On 4 January, the State Internet Information Office (hereinafter referred to as the "Cyberspace Administration of China") and 13 other departments jointly issued the Measures for Network Security Review (Revised Edition) (hereinafter referred to as the "Measures"), which came into effect on 15 February 2022.
Thirteen departments jointly issued the "Network Security Review Measures".
The Measures include a total of 23 articles in the scope of network security reviews, including situations such as the impact or potential impact of national security on the data processing activities carried out by network platform operators, and require network platform operators with more than 1 million users' personal information to apply for network security review when going public abroad.
So, does listing in Hong Kong mean that companies are not subject to cyber security reviews? Some experts told Nandu reporters that the listing of enterprises with more than 1 million users' personal information does not mean that they will not be subject to network security review, but they do not need to take the initiative to declare, such as the members of the network security review work mechanism think that there is a risk or be reported, it may still be subject to review. The conditions, procedures and time required for filing and review have become important factors for enterprises to go to the United States or go public in Hong Kong.
Listing in Hong Kong does not require active declaration, but it may still be subject to cybersecurity review
Since Didi Chuxing's listing in the United States last year was "suspended", the network security review has received widespread attention from the industry.
On July 2 last year, the Cyberspace Administration of China said that it would implement a network security review of Didi Chuxing; on the 16th, the Cyberspace Administration of China, together with the Ministry of Public Security, the Ministry of State Security and other six departments, jointly entered Didi Chuxing to carry out network security reviews. A month ago, Didi Chuxing announced the launch of the delisting work of the New York Stock Exchange and the preparation of listing in Hong Kong.
When answering a reporter's question on the Measures, the relevant person in charge of the Cyberspace Administration of China said that the main purpose of revising the Measures is to further ensure network security and data security and safeguard national security. There may be three situations in which network platform operators go abroad to apply for network security review for listing: first, there is no need for review; second, after initiating the review, after the review is initiated, those whose national security is not affected may continue to go abroad for listing procedures; third, after initiating the review, those who have been judged to affect national security are not allowed to go to foreign listing.
The Measures make it clear that network platform operators who hold the personal information of more than 1 million users must apply for network security review to the Cyber Security Review Office if they go public abroad. Compared with the Draft for Comments, paragraph 6 of Article 10 of the Measures, does the change from "foreign listing" to "listing" mean that an enterprise listing in Hong Kong does not need to undergo a cyber security review?
Zuo Xiaodong, vice president of the China Academy of Information Security, who is familiar with the work of network security legislation, believes that enterprises listed in Hong Kong do not need to voluntarily apply for network security review, but this does not mean that they will not be subject to network security review.
He introduced that there are three conditions for the initiation of network security review: one is to make an active declaration; the second is to submit a review that the member units of the network security review work mechanism believe are risky; and the third is social reporting. The member units of the network security review work mechanism are 13 issuing units, including the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Central Bank of China, and so forth.
"Listing in Hong Kong is only procedurally not requiring voluntary declaration, but according to the second and third conditions, no matter whether it is listed or not, where it is listed, once the data processing behavior, network products and services are risky, they can be submitted for review." Zuo Xiaodong said.
A data compliance lawyer who did not want to be named also said that if the member units of the network security review mechanism believe that there are factors that affect or may affect national security in the process of listing in Hong Kong, they can submit a review, and the enterprise listed in Hong Kong needs to cooperate with the relevant network security review process, but the listing of the enterprise in Hong Kong is not a situation of actively declaring a network security review.
Xiong Dingzhong, chief partner of Qing law firm, said that the choice of enterprises to list in Hong Kong or abroad is essentially a business decision, and an important reason why many enterprises chose to list in Hong Kong before was that the subject, specific content and process mechanism of the network security review were not clear enough, so there will be many uncertain risks in listing abroad. "In contrast, they (enterprises) prefer to choose a place like Hong Kong with certain conclusions."
He believes that after the Measures make it clear that enterprises listed abroad are subject to a network security review, enterprises have a clear understanding of the compliance costs such as the conditions, processes and time required for their own declaration of security reviews, and these factors have become important factors in determining their visit to the United States or Hong Kong. If a company determines that the difference in revenue between its foreign listing and its listing in Hong Kong can be higher than the cost of compliance, it may still choose to go abroad to list.
The relevant person in charge of the above-mentioned Cyberspace Administration of China said that network platform operators should apply for network security review before submitting listing applications to foreign securities regulators. The Cyber Security Review Office is located in the State Internet Information Office, and the specific work is entrusted to the China Cyber Security Review Technology and Certification Center.
The content of the information may be one of the risk factors assessed for the review
Nandu reporters compared the "Measures" before the revision and the draft for comments released last year and found that the official version added the "Regulations on the Security Protection of Critical Information Infrastructure" as a legal basis on the basis of the draft for comments in July last year. In addition, in terms of the objects of network security review, the Measures clearly define data processors as "network platform operators".
Zuo Xiaodong believes that the use of the expression "network platform operator" in the revised "Measures" is not the basis for distinguishing whether an enterprise should be subject to a network security review, the focus is on whether it has more than 1 million users' personal information, "When an enterprise has more than 1 million users' personal information, it is almost unimaginable if it does not involve providing services through the network." ”
Paragraph 6 of Article 10 of the Measures stipulates that the national security risk factors that are the focus of online review include the risk that there is critical information infrastructure, core data, important data or a large amount of personal information being affected, controlled, or maliciously used by foreign governments on the listing, as well as network information security risks.
Nandu reporter found that in addition to changing the "foreign listing" to "listing" in the draft for comments, the official version also added "network information security risk". Zuo Xiaodong believes that the "network information security risk" points to the information content security risk, that is, the large-scale proliferation of illegal and harmful information.
"At present, there are more and more cases of using artificial intelligence, blockchain, deep forgery, targeted push and other technologies to disseminate illegal and harmful information and undermine network security facilities, and technical risks have been intertwined with ideological risks, and going abroad to list activities will directly deal with foreign institutions, and this risk has to be prevented." He wrote.
In addition, article 16 of the Measures adds that in order to prevent risks, the parties concerned shall take measures to prevent and reduce risks in accordance with the requirements of the network security review during the review period. Zuo Xiaodong said that this article generally does not apply to the situation of actively declaring online review, and applies to the member units of the review mechanism that believe that it affects or may affect national security and social reporting.
Xiong Dingzhong believes that since it takes a certain amount of time to carry out a network security review, the purpose of the regulations is to allow enterprises to avoid acts that may lead to risk amplification as much as possible during the period under investigation and within the scope of their business. This means that when the relevant departments conduct cybersecurity reviews, companies should handle the data in a more conservative and cautious manner and avoid passing it on until the results of the review are obtained.
He further explained that if a company plans to list in the United States, it is likely that its filing for security review will also be preparing for listing at the same time. If the listing process of the enterprise happens to enter a key node during the security review, if the enterprise needs to provide some basic data or audit papers, according to the provisions of the Measures, the enterprise should not provide the above materials at this time, but need to wait until the review results come out before deciding.
Written by: Nandu reporter Sun Chao trainee reporter Fan Wenyang
![Gansu's network security department cracked a case of illegal intrusion into cameras for "voyeurism"[fig]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)