The Cyberspace Administration of China, the National Development and Reform Commission and 13 other government departments jointly revised and issued the “Measures for Network Security Review” on Tuesday, which will come into force on February 15, 2022.
The measures add various data processing activities carried out by network platform operators, affecting or possibly affecting national security, into the network security review. Furthermore, the document makes it clear that network platform operators with the personal information of more than one million users must be reviewed by the Network Security Review Office carrying out public listings abroad.
According to the actual needs of the review, the China Securities Regulatory Commission was added as a member of the network security review mechanism, and the national security risk assessment factors were improved.
It is worth noting that the document only puts forward requirements for enterprises to be listed abroad, and doesn’t mention Hong Kong, which means that enterprises planning to list there do not need to conduct network security reviews. However, regulators emphasize that enterprises aiming to be listed in Hong Kong should still take data security seriously.
In addition, the official made it clear for the first time that network security reviews and data security reviews are not equal. Paragraph 2 of Article 22 of the “Measures” document points out that if the state has other provisions on data security reviews and foreign investment security reviews, it shall comply with them at the same time. Article 24 of the Data Security Law implemented on September 1, 2021 stipulates that the state shall establish a data security review system to conduct national security reviews on data processing activities that either affect or may affect national security.