GC Agenda China: May 2017

Practical Law UK Articles w-008-3946 (Approx. 10 pages)

GC Agenda China: May 2017

by Brad Herrold, Consultant and Practical Law China

CAC issues trial measures on security review of network products and services

On 2 May 2017, the Cyberspace Administration of China (CAC) issued the Measures on the Security Review of Network Products and Services (for Trial Implementation).

The CAC circulated a draft version of the measures in February 2017 (see Legal update: CAC circulates draft security review measures for network products and services).

The measures partially implement the Cybersecurity Law of the People's Republic of China 2016 (2016 Cybersecurity Law) by imposing a security review procedure in relation to the procurement of:

Important network products and services purchased for networks and information systems that relate to national security.
Network products and services purchased by operators of critical information infrastructure (CII), such as public communications and information services, energy, transportation, water conservation, finance, public service and e-government and other critical infrastructure, that are likely to affect national security.

As in the draft, the focus of the security review in the measures centres on a risk analysis of the "security and controllability" of a network product or service. Factors for consideration in relation to the risk assessment include:

Security risks associated with the product or service itself and the risk that the product or service may be illegally controlled, interfered with or suspended.
Security risks in the supply chain of the product and key components arising during their production, testing, delivery and technical support.
Risks that the provider of the product or service may take advantage of their vendor position to illegally collect, store, process or use the information of users.
Risks that the provider of the product or service may take advantage of users' reliance to jeopardise cybersecurity or infringe upon the interests of users.
Other risks that may endanger national security.

The final version deleted a provision in the draft that required the Communist Party and government departments, as well as "key sectors", to purchase on a priority basis only network products and services that have passed a security review.

The CAC will establish a cybersecurity review commission to formulate cybersecurity review policy and a cybersecurity review office to implement security reviews through a combination of experts, third-party evaluations, laboratory testing, onsite inspection, online monitoring and background investigation.

The measures will take effect on 1 June 2017, together with the 2016 Cybersecurity Law (for more information, see Legal update, China passes Cybersecurity Law).

For more coverage of this development, see Legal update, CAC issues trial measures on security review of network products and services.

Market reaction

Paul McKenzie, Managing Partner, Morrison & Foerster, Beijing and Shanghai

"The measures are the first associated with implementation of the 2016 Cybersecurity Law to have been issued in final form, notwithstanding that the law comes into effect 1 June. They leave open as many questions as they answer. The law will require operators of 'critical information infrastructure' to undertake security review in relation to purchases of network products and services that 'may affect national security'. What counts as 'critical information infrastructure' and what specific products and services are likely to be regarded as affecting national security? These threshold questions still await guidance from regulators."

Action items

GC for manufacturers and suppliers of network products and services, as well as operators of CII, will want to closely study the measures and the 2016 Cybersecurity Law and work with the CAC and industry regulators to assess the application of the measures to their specific businesses and, if applicable, to understand and implement the security review procedure.

CAC issues new rules on internet news information services

On 2 May 2017, the CAC issued the Provisions on the Administration of Internet News Information Services, which will take effect 1 June 2017.

The CAC circulated a draft of the provisions in January 2016 (see Legal update, SIIO circulates revised draft regulations on internet news services).

The final version augments similar rules under the same name legislation promulgated in 2005.

Under the provisions, the term "news information" carries largely the same meaning as under the 2005 rules, that is, reports and comments on:

Social and public affairs such as politics, economy, military affairs and foreign affairs.
Social emergencies.

Like the 2005 rules, the provisions prohibit foreign investment in this sector and require a provider of internet news information services to obtain an internet news information service licence (互联网新闻信息服务许可) from the CAC or its competent local counterpart.

The provisions, however, expand the scope of "internet news information services" to reflect technological changes that have occurred since 2005 and govern all internet news and information services provided to the public, through forms such as websites, applications, forums, blogs, micro-blogs, public accounts, instant messaging tools and webcasts.

Unlike the 2005 rules, private investment in the editorial business of any internet news information service provider is expressly prohibited, and the business operation and editorial functions of the service provider must be separated.

