Following Didi, on 5th July 2021, three more apps were announced to be under investigation for cybersecurity review and suspended from new user registration. Two of them are truck-booking platforms, Yunmanman and Huochebang, both under the Full Truck Alliance. The other is the job recruiting platform Boss Zhipin. Full Truck Alliance and Boss Zhipin, together with China's top ride-hailing platform Didi, which was hit with the same probe three days before, had all been listed in the US for less than a month. Their common identity as freshly US-traded companies raises the suspicion that China is targeting tech companies listing overseas or wrestling with data sovereignty amidst the potential threats posed by US regulatory oversight.

However, we pay attention to the other side of the coin. We understand this as a signal that cybersecurity review will become a focus of future enforcement in the field of data protection laws and that corresponding probes will become normalized in China. Therefore, it is practical and urgent to understand when a cybersecurity review will be triggered, what it involves, and what its consequences would be.

What Is a Cybersecurity Review?

The announcements of the probes cited two statutes – Article 59 of the National Security Law, which requires national security review of products and services involving network information technology that affect or may affect national security, and Article 35 of the Cybersecurity Law, which requires national security review of network products and services that may affect national security. Pursuant to the two provisions, the Cyberspace Administration of China ("CAC"), together with eleven other government departments (mostly ministry-level), jointly released the Measures on Cybersecurity Review ("Measures"). It became effective on June 1, 2020 and is the specific implementing rule for the cybersecurity review at issue.

The Measures, in line with the Cybersecurity Law, limit the applicable scope to critical information infrastructure operators ("CIIOs"). Article 2 of the Measures provides that any purchase of network products and services by CIIOs that may impact national security shall be subject to security review. Therefore, the launch of investigations implies that Didi, Full Truck Alliance and Boss Zhipin have likely all been determined to be CIIOs.

In practice, the determination of CIIOs remains ambiguous. The Cybersecurity Law defines critical information infrastructure by reference to important industries and sectors such as public communications, information service, energy, transport, water conservation, finance, public service and e-government, and other critical information infrastructure that, once damaged or disabled, or the data on which is disclosed, may severely threaten national security, the national economy, people's livelihood or public interests. Thereafter, the CAC and other competent departments attempted to promulgate rules for determining CIIOs, but those drafts have not materialized so far. If it were not for these disclosed probes, the identification of these CIIOs might never have been made public. Based on our experience, competent authorities will usually proactively reach out to companies that are determined to be CIIOs and inform them of the determination.

What Triggers a Cybersecurity Review?

According to the language of the Measures, only a CIIO's purchase of network products and services triggers cybersecurity review. Network products and services are defined as those that would have an important impact on the security of critical information infrastructure, such as core network equipment, high-performance computers and servers, large-capacity storage equipment, large databases and application software, network security equipment, and cloud computing services. Moreover, such a purchase triggers review only when it affects or may affect national security.

As to how a review proceeding is triggered, generally speaking, a CIIO shall apply for cybersecurity review prior to such a purchase. On the other hand, Article 15 of the Measures indicates the possibility that competent authorities could launch the review proceeding on their own initiative, which is exactly how these probes began.

The announcements additionally stated that these probes were launched to prevent "national data security risks." If read in combination with Article 9 of the Measures, which lists the risk of important data being stolen, leaked or destroyed as one of the national security risks under consideration, it would be reasonable to expect that the security concerns underlying the probes are about important data. For example, in the draft of the Rules on the Administration of Automobile Data Security released by the CAC to solicit public comments, important data in the auto sector was defined to include, among others, highly sophisticated mapping data and data on the types of road vehicles and traffic flow – very likely collected and processed by Didi and Full Truck Alliance as online logistics service providers. In this regard, the recent enactment of China's Data Security Law makes it clear that in the future sectoral authorities and local government agencies will promulgate concrete catalogues of important data within their duties, which will be important for CIIOs in deciding whether data-related security concerns will arise and consequently whether a cybersecurity review will be triggered.

What Would the Review Procedure Be Like?

