The Cyberspace Administration of China (“CAC”), together with 11 other authorities, has jointly issued the Measures for Cybersecurity Review (the “Measures”), which will take effect on June 1, 2020, and the currently-effective Measures for Examining the Security of Network Products and Services will be repealed simultaneously.
The Measures, developed on the basis of State Security Law and Cybersecurity Law, aim to ensure the safety of the supply chain of critical information infrastructure and guarantee national security. Where the purchase of network products and services by an operator of critical information infrastructure (the "Operator") influences or may influence state security, the Operator shall notify the Cybersecurity Review Office, which is under the CAC, and a cybersecurity review shall be conducted pursuant to the Measures. Based on the Measures, an Operator shall be recognized by the relevant department as protecting critical information infrastructure.
During a cybersecurity review, the state security risk, which may be generated by the purchase of network products and services, will be evaluated and the following factors taken into consideration (among others):
- the risk of illegal control over, disturbance or destruction of critical information infrastructure and the risk of critical data being stolen, divulged or damaged after the use of products and services;
- damage to the continuity of critical information infrastructure business, due to interruption of supply for the products or services;
- the security, openness, transparency and the diversity of sources of products or services, the dependability of the supply chain, and the risk of supply interruption due to factors such as politics, diplomacy or trade;
- conditions of compliance with state laws, administrative regulations and department rules by the provider of products or services; and
- other factors which may endanger the safety of critical information infrastructure and state security.
In declaring a purchase for a cybersecurity review, the Operator shall submit the following materials: (1) a declaration statement; (2) the analysis report of the effect or possible effect on state security; (3) a purchase document, agreement or contract intended to be signed, etc.; and (4) other materials required by a cybersecurity review.
According to the Measures, during purchase activity with a cybersecurity review having been declared, the Operator shall require the provider of products or services, via a purchase document or agreement, to coordinate the cybersecurity review. This includes not illegally acquiring user data, or illegally controlling or manipulating user facilities using advantageous position of providing products and services, and not interrupting the supply of products or necessary technical support services without justification.
The Cybersecurity Review Office shall provide written notification to the relevant Operator if it thinks a cybersecurity review is required and shall complete the preliminary review within 30 working days of such written notification. The time limit may be extended by 15 working days if the case is complicated. As for special review, it shall be completed within 45 working days normally, but the time limit may be extended if the case is complicated. The time for supplemental document submission is not included in these time limits.
According to the Measures, the relevant organizations and personnel involved in the cybersecurity review shall maintain strict confidentiality with regard to the commercial secrets and intellectual property rights of the enterprises. They shall also bear responsibility for the confidentiality of nonpublic materials submitted by operators and other nonpublic information acknowledged during the review, and must not disclose to any irrelevant party, nor for purposes other than the review.
Under Article 65 of the Cybersecurity Law, where operators of critical information infrastructure use network products or services that have neither been reviewed for security, nor passed the cybersecurity review, they shall be ordered by the relevant competent departments to stop using such products or services, and a fine of no less than one, but no more than ten times the purchase amount shall be imposed. As for the persons directly in charge or otherwise directly responsible, a fine of no less than RMB 10,000 but no more than RMB 100,000 shall be imposed.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code