China – Cyber Security Review Rules.

Issue

Points to note

Implications and other commentary

Affected parties

• >  Certain online products and services used by the following parties in the PRC must undergo national security review:

  • >  critical information infrastructure (“CII”) operators that affect national security;

  • >  all departments of the Communist Party and government ministries; and

  • >  “key industries” (including the finance, telecom and energy sectors).

• >  The Draft does not further elaborate on the Cybersecurity Law’s range of industries and sectors containing CII (see our earlier alert). While further rules will be needed to define these, some guidance on cybersecurity inspection (released by the Office of the Central Leading Group for Cyberspace Affairs) suggests that certain tests as to the level of public dependency may be applied for a given system or network to be considered CII.

• >  In addition, the Draft provides that key online products and services that are used by PRC information systems impacting security or public interest must undergo national security review.

• >  As regards scope of parties affected, the Draft does not extend the principles of the National Security Law and the Cybersecurity Law.

• >  The Draft empowers the CAC to coordinate security reviews in accordance with the requests of the government, industry associations, businesses and the market. No attempt is made to further define the circumstances in which the CAC may initiate such reviews.

• >  In “key industries”, the review is to be conducted by
  the respective industry regulators, such as the China Banking Regulatory Commission, Ministry of Industry and Information Technology and National Development and Reform Commission. However, the Draft is unclear as to how the review is triggered in an industry context.

• >  A CAC official is reported to have clarified that the Draft
  is intended to prohibit the purchase of online products and services that have failed to pass a review initiated by the authorities and that the review will only be triggered when there is a request from relevant authorities, industry associations or businesses.

Review standards

> Online products and services under review will be assessed for “security and controllability” with a focus on the risks of:

• >  someone illegally gaining control of, interfering with or disrupting the operation of online products and services;

• >  the process of development, delivery and provision of technical support for products and key product components;

> These criteria, which are not defined in the National Security Law or Cybersecurity Law, will be a key part of how the review regime is implemented by the CAC in accordance with its National Cyberspace Security Strategy. They are unfortunately only addressed in broad terms, with no implementation guidance at this stage.

Issue

Points to note

Implications and other commentary

• >  product and service providers illegally collecting, storing, processing or making use of user information; and

• >  unfair competition or prejudice to users’ interests through providers exploiting user dependency on their products and services.

> The security and credibility of the product and services providers (in addition to the products themselves) will be scrutinised as part of the review.

• >  In addition to technical concerns with performance,
  the Draft aims to ensure that the procurement of online products and services in the PRC safeguards the nation’s cyberspace security and sovereignty.

• >  The underlying concerns are more clearly expressed in the National Cyberspace Security Strategy and include political interference, insurrection and key (energy, transport, communication and finance) infrastructure paralysis resulting from network interference or invasion, and international competition for control of strategic resources and rulemaking in cyberspace, as well as cyber-terrorism and escalation of the cyber arms race.

• >  The extent of information which vendors will be requested to supply is not addressed in the Draft. Overseas vendors in particular will be concerned to ensure that sensitive information is not passed to the PRC authorities, and with any information requests being used to deter entry into the PRC market (even though the Draft does not have express local content requirements).

• >  The Draft mentions other undefined review criteria, including transparency and credibility. How these will be applied remains to be seen.

Review bodies and decisions

• >  An inter-ministerial cyber security review committee (the “Review Committee”) is to be established by the CAC, in collaboration with other relevant ministries, to issue further policies, implement the review regime and have overall responsibility for security review decisions.

• >  Nationally-accredited third party experts will also be hired to assess compliance with the prescribed review standards (taking into account standards applicable to the relevant
  IT systems), on which the Review Committee will base its decisions.

• >  While the Draft mentions disclosure of some details of the Review Committee’s decisions, it is unclear from the Draft to what extent each of the Review Committee’s decisions will be made public or if only the experts’ evaluation reports will be published on an ad hoc basis.

• >  The concept of a Review Committee is a new addition of the Draft. It is also unclear who or which third party firms will comprise the nationally-accredited experts.

• >  It appears that the Review Committee’s remit is broader than reviewing compliance with the prescribed standards and criteria, and given the Committee’s composition, may include other political and inter-departmental factors.

• >  Given the Review Committee’s broad power and the vagueness of the criteria, it is disappointing that the Draft does not expressly provide for reasons for the Committee’s decisions to be published or any dispute resolution process.

• >  If the fact of failed tests is released to the public, product and service providers may face both reputational damage and even unwanted disclosure of competitively sensitive technical or service information. This may dissuade some market entrants.

Timeframe

> No timelines are provided in the Draft for the effectiveness of the new proposed rules, the establishment of the Review Committee, the accreditation of the third party experts or the initiation, conduct and completion of the review process.

> It appears that further work and rules to implement the Draft will be required before the Cybersecurity Law comes into effect in June 2017.