Within the legislation structure of China’s Cyber-security, Data security, and Personal Information Protection, the Measures for Cybersecurity Review (“Measures”), with a capacity of merely 22 articles, is the administrative regulations that will directly guide and govern the security review procedures based on the PRC Cybersecurity Law. Therefore it has a significantly important hierarchic and effectual level in the legislative structure and directly connects to the administration and law enforcement practice. As for the spirit and underlying purpose of this legislation, important considerations have been granted to national security.
On July 12th, 2021, for the first time since the taking effect of the PRC Measures for Cybersecurity Review (effective from June 1st 2020), the State Internet Information Office released the Cybersecurity Review Measures (Revised Draft for Comments) ( hereinafter referred to as the “Draft”).
The recent incident concerning DIDI and data security issues has had a great impact on this Draft.
More specifically, on June 11th, 2021, DIDI Chuxing, a unicorn enterprise that had merged with Uber and enjoying a monopoly in the Chinese marketplace, officially submitted an SEC filing for an IPO in the United States. On June 30th, only 20 days after the submission, DIDI was successfully registered and listed on the New York Stock Exchange. Then, on July 2nd, 2021, The China National Network Information Office launched a Cybersecurity review on DIDI’s activity in China, requiring all DIDI’s apps to be taken off of online App stores for rectification, and stopping the registration of new users during the review period on the grounds that DIDI was suspected of collecting and using private information in serious violation of laws and regulations. As of the date of this article, the normal operation of DIDI has not been restored.
The review of DIDI is the first publicly launched cybersecurity review process by the Chinese authorities since the Cybersecurity Law has taken effect. The disputes regarding data security and transferring data overseas caused by DIDI’s alleged package-selling of user data to the United States was very likely to be the direct reason why DIDI was subject to the review.
Article 6 of the Draft directly adds: “An operator applying for a listing overseas must apply to the CRC for a cybersecurity review if it is in possession of the personal information of more than 1 million users.” In the case of DIDI’s aforementioned incident, it is difficult not to see the similarities to their current position and the wording of this draft article.
In addition, the Draft also directly extended the special review procedure to three months, which was originally meant to be completed within 45 days. This is applicable as the relevant authorities have since gained first-hand practical experience in the cybersecurity review case of DIDI.
Furthermore, Article 10 of the Draft refines the Cybersecurity review factors from “The risk of theft, leakage, corruption of the key data” to “The risk of theft, leakage, corruption or illegal use or export of any critical or key data or a large amount of personal information”. Personal information and user data are to be included in the review and protection objects. The Draft has shown a clear direction for how protection wil be carried out, which will provide a practical introduction for the start of the Cybersecurity review procedure.
Although it is only a revised Draft released at this time, without certainty whether this version will be subject to further modifications in subsequent deliberations, it can be perceived from this Draft that the DIDI incident has made the Chinese government aware of potential national security problems behind the user data held by the Internet giants, and shows the urgency and importance the government attaches to monitoring the security of such data going abroad.
Alongside the entry into force of the Data Security Law on September 1st, 2021, the introduction of other subsequent relevant laws, regulations, and measures, and the overall turbulence occurring within the international political environment, the Chinese government may wish to devote an unprecedented level of attention to online security. Companies should therefore be well prepared for higher threshold of supervision in this area in the near future.