Introduction to the Cybersecurity Review System in China

Published on August 23rd, 2021


In July 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”), the agency responsible for coordinating the implementation of China’s Cybersecurity Review System, announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies, including Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin. It was the first time that CRO publicly announced the initiation of cybersecurity reviews against companies after the Measures for Cybersecurity Review (the “2020 Measures”) took effect on 1 June 2020.

Further to the announcements, on 10 July 2021, CAC issued the Revision Draft of Measures for Cybersecurity Review (Exposure Draft) (the “2021 Exposure Draft”) to solicit public opinions. According to Article 6 of the 2021 Exposure Draft, operators who possess personal information of over a million users must apply for cybersecurity reviews before listing abroad. Besides, any procurement of network products by a Critical Information Infrastructure Operator (“CIIO”), or any data activities by a data processor that affect or may affect national security (“NS Data Processor”, together with CIIO, the “Cybersecurity Review Targets”), shall go through the cybersecurity reviews in accordance with the provisions.

On 17 August 2021, the State Council of China announced that it had passed the Regulation on the Security Protection of Critical Information Infrastructure (the “CII Regulation”), which was formulated under Cybersecurity Law (“CSL”) and meant to ensure the security of CII as well as maintain cybersecurity.

With China having passed the Personal Information Protection Law (“PIPL”) on 20 August 2021, and the Data Security Law (“DSL”) coming into force on 1 September 2021, Cybersecurity Review Targets may face a new era of data compliance scrutiny. This post provides a brief introduction to the Cybersecurity Review Targets and the Cybersecurity Review System under China’s laws and regulations, explains the Cybersecurity Review Targets’ compliance obligations in procurement and in operating CII, and analyzes the legal consequences of breaching cybersecurity laws and regulations, so as to provide more background on the recent enforcement actions regarding cybersecurity reviews initiated by the CAC.

Is your company an NS Data Processor?

The concept of “Data Processor” is not clearly defined in the 2021 Exposure Draft. We may examine its connotation in light of the relevant provisions in other cybersecurity and data protection laws. Based on the DSL and the PIPL, “Data Processor” shall include the network operators who are engaged in the collection, storage, use, processing, transmission, provision, trading and publication of data. Compared with CIIOs, Data Processors cover a much wider range of entities, and the category applies without any prior designation by the relevant authorities.

Is your company a CIIO?

“Critical Information Infrastructure Operators”, or CIIO, means the operators of information infrastructure in important industries and sectors (such as public communications and information services, energy, transport, water conservancy, finance, public services and e-government affairs), the disruption, destruction or data leakage of which could result in catastrophic and far-reaching damage to the national security, economic and social well-being and public interests. Both domestic and foreign-invested companies can be CIIOs.

In accordance with Article 9 of CII Regulation, the CII protection departments shall formulate the detailed rules for the accreditation of CII in the future. Currently, in accordance with Article 31 of CSL and Article 2 of CII Regulation, a company can preliminarily evaluate whether its network system constitutes a CII and thus the company constitutes a CIIO based on the following questions:

An answer of “yes” to either of the above two questions means that the company may fall within the scope of CIIO. Furthermore, the above questions regarding the scope of CII are far from exhaustive, and CII may also cover any other networks or applications whose failure could harm national security, economic and social well-being and public interests.

Under the 2020 Measures, competent industrial regulators have the power to accredit lists of CIIOs. While in practice no lists of CIIOs have been published yet, industrial regulators in different industries have reached out to some companies to confirm that they are CIIOs.

What are Cybersecurity Review Targets’ Compliance Obligations under Cybersecurity Review System?

1. What Is the Compliance Obligation under Cybersecurity Review System?

The CSL provides overarching principles and high-level requirements for CII compliance. Under the 2020 Measures, in line with the framework set out by the CSL, only CIIOs were required to apply for cybersecurity review by the CRO when procuring network products or services. This narrower application has been extended under the 2021 Exposure Draft to an NS Data Processor’s data processing activity that affects or may affect national security and/or its public listing abroad.

Under the 2021 Exposure Draft, the Cybersecurity Review Targets shall be subject to cybersecurity reviews conducted and organized by the CRO under the following circumstances:

  • Where CIIOs procure the network products or services which affect or may affect national security;
  • Operators (including CIIOs and NS Data Processors) who possess personal information of over a million users must apply for cybersecurity reviews before listing abroad;
  • Where any member department of the cybersecurity review working mechanism is of the opinion that the network products or services, data processing activities by NS Data Processors or listing abroad of operators affects or is likely to affect national security.

2. How is the Cybersecurity Review Procedure Triggered?

The review will be triggered under two pathways: (a) CIIO and NS Data Processors applying for the review if they foresee any risk; and (b) the CAC initiating the review ex officio.

Pathway I: applying for cybersecurity review by CIIO and NS Data Processors

Under the 2021 Exposure Draft, the Cybersecurity Review Targets shall carry out a self-assessment of potential national security risks and report any “risky purchase” to the CRO for cybersecurity review, and the following application materials shall be submitted for the review:

  • Application form;
  • An analytical report on whether national security is affected or may be affected;
  • The purchase document/agreement, the contract to be executed, or the IPO materials to be filed;
  • Other materials needed for the cybersecurity review.

