(Yicai Global) Dec. 13 -- There have been ongoing discussions about Didi Global’s delisting from the US stock market and listing on the Hong Kong exchange.  This shows that Chinese companies need to carefully consider issues related to national security, economic development, and public interest when processing data and sending it out of the country. Companies also need to pay attention to how the relevant laws and regulations require “The Cybersecurity Review: Application and Evaluation” since this will impact firms’ initiatives and business needs.

Insights Into the “Cybersecurity Review” System

On June 30, three days after Didi’s listing in the US, the Cybersecurity Review Office under the Cyberspace Administration of China (CAC) initiated a cybersecurity review against the ride-hailing platform as per its Measures for Cybersecurity Review. The CAC subsequently established the cybersecurity review system by passing the revised draft of the Measures for Cybersecurity Review (revised Draft for Solicitation of Comments: http://www.cac.gov.cn/2021-07/10/c_1627503724456684.htm). Under China’s Data Security Law, the cybersecurity review is designed to target all data-processing entities, although, in most cases, reviews will only be conducted on the operators of crucial information-related infrastructure.  

Article 24 of the Data Security Law says, “The State establishes a data security review system to conduct national security reviews on data processing activities that affect or may affect national security.” The Regulations of Online Data Security Management further refines the definition of “the data-processing activities that impact or may impact national security” as stated in the Measures for Cybersecurity Review (a draft version for soliciting public opinions: http://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm). A relatively complete data security review system will be built once the draft version becomes law.

The Regulations put the provision for the cybersecurity review, including the data security review, in “Chapter Two: General Provisions”, rather than in the chapters regarding the protection of personal information, the safety of important data, the cross-border security management of data, and the obligations of the Internet-based platform operators. It is easy to see the Regulations’ intent. First, all data processors should pay attention to whether they need to file for the cybersecurity review. Second, the data-processing activities on which the review focuses include those involving both personal information and important data as well as specific cross-border scenarios.

Institutional Features of the “Cybersecurity Review” in the Regulations

The Regulations, formulated in accordance with the Data Security Law, pay particular attention to the cybersecurity review system. What are the data processing activities that affect or may affect national security? This provision has yet to be developed in the Data Security Law. Article 6 of Measures for Cybersecurity Review states that “operators with personal information of more than 1 million users going public abroad must file a cybersecurity review with the Cybersecurity Review Office.” Article 13 of the Regulations provides richer context. There are three main points worth noting:

First, the scope of “data resources” that needs to be declared for the cybersecurity review is broad. The first item under the Regulations’ Article 13 proposes that data processors who “gather and master a large amount of data resources related to national security, economic development, and public interest” should apply for a cybersecurity review. The term “data resources” only appears once. If you carefully compare important data (data that may endanger national security and public interest once it has been tampered with, destroyed, leaked, illegally obtained, or used illegally) and core data (data related to national security, the lifeblood of the national economy, important people’s livelihood, and major public interests, etc.), it can be seen that the scope of “data resources” managed by platform operators who need to file for cybersecurity reviews includes, but is not limited to, important data and core data.

Second, the Regulations distinguish between the objective conditions and subjective judgment in the application for a cybersecurity review. It is worth noting that all items in Article 13 “affect or may affect national security” except for the second one. As for the second item, “data processors who process personal information of more than one million people and go public in foreign markets” is an objective condition. Platforms meeting this condition are presumed to “affect or may affect national security”. As for the other items, whether or not they affect national security and if a security review is necessary, depends on the companies’ subjective assessment.

Third, the Regulations require mandatory security reviews of operations and R&D centers overseas. Article 13 specifies the situations where “large internet platform operators set up headquarters, operation centers, or R&D centers abroad”, meaning that once such a situation exists, the CAC and relevant authorities will directly give mandatory reporting orders and the operator needs not determine whether to apply for a cybersecurity review. This clause also indicates that setting up operations and R&D centers abroad constitutes a higher level of data risk.

The Declaration and Assessment of Cybersecurity Review’s Space for Discretion

The review is generally strict, but we must be aware that companies still have the discretion to decide the nature of their data processing behavior, especially with respect to the third item "Data Processors to List in Hong Kong". The fourth item adds the clause “other data processing behaviors which affect or are likely to affect national security”, but the situations are different where data processors choose to go public in Hong Kong or overseas.

We must accurately understand what the lawmakers were thinking when they made the rules. Firms which have collected personal data from more than 1 million users must report to the authorities for a cybersecurity review if they are going public overseas. Firms choosing to list in Hong Kong with personal data of more than 1 million domestic users can assess whether the data they have collected will pose any risks to national security, economic development and the public interest in deciding to apply for a review.

Platforms and companies are in an important position in the data processing and cross-border data flow business. How they assess their own cyber and data security, according to the related laws and regulations, and find the balance between objective conditions and subjective judgment will impact not only their business’s development but also the national economy and the people's livelihood. Here, it’s important to understand what the lawmakers were thinking:

First, the cybersecurity review stresses assessment. Assessment is a basic principle in the cybersecurity review and is explicitly shown in Article 5 of the Measures for Cybersecurity Review. Therefore, a safety assessment is a legal obligation for data processors. Second, the CAC has foreseen the risk of misreporting caused by giving data processors discretion to assess, so it has developed a clear system of preventive measures. Please refer to Article 32 of the Regulations. Third, even in cases of misreporting, the authorities can still conduct cybersecurity reviews of the data operators based on their annual data security appraisal reports. Fourth, the penalty is more severe for violating Article 32 than Article 13 of the Regulations.

Before the Regulations, the Cybersecurity Law, the Personal Information Protection Law (http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml), and the Data Security Law targeted personal information and important data in cross-border data flow. However, the Regulations target a wider scope of data, including non-personal information and unimportant data. The Regulations differ from Article 38 of the Personal Information Protection Law in providing exemptions for personal data going overseas from the security review and contract obligations but is stricter in terms of personal consent. Because of these changes, at least two aspects of the Regulations are likely to be modified:

First is the security assessment system for data going overseas. Article 2 of the Security Assessment Measures for Data Going Overseas (Draft for Comment: http://www.cac.gov.cn/2021-10/29/c_1637102874600858.htm) does not cover “non-personal information and unimportant data” and is likely to have provisions on the security assessment of “non-personal information and unimportant data” in the future. Second is the coverage of standard contracts. The earliest provisions on standard contracts are in the Personal Information Protection Law, which targeted personal data. Future standard contracts are likely to not only cover important data but also “non-personal information and unimportant data”.

(Fang Shishi, director of Internet Governance Research Center, Institute of Journalism under the Shanghai Academy of Social Sciences)