7/10/21 China Cybersecurity Review Measures (Revised)

Author: Rui Ma

I'll try to keep this short, since I've had enough of writing about laws and regulations recently, but I think there are a few facts that could affect the market in the near term.


So first, you probably know by now that there is a Cybersecurity Review Office (CRO) that will be deciding the fate of Didi (and $YMM, $BZ as well). On July 10, 2021, a revised version of the Cybersecurity Review Measures was put forth for public comments. Here's a brief history and some context:


First, there are multiple agencies ("member units") involved in this review. 12, to be exact. Besides CAC, PBOC, SAMR, and of course the national security department are all involved. The original process, proposed in 2019 and as outlined in Chinese in the below graphic, shows pretty clearly that the review could easily exceed 90 days:

  • It takes 30-45 working days (the extra 15 days are for "complicated situations") for the CRO to have a set of preliminary suggestions and to get opinions from the member units
  • The member units will take 15 days to review. If there is agreement, a written document will be delivered to the company under review
  • If there is disagreement, the company will be informed as well, but a 45-day special review process will also be opened. Note that extensions may be granted as needed:
      • The CRO will consult relevant departments, professional organizations and experts for deeper analysis and come up with suggestions
      • The suggestions will be sent to the member units and conclusions sent to the Central Cybersecurity and Information Commission for approval
  • Note that it may take extra time for the company to come up with materials / data for submission, and those days are not counted in the days above


The law was passed on April 27, 2020 and enacted on June 1, 2020 (in Chinese).


Now, let's look at these new revised rules that have just been proposed. Comments are open through July 25, 2021. The key differences are:

  • The CAC + 11 other regulatory bodies all remain, but there is one additional agency, and that is the CSRC
  • Companies with the data of more than 1 million users must apply for a cybersecurity review with the Office before listing abroad
  • It was noted by someone on Twitter that 1 million users is the threshold used by CFIUS for its own investigations into the national security risk of foreign investments. Since China loves looking to the West for precedents, the connection does not surprise me.
  • Documents to be submitted for review now explicitly mention "IPO materials"
  • Considerations for the review have been modified and now include a few changes, including these 2 extra clauses:
      • The risk of core data, important data or a large amount of personal information being stolen, leaked, destroyed, and illegally used or exited the country;
      • The risk that key information infrastructure, core data, important data, or a large amount of personal information will be affected, controlled, or maliciously used by foreign governments after listing in foreign countries;
  • The review process remains the same, but if a special investigation is triggered in the case of disagreement amongst the member units, then the special review is up to 3 months (double the 45 days of the first version). And as before, extensions may be granted.

Does "foreign country" include Hong Kong? Most people think it shouldn't, so here's to hoping HKEX listings do not trigger mandatory reviews, but I do not think it's a given that they will be immune. The original intent of the cybersecurity law wasn't just to protect against foreign misuse, so there must be other occasions for investigation as well. Nonetheless, all of the changes this time seem to be highly targeted against foreign listings -- including CSRC, new clauses, etc. -- so that avenue does seem quite difficult now. And with special investigations taking 45 days + 3 months + extensions, the new frictions could really slow down listings to a trickle, which is what the government is rumored to have intended (and seems to be signaling quite strongly). Your thoughts?
