China to enhance cybersecurity review measures
China Data Protection Alert
A few days ago, Cyber Administration of China (CAC) has shaken the online business sector with the cybersecurity review on Didi (world’s biggest online ride-hailing company) and other three online business companies to prevent data security risks, citing the 'Cybersecurity Review Measures' (see our previous article on this topic).
Following the big move, on July 10, 2021, CAC published at its website the draft amended Cybersecurity Review Measures (Draft), seeking for public opinions until July 25. Based on the recently enacted Data Security Law, the Draft aims to establish the rules for the national security review system to better prevent the cybersecurity and data security related risks. In a nutshell, the Draft contains the following new features:
- The cybersecurity review will not only be applied to Critical Information Infrastructure Operators (CIIOs), but also data processors as well as the suppliers of products and services for those operators.
- The review will be triggered not only by application of the CIIOs and other data processors if they foresee any risk but also can be initiated by the government authorities.
- The scope of review will not only limited to cybersecurity risk, but will also consider data security, supply chain security, national security, and the legal compliance status of the suppliers. In case an operator which holds personal data of more than 1 million users will list in a foreign country, it must apply for cybersecurity review.
- The timeline for the reviewing process is extended. The standard process may take up to 70 working days and the special review process may take 3 months more and would be extendable.
Below we give you more details on the amended Cybersecurity Review Measures.
1. Affected Entities
Under the Draft, the cybersecurity review may affect the following three categories of entities:
(1) CIIOs: The current Cybersecurity Review Measures already stated that CIIOs shall undergo the cybersecurity review before CAC when procuring network products and services, which mainly refer to core network equipment, important telecommunication products, high performance computers and servers, mass storage device, large data base and application programs, network security equipment, cloud computing services and other network products and services which may have significant influence to the security of the critical information infrastructures.
(2) Data Processors: The Draft further expands its scope to cover non-CIIOs, which means that it would be possible for any data processors to be subject to cybersecurity review in case their data processing is considered “affecting or may affect national security”.
(3) Product and Service Suppliers: Apart from the CIIOs and Data Processors (who are both referred to as “Operators”) which are the direct targets of cybersecurity review, the suppliers to those Operators, i.e. the companies which provide products and services, may also be affected by cybersecurity review. The Draft requires that the Operators shall, through the procurement documents and agreements, request the suppliers of products and services to cooperate in cybersecurity review, including to commit that it will not illegally acquire user data through products and services, or illegally control or manipulate user’s equipment, and will not suspend the supply of products or necessary technical supporting services without reasonable cause. Due to the above, it has been recommended that the parties should apply for cybersecurity review before the signing of the procurement contract or they should specify in the contract that the contract will be effective only if the products or services pass the cybersecurity review.
2. Implementation of Cybersecurity Review
(1) Initiation of Cybersecurity Review
Cybersecurity review may be triggered by the operators or by any government authority which is a member of the “Cybersecurity Review Working System”.
a. Application for Cybersecurity Review. The Draft requires the operators to apply for cybersecurity review in two circumstances:
i. In case an operator foresees the network products and services procured will bring national security risk. The measures have authorized relevant government authorities regulating the Critical Information Infrastructures (CIIs) in different sectors to produce their respective sectoral guidelines to identify national security risks of the network products and services.
ii. In case an operator which holds personal data of more than 1 million users will list in a foreign country, it must apply for cybersecurity review. Taking into account the huge population of China, this is not a high threshold. As this is the first time Chinese regulations using a specific data amount as threshold, it is possible that this threshold will be cited to define other cybersecurity and data protection related reviews.
b. Government Initiated Cybersecurity Review. In case a member of Cybersecurity Review Working System is of the view that there is any network product and service, data processing activities and listing in foreign country affecting or may affect national security, the Office of Cybersecurity Review may apply for the approval of CAC in order to initiate a cybersecurity review.
