China Publishes Revised Cybersecurity Review Measures.

Legal News & Analysis - Asia Pacific - China - Cybersecurity

China Publishes Revised Cybersecurity Review Measures.

 

22 July 2021

 

Asia Pacific Legal Updates

 

Introduction

On 10 July, the Cybersecurity Administration of China (“CAC”) released a draft of the revised Cybersecurity Review Measures1 for public consultation until 25 July (the “2021 Measures”). Release of these rules comes at a time of increased focus on mainland Chinese companies seeking to list in the US.
 

This alert aims to summarise some of the key implications of the 2021 Measures relevant to mainland Chinese enterprises as well as their investors and advisors.
 

Regulatory framework
 

In the past 10 days, the CAC has announced a number of cybersecurity investigations into Chinese mobile app operators following their recent US listings. Reviews of tech players for national security reasons have largely been unprecedented, notwithstanding the enactment of the Cybersecurity Law more than four years ago. However, enforcement in this area may rise following recent developments.
 

The last version of the Cybersecurity Review Measures was released in April 2020 and came into effect in June that year (the “2020 Measures”). The 2021 Measures refresh China’s cybersecurity review mechanism following the publication of the Data Security Law (the “DSL”)2 exactly one month before. The DSL will come into force on 1 September this year and form the second of the three key laws in mainland China’s cybersecurity framework alongside the Cybersecurity Law (the “CSL”)3 and the forthcoming Personal Information Protection Law (the “PIPL”)4 . In fact, the PIPL is also expected to be released soon following its third reading by the Standing Committee of the National People’s Congress and will provide a sound foundation of data security and data management rules on which to continue building out a digital economy that already provides approximately 40% of mainland China’s GDP growth5 . See our previous alerts on the DSL and PIPL for more details.

Broader scope of application
 

The applicability of China’s cybersecurity review process has been extended under the 2021 Measures to any business operator that holds the personal information of more than one million users when it intends to seek a foreign listing. With the number of mainland China’s netizens approaching one billion 6 , this threshold would catch a significant proportion of mainland Chinese platforms given their huge user bases.
 

The 2021 Measures do not expressly indicate whether Chinese enterprises that have already filed to list abroad will be subject to this review requirement or whether further issuances by listed companies are in-scope of the review.
 

By comparison, under the 2020 Measures, in line with the framework set out by the CSL7 , only operators of critical information infrastructure (“CII”) were required to apply for review by the Cybersecurity Review Office (the “CRO”) when procuring network products or services. This narrower application has been extended under the 2021 Measures to any data processor that conducts data processing activities that affect or may affect national security.
 

Review process
 

Compared with the 2020 Measures, the timeline for completion of any cybersecurity review process has been extended:
 

Step  Details  Timing
Go/no-go decision CRO to decide if it will conduct a cybersecurity review 10 working days from receipt of an application
Preliminary review If a review is commenced, CRO will complete a preliminary review and send recommendations to a designated body of members of the network security review mechanism and certain government departments for further consideration 30 working days from providing a written notification to the applicant
Government ministry and department review Members of the network security review mechanism and the designated departments to comment on the recommendations before the applicant is notified of the findings 15 working days from being brought into the review process 
Special review CRO will conduct an in-depth analysis of the case if the members of the network security review mechanism and the designated departments consider that a special review process should be undertaken given the nature of the business in question 3 months, extended from 45 working days under the 2020 Measures
Complex case CRO may further extend the timetable for special review procedures in complex cases Timing of any extension is subject to the complexity of the case
Supplementary information requests   Review clock is stopped where the CRO requests additional materials to be submitted Incentivises applicants to be efficient in responding to requests in order to minimise potential impact to their listing timetables or other business activities, as applicable

 

The China Securities Regulatory Commission (the “CSRC”) has been added in the 2021 Measures to the list of mainland Chinese authorities that are to be involved in formulating the national network security review mechanism. This change under the 2021 Measures means that the CSRC can instruct the CRO to obtain approval from the Central Cyberspace Affairs Commission to conduct a cybersecurity review of any proposed foreign public offering of a mainland Chinese operator where the capital markets regulator considers the listing affects or is likely to affect China’s national security. 
 

 

Substance of review
 

In line with the other changes described above, the cybersecurity review mechanism has been expanded from the 2020 Measures to include assessment of the possible national security risks arising from foreign listings. More specifically, factors relevant to the review now also include:
 

  •  the risk of theft, disclosure, destruction and illegal use or export of core data8 , important data9 or large amounts of personal information; and
     
  •  the risk to CII, core data, important data or large amounts of personal information from the influence, control or malicious exploitation by foreign governments. 


Confidentiality concerns
 

The 2021 Measures include an additional requirement compared with the 2020 Measures for disclosure of the applicant company’s “IPO materials” where it is seeking a foreign listing. However, the scope of this vague term is undefined, so it is unclear whether applicants would need to disclose all documents, for example documents produced by their financial advisors and lawyers in connection with the IPO process in addition to those documents submitted to foreign listing authorities.
 

The CRO is under an obligation to keep all materials submitted to it confidential and the applicant has a right of appeal where it feels confidentiality has been breached.
 

Sanctions
 

Sanctions that could be imposed for breach of the 2021 Measures are stated to be those set out under the CSL and DSL. This is noteworthy because of the sharp increase in fines under the final form of the DSL, with the maximum penalty being RMB10 million (or approximately USD 1.56 million) and/or suspension or revocation of the company’s business licence.
 

Conclusion
 

The release of the 2021 Measures is widely perceived as part of the larger trend of increased regulatory focus over cybersecurity issues and mainland Chinese companies seeking a foreign listing. Further clarifications and guidance on the 2021 Measures will be welcomed by market participants, including international investors and advisors that have benefited from the phenomenal growth of mainland China’s tech industry and the foreign listing of leading mainland Chinese tech companies. The impact of the proposed rules on listing timetables – and in certain cases listing certainty – when seeking to raise capital on other foreign listing venues, will be an important factor for issuers and advisors to consider.  
 

 

For further information, please contact:

 

Gilbert Li, Partner,  Linklaters

[email protected]