New compliance challenges for online platform operators are posed by the Measures for Cybersecurity Reviews, jointly issued by the Cyberspace Administration of China (CAC) and 12 other ministerial-level authorities on 4 January 2022.
SCOPE OF SUBJECTS
The key targets of cybersecurity review are network products and services procured by critical information infrastructure operators (CIIOs). Additionally, operators conducting data processing activities that impact or could impact national security are also included in its scope.
With respect to operators that intend to list abroad, the above-mentioned measures expressly provide that “operators that control the personal information of more than one million users with an intention for foreign listing must file for cyber-security review with the Cyberspace Administration of China”.
The concept of “foreign listing” is used but not expressly defined in the measures. However, taking into account this expression in the Regulations for the Administration of Network Data Security (Draft for Comment) and the practice of regulators, the measures likely aim to exempt operators proposing to list in Hong Kong from the obligation to proactively file for cyber-
It should be noted that the measures additionally bestow on the regulator the power to conduct reviews ex officio on its own initiative. Accordingly, it cannot be ruled out that, in practice, certain enterprises proposing to list in Hong Kong with operations involving the processing of large quantities of sensitive data will proactively file for cybersecurity review in the interest of prudence.
The measures define materials required to be provided as “listing application documents, such as those for initial public offerings (IPOs)”. However, taking into consideration current filing practice, in addition to IPOs, an operator proposing to list abroad by such means as a special purpose acquisition company (SPAC) acquisition, reverse takeover/shell listing (RTO), or direct public offering on the internet (DPO) should proactively file for cybersecurity review.
The measures do not expressly include China concept stock companies already listed abroad within the scope of proactive filings, but the regulator may conduct security review ex officio on their routine data processing activities and reconsider their foreign listing status.
FOCUS OF REVIEW
In cybersecurity review, the regulator will give priority to assessing the security of the operator’s network products or services, as well as the reliability of its supply channels.
Specifically, an operator should pay attention to its internet-related information services with public opinion attributes or social mobilisation capabilities, its use of personal information for algorithmic recommendations, its collection of sensitive personal information, and its cybersecurity and data security protection.
Priorities that the regulator will focus on also include: “The risks of theft, leakage, destruction and illegal use or cross-border transfer of core data, key data or a large quantity of personal information; and the risks of critical information infrastructure, core data, key data or a large volume of personal information being influenced, controlled or maliciously used by a foreign government after the foreign listing.”
Accordingly, an operator needs to pay attention to its co-operation with government authorities, institutions and research institutions, as well as cross-border transfer of data.
An operator is required to file for cybersecurity review before submitting its listing application to the foreign securities regulator. The outcome of a filing could be: (1) no review required; (2) review results indicate that there will be no impact on national security, and the foreign listing may continue; or (3) review results indicate that there will be an impact on national security, and the foreign listing is not permitted. Under either of the first two circumstances, the operator may continue to apply to the foreign securities regulator for listing.
The CAC has appointed the China Cybersecurity Review Technology and Certification Centre to accept the materials, conduct pro forma reviews of the filing materials and arrange review details. Once an operator submits the filing materials to the Centre and passes the pro forma review, the filing materials are transferred to the CAC, signalling the start of the review period specified in the measures.
The CAC will determine within 10 working days whether a review is required, and issue a written notice. Once the cybersecurity review procedure is underway, the operator will receive a review conclusion notice at the earliest within 45 working days. In complex cases, the procedure may be extended to a maximum of 150 working days.
For optimum odds of successfully passing cybersecurity review, the authors recommend that companies:
- Follow closely the regulatory trend for protection of personal information, avoid collecting personal information not connected with their services, particularly information of a sensitive nature, and continually improve policies on protection of user information;
- Pay close attention to recognition criteria of key data subsequently issued by regulators and comply with requirements concerning protection of key data, assessment of security risks, and localisation of data; systematically establish a data security impact assessment system and an internal compliance governance system; conduct prior assessments of high-risk data processing activities, and conduct data compliance audits on an ongoing basis;
- Further improve review of the security of network product and service supply chains, conduct compliance assessments of suppliers in advance, bind them with contracts, and carry out relevant interim and ex post audits;
- Before providing data to the overseas exchange and regulator, seek the advice of the CAC, CSRC and other competent authorities in accordance with laws and regulations, and formulate internal systems targeting the above-mentioned requirements; and
- Pay close attention to the issue and implementation of subsequent complementary review criteria.
Kevin Duan is a partner at Han Kun Law Offices. He can be contacted on +86 10 8516 4123 or by email at firstname.lastname@example.org
Cai Kemeng is a partner at Han Kun Law Offices. He can be contacted on +86 10 8516 4289 or by email at email@example.com