
PRC Promulgated Measures for Cybersecurity Reviews

On 28 December 2021, 13 ministries and commissions, including the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Ministry of State Security of the People's Republic of China, adopted the Measures for Cybersecurity Reviews (“Measures”). They will take effect on 15 February 2022.

1. Background

The previous version of the Measures for Cybersecurity Reviews (2020 version) ("Old Measures") was promulgated on 13 April 2020 and has been in effect since 1 June 2020. The Old Measures mainly focused on critical information infrastructure operators' ("CIIOs") obligations to conduct cybersecurity reviews. Following the promulgation of the PRC Data Security Law ("DSL") on 10 June 2021, the Cyberspace Administration of China published the Measures for Cybersecurity Reviews (Revision Draft for Comment) ("Draft Measures") on 10 July 2021, which extended the scope of cybersecurity reviews to certain data handling activities in order to strengthen regulations on data security. The Measures were further adjusted based on the Draft Measures and finally promulgated on 28 December 2021.

2. Key Aspects of the Measures

The Measures cover the following key aspects:

- Application scope

- A CIIO's obligations related to cybersecurity reviews

- A network platform operator's special obligation of cybersecurity reviews for listing overseas

- Authorities' initiation of cybersecurity reviews

- Procedures of cybersecurity reviews

3. Application Scope

Article 2 of the Measures stipulates that, if the procurement of any network product or service by a CIIO or data handling activities conducted by a network platform operator affects or may affect national security, a cybersecurity review shall be conducted. Further, according to Article 21, the term “network product or service” mainly refers to any core network equipment, important communication product, high-performance computer or server, mass storage equipment, large database or application, network security equipment, cloud computing service or any other network product or service that has an important impact on the security of any critical information infrastructure, network security and data security.

By contrast, the application scope of a cybersecurity review under the Old Measures is limited to a CIIO's procurement of any network product or service which affects or may affect national security. The Draft Measures extend the application scope of a cybersecurity review to cover a data handler's data handling activities which affect or may affect national security. Compared with the Draft Measures, the Measures replace the term "data handler" with "network platform operator". However, the Measures do not define who qualifies as a "network platform operator". According to Article 73.9 of the Regulations on Network Data Security Management (Draft for Comment) (published on 14 November 2021, not yet effective, "Draft Regulations"), "Internet platform operator" refers to a data handler who provides Internet platform services such as information publishing, social networking, transaction, payment, or audio-visual services. By reference to the aforesaid definition, "network platform operator" may also refer to a data handler who provides similar services through a network. Therefore, after the Measures take effect, both CIIOs' procurement of network products and services and network platform operators' data handling activities which affect or may affect national security shall be subject to cybersecurity reviews. Nevertheless, cybersecurity reviews are not a general obligation applicable to all network platform operators' data handling activities. Only certain network platform operators, as stated under Item 5 below, are obliged to voluntarily apply for cybersecurity reviews. For other network platform operators, there is no clear stipulation of voluntary application for cybersecurity reviews yet.

4. A CIIO's Obligations Related to Cybersecurity Reviews

Article 5 of the Measures requires a CIIO to predict and evaluate any potential national security risk that may arise after the procurement of network products and services. If national security is affected or may be affected, the CIIO shall apply for a cybersecurity review. Further, the relevant authorities for protection of critical information infrastructure may develop prediction guidelines in their respective sectors or industries.

Further, according to Article 6 of the Measures, when a cybersecurity review is applied for due to the procurement of network products and services by a CIIO, the CIIO shall incorporate certain contractual clauses in the procurement document, agreement or other relevant documents in order to facilitate the cybersecurity review. A CIIO shall require the provider of the product or service to cooperate with the cybersecurity review, including undertaking not to take advantage of the provision of the product or service to illegally acquire user data or illegally control or operate user equipment, and not to interrupt the supply of the product or any necessary technical support service without justified reasons.

5. A Network Platform Operator's Special Obligation of Cybersecurity Reviews for Listing Overseas

Article 7 of the Measures stipulates that a network platform operator that has the personal information of more than one million users must apply for a cybersecurity review when it seeks to list overseas. Compared with the Draft Measures, the Measures narrow the application scope of this special obligation from data handlers to network platform operators, which seems to exclude the operators who provide e-commerce services for their own products or services.

As to this special obligation imposed on listing overseas, it is important to understand the territorial boundary of "overseas". The Measures do not make any distinction between listing in Hong Kong and listing overseas. Therefore, it is unclear whether a network platform operator that has more than one million users' personal information must apply for a cybersecurity review when it seeks to list in Hong Kong. According to Article 13 of the Draft Regulations, the overseas listing of a data handler that handles the personal information of more than one million individuals, and a data handler's listing in Hong Kong which affects or may affect national security, are two separate and independent circumstances which trigger cybersecurity reviews. By reference to the Draft Regulations, listing overseas is likely to exclude the circumstance of listing in Hong Kong. Based on the interpretation of the Draft Regulations, the special obligation as stipulated by the Measures may not apply to a network platform operator which has the personal information of more than one million users and applies for listing in Hong Kong. However, whether these kinds of circumstances are really exempted remains to be confirmed by the relevant authorities' implementation of the Measures.

