether other sectors will join their ranks.  As for other sectors, the regulations do not explain how regulators will determine if certain procurement activities “may affect national security.”

Second, the agencies will focus on ensuring that products and services are “secure and controllable.” This standard, the draft regulations explain, aims to mitigate several distinct risks—the risk that products or services will be “unlawfully controlled, interfered with, or interrupted”; the risks associated with “research and development, delivery, and technical support”; the risks that products or services will become a means to “illegally collect, store, process, or utilize users’ data”; and the risk that providers will leverage user reliance to “engage in unfair competitive practices or otherwise harm consumers.” The “secure and controllable” standard, then, encompasses not only the more obvious goal of guarding against hacking or interference, but also a distinct and more expansive interest in protecting consumers and their data. Being “secure and controllable” additionally requires adequate protection against “possible harms to national security and the public interest,” terms that leave ample room for interpretation.

Lastly, the regulations sketch out the cybersecurity review’s core elements—“laboratory testing, on-site inspection, online monitoring, and review of background information.” What each of these elements means in practice, however, remains to be seen.

Public comments are due by March 4.

© 2020 Covington & Burling LLP

National Law Review, Volume VII, Number 39


About this Author

Yan Luo, Regulatory and public policy lawyer, Covington
Of Counsel

Yan Luo advises clients in a broad array of regulatory matters in connection with international trade, cybersecurity and antitrust/competition laws in the U.S., EU and China.

With previous work experience in Washington, DC and Brussels before relocating to Beijing, Ms. Luo has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Theodore J. Karch, Covington, intellectual property attorney

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice involves advising on US federal and state data privacy and cybersecurity laws as well as international privacy rules, including the EU General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.

Mr. Karch helps clients navigate issues that arise in developing and launching innovative products. He has advised clients on practical solutions for approaching issues implicated by laws involving biometric data, online behavioral advertising, geolocation information, genetic privacy, children’s privacy, student privacy, and unfair and deceptive practices. This advice often spans multiple jurisdictions, including the US, the EU, and China, among others.

In addition, Mr. Karch advises clients in managing their intellectual property portfolio, especially copyright and trademark assets.

Victor D. Ban, Covington Burling, Litigation attorney

Victor Ban is an associate in the Washington office who helps clients navigate international trade matters and complex disputes. His experience includes assisting companies and governments in connection with World Trade Organization (WTO) dispute settlement, antidumping and countervailing duty investigations, trade compliance assessments under U.S. law and international agreements, trade agreement negotiations, and international arbitration. He has handled matters before the U.S. Department of Commerce, the U.S. International Trade Commission, U.S. Customs and Border...