Insights on the Measures for Cybersecurity Review by the Cyberspace Administration of China
Right after the Cyberspace Administration of China (CAC) announced the removal of 25 Didi-related apps from app stores on July 9, 2021, the CAC began soliciting public opinion on the Measures for Cybersecurity Review (the Measures, for short) on July 10, 2021. The close date for comments and feedback is July 25, 2021. The Measures purports to ensure the security of critical information infrastructure (CII), core data, important data, and personal information, and enumerates the conditions under which a company must undergo a cybersecurity review.
When should a firm be reviewed?
In general, if the network products and services a company purchases can affect China’s national security, a cybersecurity review conducted by the CAC is mandatory. Specifically, the CAC states that a company should perform a self-assessment of the potential national security risks posed by the network products and services it has purchased. If those products and services will, or may, affect national security, the company should then apply to the CAC for a cybersecurity review.
Why now? What is the intent of the new regulations?
The timing of the Measures is not random. On December 18, 2020, President Biden signed into law the Holding Foreign Companies Accountable Act, which requires audit inspections of foreign firms, especially Chinese firms, about to be listed on U.S. stock exchanges. The required audit inspections would expose operational data from Chinese businesses, creating potential data security risks. On June 3, 2021, President Biden signed an Executive Order (E.O.) addressing the threat from securities investments, which established a new list of 59 Chinese companies in which U.S. investment is prohibited. The CAC’s publication of the Measures is therefore likely a response to the potential data security risks posed by the U.S. legislation and a reaction to President Biden’s current intransigent stance toward China.
What are the consequences of non-compliance?
Non-compliance could, at worst, result in a shutdown. According to the Measures, non-compliance will be handled under the Cybersecurity Law and the Data Security Law. The Data Security Law provides for two tiers of penalties:
1. Relevant departments will order a correction and issue a warning; a fine of not less than 100,000 RMB ($15,460) but not more than 1,000,000 RMB ($154,600) will be imposed on the company; and the person(s) directly in charge of the activity will be fined not less than 10,000 RMB ($1,546) but not more than 100,000 RMB ($15,460).
2. In more severe cases, a fine of not less than 1,000,000 RMB ($154,600) but not more than 10,000,000 RMB ($1,546,000) shall be imposed; the relevant business may be ordered to suspend operations; the relevant business license may be revoked; and the person(s) directly in charge of the activity will be fined not less than 100,000 RMB ($15,460) but not more than 1,000,000 RMB ($154,600).
Where are the new policies going in the future?
The Measures for Cybersecurity Review is only a starting point for the Chinese authorities’ consolidation of national data security and cybersecurity. More specific provisions and regulations in this field are expected.
The penalties for non-compliance are set by the Data Security Law, which comes into effect on September 1, 2021, so the Measures should take effect on September 1, 2021, or later.
The comprehensive interagency data governance system that Chinese policymakers are attempting to build is still at an early stage, but the authorities are now actively working toward that goal. Since the Cybersecurity Law was published in 2017, Chinese policymakers have targeted personal information protection, the first area of data security China has tackled, and the protection of so-called “important data” and “core data,” whose leakage affects national security. Laws on maintaining the security of important data and core data are therefore expected in the future.
According to China’s 14th Five-Year Plan, cybersecurity laws and regulations covering new technologies, such as cloud computing, big data, artificial intelligence, blockchain, and the Internet of Things, are expected. In addition, the scope of critical information infrastructure will expand to include data from more industries and from the Chinese government, so penalties for cybersecurity incidents and data breaches are expected to be toughened further.
Concerns about the Measures
1. The Measures requires critical information infrastructure operators (CII operators) and data processors to submit cybersecurity review requests, but the vague definition of a CII operator leaves companies uncertain whether this obligation applies to them. Whether a company is identified as a CII operator depends on the Chinese government’s position toward that company; in other words, the government has the final say in categorizing an enterprise as a CII operator. The Measures does list various technologies and sectors that would subject a company to a cybersecurity review, but companies are encouraged to contact the CAC directly to determine whether a review is necessary.
2. CII operators must conduct self-assessments of their potential national security risks, but there is no industry-specific guidance on how to do so. The Measures only states that relevant departments should formulate risk assessment guidelines for different industries, meaning those guidelines do not yet exist. This leaves companies with no criteria to follow when estimating risk. Until those industry-specific guidelines are published, companies are encouraged to use Article 10 of the Measures as the criteria for assessing potential risks.
3. Will cybersecurity reviews become a way to discriminate against foreign companies’ products and services? The short answer is “not likely.” At the press conference on the Measures, the official in charge at the CAC cited opening-up as one of China’s basic national strategies, so the cybersecurity reviews required by the Measures are more likely intended to set a baseline for data security than to hamper foreign companies’ operations in China.