When China’s Cybersecurity Law was enacted last November, one question (among many) that surfaced was how the government would implement the “national security review” that the law requires for certain network products and services.  The law, which takes effect this June, provides that any network products and services that might affect national security procured by operators of critical information infrastructure must clear a “national security review,” but left that term unexplained.  Last week, the nation’s leading internet regulator—the Cyberspace Administration of China (“CAC”)—stepped in to elaborate, at least in part.

On February 4, CAC issued a draft regulation outlining the contours of the “cybersecurity review” required by the new law and opened a one-month window for receiving public comments (see original Chinese here and our analysis here).  The name change (“cybersecurity” in lieu of “national security”) seems purely cosmetic; consistent with the Cybersecurity Law, the review process focuses on safeguarding China’s national security in cyberspace.  To that end, the draft regulation sheds light on some of CAC’s priorities, while raising new questions about what businesses must do to comply.

First, the regulations appear to contemplate a two-tier compliance system: Government agencies, Communist Party organs, and entities in “key sectors” would be prohibited from procuring any network products and services that have not passed the cybersecurity review, while other critical infrastructure operators would enjoy greater leeway, though any procurement that “may affect national security” is still subject to review. Although the “key sectors” with the strictest obligations include sectors “such as” finance, telecommunications, and energy, it is unclear whether other sectors will join their ranks.  As for other sectors, the regulations do not explain how regulators will determine if certain procurement activities “may affect national security.”

Second, the agencies will focus on ensuring that products and services are “secure and controllable.” This standard, the draft regulations explain, aims to mitigate several distinct risks—the risk that products or services will be “unlawfully controlled, interfered with, or interrupted”; the risks associated with “research and development, delivery, and technical support”; the risks that products or services will become a means to “illegally collect, store, process, or utilize users’ data”; and the risk that providers will leverage user reliance to “engage in unfair competitive practices or otherwise harm consumers.”  The “secure and controllable” standard, then, encompasses not only the more obvious goal of guarding against hacking or interference, but also a distinct and more expansive interest in protecting consumers and their data.  Additionally, to be “secure and controllable” also requires adequate protection against “possible harms to national security and the public interest,” terms that leave ample room for interpretation.

Lastly, the regulations sketch out the cybersecurity review’s core elements—“laboratory testing, on-site inspection, online monitoring, and review of background information.” What each of these elements means in practice, however, remains to be seen.

Public comments are due by March 4.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the…

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Yan is named as Global Data Review’s40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Yan is a Certified Information Privacy Professional (CIPP/Asia) by the International Association of Privacy Professionals and an active member of the American Bar Association’s Section of Antitrust Law.