Legal Updates from some of our members
Revised Measures Released to Strengthen Cybersecurity Review in China
The revised Cybersecurity Review Measures were promulgated on December 28, 2021 and are to become effective on February 15, 2022.
- Cybersecurity Review Measures to Implement Laws
The State Security Law, effective on July 1, 2015, for the first time vowed to establish a review and regulation system and mechanism for State security and to carry out security review of foreign investment, key technologies, and network information technology products and services that affect or may affect State security (Article 59 of the State Security Law). As part of the efforts to safeguard State security in cyberspace, the Cybersecurity Law, effective on June 1, 2017, requires security review by the Cyberspace Administration of China (“CAC”) and other competent authorities of any purchase of network products and services by critical information infrastructure operators that may affect State security (Article 35 of the Cybersecurity Law). The Data Security Law, effective on September 1, 2021, plans to establish a data security review system to review data processing activities that affect or may affect State security and further provides that a security review decision is final and unappealable.
CAC has enacted the Cybersecurity Review Measures and its Revisions to implement the above laws.
- Security Review Targets Purchase of Network Products and Services and Data Processing Activities
Briefly, any purchase of network products and services by critical information infrastructure operators and data processing activities by data processors that affect or may affect State security require cybersecurity review (critical information infrastructure operators and data processors, collectively the “Operators”).
Critical information infrastructure: under the Security Protection Regulations for Critical Information Infrastructure, critical information infrastructure is designated by industrial information infrastructure protection regulators. Regulators will inform operators of the designated infrastructure and will file the infrastructure with the State Council.
Network products and services: mainly core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructures.
Data processing: the Data Security Law defines data processing broadly, involving collection, storage, use, processing, transmission, provision and disclosure of data.
State security: according to the State Security Law, State security refers to the condition in which the state power, sovereignty, unity and territorial integrity, people’s welfare, sustainable economic and social development, and other vital interests of the State shall relatively face no danger or encounter no internal and external threats, as well as the capability to safeguard sustainable safety condition. The vagueness and breadth of this definition greatly increase the difficulty of understanding the criterion for security review, namely “affect or may affect State security”, especially considering that the Operators concerned are required to prejudge whether their purchase of network products and services would affect or may affect State security and, if yes, are obligated to apply for security review. Thankfully, the Cybersecurity Review Measures and its Revision shed some light on how to assess the potential State security concern (please refer to Section 5 for details).
There is also a catch-all clause for the discretion of the government: where member authorities of cybersecurity review working mechanism deem that network products and services, data processing activities or overseas IPOs affect or may affect State Security, the Office of Cybersecurity Review under CAC may initiate security review after receiving approval from the Central Cyberspace Affairs Commission (“CCAC”).
- Revised Measures Stress Overseas IPOs
The Revised Measures add an Article 7, which expands the reporting and application obligation to include any Operator concerned who possesses the personal information of more than one million users and goes public abroad.
The investigation into the IPO of DiDi has illustrated that regulators in China are seeking to curb overseas IPOs of domestic enterprises potentially exposed to State security risks. Article 7 adopts a higher standard for IPO enterprises, as qualified overseas IPOs are linked to cybersecurity reviews without exception. This reflects the view of regulators in China that enterprises holding large amounts of personal information are almost invariably linked to national and cybersecurity risks.
Notably, the Revised Measures use “become listed in other countries” throughout instead of more common expressions such as “listed on foreign exchanges”. This wording seems to imply that enterprises to be listed on the Stock Exchange of Hong Kong will not be subject to cybersecurity review under the new Article 7. This could be interpreted as a concession to allow domestic enterprises to achieve their fund-raising targets through IPOs on a foreign market, while maintaining the risk of data exposure at an acceptable level.
- Revisions in Response to the Data Security Law
The Revised Measures provide that data processors and data processing activities are subjects of cybersecurity review, alongside critical information infrastructure operators and purchasing activities respectively. In Article 10, the Revised Measures quote the classification of core data and important data from the Data Security Law for assessing the risks from the potential purchase of network products and services and data processing. This means that cybersecurity reviews conducted under the Revised Measures will also cover all types of data processors and processing activities as defined in the Data Security Law.
- Risk Factors to be Considered in Cybersecurity Reviews
CAC will consider the following main risk factors when conducting cybersecurity review:
- Risks of illegal control, interference or destruction of critical information infrastructure resulting from the use of network products and services;
- Harms caused by supply interruption of network products and services to the business continuity of critical information infrastructure;
- Security, openness, transparency and diversity of sources of network products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade or other factors;
- Information on compliance with Chinese laws, administrative regulations and departmental rules by network product and service providers;
- Risks of theft, leakage, damage, illegal use or cross-border transfer of core data, important data or large quantities of personal information;
- Risks of influence, control or malicious use of critical information infrastructure, core data, important data or large quantities of personal information by foreign governments after overseas listing; and
- Other factors that may endanger critical information infrastructure security and national data security.
- Procedures of the Cybersecurity Review
The current Cybersecurity Review Measures require the special review process to be completed within 45 working days, which can be “appropriately extended” for complicated cases. The Revised Measures extend this limit to 90 working days and allow it to be simply “extended” for complicated cases. The actual review will be conducted by the China Cybersecurity Review Technology and Certification Center.
To briefly summarize the procedures, the Office of Cybersecurity Review under CAC is generally responsible for conducting the review, with assistance from member authorities of the cybersecurity review working mechanism. The Office of Cybersecurity Review will decide whether a review is needed, conduct a preliminary review, solicit the views of member authorities on the preliminary review conclusions, conduct a special review if needed, and liaise with Operators throughout the process. In the case of a special review, the Office of Cybersecurity Review will report to CCAC for approval before making the final conclusion.
The following flow chart represents the process prescribed in the Revised Measures.
For Chinese enterprises currently listed or seeking IPOs on exchanges in other countries, it is advisable to follow this recent legislation closely and prepare to meet the more stringent compliance standard for data protection.
This Newsletter is only offered for the purpose of sharing information. It discusses legal developments and should not be regarded as legal advice for specific situations. If you wish to obtain more information, please contact us at .
The Law Firm Network is a network of independent law firms originated in 1989. Our members are not affiliated in the joint practice of law; each member firm is an independent law firm and renders professional services on an individual and separate basis.