On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies: Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).
According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.” This is the first time that CRO has publicly announced the initiation of cybersecurity reviews against companies since the Measures took effect on June 1, 2020. Per the announcements, these apps are prohibited from registering new user accounts during the review period.
Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here). It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.
This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information.
What is “Cybersecurity Review” Under the Measures?
According to Article 35 of the CSL, operators of Critical Information Infrastructure (“CII Operators”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security. To implement this requirement, CAC and other relevant government agencies jointly released the Measures on April 27, 2020, replacing the Measures on the Security Review of Network Products and Services (Trial) issued in 2017. The Measures took effect on June 1, 2020.
Under the Measures, “network products and services” that may be subject to this review cover a wide range of products and services, including “core network equipment, high-capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services,” and other network products or services that have an important impact on CII (Article 20, Measures). When carrying out the review, the factors to be considered include (Article 9, Measures):
- CII’s risk of being illegally manipulated, interfered with, or undermined, and the risk of the loss, breach, and destruction of important data caused by the use of network products and services;
- Damage to the business continuity of CII caused by supply disruptions of network products and services;
- The security, openness, transparency, and source diversity of the network products and services, the reliability of supply channels, and the risk of supply disruptions due to political, diplomatic, and trade factors;
- Whether the provider has been in compliance with Chinese laws and regulations; and
- Other factors that could compromise CII security and national security.
The Measures establish a high-level interagency cybersecurity review body. Led by CAC, the review body consists of members from eleven government agencies (“Members”), including, for instance, the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security, the Ministry of National Security, and the State Administration for Market Regulation. As a dedicated working body under the CAC, CRO is responsible for shaping policies and coordinating the enforcement of the cybersecurity review framework (Article 4, Measures).
Once the review process is initiated, in regular cases, CRO and Members will complete the review and issue a written notification to the CII Operator within 45 working days (which may be extended by 15 business days, depending upon review complexity). If a special review process is triggered (i.e., when CRO and Members cannot reach unanimous agreement in the regular review process), CRO and Members will take another 45 working days (which may be extended, depending upon review complexity) to complete the process (Article 12, Measures). A flowchart specifying the above review process can be found here.
What is the Focus of the Current Cybersecurity Reviews?
Based on the official FAQ released by CAC in April 2020, CAC believes that CII is critical for safeguarding China’s national security, maintaining social stability, and protecting public interests. Thus, the cybersecurity review mechanism has been established to address national security risks associated with CII’s procurement of products and services, and the Measures aim to provide additional guidance in evaluating these supply chain risks (the official FAQ released by CAC is available here).
In the current cybersecurity reviews of Didi and other Chinese companies, it is possible that the scope of the review will expand to assess the more broadly defined “national data security risks,” rather than the prior narrow focus on the supply chain risks of CII Operators. Although not mentioned in CRO’s announcements, commentators noted in Global Times that “in the listing process in the US, some important data and personal information held by Chinese companies may be revealed due to the US regulation request” and thus “(public) listing in the US could lead to security risks.” Therefore, these reviews may focus on “risks associated with cross-border transfer of important data and personal information.”
Notably, this type of review addressing broadly defined “data security risks” could reflect a regulatory trend in China: the Data Security Law (“DSL”), which was enacted on June 10, 2021 and will take effect on September 1, 2021, calls for the establishment of a system for “national security review” to examine any data activities that are deemed to pose risks to national security (Article 24, DSL). It is possible that more reviews will be initiated under the DSL once it takes effect.
Enforcement Actions Against Mobile Applications
Apart from the cybersecurity review of Didi, CAC also separately announced on July 4 that the Didi app must be removed from app stores due to its violation of personal information protection rules. While the announcement issued by CAC only explicitly refers to the CSL as its legal basis, China has also released several regulations and national standards that impose personal information protection requirements on app operators over the last few years. For example, both the Regulation on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications and the draft Interim Rules on Managing Personal Information Protection of Mobile Internet Applications were released in 2021.
Based on these rules, multiple agencies have launched various enforcement actions during the past year. For example, in addition to the action against the Didi app, CAC issued a notice on May 21, 2021 requiring 105 mobile applications that “violate the principle of necessity, collecting personal information that is irrelevant to the service that [is] offered etc.” to take corrective actions. MIIT has also taken actions against app operators that illegally collect and process the personal information of app users.
As noted above, it is unclear whether the removal of the Didi app from app stores is connected with the cybersecurity review. But it highlights that CAC has multiple tools at its disposal to address both national security risks and concerns over the protection of personal information.