(2) Reviewed Documents
The Operators will be required to submit relevant materials to CAC for review, which include an analysis report on the impact on national security, the procurement documents, agreements, contracts to be signed or IPO filing documents.
As transaction documents will be disclosed to the government authorities for cybersecurity review, parties should take such possible disclosure into account when doing transactions.
(3) Cybersecurity Risks
The cybersecurity review will focus on the following risks:
i. The risks of the CII being illegally controlled, interfered or damaged due to the deployment of product and service;
ii. The harm to the business continuity of the CII due to the suspension of the product and service supply;
iii. The safety, openness, transparency, diversity in source, reliability of supply channel and other risks of supply suspension due to political, diplomatic, trade and other reasons;
iv. The status of the supplier of products and services in compliance with the Chinese laws, administrative regulations and departmental rules;
v. Risks of theft, leakage, damage and illegal use or cross-border transfer of core data, important data or massive personal information;
vi. Risks of the CII, core data, important data or massive personal information being influenced, controlled or maliciously used by foreign government after listing in foreign country;
vii. Other factors which may undermine the safety of CIIs or national data security.
The cybersecurity review will focus on (i) cybersecurity risk, (ii) supply chain risk, (iii) third party supplier’s legal compliance risk, (iv) data security risk, and (v) national security risk. Therefore, the suppliers of network products and services who have lower risk level, more reliable supply capacity, less exposure to political, diplomatic and trade instability, and have a better legal compliance status will become more competitive in the Chinese market.
3. Cybersecurity Review Process and Timeline
Cybersecurity reviews are mainly handled by China Cybersecurity Review Technology and Certification Center (CCRTC) which will accept the application documents, conduct formality review, and organize the substantive review under the supervision of CAC’s Office of Cybersecurity Review.
The cybersecurity review consists of a standard review process which will be completed within 70 working days in case the members of “Cybersecurity Review Working System” could reach unanimous. Otherwise, the special review process will be triggered and it would normally be completed within 3 months, with possible extension in complex cases.
4. Legal Liabilities
In terms of legal liabilities of breaching the cybersecurity review obligations, the Draft has cited Cybersecurity Law and Data Security Law. According to the Cybersecurity Law, any entity failed in applying for cybersecurity review or used any products and services failed to pass cybersecurity review would be subject to a fine up to 10 times of the price of procured products or services, and the responsible person will be subject to a fine up to CNY 100,000.
While according to Data Security Law, breaching of data security obligations may lead to a maximum fine of CNY 10 million in case of severe violation.
The draft amendment of the Cybersecurity Review Measures will further enhance the cybersecurity and data security supervision after the Data Security Law. In the meantime, there are still doubts in the current draft measures, and some of the systems and rules also rely on the further promulgation of other supporting regulations. Having said so, there is no doubt that the implementation of the measures will not only affect Chinese data processors, but will also pose significant impact on the network equipment and service providers both in China and aboard.
Therefore, those companies should take these implications into account in their business, put efforts in the security and data protection compliance in order to take advantage of the security concerns and convert them to their competitive advantages. Garrigues will also continue to pay close attention to the amendment process of the Cybersecurity Review Measures and share our observations.
 There is no publicly available list of CIIOs but it has been recommended that important network and information system operators in sectors such as telecommunications, radio and television, energy, finance, transportation, civil aviation, postal services, water conservancy, emergency administration, hygiene and health, social security, national defense technology and industry should consider cybersecurity review.
 Important telecommunication products are newly included in the list of network products in this amendment to the Cybersecurity Review Measures.
 The members of this system include CAC, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of National Security, Ministry of Finance, Ministry of Commerce, People’s Bank of China, State Administration for Market Regulation, National Radio and Television Administration, China Securities Regulatory Commission (CSRC), National Administration of State Secret Protection and State Cryptography Administration. CSRC has been newly included to enhance the regulation on companies listing in foreign country.
 For example, in the latest draft of Personal Information Protection Law, it is provided that the data processor who processes personal data above certain amount would be subject to security assessment before transferring the personal data to a third country.