As the first implementing rules for the Cybersecurity Law, the Draft Measures define the framework for the Chinese cybersecurity review system, which may have a significant influence on entities’ digital assets and future IT solutions. Affected entities are advised to closely monitor its development.
On Saturday, February 4, the Cybersecurity Administration of China (CAC, also translated as China Internet Information Office) released the Security Review Measures for Network Products and Services (Draft) (“Draft Security Review Measures”). Please see the attached courtesy translation by AnJie and the CAC website (http://www.cac.gov.cn/2017-02/04/c_1120407082.htm). Public comments are due March 4, 2017.
The Draft Security Review Measures appear to implement elements of the National Security Law and Cybersecurity Law. The 16 articles address some of the most challenging concepts and issues in the cybersecurity review mechanism stipulated in the Cybersecurity Law.
1. The purpose of the Draft Security Review Measures is to enhance “securable and controllable level of the network products and services”, ensure the safety of the supply chain and implement the National Security Law and Cybersecurity Law. (Art. 1)
2. Art. 2 and Art. 11 deal with the scope of application. Art. 2 generally stipulates that “important” network products and services concerning the “national security and public interest” should be subject to security review. Art. 11 further specifies that network products and services purchased by Critical Information Infrastructure (CII) operators must undergo security review whenever “it may impact national security.” (Art. 2, 11)
Comment: Art. 35 of the Cybersecurity Law only requires security review for CII-related products and services. However, Art. 59 of the National Security Law requires security review for “foreign investment…that affect or may affect national security, construction projects that involve national security matters, and other major matters and activities to effectively prevent and resolve national security risks.”
There may be a legal question as to whether the Draft Security Review Measures are effectively expanding the scope of the security review beyond the law.
3. The security review is to focus on four kinds of risks endangering “security and controllability,” including (1) instability, (2) threat to supply chain integrity, (3) illegal data retention, and (4) abuse of user dependency (the risk that providers may conduct unfair competition and harm users “by taking advantage of dependency of the users”). (Art. 4)
Comment: Some of these “risks” may exceed the scope of cybersecurity.
4. The CAC will work with other government departments to establish a Network Security Review Office and engage experts. Third parties certified by the CAC will undertake particular reviews. (Art. 5, 6, 7, 8, 12, 13)
Comment: This may raise concerns regarding the competency and neutrality of third parties conducting security review activities.
5. The finance, telecom, and energy sector regulators will conduct security reviews separately, while security reviews in other sectors are to be organized by CAC. (Art. 9)
6. Party and government agencies, as well as “key industries,” should prioritize procuring network products and services that have passed security review and should not procure products and services that have failed security review. (Art. 10)
Comment: The scope of “key industries” is unclear.
7. The Network Security Review Office will have the authority to issue a security evaluation report on the security level of relevant providers on an ad hoc basis. (Art. 14)
Comment: It may be worth considering whether such reports could expose providers’ trade secrets or other legitimate interests.