On May 24, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures on Cybersecurity Review (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here). The comment period ends on June 24, 2019.
The publication of these Draft Measures marks a critical step forward in implementing the cybersecurity review, which is designated by Article 35 of China’s Cybersecurity Law (“CSL”) to safeguard the procurement of network products and services by Critical Information Infrastructure (“CII”) operators that may impact the national security of China. To implement Article 35 of the CSL, the CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors. (For more information, please see Covington’s alert on the Trial Measures here). These Draft Measures update the review process and, once finalized, will replace the previous Trial Measures.
With the stated goal to improve the cybersecurity protection of CII, the Draft Measures introduce the concept of “security and controllability.” To ensure “security and controllability,” product and service providers must not (i) illegally access users’ data, (ii) illegally control or manipulate users’ devices, or (iii) seek any illegitimate interest or force users to upgrade their network products and services by exploiting the dependence of users on those products and services (Article 18).
The Draft Measures also offer more guidance on the scope, criteria and specific stages of the review process, as explained below.
Scope of Review
The Draft Measures provide that when a CII operator seeks to procure network products and services, if such procurement may affect China’s national security it must follow the cybersecurity review process laid out in the Draft Measures (Article 2). This process includes a self-assessment of risks associated with the procurement and, if the self-assessment flags specific risks, then a mandatory review by CAC.
First, before procuring any network products or services, CII operators are required to assess the potential risks associated with such products or services and generate a security risk report. The security risk report may later be submitted to CAC as part of the cybersecurity review.
Second, CII operators are obliged to apply for a cybersecurity review (conducted by the Cybersecurity Review Office) if the risk report shows that the products or services to be procured could result in any of the following situations (Article 6):
- shutdown of the entire CII or inoperability of core parts of CII;
- breach, loss, damage or cross-border transfer of a “massive” volume of personal information or other important data;
- supply chain security threats that could compromise the operation, maintenance, technical support or upgrading of CII; or
- other potential risks that may materially harm the security of CII.
Several governmental agencies are also empowered to proactively initiate a cybersecurity review if the respective agency believes that the procurement of certain network products or services may affect national security (Article 19), presumably even if the CII operator does not apply for the cybersecurity review when procuring the specific products or services. It is unclear from the wording of Article 19 whether the Chinese government may also exercise this “proactive review” discretion for non-CII operators.
Third, when a CII operator seeks to procure network products and services subject to a cybersecurity review, the Draft Measures require that the CII operator specifies in its procurement agreements that the provider must assist the CII operator with the cybersecurity review, and the procurement is dependent upon successful completion of the cybersecurity review. This is to say that the procurement agreement cannot take effect unless the products or services pass the cybersecurity review (Article 7).
Led by CAC, a national cybersecurity review body will consist of members from eleven government agencies (“Members”), including the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration.
Under this national cybersecurity review body, a Cybersecurity Review Office will be created to serve a coordinating role in shaping policies and supervising the enforcement of review results (Article 5).
Substantive Criteria: Secure and Controllable
When conducting cybersecurity reviews, Members will assess the national security risks associated with the procurement of certain network products and services. More specifically, the review will focus on the following risks (Article 10):
- implications for the continuous, secure and stable operation of CII, including the possibility of being manipulated, interfered or otherwise disrupted;
- the possibility of breach, loss, damage or cross-border transfer of a “massive” volume of personal information or other important data;
- the “controllability, transparency and supply-chain security” of the products and services, including the possibility of supply chain disruption due to political, diplomatic, or trade relations (or other non-technical reasons);
- influence on technologies and industries relating to national defense, military industry and CII;
- whether the provider has been in compliance with Chinese laws and regulations, as well as the “responsibilities and obligations” the provider undertakes;
- whether the product or service provider has “received funds from foreign governments” or is “controlled” by a foreign government; and
- other risks that could compromise CII security and national security.
Some of the risks have been described vaguely and their precise meaning are not entirely clear. But, it is clear that Members will have ample discretion to evaluate how a particular procurement may affect China’s national security, including looking into the background of the provider.
The Draft Measures provide that the cybersecurity review process is divided into two phases: (i) the preliminary review, and (ii) the special review.
Upon receipt of the required application materials, the Cybersecurity Review Office will complete its review within 30 days, with a possibility of a 15-day extension for complex cases (Article 9).
The Cybersecurity Review Office will then issue a review recommendation within 15 days and circulate it to Members for comments. The review recommendation could be either “pass”, “conditional pass” or “fail.” Member agencies are required to provide their comments within 15 days, and if a unanimous conclusion is reached, then the Cybersecurity Review Office will notify the applicants of the review result in writing; otherwise, a special review will be triggered (Article 11).
In the event of a special review, the Cybersecurity Review Office will first consult with relevant government agencies and experts, and then will circulate an updated review recommendation to the Member agencies to consider and provide their comments. Then, the Cybersecurity Review Office will submit the updated review recommendation to the Central Cyber Affairs Commission (the party organ that supervises CAC) for approval (Article 12).
The special review will be completed within 45 days and could be extended for complex cases. The Draft Measures are silent with regards to how long the special review process could be extended (Article 13).