Published on February 16th, 2022

China Issued Amended Cybersecurity Review Measures – Technology


Recently, thirteen relevant Chinese government agencies (e.g.
Cyberspace Administration of China, National Development and Reform
Commission of China, China Securities Regulatory Commission, etc.)
jointly released amended Cybersecurity Review Measures (the
"New Measures") to amend and supersede the prior version
of such measures issued on April 13, 2020. The New Measures will
become effective on February 15, 2022.

According to Article 4 of the New Measures, the abovementioned
thirteen Chinese government agencies will work together to
establish the working mechanism of national cybersecurity review.
The Cybersecurity Review Office, housed in the Cyberspace
Administration of China, will be responsible for developing the
rules and regulations related to cybersecurity review, as well as
organizing and coordinating the cybersecurity review process.

When Cybersecurity Review is Triggered

  1. Voluntary Application.

Article 2 of the New Measures states that, if the purchase of
network products and services by an operator of critical
information infrastructure, or the data processing activities of a
network platform operator, affects or may affect national security,
then cybersecurity review shall be conducted.

Article 7 of the New Measures states that if a network platform
operator which controls the personal information of more than 1
million users seeks offshore public listing, such operator
must apply to the Cybersecurity Review Office for a
cybersecurity review.

The New Measures do not provide detailed definitions of
certain key words in the above rules, such as "control"
and "users"; these may need to be further explained and
clarified by future rules or guidelines.

  2. Initiated by Relevant Agencies.

Article 16 of the New Measures states that, if any of the
abovementioned 13 government agencies believes that any network
products or services, or any data processing activities, affect or may affect
national security, the Cybersecurity Review Office should report
such concern to the Office of the Central Cyberspace Affairs
Commission. Once the Office of the Central Cyberspace Affairs
Commission confirms that cybersecurity review should be conducted
to address such concern, the Cybersecurity Review Office should
conduct cybersecurity review with respect to such products or
services, or activities.

  3. Public Reporting.

Article 3 of the New Measures states that the cybersecurity
review should integrate proactive review, continuous supervision,
and public oversight. Article 19 of the New Measures states that
the Cybersecurity Review Office can strengthen its continuous
supervision through accepting reports from the public. Therefore,
any person or entity can report a potential case requiring
cybersecurity review to the Cybersecurity Review Office, and if the
Cybersecurity Review Office believes a review is necessary, it can
commence such review (the initiation procedures of such review
would be similar to those applicable to the review described in
Section 2 above).

Definition of Network Products and Services

To clarify what constitutes "the purchase of network
products and services by an operator of critical information
infrastructure" (which may trigger cybersecurity review if
national security is implicated), Article 21 of the New Measures
provides that, for the purpose of the New Measures, "network
products and services" mainly means core network equipment,
important communications products, high-performance computers and
servers, mass storage devices, large databases and application
software, network security equipment, cloud computing services, and
other network products and services that have a significant impact
on the security of critical information infrastructure, network
security and data security. As such, even transactions in the
ordinary course of business of an operator of critical information
infrastructure (e.g., the purchase of certain types of storage
devices or application software) could be on the radar of the
cybersecurity review, as long as such transactions may affect
national security.

National Security Risks to be Considered

Article 10 of the New Measures provides a list of national
security risk factors that would be considered during the
cybersecurity review of a proposed transaction, which includes,
among others, the following: (1) whether the critical information
infrastructure would be illegally controlled, interfered with or
damaged after the use of the relevant products and services; (2)
whether any disruption in the supply of the relevant products and
services would cause continuous harm to the critical information
infrastructure operations; (3) whether the relevant products and
services are secure, open, transparent, and have multiple supply
sources, whether the suppliers are reliable, and whether the supply
of such products and services may be disrupted by political,
diplomatic, trade and other factors; (4) whether there is a risk
that core data, important data or large amounts of personal
information would be stolen, disclosed, destroyed or illegally used
or illegally transferred cross-border; (5) whether the public
listing of the relevant entity would present a risk that foreign
governments may illegally influence, control, or maliciously use
any critical information infrastructure, core data, important data
or large amounts of personal information. This list gives guidelines
to any party which desires to engage in a self-assessment regarding the
cybersecurity review outcome of its intended transactions.

Penalties

Article 20 of the New Measures states that any critical
information infrastructure operator or network platform operator
who violates the provisions of the New Measures is subject to
penalties in accordance with the provisions of China's Cyber
Security Law and China's Data Security Law. A detailed
discussion of such provisions is out of the scope of this post, but
we will discuss those laws in subsequent blog posts.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
