China: Revised Cybersecurity Review Measures

The Cyberspace Administration of China ('CAC') announced, on 4 January 2022, that it along with 12 other departments had revised the Cybersecurity Review Measures ('the Measures'). The Measures were approved at the 20th meeting of the CAC on 16 November 2021 and entered into effect on 15 February 2022. OneTrust DataGuidance breaks down the key provisions, obligations, and procedure of the Measures.

Definitions and scope

The Measures outline the aim of ensuring the security of the critical information infrastructure ('CII') supply chain, network, and data security, as well as maintaining national security, in line with the aims found in the Personal Information Protection Law of the People's Republic of China ('PIPL'), and the Data Security Law of the People's Republic of China ('DSL') (Article 1 of the Measures).

In particular, the Measures provide that where critical information infrastructure operators ('CIIO') purchase network products and services, and network platform operators conduct data processing activities that affect or may affect national security, they must conduct a national security review (Article 2 of the Measures).  

More specifically, the Measures highlight that when a CIIO purchases network products and services, it must prejudge the national security risks that may arise after the products and services are put into use. If it affects or may affect national security, a cybersecurity review must be reported to the Cybersecurity Review Office, which is the body responsible for cybersecurity review and is located within the CAC (Articles 4 and 5 of the Measures).  

Furthermore, the Measures add a specific basis for reviews concerning procurement activities. CIIOs must require product and service providers to comply with a cybersecurity review through procurement documents, including a commitment, during the provision of products and services, not to illegally acquire users' personal data services, illegally control and manipulate user equipment, or interrupt product service unnecessarily (Article 6 of the Measures).

In addition, the Measures provide another obligation specific to network platform operators in relation to public listings, namely that network platform operators that hold the personal information of more than 1 million users must apply for a network security review when listing abroad (Article 7 of the Measures).

Review submission

Importantly, when applying for a cybersecurity review, a CIIO or network platform operator must include the following material (Article 8 of the Measures):

  • a declaration form;
  • analysis reports that affect or may affect national security;
  • procurement documents, agreements, contracts to be signed, initial public offering, and other listing application documents to be submitted; and
  • other materials required for the network security review work.

In response, the Cybersecurity Review Office will, within ten working days of receiving application materials that meet the requirements provided in Article 8 of the Measures, determine whether a review is necessary and notify applicable parties in writing (Article 9 of the Measures).

Assessment factors

The cybersecurity review focuses on assessing the following national security risk factors for relevant objects or situations (Article 10 of the Measures):

  • the risk of illegal control, interference, or destruction of CII brought about by the use of products and services;
  • the harm to business continuity of the critical infrastructure caused by the interruption of the supply of products and services;
  • the security, openness, transparency, and diversity of sources of products and services, the reliability of supply channels, and the risk of supply disruptions due to political, diplomatic, trade, and other factors;
  • the compliance of product and service providers with Chinese law, administrative regulations, and departmental rules;
  • the risk of core data, important data, or a large amount of personal information being stolen, leaked, damaged, illegally used, or illegally exiting the country;
  • the risk that key information infrastructure, core data, important data, or a large amount of personal information will be influenced, controlled, or maliciously used by foreign governments in the listing, as well as network information security risks; and
  • other factors that may endanger the security of CII, network security, and data security.

Furthermore, the Measures detail that should the parties or network product and service providers believe that the reviewers are not objective, impartial, or fail to undertake the obligation to keep the information learned during the review work, they may report to the CAC or relevant departments (Article 18 of the Measures).

Timeframe and review methods

Alongside these factors, the Measures set out that if the Cybersecurity Review Office considers it necessary to conduct a cybersecurity review, it will complete the preliminary review within 30 working days from the date of sending a written notice to the party concerned, including forming a review conclusion and recommendation, and sending the review to the CAC, member units, and relevant departments for the solicitation of opinions (Article 11 of the Measures).

In addition, the Measures detail that member units and relevant departments must reply within 15 working days of the date of the receipt of the review conclusion and recommendation.

Should the member units and relevant departments of the cybersecurity review agree, the Cybersecurity Review Office will notify the relevant parties of the review in writing. Should the relevant member units and relevant departments of the cybersecurity review disagree, they will be dealt with in accordance with special review procedures, and the parties will be notified (Article 12 of the Measures).

On the potential requirement to conduct a special review procedure, the Measures outline that such a procedure may be completed within 90 working days and may be extended if the situation is complicated (Article 14 of the Measures).

In relation to the provision of materials for special review procedures, where the Cybersecurity Review Office requires supplementary materials, the parties and the product and service providers must cooperate. Equally, the time to submit supplementary materials does not count towards the review time (Article 15 of the Measures).

The Measures entered into force on 15 February 2022 and on the same date repealed the Cybersecurity Review Measures of 13 April 2020 (Article 23 of the Measures).

Harry Chambers, Privacy Analyst