On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies:  Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).

According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.”  This is the first time that CRO has publicly announced the initiation of cybersecurity reviews against companies since the Measures took effect on June 1, 2020.  Per the announcements, these apps are prohibited from registering new user accounts during the review period.

Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here).  It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.

This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information.

What is “Cybersecurity Review” Under the Measures?

According to Article 35 of the CSL, operators of Critical Information Infrastructure (“CII Operators”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security.  To implement this requirement, CAC and other relevant government agencies jointly released the Measures on April 27, 2020, replacing the Measures on the Security Review of Network Products and Services (Trial) issued in 2017.  The Measures took effect on June 1, 2020.

Under the Measures, the “network products and services” that may be subject to this review cover a wide range of products and services, including “core network equipment, high-capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services,” and other network products or services that have an important impact on CII (Article 20, Measures).  When carrying out a review, the reviewers consider the following factors (Article 9, Measures):

  • CII’s risk of being illegally manipulated, interfered with, or undermined, and the risk of the loss, breach, and destruction of important data caused by the use of network products and services;
  • Damage to the business continuity of CII caused by supply disruptions of network products and services;
  • The security, openness, transparency, and source diversity of the network products and services, the reliability of supply channels, and the risk of supply disruptions due to political, diplomatic, and trade factors;
  • Whether the provider has been in compliance with Chinese laws and regulations; and
  • Other factors that could compromise CII security and national security.

The Measures establish a high-level interagency cybersecurity review body.  Led by CAC, the review body consists of members from eleven other government agencies (“Members”), including, for instance, the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security, the Ministry of State Security, and the State Administration for Market Regulation.  As a dedicated working body under the CAC, CRO is responsible for shaping policies and coordinating the enforcement of the cybersecurity review framework (Article 4, Measures).

Once the review process is initiated, in regular cases, CRO and Members will complete the review and issue a written notification to the CII Operator within 45 working days (which may be extended by 15 working days, depending upon review complexity).  If a special review process is triggered (i.e., when CRO and Members cannot reach unanimous agreement in the regular review process), CRO and Members will take another 45 working days (which may be extended, depending upon review complexity) to complete the process (Article 12, Measures).  A flowchart specifying the above review process can be found here.

What is the Focus of the Current Cybersecurity Reviews?

Based on the official FAQ released by CAC in April 2020, CAC considers CII critical for safeguarding China’s national security, maintaining social stability, and protecting public interests.  The cybersecurity review mechanism was therefore established to address national security risks associated with CII Operators’ procurement of products and services, and the Measures aim to provide additional guidance for evaluating these supply chain risks (Official FAQ released by CAC available here).

In the current cybersecurity reviews of Didi and other Chinese companies, it is possible that the scope of the review will expand to assess the more broadly defined “national data security risks,” rather than the prior narrow focus on the supply chain risks of CII Operators.  Although not mentioned in CRO’s announcements, commentators noted in Global Times that “in the listing process in the US, some important data and personal information held by Chinese companies may be revealed due to the US regulation request” and thus “(public) listing in the US could lead to security risks.”  Therefore, these reviews may focus on “risks associated with cross-border transfer of important data and personal information.”

Notably, this type of review addressing broadly defined “data security risks” could reflect a regulatory trend in China: the Data Security Law (“DSL”), which was enacted on June 10, 2021 and will take effect on September 1, 2021, calls for the establishment of a system for “national security review” to examine any data activities that are deemed to pose risks to national security (Article 24, DSL).  It is possible that more reviews will be initiated under the DSL once it takes effect.

Enforcement Actions Against Mobile Applications

Apart from the cybersecurity review on Didi, CAC also separately announced on July 4 that the Didi app must be removed from app stores due to its violation of personal information protection rules.  While the announcement issued by CAC only explicitly refers to the CSL as its legal basis, China has also released several regulations and national standards that impose personal information protection requirements on app operators over the last few years.  For example, both the Regulation on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications and the draft Interim Rules on Managing Personal Information Protection of Mobile Internet Applications were released in 2021.

Based on these rules, multiple agencies have launched various enforcement actions during the past year.  For example, in addition to the action against the Didi app, CAC issued a notice on May 21, 2021 requiring 105 mobile applications that “violate the principle of necessity, collecting personal information that is irrelevant to the service that [is] offered etc.” to take corrective actions.  MIIT has also taken actions against app operators that illegally collect and process the personal information of app users.

As noted above, it is unclear whether the removal of the Didi app from app stores is connected with the cybersecurity review.  But it highlights that CAC has multiple tools at its disposal to address both national security risks and concerns over the protection of personal information.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.