Filing under new cybersecurity review measures
New compliance challenges for online platform operators are posed by the Measures for Cybersecurity Reviews, jointly released by the Cyberspace Administration of China (CAC) and 12 other ministerial-level authorities on January 4, 2022.
SCOPE OF TOPICS
The primary targets of cybersecurity scrutiny are network products and services purchased by Critical Information Infrastructure Operators (CIIOs). Moreover, operators carrying out data processing activities which have or could have an impact on national security are also included in its scope.
With regard to operators who intend to register abroad, the aforementioned measures expressly provide that “operators who control the personal information of more than one million users intending to register overseas must file an application for cybersecurity examination with the Cyberspace Administration of China.”
The concept of “foreign listing” is used but is not expressly defined in the measures. However, given this expression in the Network Data Security Administration Regulations (draft for comment) and the practice of regulators, the measures are likely to exempt operators offering to register in Hong Kong from the requirement to proactively file cyber-
It should be noted that the measures further confer on the regulator the power to carry out ex officio examinations on its own initiative. Accordingly, it cannot be ruled out that, in practice, some companies offering to register in Hong Kong with operations involving the processing of large amounts of sensitive data proactively submit themselves to cybersecurity scrutiny for the sake of caution.
The measures define the documents to be provided as “listing application documents, such as those for initial public offerings (IPOs)”. However, given current filing practice, in addition to IPOs, a trader offering to list overseas by means such as acquiring a Special Purpose Acquisition Company (SPAC), a reverse takeover/sham listing (RTO), or a direct public offering on the Internet (DPO) must file a proactive request for a cybersecurity review.
The measures do not expressly include Chinese joint-stock companies already listed overseas under proactive filings, but the regulator may conduct an ex officio security review of their routine data processing activities and reconsider their foreign listing status.
PURPOSE OF THE REVIEW
As part of the cybersecurity review, the regulator will prioritize assessing the security of the operator’s network products or services, as well as the reliability of its supply channels.
Specifically, an operator would pay attention to its Internet-related information services having public opinion attributes or social mobilization capabilities, its use of personal information for algorithmic recommendations, its collection of sensitive personal information, and its cybersecurity and data security protection.
Priorities the regulator will focus on also include: “Risks of theft, leakage, destruction and unlawful use or cross-border transfer of essential data, key data or large amounts of personal information; and the risks that a critical information infrastructure, master data, key data or large volume of personal information will be influenced, controlled or used for malicious purposes by a foreign government after registration abroad.”
Accordingly, an operator should pay attention to its cooperation with government authorities, institutions and research institutes, as well as cross-border data transfer.
A trader is required to file an application for a cybersecurity review before submitting its listing application to the foreign securities regulator. The result of a filing could be: (1) no examination required; (2) the results of the review indicate that there will be no national security implications and the overseas registration may proceed; or (3) examination results indicate that there will be an impact on national security, and overseas enrollment is not permitted. In either of the first two circumstances, the operator may continue to seek registration with the foreign securities regulator.
The CAC appointed the China Cybersecurity Certification and Examination Technology Center to accept documents, conduct pro forma examinations of filing documents, and arrange examination details. Once an operator submits the filing documents to the Center and passes the pro forma review, the filing documents are transferred to the CAC, signaling the start of the review period specified in the measures.
The CAC will determine within 10 business days whether a review is necessary and issue a written opinion. Once the cybersecurity review process has been initiated, the operator will receive notice of the conclusion of the review no earlier than 45 business days. In complex cases, the procedure can be extended up to a maximum of 150 working days.
NOTICE OF COMPLIANCE
To maximize the chances of passing the cybersecurity exam, the authors recommend that companies:
- Closely monitor regulatory developments in the protection of personal information, avoid collecting personal information not related to its services, in particular those of a sensitive nature, and constantly improve policies for the protection of user information;
- Pay particular attention to key data recognition criteria subsequently issued by regulators and comply with requirements regarding key data protection, security risk assessment and data localization;
- Systematically establish a data security impact assessment system and an internal compliance governance system; perform due diligence assessments of high-risk data processing activities and perform data compliance audits on an ongoing basis;
- Further improve the security review of supply chains of network products and services, conduct compliance assessments of suppliers in advance, bind them by contracts, and carry out relevant intermediate and ex post audits;
- Before providing data to the foreign stock exchange and regulator, seek advice from the CAC, CSRC and other competent authorities in accordance with laws and regulations, and formulate internal systems targeting the above requirements; and
- Pay particular attention to the issue and implementation of subsequent additional review criteria.
Kevin Duan is a partner at Han Kun Law Offices. He can be contacted at +86 10 8516 4123.
Cai Kemeng is a partner at Han Kun Law Offices. He can be contacted at +86 10 8516 4289.