China publishes draft rules on enhanced security review of online products and services
14 March 2017
On 4 February 2017, the Cyberspace Administration of China (the “CAC”) published draft rules on the national security review of online products and services used by PRC information systems (the “Draft”).
The Draft seeks to put in place a national framework for security review of certain online products and services, as foreshadowed in the National Security Law, the Cybersecurity Law and the National Cyberspace Security Strategy. In this alert, we consider key principles and implications of the Draft.
This framework is intended to operate in addition to the existing certification and technical standards with which IT products and services procured in the PRC are required to comply (which are not affected by the Draft).
Industry players (particularly those in key industries such as finance) and vendors of online products and services will need to consider how to comply with the review regime, and to monitor further cyber and sectoral rules, and regulatory practice, as the regime develops. The Draft’s consultation period lasts one month.
Issue: Affected parties
Points to note
Certain online products and services used by the following parties in the PRC must undergo national security review:
- critical information infrastructure (“CII”) operators that affect national security;
- all departments of the Communist Party and government ministries; and
- “key industries” (including the finance, telecom and energy sectors).
- The Draft does not further elaborate on the Cybersecurity Law’s range of industries and sectors containing CII. While further rules will be needed to define these, some guidance on cybersecurity inspection (released by the Office of the Central Leading Group for Cyberspace Affairs) suggests that certain tests as to the level of public dependency may be applied for a given system or network to be considered CII.
- In addition, the Draft provides that key online products and services that are used by PRC information systems impacting security or public interest must undergo national security review.
Implications and other commentary
- As regards scope of parties affected, the Draft does not extend the principles of the National Security Law and the Cybersecurity Law.
- The Draft empowers the CAC to coordinate security reviews in accordance with the requests of the government, industry associations, businesses and the market. No attempt is made to further define the circumstances in which the CAC may initiate such reviews.
- In “key industries”, the review is to be conducted by the respective industry regulators, such as the China Banking Regulatory Commission, Ministry of Industry and Information Technology and National Development and Reform Commission. However, the Draft is unclear as to how the review is triggered in an industry context.
- A CAC official is reported to have clarified that the Draft is intended to prohibit the purchase of online products and services that have failed to pass a review initiated by the authorities, and that a review will only be triggered when there is a request from the relevant authorities, industry associations or businesses.
Issue: Review standards
Points to note
Online products and services under review will be assessed for “security and controllability” with a focus on the risks of:
- someone illegally gaining control of, interfering with or disrupting the operation of online products and services;
- the process of development, delivery and provision of technical support for products and key product components;
- product and service providers illegally collecting, storing, processing or making use of user information; and
- unfair competition or prejudice to users’ interests through providers exploiting user dependency on their products and services.
- The security and credibility of the product and services providers (in addition to the products themselves) will be scrutinised as part of the review.
Implications and other commentary
- These criteria, which are not defined in the National Security Law or the Cybersecurity Law, will be a key part of how the review regime is implemented by the CAC in accordance with its National Cyberspace Security Strategy. They are unfortunately only addressed in broad terms, with no implementation guidance at this stage.
- In addition to technical concerns with performance, the Draft aims to ensure that the procurement of online products and services in the PRC safeguards the nation’s cyberspace security and sovereignty.
- The underlying concerns are more clearly expressed in the National Cyberspace Security Strategy and include political interference, insurrection and key (energy, transport, communication and finance) infrastructure paralysis resulting from network interference or invasion, and international competition for control of strategic resources and rulemaking in cyberspace, as well as cyber-terrorism and escalation of the cyber arms race.
- The extent of the information which vendors will be requested to supply is not addressed in the Draft. Overseas vendors in particular will be concerned to ensure that sensitive information is not passed to the PRC authorities, and that information requests are not used to deter entry into the PRC market (even though the Draft contains no express local content requirements).
- The Draft mentions other undefined review criteria, including transparency and credibility. How these will be applied remains to be seen.
Issue: Review bodies and decisions
Points to note
- An inter-ministerial cyber security review committee (the “Review Committee”) is to be established by the CAC, in collaboration with other relevant ministries, to issue further policies, implement the review regime and have overall responsibility for security review decisions.
- Nationally accredited third-party experts will also be engaged to assess compliance with the prescribed review standards (taking into account the standards applicable to the relevant IT systems), and the Review Committee will base its decisions on their assessments.
- While the Draft mentions disclosure of some details of the Review Committee’s decisions, it is unclear from the Draft to what extent each of the Review Committee’s decisions will be made public or if only the experts’ evaluation reports will be published on an ad hoc basis.
Implications and other commentary
- The concept of a Review Committee is a new addition in the Draft. It is also unclear who, or which third-party firms, will make up the nationally accredited experts.
- It appears that the Review Committee’s remit is broader than reviewing compliance with the prescribed standards and criteria, and given the Committee’s composition, may include other political and inter-departmental factors.
- Given the Review Committee’s broad power and the vagueness of the criteria, it is disappointing that the Draft does not expressly provide for reasons for the Committee’s decisions to be published or any dispute resolution process.
- If the fact that a product or service has failed a review is released to the public, providers may face both reputational damage and unwanted disclosure of competitively sensitive technical or service information. This may dissuade some market entrants.
Issue: Timeframe
Points to note
- No timelines are provided in the Draft for the entry into effect of the proposed rules, the establishment of the Review Committee, the accreditation of the third-party experts, or the initiation, conduct and completion of the review process.
Implications and other commentary
- It appears that further work and rules to implement the Draft will be required before the Cybersecurity Law comes into effect in June 2017.
References:
Online Products and Services Security Review Measures (Draft) (网络产品和服务安全审查办法(征求意见稿)), CAC, 4 February 2017
Cybersecurity Law of the People’s Republic of China (中华人民共和国网络安全法), National People’s Congress Standing Committee, 7 November 2016
National Security Law of the People’s Republic of China (中华人民共和国国家安全法), National People’s Congress Standing Committee, 1 July 2015
National Cyberspace Security Strategy (国家网络空间安全战略), CAC, 27 December 2016
For further information, please contact:
Jian Fang, Partner, Linklaters
jian.fang@linklaters.com