Overseas listing review clarifies that a large number of personal information is included in the risk assessment

Zhou Yingmei, a reporter of the Economic Observation Network

On January 4, the official WeChat account of the Cyberspace Administration of China (CAC) released a message showing that the CAC and 13 other departments recently jointly revised and issued the Measures for Network Security Review (hereinafter referred to as the "Measures"), which were revised in accordance with the newly implemented Data Security Law and other laws and regulations, and will be formally implemented on February 15, and the original measures implemented on June 1, 2020 will be abolished.

Previously, as mentioned in the July Draft measures, "network platform operators who hold more than 1 million users' personal information must apply for network security review to the Cyber Security Review Office if they go public abroad", and Article 7 of the newly revised Measures clearly stipulates.

In addition to the procurement documents, agreements, contracts to be signed, etc., the materials submitted by the platform operator for the network security review have been added to the IPO listing application documents. It also requires platform enterprises to apply for network security review before submitting listing applications to foreign securities regulators.

Zhao Zhanzhang, a lawyer at Beijing Yunjia Law Firm, said that the vast majority of individual users of Internet company platforms exceed 1 million, so overseas listings are basically within the scope of review.

"For Internet companies with a relatively large user base, going overseas for listing does not need to be considered for the time being." After the security review of the overseas listing of platform enterprises is clearly stipulated, Bai Jian, president of Polyway, believes that the overall enterprise level is still expected, but it is more clear. "For enterprises, capital strategy needs to be considered more, especially for overseas investment funds."

Compared with the original method, the newly revised method has also changed from 12 to 13 joint leading departments. According to the actual needs of the review, the CSRC will be added as a member unit of the network security review work mechanism.

Compare where the original method has changed

The newly revised measures are formulated in accordance with laws and regulations such as the National Security Law, the Cybersecurity Law, the Data Security Law, and the Regulations on the Security Protection of Critical Information Infrastructure, and are revised on the basis of the Cybersecurity Review Measures implemented on June 1, 2020.

In addition to clarifying that "a network operation platform with 1 million pieces of user information" must be declared for review when going abroad for listing, the new measures also add two security risk factors that are the focus of the review. Including: the risk of core data, important data or a large amount of personal information being stolen, leaked, destroyed, and illegally used or illegally exported abroad; the risk that critical information infrastructure, core data, important data or a large amount of personal information is affected, controlled, or maliciously used by foreign governments, as well as network information security risks.

It's all about the security risks of a lot of personal information leaving the country. The previous security risk assessment was mainly the risk of critical information infrastructure being illegally controlled and damaged, the security of products and services, and the harm of supply interruption to critical information infrastructure business.

Zhao Zhanzhang, a lawyer at Beijing Yunjia Law Firm, said that the network security review focuses on assessing the risk factors affecting national security, and ultimately decides the results of the review accordingly, as well as the specific impact of the network security review on platform companies.

According to the introduction, there may be the following three situations in the network security review: first, there is no need for review; second, after initiating the review, after the review is initiated, those who have not affected national security can continue to go abroad for listing procedures; third, after initiating the review, those who have been judged to affect national security are not allowed to go abroad for listing.

In addition, the newly revised measures also make it clear that "the special review procedure shall generally be completed within 90 working days, and the complicated circumstances may be extended." "Compared with the special review procedure provided for in the original measures, it was completed in 45 working days, which has been extended. The general procedure for accepting network security review is the same as the original measures, and the Network Security Review Office believes that platforms that need to carry out network security reviews may complete the preliminary review within 30 working days from the date of receiving the written notice, and if the situation is complicated, it may be extended by 15 working days.

How to affect the platform

Zhao Zhanzhan said that the censorship system is mainly considered from the two levels of network security and national security, and the information that user information is illegally provided to overseas or these platforms should be provided by foreign regulators may involve China's network security and national security.

"It is impossible to estimate how long the special review process will last, and the cybersecurity review time of Didi, Manbang and BOSS Direct Employment has exceeded 90 working days." Zhao Zhanzhan said that the extension of the review time will directly affect the listing process of enterprises listed overseas.

On the other hand, in the company's operation, companies facing network security review will usually take certain measures during the network security review stage to prevent further expansion of security risks, such as stopping new user registration, removing products, etc. The review time is long, which will have a significant impact on business operations.

Bai Jian believes that in addition to affecting overseas listings, another important point is that enterprise data processing must be very cautious and careful, "in the future this aspect should be a red line." ”

The cybersecurity review is focused and also involves a large number of data processing activities. According to the Data Security Law, data processing activities include activities such as data collection, storage, use, processing, transmission, provision, disclosure, etc. The newly revised measures focus on situations in which network platform operators carry out the above-mentioned data processing activities, which affect or may affect national security.

In addition, Bai Jian said that it is to serve the B-side of the enterprise, although its own user base may not be so much, but the end customer's user base may be more than this, this aspect of the enterprise can not fail to pay attention to this method.

A securities industry official said that cybersecurity censorship has become stricter, and no company is easy. "Those who do not plan to be listed in the short term or have completed the listing are the same, and they need to be reviewed by themselves, and the security review department will also conduct spot checks."