On May 24, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures on Cybersecurity Review (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here). The comment period ends on June 24, 2019.

The publication of these Draft Measures marks a critical step forward in implementing the cybersecurity review, which is designated by Article 35 of China’s Cybersecurity Law (“CSL”) to safeguard the procurement of network products and services by Critical Information Infrastructure (“CII”) operators that may impact the national security of China. To implement Article 35 of the CSL, the CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors. (For more information, please see Covington’s alert on the Trial Measures here). These Draft Measures update the review process and, once finalized, will replace the previous Trial Measures.

With the stated goal to improve the cybersecurity protection of CII, the Draft Measures introduce the concept of “security and controllability.” To ensure “security and controllability,” product and service providers must not (i) illegally access users’ data, (ii) illegally control or manipulate users’ devices, or (iii) seek any illegitimate interest or force users to upgrade their network products and services by exploiting the dependence of users on those products and services (Article 18).

The Draft Measures also offer more guidance on the scope, criteria and specific stages of the review process, as explained below.

Scope of Review

The Draft Measures provide that when a CII operator seeks to procure network products and services, if such procurement may affect China’s national security, it must follow the cybersecurity review process laid out in the Draft Measures (Article 2). This process includes a self-assessment of risks associated with the procurement and, if the self-assessment flags specific risks, a mandatory review by CAC.

First, before procuring any network products or services, CII operators are required to assess the potential risks associated with such products or services and generate a security risk report. The security risk report may later be submitted to CAC as part of the cybersecurity review.

Second, CII operators are obliged to apply for a cybersecurity review (conducted by the Cybersecurity Review Office) if the risk report shows that the products or services to be procured could result in any of the following situations (Article 6):

  • shutdown of the entire CII or inoperability of core parts of CII;
  • breach, loss, damage or cross-border transfer of a “massive” volume of personal information or other important data;
  • supply chain security threats that could compromise the operation, maintenance, technical support or upgrading of CII; or
  • other potential risks that may materially harm the security of CII.

Several governmental agencies are also empowered to proactively initiate a cybersecurity review if the respective agency believes that the procurement of certain network products or services may affect national security (Article 19), presumably even if the CII operator does not apply for the cybersecurity review when procuring the specific products or services. It is unclear from the wording of Article 19 whether the Chinese government may also exercise this “proactive review” discretion for non-CII operators.

Third, when a CII operator seeks to procure network products and services subject to a cybersecurity review, the Draft Measures require that the CII operator specify in its procurement agreements that the provider must assist the CII operator with the cybersecurity review, and that the procurement is dependent upon successful completion of the cybersecurity review. This is to say that the procurement agreement cannot take effect unless the products or services pass the cybersecurity review (Article 7).

Review Agencies

Led by CAC, a national cybersecurity review body will consist of members from eleven government agencies (“Members”), including the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration.

Under this national cybersecurity review body, a Cybersecurity Review Office will be created to serve a coordinating role in shaping policies and supervising the enforcement of review results (Article 5).

Substantive Criteria: Secure and Controllable

When conducting cybersecurity reviews, Members will assess the national security risks associated with the procurement of certain network products and services. More specifically, the review will focus on the following risks (Article 10):

  • implications for the continuous, secure and stable operation of CII, including the possibility of being manipulated, interfered with or otherwise disrupted;
  • the possibility of breach, loss, damage or cross-border transfer of a “massive” volume of personal information or other important data;
  • the “controllability, transparency and supply-chain security” of the products and services, including the possibility of supply chain disruption due to political, diplomatic, or trade relations (or other non-technical reasons);
  • influence on technologies and industries relating to national defense, military industry and CII;
  • whether the provider has been in compliance with Chinese laws and regulations, as well as the “responsibilities and obligations” the provider undertakes;
  • whether the product or service provider has “received funds from foreign governments” or is “controlled” by a foreign government; and
  • other risks that could compromise CII security and national security.

Some of the risks have been described vaguely and their precise meaning is not entirely clear. But it is clear that Members will have ample discretion to evaluate how a particular procurement may affect China’s national security, including looking into the background of the provider.

Review Process

The Draft Measures provide that the cybersecurity review process is divided into two phases: (i) the preliminary review, and (ii) the special review.

Preliminary Review

Upon receipt of the required application materials, the Cybersecurity Review Office will complete its review within 30 days, with a possibility of a 15-day extension for complex cases (Article 9).

The Cybersecurity Review Office will then issue a review recommendation within 15 days and circulate it to Members for comments. The review recommendation could be either “pass”, “conditional pass” or “fail.” Member agencies are required to provide their comments within 15 days, and if a unanimous conclusion is reached, then the Cybersecurity Review Office will notify the applicants of the review result in writing; otherwise, a special review will be triggered (Article 11).

Special Review

In the event of a special review, the Cybersecurity Review Office will first consult with relevant government agencies and experts, and then will circulate an updated review recommendation to the Member agencies to consider and provide their comments. Then, the Cybersecurity Review Office will submit the updated review recommendation to the Central Cyber Affairs Commission (the party organ that supervises CAC) for approval (Article 12).

The special review will be completed within 45 days and could be extended for complex cases. The Draft Measures are silent with regards to how long the special review process could be extended (Article 13).

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Nicholas Shepherd

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national implementing laws, EU/UK direct marketing laws, emerging state privacy laws in the United States, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border data transfers, data breach response, artificial intelligence, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements on transparency, consent, lawful processing, data sharing, and related issues.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick now leverages his multi-faceted legal background and international experience from the U.S. to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.