According to the Measures, the Cybersecurity Review Office of CAC is responsible for accepting applications of cybersecurity review and conducting preliminary review, and the specific work shall be done by China Cybersecurity Review Technology and Certification Center. Besides, the members of the cybersecurity review working mechanism – eleven other departments under the State Council whose duties more or less involve cybersecurity of specific areas – and the relevant critical information infrastructure protection departments will also be required by the Cybersecurity Review Office to provide review comments.

When it comes to the timeframe, generally the cybersecurity review can be completed within 45 working days, including 10 working days for the review of the necessity of cybersecurity review and 30 working days for preliminary review. In complicated cases, the time for preliminary review can be extended by 15 working days, leading to a total of 60 working days. But if a special process is launched because unanimous agreement cannot be reached by the members, the review could be extended by another 45 working days (therefore, a total of 105 working days) and can be further extended if necessary (in which case no time limit is provided).

There are five standards as to the associated national security risks to be reviewed. The first, as mentioned above, is the risk of critical information infrastructure being illegally controlled, interfered with or destroyed, or of important data being stolen, leaked or destroyed, as caused by the use of the product or service. Considering the aforesaid reference to data security in the government announcements, the first risk factor is more likely than the others to be under consideration in these probes. Other factors include: (a) the damage to the stability of critical information infrastructure business in case of supply interruption; (b) the safety, openness, transparency and diversity of supply, the reliability of the supply chain, and the risks of supply interruption as a result of political, diplomatic, trade or any other factor; (c) compliance with Chinese laws and relevant rules; and (d) a catch-all item – other factors that may endanger critical information infrastructure security or national security.

What Are the Legal Consequences?

Failing to apply for cybersecurity review may incur administrative punishments under the Cybersecurity Law. Specifically, a CIIO that uses products or services which have not undergone or have failed the cybersecurity review shall be ordered by the competent authority to stop such use and shall be subject to a fine equivalent to more than 1 but less than 10 times the purchase price, and the person directly in charge and other directly liable persons shall be subject to a fine ranging from RMB10,000 (approx. USD 1,500) to RMB100,000 (approx. USD 15,000). While monetary sanctions are not extremely serious for these listed companies, the order to stop using a product or service that fails the review may cause real trouble for their business operations.

From Cybersecurity Review to Data Security Review

Other than the cybersecurity review regime under discussion, China's Data Security Law provides that a data security review regime will be established. According to its Article 24, any data processing activity that affects or may affect national security shall go through a security review. However, as the Data Security Law is still in its grace period (it will become effective on 1 September 2021) and so far there are no implementing rules on this, it is not clear yet how a data security review will be carried out.

If cybersecurity review probes are getting intense, it could reasonably be expected that enforcement activities related to data security review will be similarly active once the Data Security Law takes effect. This would be particularly so if international tensions over data sovereignty continue to grow. For example, on 6 July 2021, the Central Committee of the Communist Party of China and the State Council jointly issued a document on the crackdown on illegal activities in the securities market, which specifically mentioned the enhancement of data security, cross-border data transfer, and the administration of classified information related to overseas listings. It suggests that data security is indeed of particular concern for Chinese regulators, and both cybersecurity review and data security review may become their pillars.

Conclusion

Although the cybersecurity probes against Didi, Full Truck Alliance and Boss Zhipin seem to be unexpected, this alert briefly explains what to worry about in future enforcement actions in this area. First, it is critical to know whether you are a CIIO, which, based upon our experience, competent authorities usually communicate to the company concerned. Second, if you are determined to be a CIIO, you should consider whether any national security concerns arise, according to the five standards described above. In particular, the Didi probe shows the emphasis placed on the security of important data – as always – and the recent enactment of the Data Security Law and its implementing rules will be worthy of attention for the identification of important data. In addition, the reliability of the supply chain is also of particular concern, especially against the background of growing frictions in international relations. Finally, additional attention should be paid to enforcement tendencies other than cybersecurity review, for example, data security review under the Data Security Law, as these regimes will work together to shape the enforcement landscape in the future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.