Besides, the CIIOs shall, through purchase documents and agreements, require product and service providers to cooperate with cybersecurity reviews under Article 6 of the Measures.


Pathway II: the CRO initiating the review ex officio

If a network product or service is deemed by the member departments of the cybersecurity review working mechanism to affect or potentially affect national security, the CRO shall submit it to the Central Cyberspace Affairs Commission for approval and conduct the review in accordance with the provisions of these Measures.

3. What is the Cybersecurity Review Procedure?

In accordance with the Revision Draft of Measures for Cybersecurity Review (Exposure Draft), the whole procedure of cybersecurity review is as follows:

What Are Legal Consequences for Breach?

In terms of the legal consequences of breaching the cybersecurity review obligations, Article 20 of the 2021 Exposure Draft cites the CSL and the DSL as the legal bases. According to the CSL, any Cybersecurity Review Target that fails to apply for a cybersecurity review, or that uses products or services which have failed to pass a cybersecurity review, is subject to a fine of up to 10 times the price of the procured products or services, and the responsible person is subject to a fine of up to CNY 100,000. Besides, the competent department has the power to order the entity to cease its use of such products or services.

According to the DSL, a breach of data security obligations may lead to a maximum fine of CNY 10 million in the case of a severe violation.

In practice, if the competent departments believe that a company is not fulfilling its cybersecurity review obligations as a CIIO or an NS Data Processor, they may immediately conduct investigations and assessments and issue various penalties. The penalties depend on the severity of the violation and may include administrative warnings, ordered rectification and administrative fines. Once a cybersecurity review is triggered, the regulatory body may order app stores to remove the apps of the Cybersecurity Review Target or prohibit new users from registering for such apps. For example, under the orders of the CAC, the Didi Chuxing app has been removed from all app stores in China and the company has been required to rectify the relevant problems, while the Yunmanman, Huochebang and Boss Zhipin apps have been barred from registering new users.

What Should Cybersecurity Review Targets Do in Operation to Meet the Compliance Obligations?

The 2021 Exposure Draft further strengthens cybersecurity and data security supervision following the CSL and the DSL. The implementation of the measures will have a significant impact on the Cybersecurity Review Targets in China. Therefore, companies that may fall within the scope of Cybersecurity Review Targets should take these implications into account in their daily business and invest in security and data protection compliance in order to meet their obligations under the CSL, the DSL and other relevant laws and regulations.

1. Procurement Compliance

Apart from the CIIOs and NS Data Processors, which are the direct targets of cybersecurity review, the suppliers to these Cybersecurity Review Targets, i.e. the companies which provide products and services, may also be affected by cybersecurity review. The 2021 Exposure Draft requires that the Cybersecurity Review Targets shall, through the procurement documents and agreements, request the suppliers of products and services to cooperate in cybersecurity review, including a commitment that they will not illegally acquire user data through their products and services, will not illegally control or manipulate users’ equipment, and will not suspend the supply of products or necessary technical support services without reasonable cause. Due to the above, it has been recommended that the parties should apply for cybersecurity review before signing the procurement contract, or should specify in the contract that it will take effect only if the products or services pass the cybersecurity review.

2. MLPS Requirements and Data Security Protection

The system of Multi-level Protection for Cybersecurity (“MLPS”) is a system established under the CSL, and the DSL reemphasizes its importance. MLPS certification requires companies to assess the current state of their information and network systems with servers located in China and the risks associated with them. Under the MLPS, companies are required to evaluate and determine the level of their information and network systems, from the lowest level 1 to the highest level 5, based on the impact on national security, social order and economic interests if the systems are destroyed or attacked. Companies are subject to different technical requirements depending on the classification of their systems, and additional administrative procedures are required if a system is classified at level 2 or above.

The DSL imposes multiple data security obligations, including establishing and improving a data security management system; organizing data security training; taking technical and other necessary measures to ensure data security; enhancing risk monitoring; and taking appropriate measures to prevent data breaches.

3. Data Categorization and Important Data Protection

Article 21 of the DSL provides that the government will publish an important data catalogue at the national level, and each region and department shall determine their own catalogues of important data accordingly. Therefore, if Cybersecurity Review Targets process data that falls under the important data catalogues, the following requirements will apply:

  • Designation of responsible person: Companies processing important data should designate persons responsible for data security and establish data security management bodies to ensure compliance with their data security obligations.
  • Risk assessments: Companies processing important data should periodically carry out risk assessments for their data processing activities and submit a risk assessment report to the relevant government authority.

4. Cross-border Data Transfer

The Cybersecurity Review Targets should pay close attention to compliance in cross-border data transfer. Under the CSL, all personal information and important data collected or generated by CIIOs within the territory of China should in principle be stored in China; if a CIIO needs to transfer such data outside China, it must go through a security assessment approved by the competent authority. Furthermore, in accordance with the DSL, the government will formulate further regulations on the cross-border transfer of important data by companies other than CIIOs. Although the implementing rules have yet to be published by the government, it appears that even companies that do not constitute CIIOs may be subject to restrictions on cross-border transfers if they process data that falls under the important data catalogues, and relevant companies should keep this in mind.