6. Authorities' Initiation of Cybersecurity Reviews

Article 16 of the Measures entitles member organizations of the cybersecurity review mechanism led by the Central Cyberspace Affairs Commission ("CCAC") to initiate cybersecurity reviews. According to Article 4 of the Measures, member organizations of the cybersecurity review mechanism refer to the 13 ministries and commissions which jointly promulgate the Measures (a full list of names can be found in Item 7 a) below). If member organizations of the cybersecurity review mechanism deem that any network product or service or any data handling activities affect or may affect national security, they shall report the same to the CCAC. After the CCAC approves the initiation of cybersecurity review, member organizations of the cybersecurity review mechanism shall conduct the cybersecurity review in accordance with the Measures. Therefore, in addition to a CIIO's or a network platform operator's voluntary application for cybersecurity reviews, the member organizations of the cybersecurity review mechanism are also entitled to trigger cybersecurity reviews whenever they deem necessary.

Further, Article 16 of the Measures provides that the concerned CIIO or network platform operator shall take measures to prevent and reduce risks during the review period as required by the cybersecurity review, which is a new provision not mentioned in the Old Measures or the Draft Measures. According to the practice under the Old Measures, possible measures to prevent and reduce risks may include suspension of registration of new users, suspension of download of apps, divestiture of relevant data assets and suspension of provision of network products and services.

7. Procedures for Cybersecurity Reviews

a) Cybersecurity review mechanism

Article 4 of the Measures provides that, led by the CCAC, the Cyberspace Administration of China, in collaboration with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the China Securities Regulatory Commission, the National Administration of State Secrets Protection and the State Cipher Code Administration, i.e. the thirteen joint promulgators of the Measures, establish the cybersecurity review mechanism. In addition, the Cybersecurity Review Office ("CRO") which is set up under the Cyberspace Administration of China shall be responsible for developing the relevant policies and rules and organizing cybersecurity reviews.

b) Application documents

Article 8 of the Measures clarifies that the following documents are required for applying for a cybersecurity review:

- A written application;

- An analysis report on the effect or potential effect on national security;

- The procurement document, agreement or contract to be executed, or initial public offering ("IPO") and other listing application documents to be submitted; and

- Any other materials required for the cybersecurity review.

c) Timeframe of a cybersecurity review

According to Article 9 of the Measures, the CRO shall determine whether a review is required and notify the concerned CIIO or network platform operator in writing within 10 working days upon receiving the application documents for a cybersecurity review.

Further, according to Article 11 of the Measures, if the CRO deems it necessary to conduct a cybersecurity review, it shall complete a preliminary review, including forming a review conclusion and recommendations and sending the same to the member organizations of the cybersecurity review mechanism as well as the relevant authorities to solicit opinions, within 30 working days from the date of issuing the written notification to the concerned CIIO or network platform operator. In a complicated case, such time limit may be extended by 15 working days.

As the next step, the member organizations of the cybersecurity review mechanism as well as the relevant authorities shall reply with written opinions within 15 working days after receipt of a review conclusion and recommendations according to Article 12 of the Measures. If the member organizations of the cybersecurity review mechanism as well as the relevant authorities reach a consensus, the CRO will notify the concerned CIIO or network platform operator of the review conclusion in writing. However, if a consensus is not reached, the CRO will handle the case under a special review procedure and notify the same to the concerned CIIO or network platform operator.

As to the special review procedure, Article 13 of the Measures provides that the CRO shall hear the opinions of the relevant organizations and authorities and conduct a thorough analysis and assessment to form a further review conclusion and recommendations. Afterwards, the CRO shall solicit opinions of the member organizations of the cybersecurity review mechanism as well as the relevant authorities and report the review conclusion and recommendations to the CCAC for approval. Upon obtaining approval, the CRO shall finalize the review conclusion and notify the same to the concerned CIIO or network platform operator in writing. According to Article 14 of the Measures, a special review procedure shall be generally completed within 90 working days. In a complicated case, the time limit may be extended.

In addition, according to Article 15 of the Measures, the concerned CIIO or network platform operator or a product or service provider shall cooperate to provide any supplementary materials as required by the CRO. Therefore, the actual time spent on conducting the cybersecurity review may be more than the aforesaid timeframe because the time used for submitting any supplementary materials shall not be counted towards the time limit for cybersecurity review.

8. Conclusion

In conclusion, a CIIO's procurement of any network product or service or a network platform operator's data handling activities are likely to be subject to cybersecurity reviews. Specifically, the Measures require a network platform operator which has more than one million users' personal information to conduct a cybersecurity review when it seeks to list overseas. In addition, member organizations of the cybersecurity review mechanism have discretion to determine whether a cybersecurity review should be initiated. According to the press release regarding the Measures, the China Cybersecurity Review Technology and Certification Center is delegated by the CRO to receive the cybersecurity review applications and conduct formality reviews. Therefore, we recommend that two types of companies, i.e. CIIOs and those network platform operators which have more than one million users' personal information and seek listing overseas, pay close attention to the CRO's implementation of cybersecurity reviews in the future and consult the China Cybersecurity Review Technology and Certification Center independently on specific questions on a case-by-case basis. As to other types of network platform operators, they are not very likely to be subject to cybersecurity reviews unless the member organizations of the cybersecurity review mechanism consider that their data handling activities affect or will affect national security.

Authors

Panpan Tang
Senior Associate
Shanghai
Spring Zhu
Associate
Shanghai