Hours after an action against ride-hailing giant DiDi Chuxing, the Cyberspace Administration of China (CAC) launched new cybersecurity reviews of three more online services on Monday, including newly-listed truck-hailing service providers (Yunmanman and Huochebang) and an online recruitment app (Boss Zhipin). The stated purpose is to prevent data security risks and to protect national security. Again, during the cybersecurity review, these companies are not allowed to register new users. Data security is a big focus for the Chinese government in a broader attempt to regulate the technology sector which has grown largely unchecked over the years. In June, China passed a new Data Security Law that lays out how companies collect, store and use data. On the other hand, it is also focusing on antitrust and financial technology regulation. In April, e-commerce giant, Alibaba was slapped with a $2.8 billion fine in a antitrust probe and a food delivery firm Meituan is at the moment being investigated for the same reason.
The Measures for Cybersecurity Review was promulgated on April 27 last year by CAC. The Measures, consisting of 22 articles, were promulgated under the authority of the National Security Law and the Cyber Security Law to implement Articles 35 and 59 of the latter statute which established a cybersecurity review requirement on network products and services procured by operators of critical information infrastructure (“CII”) which bears upon national security. The Measures require that CII operators conduct an assessment of potential national security risk exposure prior to procurement of network products or services. If it is determined based on such assessment that the products or services to be procured present potential national security concerns, the CII operator must apply to CAC’s Cybersecurity Examination Office (CEO) for a cybersecurity review. Because of this, the Measures impose an obligation on CII operators to apply for a cybersecurity review when they intend to procure network products and services which present or may present a national security concern (Article 2). The term “may present” is not subject to a reasonableness qualifier which increases the likelihood that the scope of application of the Measures will be broadly construed.
The above incidents that took place during the course of these couple of days have proved that Cybersecurity Law and laws on national security, which provide prohibitive compliance obligations, do have teeth that can bite enterprises real hard. All of this suggest to us that a pre-prepared compliance plan on data safety needs to be in place so as to avoid heavy disruption in business operation. What is important is that significant compliance foresight is required of these enterprises in dealing with China’s data regulators. The compliance climate is unlike before and a great deal of thought should be put into such a plan.
_________
The author, Henry Chen, licensed to practice law in China and New York, is a senior partner at the Dentons office in Shanghai. Before joining Dentons, Henry was AP Compliance Director of Ford. Henry Chen is also Certified Information Security Personnel (CISP) and Critical Information Infrastructure Personnel (CIIP).
Henry Chen is a drafter of China national standard (draft) Information security technology-Cyber-data process security specification (信息安全技术 网络数据处理安全规范).
Henry's practice areas include cyber security and data governance, FCPA, anti-bribery and fraud investigations, economic sanctions and trade controls, compliance management systems, corporate matters and dispute resolution. You can reach Henry by sending an email to henry.chen@dentons.cn. Henry is the author of the book Risk Management on Commercial Bribery in China and the book Compliance Risks of Enterprises in Globalization: Outbreak and Control.
Warren Geng is the executive editor of The Compliance Reviews.