On 10th July, 2021, China's central Internet regulator, the Cyberspace Administration of China ("CAC"), released a draft revision of the Cybersecurity Review Measures for public comment. The existing Cybersecurity Review Measures were promulgated on 13th April, 2020 and went into effect on 1st June, 2020 (hereafter the "2020 rules"). The 2020 rules were made to implement China's Cybersecurity Law and aimed at addressing only the risks to national security and business continuity posed by the procurement of network products and services by critical information infrastructure operators. But no enforcement action under the 2020 rules had been taken, or disclosed, until 2nd July, 2021, when it was announced that China's top ride-hailing platform, Didi Chuxing, would be probed under a cybersecurity review two days after its IPO in the U.S. This was closely followed by two similar probes against other Internet companies that had also listed in the U.S. very recently.

Coming right after Didi's probe, the revision of the Cybersecurity Review Measures is very eye-catching. In particular, it introduces a mandatory review of any business holding personal information of more than one million users that seeks to list its securities abroad. It unequivocally shows Chinese regulators' concerns about data security and cross-border data transfer related to overseas listings, especially as international tensions over data sovereignty continue to grow. For businesses in China, it also signals that cybersecurity review will become a focus of future enforcement in the field of data protection laws and that corresponding probes will become normalized in China.

Here are the highlights of the proposed changes.

Data Security Law Added as an Enabling Statute

The 2020 rules were made pursuant to two statutes – the National Security Law and the Cybersecurity Law. Specifically, Article 35 of the Cybersecurity Law requires a security review of the procurement of network products and services by critical information infrastructure operators that may affect national security, which was the only triggering event of security review under the 2020 rules.

The revised rules add an enabling statute, the Data Security Law, enacted last month on 10th June and not effective until 1st September 2021. Article 24 of the Data Security Law provides that any data processing activity that affects or may affect national security shall go through a security review, which becomes another triggering event under the revised rules.

It should be noted that the data processing activities that could trigger a security review are not limited to those of critical information infrastructure operators, but extend to those of any "data handlers." The definition of "data handler" is not provided in the revised rules or the Data Security Law. If read in combination with the Personal Information Protection Law under deliberation, the Chinese version of GDPR, which is believed to pass soon, a data handler actually means a data controller under GDPR. Therefore, it remains to be clarified whether the "data handler" here aligns with the Personal Information Protection Law, or is even broader and includes data processors that are entrusted by data controllers to handle data processing.

A corresponding change in this regard is that the revised rules emphasize the risks associated with data security. The 2020 rules already mentioned the risk of important data being stolen, leaked or damaged as a consideration under security review. The revised rules list it as a separate reviewing standard: whether core/important data or a large amount of personal data would be stolen, leaked, damaged, or illegally exploited or moved overseas. Core data is a category within important data, newly established by the Data Security Law, that is subject to stricter management.

Explicitly Addressing Overseas IPO as a Trigger

The revised rules add a provision specifically targeted at overseas IPOs. Article 6 stipulates that if any data handler that has personal information of more than one million users is seeking to list its securities abroad, it must file for a review. In such a case, IPO-related materials to be filed with foreign authorities shall also be submitted to the CAC for review. The term "abroad" is phrased as excluding Hong Kong, so a Hong Kong IPO does not trigger a mandatory review under this provision.

On this point, two more corresponding changes are made under the revised rules. First, the China Securities Regulatory Commission is added as a member of the cybersecurity review working mechanism and will work with twelve other government departments on this. Second, as to the reviewing standards, the revised rules add, as a national security risk to be reviewed, whether critical information infrastructure, core/important data, and a large amount of personal data would be influenced, controlled or maliciously exploited by foreign governments after an overseas IPO.

By this amendment, the CAC is outspoken about its data security concerns related to overseas IPOs. On 6 July, 2021, the Central Committee of the Communist Party of China and the State Council jointly issued a document on the crackdown on illegal activities in the securities market, which specifically mentioned the enhancement of data security, cross-border data transfer, and the administration of classified information related to overseas listings. Both suggest that data security is indeed of particular concern for Chinese regulators. In a nation with a population of 1.4 billion, the threshold of one million users is pretty low for an Internet firm operating in China, making it an easy trigger of a security review.

Prolonging Special Process of Review

Pursuant to the 2020 rules, without a special process a cybersecurity review can be completed within 45 working days, including 10 working days for the review of the necessity of cybersecurity review and 30 working days for preliminary review. In complicated cases, the preliminary review period can be extended by 15 working days, leading to a total of 60 working days. But if a special process is launched because a unanimous agreement cannot be reached by the members, the review could be extended by another 45 working days (therefore, a total of 105 working days) and can be further extended if necessary (in which case no time limit is provided).

The revised rules change the special process from 45 working days to 3 months. It will prolong the special process by about one month. Still, if further extension is warranted, then no time limit applies.

Implications

Considering that the revised rules incorporate requirements under the Data Security Law, which will come into effect on 1st September 2021, it is very likely that the new Cybersecurity Review Measures will be enacted around the same time. The immediate effect of China's recent regulatory pressure is that many tech companies are announcing withdrawals of overseas IPOs. Other businesses should attach similar importance to the cybersecurity review regime, since data security concerns are undoubtedly escalating in China.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.