PRC Legal Update – Measures for Cyber Security Review

On 28 December 2021, the PRC government published the new Measures for Cyber Security Review (the “Measures”), which came into effect on 15 February 2022 and replaced the previous version, which had been effective since 1 June 2020 (the “Old Measures”).

Highlighted below are some key points of the Measures, as well as important developments compared to the Old Measures.

Scope of Application

Compared to the Old Measures, the Measures extend the scope of cyber security review to network platform operators, in addition to critical information infrastructure operators (“CIIOs”) as prescribed under the Old Measures. However, the Measures are silent on the definition of network platform operators. We also have not seen any other effective laws or regulations that clearly define network platform operators. Taking the Regulations on Network Data Security Management (Draft for Comments) released by the Cyberspace Administration of China on 14 November 2021 as a reference, internet platform operators refer to the data processors that provide users with information release, social contact, exchange, payment, audio, visual and other Internet platform services. We reasonably expect that the definition of network platform operators should be similar to the definition of internet platform operators as set out above.

Cyber Security Review Obligations

Both CIIOs and network platform operators will now be subject to an obligation to conduct cyber security review proactively.

Network platform operators are obliged to evaluate cyber security risks to the extent that their data handling activities may affect national security. Data handling activity is not a defined term in the Measures; rather, it is a very broad concept used in different laws and regulations in relation to cyber security and data protection. As the Measures refer to the Data Security Law, effective as of 1 September 2021, as one of their superordinate laws, data handling activity is defined thereunder to cover the collection, storage, use, processing, transmission, provision, disclosure, etc. of data. Besides the general obligation of cyber security review imposed on companies, the Measures do not have specific requirements in this regard except for the obligations for overseas listings (please refer to the next section for details).

When CIIOs purchase network products and services, they should assess in advance the national security risks that may arise after the products and services are put into use. If such products or services may affect national security, CIIOs are obliged to proactively present this to the cyber security review office for a cyber security review. When the application for cyber security review is triggered by procurement activities, CIIOs should ask the providers of the products or services to cooperate, for example by committing in the procurement agreements not to take advantage of the convenience of providing the products or services to illegally obtain user data or illegally control and manipulate user devices.

Special Obligations for Overseas Listings

Network platform operators that possess the personal information of more than one million users should apply to the cyber security review office if they are planning to undertake an overseas IPO or listing.

This is a new requirement compared to the Old Measures, and it is consistent with the change that the Measures add the China Securities Regulatory Commission (responsible for listing approval and filing) as one of the competent governmental authorities.

As written in the Measures, companies to be listed in Hong Kong seem to have been exempted from the cyber security review obligations, as the provisions in the Measures clearly refer to listing “in foreign countries”. Nevertheless, the authority could initiate the cyber security review by itself (after obtaining proper approval internally) if it believes the network product or service or a data handling activity may affect national security, even if such threshold of one million users’ personal information is not met.

Conclusion

The digital age is creating more opportunities as well as compliance risks and threats, and the corresponding laws and regulations are to be updated or amended continuously and gradually.

The Measures imply that the governance and administration of the cyber security regime are becoming increasingly tight and detailed, and we would expect more detailed regulations, rules and policies to be promulgated in the near future to supplement the Measures.

********

If you have any question or comment on this topic or any other matters related to foreign companies doing business in China or Chinese investments in Europe, please do not hesitate to contact Magnusson’s China Group.
