China’s New Cybersecurity Review Process Takes Effect
On February 15, 2022, the Cyberspace Administration of China (CAC) and 12 other Chinese government departments issued the New Measures for Cybersecurity Review (NMCR), as part of an ongoing effort to regulate tech companies operating in China.
China’s ongoing effort to implement cybersecurity and data privacy regulations began in large part in June 2017 with the implementation of The Cybersecurity Law of the People’s Republic of China, which requires network operators in China to adopt and implement several privacy procedures pursuant to their “security protection duties,” including the adoption of new data retention policies, the creation or amendment of internal security management and operating rules, and the adoption of technical measures and reporting policies that enhance organizational cybersecurity.
The NMCR replaces the Measures for Cybersecurity Review (MCR), which was issued in April 2020 and requires critical information infrastructure operators (CIIOs) to undergo a review process before launching network products and services that the CAC determines to have an influence on national security. Article 21 of the NMCR clarifies that “network products and services” refers to “core network equipment, important telecommunications products, high-performance computers and servers, large-capacity storage devices, large-scale databases and application software, cybersecurity equipment, cloud computing services, and other important network products and services that have important influence on the security of CII, cybersecurity and data security.” The NMCR makes several substantial amendments to the MCR’s regulatory provisions by establishing new reporting requirements and a process for cybersecurity reviews.
Voluntary Application for Review
Under the NMCR, CIIOs acquiring a network product or service, as defined by Article 21, and online platform operators that conduct “data handling activities that influence or may influence national security” are required to conduct a cybersecurity review in accordance with the regulation.
Additionally, when a network platform operator controlling the personal information of more than 1 million users seeks “offshore public listing,” then that operator is required to apply for a review by the Cybersecurity Review Office. The Cybersecurity Review Office (CRO) is under the purview of the CAC and has the “responsibility of formulating cybersecurity review systems and standards and organizing cybersecurity reviews.”
Mandated Application for Review
If any of the 13 regulatory agencies that issued the NMCR determines that a CIIO’s data processing activities, or a network product or service, affect or may affect national security, the CRO has the power to report that concern to the CAC. The CAC will then be tasked with confirming the CRO’s concerns and conducting a cybersecurity review of the organization.
Public Reporting Requirements
NMCR asserts that the cybersecurity review process should ensure the protection of intellectual property rights, prior review and ongoing supervision over the process, and the commitment and social supervision of the organization. Additionally, NMCR allows the CRO to accept reports from the public regarding the need for cybersecurity review of an organization.
Procedure for Cybersecurity Review
Parties that have been flagged for cybersecurity review are required to submit a written declaration reporting on how their organization has influenced or could influence national security.
If the CRO deems it necessary, it will conduct a review process which, according to Article 10 of the NMCR, considers the following factors in assessing the cybersecurity of the party:
- The risks associated with the use of the product or service and the impacts it could have on CII;
- Information about the product or service, including the security, openness, transparency, diversity, and reliability of its sources;
- The compliance history of the provider for the product or service with Chinese national laws, regulations, and department rules; and
- The risks associated with a potential breach and data loss.
Timeline for Review Process
The CRO will, within 10 working days, provide the potentially violating party with written notice of its determination as to whether a cybersecurity review is required. If the CRO determines that a review is necessary, it must complete the preliminary review within 30 working days of issuing the written notice. However, in “cases involving complex situations,” the deadline for preliminary review may be extended by 15 working days. Any of the 13 agencies responsible for the NMCR may issue written notice of their review findings and suggestions within 15 working days of the suggested review conclusion. The review process must generally be completed within 90 working days, subject to extension in complex situations.
Potential Impact of the New Measures
As with any other cybersecurity regulatory scheme, the provisions of the NMCR are intended to protect the data collected, retained, and utilized in the cyber activities of Chinese organizations. But these measures could also have implications for China’s economic outlook. If the EU or the U.S. determine that these regulatory efforts by the Chinese government are insufficient, they could prevent EU and U.S. businesses from utilizing Chinese online services,
Recent reports show an uptick in GDPR enforcement action by the EU’s Information Commissioner’s Office (ICO). Many rulings have been handed down across the EU regarding businesses’ use of cloud services based out of the United States, including a July 2020 ruling where the Court of Justice of the EU found United States data privacy protections to be insufficient, posing a risk to all of the consumers in the EU if their systems are utilized.