In addition, the provisions require an internet news information service provider to:

Perfect information security, the real-time inspection of public information, and emergency response systems.
Only provide services to users who are registered under their real identity, and protect users' personal information.
When reprinting news information, indicate the original author and title, and ensure the source of the news information can be traced.
Prominently display the internet news information service licence number on its website, establish a convenient complaint reporting channel, and timely respond to complaints.

For more coverage of this development, see Legal update, CAC issues new rules on internet news information services.

Market reaction

Gordon Milner, Partner, Morrison & Foerster, Hong Kong

"The core regulatory regime governing internet services in China has been extensively re-engineered over the past two years. Many of the provisions, such as the real-name registration and information security requirements, bring the 2005 rules into line with that regime. Others, such as the expansion to cover new media channels and technologies, capture apps which historically have occupied a grey area in the law. Moreover, the requirements to separate editorial functions and cite sources represent new material steps in a trend toward tightening control over editorial content and clamping down on the viral spread of stories the authorities consider 'fake news'."

Action items

The provisions expressly prohibit foreign investment in this sector. Counsel for all domestic providers of internet news information services, no matter the application, should take immediate steps to initiate or tighten mechanisms to ensure compliance with the provisions, including separating editorial and business functions, ensuring the traceability of published information, protecting personal data, and responding to consumer complaints and the demands of regulators.

China further opens market to foreign-invested banks

On 10 March 2017, the China Banking Regulatory Commission (CBRC) issued the Notice on Matters concerning the Operation of Certain Business by Foreign-invested Banks.

The notice further opens the market for certain financial products and services to foreign-invested banks, and in some cases to the China branches of foreign banks.

Specifically, the notice permits:

Banks organised in China as wholly foreign-owned enterprises (WFOEs) and Sino-foreign equity joint ventures (EJVs) to engage in various activities without first obtaining an administrative licence from the CBRC. For example, underwriting treasury bonds, and directly investing in domestic banking financial institutions (simplifying the investment process by removing the requirement to obtain approval from the parent bank groups of WFOE and EJV banks).
Banks organised in China as WFOEs and EJVs, and the China branches of foreign banks, to engage in various activities without first obtaining an administrative licence from the CBRC. For example, custodial business, financial advisory services and comprehensive financial services for their overseas bond issuance, listings, mergers and acquisitions, financing and other activities in co-operation with their parent banking group.

These changes are subject to the administrative licensing and other requirements of the CBRC and other administrative departments.

For more coverage of this development, see Legal update, China further opens market to foreign-invested banks.

Market reaction

Ren Gulong, Partner, Anjie Law Firm, Beijing

"The CBRC notice will promote competition in the banking industry by facilitating the business of foreign-invested banks in China. In the short term, it will not significantly impact China's banking industry since current foreign-invested banks account for a small percentage of China's total banking assets. In the long term, however, as the financial demands of Chinese enterprises expand globally, domestic banks will face challenges from international banks, which have a global network and are more sophisticated in universal banking business."

Action items

GC for foreign-invested banks and the China branches of foreign banks will want to inform business colleagues in China and abroad of any expanded business opportunities presented by the notice, as well as the reporting and other administrative requirements for each new product and service.

CAC issues rules on internet content administrative enforcement procedures

On 2 May 2017, the CAC issued the Provisions on the Administration of Internet Information Content Administrative Enforcement Procedures (互联网信息内容管理行政执法程序规定), which will take effect 1 June 2017.

The provisions establish unified, nationwide procedures for implementing and supervising the administrative enforcement of China's internet content rules in accordance with the 2016 Cybersecurity Law.

The provisions also include links to document templates that must be used by the CAC and its subordinate offices (each, a CAC office) at each stage in a case. The templates serve to standardise the procedures for administrative enforcement and increase transparency.

