The Cyberspace Administration of China (CAC) issued a notice at 12:00 a.m. on 10 July 2021 to publicly solicit comments on the Cybersecurity Review Measures (Revised Draft for Comment) (the “Draft for Comment”) (for previous interpretations of the Cybersecurity Review Measures, please see the article: Innovations and Changes of Cybersecurity Review Measures). Considering the recent regulatory measures taken by the CAC, the Cybersecurity Review Office and other regulators against a number of enterprises, this article addresses some of the key points of the Draft for Comment for your reference.
II. Interpretation of Key Points
This article focuses on two aspects of the Draft for Comment - the new key issues and the basic issues - and interprets each in turn.
New key issues (please see the table at the end of the article for the comparison between the Draft for Comment and the current version)
1) Who is the Draft for Comment applicable to?
The Draft for Comment applies to critical information infrastructure (CII) operators as well as data processors. Given that data processors are new subjects, we understand that even if an enterprise is not a CII operator or is not sure whether it is a CII operator, it is likely subject to the regulation of the Draft for Comment if it conducts data processing activities and such activities affect or may affect national security.
2) If an enterprise is subject to the Draft for Comment, under what conditions would it be required to apply for cybersecurity review?
If an enterprise is a CII operator or data processor, it is required to apply for or pass cybersecurity review if any of the following conditions is met:
Application for security review:
Where a CII operator procures a network product or service that affects or may affect national security;
Where an operator (a CII operator or data processor) holding the personal information of more than one (1) million users intends to list abroad; or
Where any member of the cybersecurity review working mechanism is of the opinion that a network product or service, a data processing activity or a listing in a foreign country affects or is likely to affect national security.
3) Do enterprises intending to list in Hong Kong need to apply for cybersecurity review? Do they also need to meet compliance requirements such as the requirements for cross-border data transfer?
As the expression used in the Draft for Comment is “listing in a foreign country” rather than “offshore listing” [typically understood to mean a jurisdiction outside of the Chinese Mainland], we understand that there may be some differences between the two.
Referring to the interpretations of “embarkation” and “disembarkation” under the Law of the People's Republic of China on Administration of Embarkation and Disembarkation, we understand that “offshore” regions include Hong Kong SAR, Macao SAR and Taiwan region.
As for the distinction between “domestic” and “foreign”, we understand that “domestic” should generally include Hong Kong SAR, Macao SAR and Taiwan region, while “foreign” refers to “countries and regions other than the People’s Republic of China (PRC)”.
Based on the above understanding, we believe that it is relatively unlikely that a Hong Kong listing will be considered as “listing abroad”. However, given that our interpretation of “offshore” and “foreign” is based on research and reference to the laws of other fields, and that the terms are not clearly defined in the Draft for Comment, we cannot rule out the possibility that such concepts may have other meanings. It is recommended that enterprises follow closely the relevant legal developments.
As defined in the Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment, “cross-border data transfer” mainly refers to “one-off or continuous activities in which network operators provide overseas institutions, organizations or individuals with the personal information and important data collected and produced during operations within the territory of the PRC through the Internet or other means, such as direct provision, conducting business, provision of services or products”. Therefore, considering the distinction of “domestic” and “offshore”, and the above interpretation, we believe that, for Hong Kong listings, post-listing data transfer to Hong Kong should still be considered as cross-border data transfer, and therefore enterprises need to comply with the provisions on cross-border data transfer in the Cybersecurity Law, Data Security Law and supporting measures.
4) Does “one million user personal information” mean one million pieces of personal information or the personal information of one million users?
The Guidance for Operations of National Cybersecurity Inspection contains similar requirements in the section “Identification of CII”. The factors to be examined in identifying CII include “the number of registered users exceeds ten million”, “the average number of daily visits exceeds one million”, and “causing the leakage of personal information of more than one million individuals”. All these provisions are made from the perspective of the number of personal information subjects rather than the quantity of personal information.
Since the legislative purpose of the Guidance for Operations of National Cybersecurity Inspection is similar to that of the Draft for Comment, i.e., to strictly regulate the entities or activities (including but not limited to listings abroad) that may affect a large number of individuals in order to protect economic and livelihood interests, we believe that the “one million user personal information” in the Draft for Comment is more likely to refer to the personal information of one million individuals.
