On July 10, the Cyberspace Administration of China dropped a bombshell on the country’s tech sector.
The country’s powerful internet regulator proposed changes to the country’s year-old Cybersecurity Review Measures that would require companies seeking to list in the US to first pass a national security review.
The draft proposal appears to be a way to ensure Chinese firms can’t go public overseas as demanded by their foreign investors without first satisfying national security concerns regarding their handling of user data. According to the Wall Street Journal, ride-hailing company Didi was asked by Chinese authorities to halt its listing until it completed network security checks but went ahead with the June 30 IPO anyway. The regulator opened a cybersecurity review into Didi on July 2, and a week later issued the new draft rules.
The national security probe of Didi came out of the Cybersecurity Review Office, a fairly new department set up under the new cybersecurity rules. It is also tasked with carrying out reviews related to the procurement of products and services, seen as a crucial way for Beijing to ensure the security of the supply chain for critical infrastructure.
But the revised measures, which are open to public comment until July 25, turn the office into a new gatekeeper for Chinese tech companies aiming to list overseas, alongside China’s securities and foreign exchange watchdogs, substantially increasing its power.
What is China’s Cybersecurity Review Office?
The Cybersecurity Review Office was created in April last year, when China announced its existence in the original version of the Cybersecurity Review Measures. Though the office is part of the internet regulator, the CAC, it includes the involvement of 11 other ministries including the People’s Bank of China, the Ministry of Public Security, and the Ministry of National Security.
The July 10 changes expand the targets under scrutiny from infrastructure operators to also include data processing firms, which can in theory include any tech firm. Moreover, they mandate that any company with more than 1 million users’ personal information must seek a review by the Cybersecurity Review Office before pursuing an overseas listing.
According to a press conference last year, an entity within the office called the China Cybersecurity Review Technology and Certification Center is responsible for receiving materials, doing an initial review, and planning the review process in the case of supply chain certification. The South China Morning Post reported that it’s likely it will also carry out this work for the pre-IPO reviews.
In addition, the China Securities Regulatory Commission joins the CAC and the 11 ministries previously involved in the office to “form a national cybersecurity risk review working mechanism.”
However, though the office will undertake organization of cybersecurity reviews, when it comes to law enforcement actions stemming from the reviews, only the CAC itself has the power to act based on current rules, said Xia Hailong, a lawyer with Shanghai Shenlun law firm, whose practice focuses on tech regulations.
Is there a comparable US regulator?
China isn’t the only country to be concerned about “critical infrastructure.” Government agencies that assess weaknesses in such infrastructure exist in the US and the UK, for example, generally playing advisory roles to government and industry.
Under the US Department of Homeland Security, there’s the Cybersecurity & Infrastructure Agency (CISA), which offers other government agencies and private operators voluntary assessments of their vulnerabilities. The UK, meanwhile, has the Centre for the Protection of National Infrastructure, and the National Cyber Security Centre, the lead government agency for cybersecurity. The latter, for example, has oversight of efforts to annually assess vulnerabilities due to the UK’s use of Huawei products in its telecom infrastructure.
While the Chinese cybersecurity office has some similarities to the Committee on Foreign Investment in the United States, in that CFIUS is also built upon interdepartmental collaboration and concerned with national security-related issues, Angela Zhang, associate professor of law at the University of Hong Kong, said they’re not equivalent to each other.
“In China, there is another national security review regime which deals with foreign acquisitions of domestic assets, and the power is vested mostly in the National Development and Reform Commission and the Ministry of Commerce,” she said. That regime, which goes back to 2011, also became more formalized this year.
The two also have different targets for scrutiny. The review office targets the whole internet industry, covering all companies of that nature, while CFIUS can scrutinize foreign investment into any US company and so covers all industries and firms, said Xia, the lawyer.
How will pre-IPO national security review work?
The revised measures stipulate that firms being reviewed need to submit IPO materials, procurement documents, and an analysis of the potential impact of planned activities on national security.
The new rules add that issues to be examined include the risk of important data or a large amount of personal information being stolen, leaked, illegally used, or flowing overseas. The risk that critical information infrastructure, important data, or personal information could be “influenced, controlled, or maliciously used” by foreign governments has also been added as one of the aspects to be reviewed.
Since the reviews can last anywhere from 45 days for more routine cases to several months for “complex cases,” a direct impact on overseas IPOs is that the planning stage will take far longer.
Another, deeper worry is the broadness and vagueness of the measures, which could push up the compliance costs of companies that are already scrambling to figure out what exactly the regulators want.