Search This Section
11 Jul 2021
Following the recent cybersecurity reviews imposed on domestic Internet companies such as DIDI and Full Truck Alliance Group after their public offerings in the United States, on July 10, 2021, the Cyberspace Administration of China ("CAC") released new Measures for Cybersecurity Review (Revised Draft for Comment) (the "Revised Draft Measures"), which is proposed to revise the existing Measures for Cybersecurity Review (the "Existing Measures") that have been in effect for just over a year. This Revised Draft Measures comes after the recent promulgation of the PRC Data Security Law on June 10, 2021 (“Data Security Law”), which place increased emphasis on China’s data protection regime and the existing Cybersecurity Review regime, which will be further consolidated and integrated, reflecting regulators’ increased focus on data security issues. Key points of the Revised Draft Measures are summarized below.
1. Expansion of Cybersecurity Review Subjects and Trigger Conditions
Under the Revised Draft Measures, "data processors" would be included among the applicable subjects of relevant cybersecurity reviews. The Revised Draft Measures no longer limits the scope of cybersecurity review procedures to only critical information infrastructure operators ("CIIOs"), but extend it to the wider concept of data processors. In particular, data processors would be required to undergo cybersecurity reviews if their data processing activities affect or may affect issues of national security, even if such parties are not CIIOs.
Following the same logic, data processing activities would also be included among the subject matter of cybersecurity reviews. Specifically, the Revised Draft Measures expands regulated activities to include "data processing activities" that affect or may affect national security, and the regulated activities would no longer be limited to just the "procurement of network products and services". According to the Data Security Law, data processing activities are broadly defined to include the collection, storage, use, processing, transmission, provision, and publication of data.
2. Cybersecurity Reviews Would Become a Precondition for Certain Companies Seeking to List Outside of the Country
Article 6 of the Revised Draft Measures provides that "where companies with personal information of more than 1 million users intend to conduct listings outside of the country, they must apply to the Office of Cybersecurity Reviews for cybersecurity reviews". Therefore, any data processors with personal information of more than 1 million users that intend to list outside of the country would need to undergo cybersecurity reviews (regardless of whether their data processing activities affect or may affect national security). Notably, the use of “outside of the country” instead of “overseas” in the legislative drafting leads us to believe that, according to customary legislative practices, the scope of such requirements would likely not include listings in Hong Kong, as regulators instead view the Hong Kong Special Administrative Region as part of the PRC and therefore not “outside of the country”.
Additionally, the Revised Draft Measures appears to envision greater coordination of mechanisms aimed at cybersecurity reviews when such procedures are triggered by a listing “outside of the country”. The Revised Draft Measures would add the China Securities Regulatory Commission (“CSRC”) to the group of PRC regulatory authorities tasked with overseeing cybersecurity review mechanisms. This particular revision aligns with the data security regulatory responsibilities set forth in the Opinions on Strictly Cracking Down on Illegal Securities Activities in Accordance with the Law jointly issued by the General Office of the Central Committee of the Communist Party of China and the State Council on July 6, 2021.
Although the Revised Draft Measures technically do not specify whether cybersecurity reviews need to be completed by PRC companies prior to listings "outside of the country", considering the overall content of the Revised Draft Measures and the regulatory nature of cybersecurity review procedures, we are of the view that such procedures should essentially be interpreted as a prerequisite to applicable listings outside of the country and proposed IPO materials would need to be furnished to regulatory authorities before carrying out such listings.
3. The Revised Draft Measures Would Supplement Review Factors for Listings Outside of the Country
Article 10 of the Revised Draft Measures further adds data-based national security risk factors that would need to be considered in the course of conducting cybersecurity reviews. Such factors include: (1) the risk that core data, important data or large amounts of personal information may be stolen, leaked, damaged, illegally used or transmitted abroad; and (2) the risk that core data, important data, or large amounts of personal information may be influenced, controlled, or maliciously used by foreign governments after a PRC company lists "outside of the country”. In the case of listings "outside of the country” by PRC companies, if the competent authorities believe that a listing by data processors may result in the cross-border transfer of important data or large amounts of personal information, or if they believe that large amounts of personal information or important data could potentially be controlled or influenced by foreign governments, then such authorities would be entitled to conclude that the proposed listing "outside of the country” may jeopardize national security.
It is worth noting that, although the aforementioned rules regarding listings "outside of the country" are technically only envisioned for PRC companies possessing personal information of over 1 million users, in practice, considering the expanded application scope mentioned above and the review factors that have been supplemented by the Revised Draft Measures, we believe that even if a PRC company possesses personal information of less than 1 million users, such company should not rule out the possibility of being required to perform cybersecurity reviews if the Revised Draft Measures are adopted and promulgated (substantially in their current form), especially if there is a risk or appearance that the core data, important data or personal information under the control of such company could be influenced, controlled or maliciously used by foreign governments. Accordingly, all PRC companies that seek to list on foreign exchanges should be aware of these new regulations and take them seriously.
4. Cybersecurity Review Results May Materially Adversely Affect Listings Outside of the Country
The Revised Draft Measures includes the Data Security Law as its legislative basis. The Data Security Law provides: "The State shall establish a data security review system, under which data processing activities that affect or may affect national security shall be subject to national security review." The Data Security Law further explicitly stipulates that "the decisions issued in connection with security reviews made in accordance with the law shall be final," which means that the review results under the Revised Draft Measures would be binding not only on companies undergoing such reviews, but also on the government authorities involved in carrying out cybersecurity review. This includes an array of various government authorities (such as the CSRC, the Ministry of Commerce, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the State Administration for Market Regulation, the National Development and Reform Commission, CAC, etc.). In short, if the conclusion of a security review identifies that a proposed listing “outside of the country” may invite data security risks, then such regulators would be empowered to intervene and may materially adversely affect the proposed listing “outside of the country”.
5. Extension of the Special Review Period
According to the Existing Measures, the statutory timeframe for general security reviews is 70 working days (calculated from the submission of complete materials), and at least a further 45 working days are required if a “special review process” is triggered (i.e., in the event that regulators overseeing the review are unable to reach agreement on the conclusion of the cybersecurity review). However, under the Revised Draft Measures, the special review process would be extended from 45 working days to 3 months, subject to further extension should complications arise. In addition, the cybersecurity review adopts a "clock-stopping” mechanism, according to which time spent preparing supplementary materials would not be counted toward the statutory review period. Therefore, in practice, regulators would have considerable discretion to extend such periods even further.
6. Enhanced Liability
Finally, with having the Data Security Law as the legal basis of the Revised Draft Measures, it also would supplement the potential penalties that may be issued under the Data Security Law. Compared to the Cybersecurity Law, the Data Security Law now allows for heavier punishment of companies that violate data security regulations. The Data Security Law increases the maximum amount of fines from RMB 1 million under the Cybersecurity Law to RMB 10 million under the new framework, and it also specifies that if an entity violates the management systems of national core data in a manner that endangers national sovereignty, national security, or China’s development interests, such entity may be ordered to suspend its relevant business to cease operations until rectification measures have been adopted, or to have its business permits and operating licenses revoked. In the event that such a violation amounts to criminal activity, responsible parties may also be held criminally liable in accordance with PRC law.