CAC releases final form of revised Cybersecurity Review Measures
No sooner had tech watchers bid farewell to 2021’s regulatory reboot of the Chinese digital economy than the release by the Cyberspace Administration of China (“CAC”) of the final form of its revisions to the Cybersecurity Review Measures (“CRM”) jolted markets back to the previous year’s sense of trepidation.
Published in July last year, the draft updates to the CRM had left many PRC issuers looking at overseas listings with questions about their route to market. This was principally due to the proposal in that draft that any businesses possessing more than 1 million individuals’ personal data would first need to complete a CAC-led cybersecurity review.
Indeed, the China Securities Regulatory Commission’s inclusion as a co-issuer of the final CRM shows the importance of these measures to overseas listings. The securities regulator is separately proposing to reform these fundraisings through draft rules issued by it on 24 December.
The final form of the CRM will come into effect on 15 February 2022. Few substantive changes have been made compared to the July draft, but some of the key points and their possible implications for tech businesses are highlighted below.
Narrower but unclear scope of application
The final CRM retains the provision that originally unsettled capital markets by applying what had largely been an unused cybersecurity review mechanism – at least until last summer – to businesses holding over 1 million individuals’ personal information. That said, the most significant change in the CRM seems to be to narrow the scope of these businesses to only “network platform operators”. However, there is no definition of “network platform” in the CRM, so which businesses amount to network platforms is unclear.
We anticipate that this ambiguity could concern some prospective issuers and the sponsor teams advising them, as there is no ready-made definition in other legislation either. While previous rules and guidelines like the draft Network Data Security Management Regulations (“Draft Regulations”) and the Anti-Monopoly Guidelines on Platform Economy arguably imply that there should be a matching functionality on the “platform”, initial consultations via the CAC’s newly-established enquiry desk (see more on the CCRC below) seem to suggest that any information system that processes data could constitute a network platform. This broad position contradicts our proposition above that self-operated websites or apps for selling a business’s own merchandise or services could be distinguished from third-party platforms in the assessment of the applicability of cybersecurity review.
Ambiguity may remain until further guidance is disseminated by the Chinese authorities.
Hong Kong SAR excluded from review? – Yes and no
The reference to a “foreign listing” in July’s draft measures triggered extensive discussion about whether a listing in Hong Kong SAR was exempt from a cybersecurity review. Then, November’s Draft Regulations provided that a data processor’s Hong Kong listing, if it impacts or may impact national security, would trigger a cybersecurity review (subject to rules to be released).
With the publication of the final CRM, some authoritative commentators believe that the final form rules indicate that a Hong Kong listing does not fall within the scope of a cybersecurity review. Their argument is two-fold:
First, the CAC is the lead drafter of both the CRM and the Draft Regulations. Since the CAC has now finalised the CRM without the Draft Regulations’ explicit reference to Hong Kong SAR, the CAC will adjust the Draft Regulations to reflect the same position, even though these regulations have higher status in the PRC legislative system.
Secondly, a Chinese company’s Hong Kong listing would clearly involve cross-border transfers of data (including personal information) from the mainland to stakeholders in the SAR. Thus, the applicable PRC cross-border data transfer restrictions would apply, giving the PRC authorities another channel through which to vet data security before a Chinese company’s Hong Kong IPO can proceed. Indeed, the CRM reinforces that the CAC’s Cybersecurity Review Office can initiate cybersecurity reviews of data processing activities that impact national security, so regulator intervention remains a possibility when proactive officials are in place.
On the other hand, the Draft Regulations do not conclusively state that their newly-introduced trigger for review of Hong Kong listings would be subject to the same “state provisions” as other foreign listings that are covered by the state’s CRM. Indeed, from the closed-door briefings between the China Securities Regulatory Commission and the SAR’s IB divisions, we understand that Hong Kong listings were expected to have an easier route than foreign venues. However, that was not to say that there could not be checks and balances for Hong Kong IPOs with respect to cybersecurity, even if not the formal review under the CRM. We think it best to wait and see the next cut of the Draft Regulations.
