Recently, the State Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the Chinese Bank, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the State Secrets Administration, the State Cryptography Administration and other thirteen departments jointly revised and issued the "Network Security Review Measures" (hereinafter referred to as the "Measures"), which will be implemented from February 15, 2022.
The Measures include situations in which network platform operators carry out data processing activities that affect or may affect national security into network security reviews, and make it clear that network platform operators with more than 1 million users' personal information must apply for network security review to the Cyber Security Review Office when going public abroad. According to the actual needs of the review, the CSRC has been added as a member unit of the network security review work mechanism, and the national security risk assessment factors have been improved.
In response to a reporter's question, the relevant person in charge of the State Internet Information Office said, "On September 1, 2021, the Data Security Law was officially implemented, which clearly stipulates that the state shall establish a data security review system. Based on this, we have revised the Measures for Network Security Review, including situations such as the impact or potential impact of national security by network platform operators in carrying out data processing activities, and clearly requiring network platform operators with more than 1 million users' personal information to apply for network security review when going public abroad, with the main purpose of further ensuring network security and data security and safeguarding national security. ”
The person in charge stressed that network platform operators should apply for network security review before submitting listing applications to foreign securities regulators.
It is understood that the Cyber Security Review Office is located in the State Internet Information Office, and the specific work is entrusted to the China Cyber Security Review Technology and Certification Center. Under the guidance of the Cyber Security Review Office, the China Cyber Security Review Technology and Certification Center undertakes tasks such as receiving the declaration materials and conducting formal examination of the declaration materials. The China Cyber Security Review Technology and Certification Center has set up a network security review consultation window.
Regarding the data processing activities involved in the network security review, the above-mentioned person in charge said that according to the Data Security Law, data processing activities include data collection, storage, use, processing, transmission, provision, disclosure and other activities. The Measures focus on situations in which network platform operators carry out the above-mentioned data processing activities, which affect or may affect national security.
Regarding the possible results of the network security review of network platform operators going abroad to apply for listing, the relevant person in charge of the state internet information office said, "Opening up to the outside world is the basic national policy of our country, and we always support domestic enterprises to rationally use the overseas capital market for financing and development in accordance with laws and regulations." The "Measures" make it clear that "network platform operators who have 1 million users' personal information must apply for network security review when going public abroad", and there may be three situations in which the network security review is declared: first, there is no need for review; second, after initiating the review, after research and judgment does not affect national security, they can continue to go abroad to list the procedure; third, after initiating the review, those who affect national security are not allowed to go abroad for listing.
Nandu reporter inquired about the original text of the "Measures", article 5 of which pointed out that where critical information infrastructure operators purchase network products and services, they should prejudge the national security risks that may be brought about by the products and services after they are put into use. Where it affects or may affect national security, a network security review shall be reported to the Network Security Review Office. Departments for the security protection of critical information infrastructure may formulate guidelines for pre-judgment in their respective industries and fields.
Article 6: For procurement activities that declare network security reviews, critical information infrastructure operators shall require product and service providers to cooperate with network security reviews through procurement documents, agreements, and so forth, including undertaking not to take advantage of the facilities of providing products and services to illegally obtain user data, illegally control and manipulate user equipment, and not to interrupt product supply or necessary technical support services without legitimate reasons.
Article 7 of the Measures points out that network platform operators who hold the personal information of more than 1 million users must apply for network security review to the Cyber Security Review Office if they go public abroad. Parties applying for network security review shall submit the following materials: a declaration; an analysis report on the impact or potential impact on national security; procurement documents, agreements, contracts to be signed, or listing application documents such as an initial public offering (IPO) to be submitted; and other materials required for network security review work.
In addition, the Measures clarify that network security reviews focus on assessing the following national security risk factors for relevant targets or situations:
The risk of critical information infrastructure being illegally controlled, interfered with or destroyed by the use of products and services;
Disruption of the supply of products and services to the business continuity of critical information infrastructure;
The security, openness, transparency, diversity of sources, reliability of supply channels and the risk of supply disruption due to political, diplomatic, trade and other factors of products and services;
Compliance of product and service providers with Chinese laws, administrative regulations and departmental rules;
The risk of core data, important data or a large amount of personal information being stolen, leaked, destroyed, and illegally used or exported;
There is a risk that critical information infrastructure, core data, important data or a large amount of personal information will be affected, controlled, or maliciously exploited by foreign governments, as well as network information security risks;
Other factors that can compromise critical information infrastructure security, network security, and data security.
These Measures shall take effect as of February 15, 2022. The Measures for Network Security Review promulgated on 13 April 2020 shall be abolished at the same time.
It is worth noting that the relevant departments have previously organized network security reviews of critical information infrastructure procurement network products and services, and launched network security reviews of Didi, Yunmanman, Truck Gang, BOSS direct employment, etc., to effectively prevent procurement activities, data processing activities and national security risks that may be brought about by foreign listings.
It is understood that the online recruitment platform BOSS Direct Hire landed on the NASDAQ on June 11, 2021; on June 22, 2021, the merger of two Chinese freight platforms "Truck Gang" and "Yunman" formed the Manbang Group listed on the New York Stock Exchange. On June 30, 2021, Didi was listed on the New York Stock Exchange in the United States under the ticker symbol "DIDI". After 156 days of listing in the United States, Didi announced on December 3, 2021 that it would start delisting on the New York Stock Exchange and start preparations for listing in Hong Kong. In July 2021, in order to prevent national data security risks, safeguard national security, and protect the public interest, in accordance with the National Security Law of the People's Republic of China and the Cybersecurity Law of the People's Republic of China, the Cybersecurity Review Office implemented a network security review of Didi Chuxing in accordance with the Measures for Network Security Review. In order to cooperate with the network security review work and prevent the expansion of risks, "Didi Chuxing" stopped new user registration during the review period.
Nandu reporter Manningning
![The United States is here to stir up trouble again! Chinese-funded acquisition of South Korean semiconductor giant plans to "abort"[fig]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)