Alert January 24, 2022

China Issues Revised Measures on Cybersecurity Review Over Network Operators

In response to recent data security concerns arising from overseas listings of Chinese internet companies operating in the People’s Republic of China (the “PRC”), the Cyberspace Administration of China (the “CAC”) has issued revised measures to expand the types of businesses and circumstances that would require cybersecurity review by the CAC. This has impacted and could potentially impact a broad range of data-rich tech companies.

On January 4, 2022, the CAC issued the revised Measures on Cyberspace Security Review (the “Revised Measures”), which will come into effect on February 15, 2022. Under existing rules, operators of critical information infrastructure[1] (“CII”) intending to procure network products and services that may affect national security are required to undergo cybersecurity review. The Revised Measures expand the scope of reviewed business entities to include network platform (“NP”) operators intending to engage in certain activities, such as applying to list abroad.

The Revised Measures establish a Cybersecurity Review Office (the “CRO”), an administrative body within the CAC, to formulate the regulations for cybersecurity review and to lead the cybersecurity review process. Applicable CII operators and NP operators are required to submit an application to the CRO, and the CRO will assess whether a cybersecurity review is required.

Scope of Application

If an entity is a CII operator or a NP operator, it is required to apply for cybersecurity review if any of the following three conditions is met:

  1. The CII operator proposes to procure network products and services that affect or may affect national security;

  2. The NP operator proposes to carry out data processing activities that affect or may affect national security; or

  3. The NP operator controls personal information of more than 1 million users, and proposes to apply for overseas listing.

The Revised Measures use the term “overseas listings,” which is often interpreted in other PRC rules and regulations as listings outside of China, for instance in the U.S., and excludes listings in Hong Kong. Therefore, although the term “overseas listings” is not defined in the Revised Measures, it is speculated that condition 3 above would exclude NP operators looking to list in Hong Kong.

According to the Revised Measures, (a) “network products and services” include core network equipment, high-capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services, and other network products or services that significantly impacts CII security, cybersecurity, or data security, and (b) “data processing” means the collection, storage, use, processing, transmission, provision, and disclosure of data.

Cybersecurity Review Process and Timeframe

According to the Revised Measures, the process and timeframe of cybersecurity review will be as follows:

 Stage Actions  Time Limits 
 The applicant submits application documents to the CRO.
“Go”/“No-Go” Decision The CRO shall evaluate whether a cybersecurity review is required. 10 working days after the CRO receives the application documents.
 The CRO notifies the applicant of its determination as to whether a cybersecurity review is required or not.
Preliminary Review 
(only if the CRO determines that that a cybersecurity review is required)
 
The CRO shall complete its preliminary review and circulate its determination and recommendation to other government agencies that are members of the cybersecurity review initiative (“CRI Members”)[2] . 30 working days after the CRO notifies the applicant of the “go” decision, provided that the timeframe may be extended by 15 working days if the circumstances are complicated. 
Inter-Agency Review CRI Members shall review the CRO’s determination and recommendation and respond to the CRO with their comments.  15 working days after CRI Members receive the CRO’s determination and recommendation.
 If CRI Members’ comments align with the CRO’s determination and recommendation, the CRO shall notify the applicant of the final decision.
Special Review
(only if CRI Members and the CRO do not reach a unanimous decision)
 
The CRO shall consider CRI Members’ opinions, conduct in-depth analysis, and update its determination and recommendation and once again seek comment from the CRI Members. Thereafter, the CRO shall submit their joint decision to the Central Cybersecurity and Information Committee for approval. 90 working days, provided that the timeframe may be extended if the circumstances are complicated
 After the Central Cybersecurity and Information Committee approves the decision, the CRO shall notify the applicant of the final decision.

The Revised Measures provide that if the CRO requests additional information from the applicant, the applicant shall cooperate and the time for the applicant to prepare and provide such information will not count towards the time limits described above. In other words, the clock will stop while the applicant is preparing responses to the CRO, and accordingly the actual review timeline may be longer than the time limits provided in the Revised Measures.

It is also worth noting that if any CRI Member identifies any network products, services or data processing activities that affect or may affect national security, upon obtaining the approval by the Central Cybersecurity and Information Committee, such CRI Member may initiate cybersecurity review without first receiving an application from the reviewed party.

National Security Factors in Cybersecurity Review

In addition, the Revised Measures added more factors to be considered in assessing national security risks in a cybersecurity review. In particular, the Revised Measures highlight potential national security risks in NP operators’ overseas listings as they may enable foreign governments to exert influence or control over CII, core data, important data, or massive personal information.

The Revised Measures list the following factors that should be evaluated in a cybersecurity review:

  1. Risks of CII being illegally controlled, interfered or sabotaged if the products or services at issue are implemented;

  2. Potential harms to CII’s business continuity if the products or services at issue are interrupted;

  3. Safety and transparency of the products or services at issue and the reliability and diversity of the sources of such products or services;

  4. Compliance of the suppliers of the products or services at issue with the PRC laws, regulations and rules;

  5. Risks of theft, leakage, destruction, illegal use, or export of core data, important data, or massive personal information;

  6. Risks of CII, core data, important data, or massive personal information being influenced, controlled or maliciously used by foreign governments if the proposed overseas listing gets through; and

  7. Other factors that may jeopardize the security of CII, cyberspace and/or data.

Overseas Listings

Regarding overseas listings, the CAC further clarified in its press release that under the Revised Measures, there will be three possible outcomes of an NP operator’s application for cybersecurity review in respect of its proposed overseas listing, either:

  1. The CRO determines that the listing does not require a cybersecurity review;

  2. The CRO determines that the listing requires a cybersecurity review and following the review it determines that there is no national security concern and the NP operator can proceed with the listing; or

  3. The CRO determines that the listing requires a cybersecurity review and following the review it determines that there is national security concern and the NP operator shall not proceed with the listing.

Effect

While the Revised Measures are expected to have a damping effect on PRC companies’ sluggish interest in going public in the U.S., they also provide a clear path forward for Chinse companies that are not CII operators or NP operators (for example, biotech companies) to get listed overseas.

Goodwin Procter LLP and its affiliates have offices in the U.S., England, France, Germany, Hong Kong and Luxembourg, and do not practice PRC law. The information contained in this publication is based upon the current understanding of Goodwin lawyers active in the firm’s Asia practice.


[1] According to Article 2 of the Regulation on Protecting the Security of Critical Information Infrastructure, a critical information infrastructure refers to any network facility or information system of important industries and fields (such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and the science, technology and industry for national defense) that, in the event such facility or system is destroyed, loses its function or experiences data leakage, may seriously endanger national security, national economy and livelihood, and public interest.

[2] According to the Revised Measures, CRI Members include the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the China Securities Regulatory Commission, the National Administration of State Secrets Protection and the State Cryptograph Administration.