Depending on how broadly the CAC casts its jurisdictional net, we may see the uncertainty of cybersecurity reviews and the hardened stance in the US towards Chinese issuers generally cause the Hong Kong Stock Exchange, the Shanghai STAR board and the new Beijing Stock Exchange to, in effect, become the only real options for Chinese tech IPOs for a foreseeable period.
Nonetheless, Chinese issuers seeking to list overseas will also need to consider the alternative trigger under the CRM of processing that impacts or may impact national security. In particular, this trigger has wide application regardless of whether a Hong Kong listing or listing in a foreign venue occurs, so Chinese firms will need to assess their businesses in the context of the key rules discussed above.
Select ancillary changes to the CRM
Introduction (Article 1). The final CRM references “protecting cybersecurity and data security” as a purpose of the rules and expressly includes the Regulations for the Security Protection of Critical Information Infrastructure, which were released on 30 July 2021 (after the July draft of the CRM was released). These additions are relevant to scoping those businesses that might be caught by the CRM as operators of critical information infrastructure (“CII”), as these regulations make clear that industry regulators will designate this category of organisation in due course.
Definitions (Article 2). The drafting has been tidied up by including the new concept of “party(ies)” to represent CII operators and network platform operators. The newly-introduced wording helps readers to understand that both categories of organisation will be subject to cybersecurity review, whereas some read the draft CRM to suggest that only CII operators were subject to the new requirements.
Submission materials (Article 8). “IPO materials etc.” is replaced by “IPO and other listing application documents” as the documents stipulated for submission together with a cybersecurity review application. Sponsors, in particular, will see it as good news that the revised description seems narrower – only including “listing application documents” and not requiring delivery of their supporting working papers, for example.
Review timeline (Article 14). The special review procedures are clarified as lasting up to 90 working days, instead of 3 months, which was vaguer and shorter.
Rectification work (Article 16). This provision requires the subject of a cybersecurity review to “take risk precaution and mitigation measures” as required by the review. This new addition enables the Cybersecurity Review Office to take injunctive actions before it concludes a specific review. Although ongoing cybersecurity reviews known in the market suggest that interim actions are being imposed in some cases, the clarification of the regulators’ powers under the CRM is helpful from a transparency perspective.
Risk factors (Article 10). “Network information security risk” is included in the list of risk factors to be considered in the review of a potential overseas listing and “cybersecurity” generally in all reviews. This broadens the scope of factors that the PRC regulators could flag as problematic, but was arguably covered in the spirit of the previous draft’s limbs of the test.
Scope of products and services (Article 21). The characteristics of impacting “cybersecurity and data security” are added to more widely define the network products and services that could trigger cybersecurity review in a CII operator’s procurement. CII operators’ procurement teams will need to be aware of this broadened scope and the resulting increased compliance requirements from more cybersecurity reviews.
Other laws (Article 22). The last provision of the CRM has been expanded as follows: “In the case of any national rules for data security review or security review for foreign investment, such rules shall also be complied with.” This supplement emphasises the likelihood that a data security review mechanism may be introduced pursuant to Article 24 of the Data Security Law, and that both it and the cybersecurity review under the CRM are separate and distinct from the national security review relevant to foreign investment.
Useful information from CAC officer’s responses
In response to press enquiries publicised together with the final CRM, a CAC officer clarified that a prospective issuer must submit its application for cybersecurity review before its submission of any IPO application materials to foreign securities regulators. The officer also introduced the China Cybersecurity Review Technology and Certification Centre (or CCRC) as the body that the Cybersecurity Review Office will entrust to collect application documents and conduct the formal examination under the CRM.
We had understood from an industry insider last September that the CAC was deliberating setting up a channel for cybersecurity review-related consultations which would possibly be made public by the end of 2021. It now makes sense that the CCRC is the route that the CAC was planning for these enquiries, as the contact information of the CCRC has now been provided for this very purpose. We expect this Beijing landline and email inbox to be busy, assuming China’s tech starlets still wish to access foreign markets as a source of growth capital and investment returns for founders and early backers.
For further information, please contact:
Alex Roberts, Counsel, Linklaters