On the first working day of the new year, the revised version of the measures for network security review was officially released.
The measures include the situation that the data processing activities carried out by network platform operators affect or may affect national security into the network security review, and it is clear that network platform operators who master the personal information of more than 1 million users must apply to the Network Security Review Office for network security review . According to the actual needs of the review, the measures also add the CSRC as a member unit of the network security review mechanism, and improve the national security risk assessment factors.
million user network platform operator
overseas listing must be reported
Article 7 of the measures stipulates that network platform operators with personal information of more than 1 million users must apply to the Network Security Review Office for network security review when they go abroad for listing.
In this regard, Tian Xuan, vice president of Wudaokou School of finance of Tsinghua University, told Shanghai Securities News that this is to maximize China’s data security on the basis of the principle of prudential supervision. Especially in today’s highly information age, data security has risen to the height of national security.
Tian Xuan said, “the network security review was launched in the United States in the 1980s. After entering the 21st century, the United States has gradually strengthened and improved the national security review and led the international standards. After that, many countries have established a national security review mechanism combining technical and administrative means, which is flexible and strict to protect national interests.”
Guo song, a lawyer of Taihe Tai (Shenzhen) law firm, told reporters, “the revision of the network security review measures can be described as keeping pace with the times, fully considering the urgency and necessity of practical supervision, and coming down in one continuous line with the current network security laws and regulations.”
The network security law, which came into force on June 1, 2017, requires that “the procurement of network products and services by operators of key information infrastructure may affect national security” shall pass the national security review organized by the national network information department in conjunction with relevant departments of the State Council.
The data security law, which came into force on September 1, 2021, proposed that “the state establishes a data security review system to conduct national security review on data processing activities that affect or may affect national security”. Since then, the “network security review system” has been formally established.
The measures for data exit security assessment publicly solicited opinions on October 29, 2021 proposed that personal information processors handling personal information of one million people should apply for data exit security assessment when providing personal information abroad.
“Therefore, we can understand that network operators who ‘control or process personal information to one million people’ can be regarded as’ key information infrastructure operators’. Therefore, important nodes such as listing should pass network security review.” Guo Song said.
some traditional enterprises
also has the obligation to apply for review
Article 7 of the measures also raises another question: although some enterprises have more than 1 million users’ personal information, they belong to traditional enterprises (such as garment manufacturing enterprises, food production enterprises, etc.) and are obviously not Internet enterprises, so do they belong to the audited object?
In this regard, experts believe that when an enterprise has mastered the personal information of more than 1 million users, it is almost unimaginable if it does not involve providing services through the network. In a sense, these enterprises also belong to “data processors”. Therefore, the industry in which the enterprise is located is not the reason to judge whether it applies for network security review.
Guo Song added, “some large-scale chain dental clinics, chain ophthalmic clinics, chain medical and beauty clinics and gene testing institutions also have a lot of user information. If they reach the standard of one million, they should also apply for review in time.”
The relevant person in charge of the state Internet Information Office explained, “Opening to the outside world is China’s basic national policy. We always support domestic enterprises to make rational use of overseas capital markets for financing and development in accordance with laws and regulations. There may be three situations in applying for network security review: first, there is no need for review; second, after starting the review, if it is judged that it will not affect national security, it can continue to go abroad for listing; third, after starting the review, it is judged that it will affect national security , it is not allowed to go abroad for listing. ”
This means that some enterprises engaged in entity business are likely to get a reply of “no review” or “review passed” after declaration. The measures focus on situations where network platform operators carry out data processing activities that affect or may affect national security.
CSRC joins the network security review mechanism
Another highlight of the measures is to increase the CSRC as a member of the network security review mechanism according to the actual needs of the review.
Tian Xuan believes that “by adding the CSRC as a member unit of the network security review mechanism, a strict coordination mechanism has been established. It is impossible to try to avoid the network security review by changing the form. China’s network security implementation ability and security level will be effectively improved.”
Guo Song said, “the Department Reform carried out by the CSRC before helps to perform the review function. In June 2020, the CSRC updated its internal functional department and added a new science and Technology Supervision Bureau. The institutional functions of the science and Technology Supervision Bureau include ‘responsible for building a centralized and unified management data system, carrying out data standardization governance, promoting the construction of big data platform and regulatory data sharing’.”
(Shanghai Securities News)
