On July 11, the Cybersecurity Administration of China (CAC) issued a draft of the revised version (the Draft) of the Measures on Cybersecurity Review (网络安全审查办法(修订草案征求意见稿)). The revision, once finalized, would serve as the legal basis for the cybersecurity reviews launched recently. The Draft solicits comments, which are due by July 25.

Currently there are four ongoing cybersecurity reviews under the Cybersecurity Review Office, including one for Chinese ride-hailing app Didi Global. All four investigations involve companies that recently had Initial Public Offerings in the United States. There had been some speculation about the basis for conducting these particular cybersecurity reviews, but the Draft provides a clearer legal framework for the investigations. The seriousness with which the Chinese government is taking data has become clear to Chinese companies.  According to reports, ByteDance, the Chinese company that owns TikTok, postponed the plan for its offshore listing after China's tightening on cybersecurity and data security.

According to Zuo Xiaodong, vice president of the China Academy of Information Security, the Draft is to implement Article 24 of the Data Security Law, which requires the government to establish a data security review mechanism. The Data Security Law was passed on June 10 and will take effect on September 1, 2021. In addition, the Draft is part of the implementation of the State Council's recent opinions on cracking down on illegal securities activities, which requires improvements to laws and regulations on data security, cross-border data flow and management of confidential information.

Compared to the previous version, the Draft broadens the scope of the cybersecurity review, adds two more factors for the cybersecurity review, and extends the review period for the special review procedure.

Who would be subject to cybersecurity review?

Article 2 of the Draft expands the application of cybersecurity review to cover data processing activities conducted by data processors. Previously, it only applied to the purchase of network products and services by critical information infrastructure (CII) operators. A CAC official previously stated at a press conference that important network and information system operators in many sectors would also be subject to the requirements in the Measures. The Draft seems to incorporate this statement into the regulation.

The Draft also broadens the scope of network products and services to include important telecom equipment. The relevant products and services purchased by CII operators would be subject to cybersecurity review. (Article 21) The Draft maintains other categories of network products and services in the earlier version, including core network equipment, high-capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services, and other services or products that are important to CII.

Triggers of the cybersecurity review

As with the earlier version, there are two ways for a cybersecurity review to start: an application filed by a company or self-initiation by a government agency. The Draft added a new condition for companies’ applications. Article 6, which is a new provision, states that any operators (CII operators or data processors) that possess personal information of over 1 million users shall apply for a cybersecurity review.

The Cybersecurity Review Office may also initiate a cybersecurity review, based upon the opinions of its members and with approval by the Central Cyberspace Affairs Commission, if network products and services, data processing activities, or listing in a foreign nation impact or may impact national security. (Article 16) The latter two scenarios, data processing and listing in a foreign nation, are both added in the Draft, potentially leading to an increase of cybersecurity reviews for technology companies.  

The Cybersecurity Review Office is an interagency group consisting of members of 13 agencies, including the CAC, the National Development and Reform Commission (NDRC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, the Ministry of National Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, the State Cryptography Administration, and the Securities Regulatory Commission. (Article 4) The Securities Regulatory Commission is newly added by the Draft.

The Draft keeps a provision in the older version that requires operators to predict the potential national security risks associated with products or services they plan to purchase and apply for a cybersecurity review if there is or may be any national security risk.

Elements considered in the cybersecurity review

The Draft added two more elements in Article 9, on top of the original five elements, that the Cybersecurity Review Office should evaluate during the review:

  • The risk of key data, important data, or a large amount of personal information being stolen, leaked, destroyed, and illegally used or exiting the country;
  • The risk that critical information infrastructure, key data, important data, or a large amount of personal information will be affected, controlled, or maliciously used by foreign governments after listing in foreign countries.

The other five factors the Cybersecurity Review Office should consider include:

  • The risk of CII  being illegally controlled, interfered with, or destroyed;
  • The damage of any supply disruption of products and services to the continuing operation of CII;
  • The safety, openness, transparency, diversity of the product and service, reliability of supply channels, and the risk of supply disruption due to political, diplomatic, and trade factors
  • Product and service providers’ compliance with Chinese laws, administrative regulations, and departmental regulations
  • Any Other factors that may jeopardize the security of CII and national data security.

Timeframe of the cybersecurity review

The Draft also extended the period of special review from 45 working days to 3 months. (Article 14) Similar to the previous version, special reviews can be extended even more and the Draft does not provide a maximum time period within which a special review should be completed.