Specifically, the provisions contain the following key requirements:

Jurisdiction. Cases must be managed by the CAC office in the jurisdiction where a violation occurs, except where it must be transferred to a higher-level CAC office, a separate administrative department or the judiciary (if the facts of the case suggest criminal activity).
Case filing. Investigators must recuse themselves from a case, or a party can require recusal, if an investigator (or a close relative) is a party or has a direct interest in the case.
Investigation and evidence collection. Investigators may collect electronic data, that is, data that is stored, processed or transmitted in digital form, provided the collection is lawful and conforms to national and industry standards and technical specifications. Parties and responsible persons must confirm transcripts and other evidence, or the investigator must record the refusal or failure to confirm.
Hearings and interviews. CAC offices must notify parties of their procedural rights to request a hearing before a CAC office makes a major administrative penalty decision.
Punishment decisions and service. If a party fails to make a statement or defence within three business days after receipt of a Notice of Administrative Punishment Opinion (行政处罚意见告知书), it waives this right.

For more coverage of this development, see Legal update, CAC issues rules on internet content administrative enforcement procedures.

Market reaction

Chuan Sun, Partner, Morrison & Foerster, Hong Kong

"The provisions are the first procedural rules issued under the 2016 Cybersecurity Law and aim to standardise the administrative law enforcement activities with respect to internet information content. The provisions contain detailed procedural requirements and template documents that will enhance the transparency and efficiency of the enforcement process. That said, it remains to be seen how effectively the provisions will be implemented by the local CAC offices."

Action items

No specific action is required as a result of this development. However, counsel should be aware of, and should ensure that external counsel fully understands, the procedures for implementing and supervising the administrative enforcement of China's internet content rules, as well as the substance of the template documents.

SPC and SPP release interpretation on criminal infringement of personal information

On 9 May 2017, the Supreme People's Court (SPC) and the Supreme People's Procuratorate (SPP) jointly released the Interpretation on Several Issues on the Application of Law to the Adjudication of Criminal Cases involving the Infringement of Citizens' Personal Information (关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释), which takes effect 1 June 2017.

The interpretation clarifies certain terms related to criminal infringement of citizens' personal information under the ninth amendment to the Criminal Law of the People's Republic of China 1997, which provides for criminal sentences for "serious" and "particularly serious" offences.

The interpretation defines "personal information" as various information recorded by electronic or other means that can be used alone or in combination with other information to identify a natural person's identity or reflect the activities of a natural person, such as name, identity document number, account password, property status, and location.

"Serious" offences include obtaining, selling or providing citizens' personal information:

On the whereabouts, communications content, credit information or property information, and of 50 pieces or more.
On personal factors that may affect personal and property security (such as health and transaction information), and of 500 pieces or more.
On other personal information, and of 5,000 pieces or more.
That generates illegal gain of RMB5,000 or more.
When obtained while performing duties or providing services, and the sum of the quantities or amounts exceed half of these thresholds.
When one has been subject to criminal penalties for infringing upon a citizen's personal information or has been subject to administrative penalties within two years.
When certain kinds of personal information are illegally obtained during legitimate business activities, and either the offence generates illegal gain of RMB50,000 or more, or the perpetrator has been subject to criminal penalties for infringing upon a citizen's personal information or has been subject to administrative penalties within two years.

"Particularly serious" offences include infringement involving quantities or amounts ten times these thresholds, or where the act either:

Causes serious consequences such as death, serious injury, mental disorder or kidnapping.
Results in significant economic losses or an adverse social impact.

The person in charge and other directly responsible persons are subject to punishment as individuals where a business or other unit infringes upon a citizen's personal information.

For more coverage of this development, see Legal update, SPC and SPP release interpretation on criminal infringement of personal information.

Market reaction

Jeanette Chan, Partner, Paul, Weiss, Rifkind, Wharton & Garrison, Hong Kong

"In addition to providing much needed definitions for the key terms in Article 253 of the 1997 Criminal Law, the interpretation sets forth more clearly the conviction and sentencing criteria for the infringement of personal information. The sentencing criteria in general have been lowered to crack down on the rampant leaking of personal data. In particular, companies that violate Article 253 will be fined and senior management and other persons directly responsible will be sanctioned."