5) How should “operators ‘with’ personal information” be understood? If an operator only provides storage or transfer services, or entrusts third parties such as cloud service providers to process personal information, is it subject to regulation?
We understand that the expression operators “with” personal information is similar to the concept of a “controller”, so the definition of controller can be used as a reference for its interpretation. However, there is no clear legal distinction between controllers and processors in China. Given the increasingly stringent regulation, we recommend that enterprises treat both physical control of data and data processing in the legal sense as falling within this category and apply for cybersecurity review accordingly.
6) What materials are required to be submitted for cybersecurity review? What IPO materials need to be provided?
The application materials should include:
An analysis report concerning the impact or possible impact on national security;
The procurement document, agreement, contract to be concluded or IPO documents to be submitted, among others; and
Other materials required for the cybersecurity review.
Specifically, with reference to data security laws and other related legislation, we believe that an analysis report may contain a number of elements such as supply chain security, data security and compliance, cross-border data transfer, and jurisdictional conflict resolution mechanisms. For the purpose of the review, we believe that IPO documents may include prospectuses, but whether they include working papers remains to be clarified.
7) How long will the cybersecurity review take and will it affect the listing process?
In accordance with the Draft for Comment, the Cybersecurity Review Office shall, within ten (10) working days of receiving the declaration materials for review, determine whether the review is required and notify the operators in writing. Where the Cybersecurity Review Office deems it necessary to conduct a cybersecurity review, it shall complete the preliminary review within thirty (30) working days from the date of issuing a written notice to the operators; if the case is complicated, the said time limit may be extended by fifteen (15) working days. Members of the cybersecurity review working mechanism and relevant CII protection departments shall give a written reply to the operator within fifteen (15) working days of receiving the suggested finding. If the members of the cybersecurity review working mechanism have not reached a unanimous agreement on the suggested finding, the case shall enter the special review process. The special review process shall generally be completed within three (3) months, and may be extended if the case is complicated.
In conclusion, the general procedure takes a maximum of 70 (10+30+15+15=70) working days from the date of application. However, the maximum duration of the special review process is 70 working days + 3 months + n working days ≈ 135 + n working days, meaning that the actual calendar time needed to complete such a process may reach 180 days (6 months) or more.
8) Effective date of the Draft for Comment
Considering the recent cybersecurity review enforcement developments and the focus of the Draft for Comment on regulating activities such as listings abroad, we do not rule out the possibility that the Draft for Comment will take effect soon. However, even if it has not yet come into effect or will only come into effect at a later date, considering that some enterprises have already been investigated and punished, we understand that enterprises can reduce their risk to a certain extent by preparing countermeasures in advance, rather than relying on the defense that the Draft for Comment has not come into effect.
Basic issues
1) What are critical information infrastructure operators?
Critical information infrastructure (CII) includes the information infrastructure in such important industries and fields as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, as well as other information infrastructure whose destruction, loss of function or data leakage may result in serious damage to state security, the national economy, the people’s livelihood and the public interest. However, the specific scope of CII and its security protection measures have not been officially promulgated yet.
In accordance with the Guiding Opinions on Implementing the Graded Protection System for Cybersecurity and the Security Protection System for Critical Information Infrastructure promulgated by the Ministry of Public Security in 2020, competent and regulatory authorities in charge of such important industries and fields as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and science and technology industry for national defense shall develop the rules for the identification of CII in such industries and fields and file the same with the Ministry of Public Security for record. In addition, they shall include eligible basic networks, large private networks, core business systems, cloud platforms, big data platforms, Internet of things, industrial control systems, intelligent manufacturing systems, new Internet, emerging communication facilities and other key objects under protection into CII.
2) What are competent authorities for cybersecurity review?
Competent authorities for cybersecurity review mainly include the cybersecurity review working mechanism of the PRC and the Cybersecurity Review Office.
Among them, the cybersecurity review working mechanism is established by the CAC in concert with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, China Securities Regulatory Commission, the National Administration of State Secrets Protection and the State Cryptography Administration.
Cybersecurity Review Measures
In this article, any reference to Hong Kong, Macao and Taiwan shall be construed as a reference to the Hong Kong Special Administrative Region of the PRC, the Macao Special Administrative Region of the PRC and the Taiw