Network platforms holding the personal information of more than 1 million users must apply for network security review when going public abroad

Recently, the State Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the Chinese Bank, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the State Secrets Administration and the State Cryptography Administration, thirteen departments in all, jointly revised and issued the "Network Security Review Measures" (hereinafter referred to as the "Measures"), which will be implemented from February 15, 2022.

The relevant person in charge of the State Internet Information Office said that network security review is an important legal system in the field of network security, and since the implementation of the original Measures on June 1, 2020, it has played an important role in ensuring the security of the supply chain of critical information infrastructure and safeguarding national security. In order to implement the requirements of laws and regulations such as the Data Security Law, the State Internet Information Office and relevant departments have revised the Measures.

The Measures bring situations in which network platform operators carry out data processing activities that affect or may affect national security within the scope of network security review, and make it clear that network platform operators holding the personal information of more than 1 million users must apply to the Cyber Security Review Office for a network security review when going public abroad. In line with the actual needs of the review, the CSRC has been added as a member unit of the network security review work mechanism, and the national security risk assessment factors have been improved.

The relevant person in charge of the State Internet Information Office said that the revision of the Measures is of great significance to ensuring national network security and data security.

Q&A

Applying for a cybersecurity review may have three outcomes

The relevant person in charge of the State Internet Information Office answered reporters' questions on issues related to the "Measures for Network Security Review".

Q: Please briefly introduce the background of the revision of the "Measures"?

A: Cybersecurity review is an important legal system in the field of cyber security. Since its implementation on 1 June 2020, the original Measures have played an important role in ensuring the security of the critical information infrastructure supply chain and safeguarding national security by reviewing the procurement activities of critical information infrastructure operators and initiating a review of some important products.

On September 1, 2021, the Data Security Law came into effect, clearly stipulating that the state shall establish a data security review system. Based on this, we have revised the Measures for Network Security Review, bringing into their scope situations in which network platform operators' data processing activities affect or may affect national security, and clearly requiring network platform operators holding the personal information of more than 1 million users to apply for network security review when going public abroad, with the main purpose of further ensuring network security and data security and safeguarding national security.

Q: What are the possible results when network platform operators listing abroad apply for network security review?

A: Opening up to the outside world is China's basic national policy, and we always support domestic enterprises in rationally using the overseas capital market for financing and development in accordance with laws and regulations. The "Measures" make it clear that "network platform operators who hold the personal information of 1 million users must apply for network security review when going public abroad", and there may be three situations when a network security review is applied for: first, there is no need for review; second, after the review is initiated and research and judgment finds that national security is not affected, they can continue with the overseas listing procedures; third, after the review is initiated, those found to affect national security are not allowed to list abroad.

Q: How to understand the data processing activities involved in cybersecurity reviews?

A: According to the Data Security Law, data processing activities include activities such as data collection, storage, use, processing, transmission, provision, and disclosure. The Measures focus on situations in which network platform operators carry out the above-mentioned data processing activities, which affect or may affect national security.

Q: When do network platform operators listing abroad apply for network security review?

A: Network platform operators should apply for network security review before submitting a listing application to foreign securities regulators.

Q: How are the application materials for the network security review of foreign listings submitted?

A: The Cyber Security Review Office is located in the State Internet Information Office, and the specific work is entrusted to the China Cyber Security Review Technology and Certification Center. Under the guidance of the Cyber Security Review Office, the China Cyber Security Review Technology and Certification Center undertakes tasks such as receiving the declaration materials and conducting formal examination of the declaration materials. The China Cyber Security Review Technology and Certification Center has set up a network security review consultation window.

Source: China Netinfo

Analysis

National circumstances can be inferred from personal data

According to Article 2 of the Measures for Network Security Review, in addition to critical information infrastructure operators purchasing network products and services, network platform operators carrying out data processing activities that affect or may affect national security shall also undergo a network security review. The Cyberspace Administration of China pointed out that data processing activities include data collection, storage, use, processing, transmission, provision, disclosure and other activities. Qin Hailin, president of CCID Consulting of the CCID Research Institute of the Ministry of Industry and Information Technology, explained that this revision is an inevitable requirement for the development of big data.

Qin Hailin said: "Because now many to-C companies collect personal data, but through personal data, you can actually use big data analysis methods to understand the basic behavior of people in this part of the country, and you can also judge the economic and social activities of the country and the region. Then it is a very important message for an individual country."

Apps in the domestic top 1,000 can exceed one million monthly active users

Article 7 of the Measures makes it clear that network platform operators who hold the personal information of more than 1 million users must apply to the Cyber Security Review Office for a network security review if they go public abroad. Some organizations have released lists showing that even apps ranked in the top 1,000 in China have more than 1 million monthly active users. According to expert analysis, since these apps collect users' personal information to a greater or lesser extent, this means that Internet platforms listing abroad basically all have to apply for network security review.

The Measures also add the CSRC as a member of the network security review work mechanism. Qin Hailin believes that this mainly reflects the actual needs of the review, "because listed companies also have their own rules about which information can be disclosed and which cannot, so the CSRC is to participate and to speak out. Other departments do not know what some of the requirements of listed companies are, or what the openness of financial data is, and after the CSRC is added, it will strengthen the supervision of the company's overall operation."

The listing of enterprises should be in line with national security

In terms of national security risk assessment factors, the Measures add two articles, namely: the risk of core data, important data or a large amount of personal information being stolen, leaked, destroyed, and illegally used or illegally exported; the risk that critical information infrastructure, core data, important data or a large amount of personal information is affected, controlled or maliciously used by foreign governments, and the risk of network information security.

Qin Hailin said: "Even if you add the 'traffic light' of national security, there is a monitoring of the growth of the enterprise, not how you maximize the benefits. Because many enterprises are listed, the capital market has an assessment of it, and a high evaluation of the capital market does not mean that the strength and competitiveness of this enterprise must be strong, and this premise is also another, that is, to meet national security."

Central Broadcasting Network