Action items

GC for any company that gathers or stores the personal information of Chinese nationals, including employees, customers, suppliers, will want to review the interpretation and Article 253 of the 1997 Criminal Law, explain to senior management the corporate penalties and personal liability at stake, and ensure that documented steps are taken to avoid leaks and unauthorised uses of this personal data.

SAIC issues opinions to push full digitisation of enterprise registration

On 10 April 2017, the State Administration for Industry and Commerce (SAIC) issued the Opinions on Implementing the Full Digitisation of Enterprise Registration (关于推行企业登记全程电子化工作的意见).

The opinions call on the SAIC's local counterparts to complete the digitisation of China's enterprise registration system by the end of October 2017.

The main tasks for implementing a nationwide online registration system for all types of enterprises are to:

Develop enterprise registration procedural standards by, optimising registration procedures, standardising documentary requirements and forms, using various complementary methods (such as the continued provision of onsite registration services and paper business licences) and using information technology to improve efficiency, particularly in the review process.
Accelerate the construction of the electronic registration system by completing the enterprise electronic registration management system, standardising the administration of system users, accepting electronic signatures, establishing a traceability mechanism to ensure the integrity of the system and incorporating innovative service functions such as mobile notifications.
Strengthen the management of electronic archives by collecting electronic versions of application documents, examination forms, database documents and images (which will have the same legal effect as paper archives), saving permanent electronic files, introducing search functions (with protections for personal and proprietary information) and ensuring prompt and complete electronic file transfers, where necessary.
Strengthen information disclosure and credit supervision by promptly publishing basic information and business licenses and linking to the national enterprise credit information system, and strengthening disciplinary measures for providing fraudulent information and materials.

For more coverage of this development, see Legal update, SAIC issues opinions to push full digitisation of enterprise registration.

Action items

No specific action is required as a result of this development, but counsel should be aware of the government’s efforts to digitise business registration generally and work with officials at the competent administration(s) for industry and commerce to identify and implement specific changes going forward.

MOFCOM issues new rules on automobile sales

On 5 April 2017, the Ministry of Commerce (MOFCOM) issued the Administrative Measures for Automobile Sales, which will take effect 1 July 2017.

The measures will replace the Implementing Measures for the Administration of Automobile Brand Sales 2005 (汽车品牌销售管理实施办法), which are currently in effect.

The old measures standardised the distribution of automobiles in China by requiring dealers to obtain authorisation from a manufacturer or other supplier and sell only that brand of vehicle, leading to the formation of the existing authorised dealer "4S" (sale, spare part, service, and survey) distribution model.

The new measures further open the automobile distribution market by:

Permitting authorised and unauthorised dealers to sell multiple brands of vehicles.
Restricting suppliers' ability to abuse their leverage over dealers and, ultimately, over consumers.

Specifically, the measures require (among others):

Suppliers and dealers to provide certain certificates, manuals and other documents upon delivery.
Dealers and after-sales service providers to specify and document the quality of spare parts.
Suppliers and dealers to establish consumer complaint systems and to respond to complaints within seven business days.

The measures also prohibit suppliers from engaging in anti-competitive behaviour, including (among others):

Requiring dealers to have sales, after-sales services and other functions at the same time.
Prescribing the types and quantity of whole vehicles or spare parts in stock, or the sales volume of dealers, unless agreed with the dealer.
Restricting dealers from selling vehicles and spare parts or providing after-sales services for other suppliers.
Tying products and services not ordered by dealers.
Interfering with a dealer's human resources, financial management and other autonomous business matters.
Restricting the resale of suppliers' products among dealers.

The measures also prohibit suppliers from selling directly to consumers within a dealer's designated sales territory, unless agreed with the dealer.

For more coverage of this development, see Legal update, MOFCOM issues new rules on automobile sales.

Action items

GC for companies engaged in the manufacture or sale of automobiles in China will want to closely study the measures, review existing distribution arrangements, inform clients on the potential for increased competition (or the opportunities for new distribution channels), and advise clients against engaging in anti-competitive behaviour.

GC Agenda China: May 2017 | Practical Law