China has developed its own national security review regime over the past years, but the review process and relevant rules and guidance continue to be subject to further clarifications
In addition to the industries listed under the 2011 Rules, foreign investments in the industries related to culture and information technology products and services are within the scope of national security review.
A ministerial review panel (MRP) was established by China's Ministry of Commerce (MOFCOM) and the National Development and Reform Commission (NDRC) in 2011 pursuant to a set of rules issued by the State Council in the same year ("the 2011 Rules"), which is responsible for conducting national security reviews of foreign investments in Chinese domestic enterprises.
China has expected to issue implementing guidelines and more detailed implementation regulations governing such national security review for foreign investments, but so far, such regulations and guidance have not been issued. On July 1, 2015, China also promulgated the PRC National Security Law (NSL), which is China's most comprehensive national security legislation to date. However, the NSL's provisions do not detail how these security review processes and measures will be implemented by the relevant agencies and local authorities.
Under the 2011 Rules, the MRP reviews foreign-investment transactions following voluntary filings by the parties to the transaction, referrals from other governmental agencies or reports from third parties. A foreign investor must apply for a national security review if the investor acquires equity in, and/or assets of, a domestic enterprise in China in certain sectors, but in contrast, a transaction between two foreign parties involving interests in Chinese companies is generally not subject to the national security review requirement.
TYPES OF DEALS REVIEWED
MOFCOM has circulated an unofficial list of industries for which a national security review for a foreign investment transaction is likely to be triggered. These industries mainly include military or military-related products or services, national defense-related products or services, agricultural products, energy, resources, infrastructure, significant transportation services, key technology and heavy equipment manufacturing. However, since this is not an official publication, it may only have reference value to the determination of whether such filing is required.
SCOPE OF THE REVIEW
The scope of review focuses on the overall risk profile and impact that various M&A transactions may have on China's national security, defense, economy and public interest.
Foreign investments in free trade zones are subject to broader national security review rules. In addition to the industries listed under the 2011 Rules, foreign investments in the industries related to culture and information technology products and services are within the scope of national security review. Furthermore, the national security review rules for free trade zones have expanded the review scope of foreign investments to include greenfield investments and investments through offshore and other contractual agreements that affect or may affect the national security.
TRENDS IN THE REVIEW PROCESS
The NSL's promulgation indicates that China is attempting to implement a more structured and comprehensive system to keep a closer eye on economic deals that might have security implications. However, it is unclear what direction China's national security review will take due to the lack of implementation measures for the NSL. The NSL also discusses the need for the state to pay particular attention to cybersecurity and network data protection for national security purposes. Article 25 of the NSL provides that China shall "build a network and information security safeguard system, enhance network and information security protection capabilities…achieve safe and controllable network and core information technology, critical infrastructures and information systems."
As part of China's overall national security initiative, China's Cybersecurity Law (CSL) became effective on June 1, 2017. It provides additional national security review requirements and standards for companies engaged in or seeking to engage in network and data operations in China. As such, companies must be mindful of the cybersecurity and network protection requirements under the CSL, as the law places additional national security scrutiny for network operators in China.
The CSL primarily focuses on data security protection requirements and standards for critical information infrastructure operators, network operators and financial institutions to protect their networks from interference, damage and unauthorized access, along with the prevention of data leaks, thefts and falsification of information.
The Cyberspace Administration of China (CAC) serves as the primary governmental authority supervising and enforcing the CSL. A tiered network security protection will be further introduced in the future, and various network operators shall comply with their corresponding level of network security requirements.
The CAC has issued various measures to supplement and clarify certain requirements of the CSL. Some of them are still in the proposed draft form. In particular, on April 11, 2017, the CAC published a draft proposal, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, together with the draft guideline on the valuation methods in August 2017. These draft rules extend the data localization requirement under the CSL for critical information infrastructure operators to other network operators, requiring such operators to undergo security assessments in order to transfer data to destinations outside of China. At this point, these drafts have not been published as final regulations; however, they represent a real possibility of what the final regulations could require.
Besides the rules on transborder data transmission control, the Measures for the Security Review of Network Products and Services was finalized and came into effect along with the CSL on June 1, 2017, which provides detailed provisions regarding the security review standards of network products or services purchased by critical information infrastructure operators that may affect national security. The measures focus on verifying whether such products or services are "secure and controllable," and the review process will take the form of a security risk assessment of the products or services purchased by these operators.
Further, on May 21, 2019, the CAC published the Draft Measures for Cyber Security Review. The draft measures provide the specific circumstances that require cyber security review when a critical information infrastructure operator purchases network products and services. In particular, the draft measures provide for detailed materials and information to be submitted for cyber security review and the timeline of the cyber security review. Although the draft measures are in draft form, they provide the guidance on how the security review will be carried out. In light of the above, China is expected to continue to issue implementation and national security review standards and requirements under the CSL, specifically targeting companies seeking to operate as critical information infrastructure operators or other network operators in China.
In addition to the NSL and the CSL, China has promulgated the Foreign Investment Law (FIL) in March 2019, which will become effective on January 1, 2020. It has reiterated that China will establish a security review system for foreign investment under which the security review can be conducted for any foreign investment that affects or may affect the national security. In light of the NSL, the CSL and the FIL, foreign investors should continue to monitor the developments of China's national security review process.
HOW FOREIGN INVESTORS CAN PROTECT THEMSELVES
Until issuance of implementation rules to the NSL, foreign investors should continue to be mindful of the terms and conditions of the 2011 Rules and pay special attention to transactions that might fall within the industries that are likelier to trigger national security concerns for MOFCOM. Non-Chinese buyers should also be cautious when completing transactions before obtaining a national security approval, since such buyers might be forced to divest the acquired assets if the transaction ultimately fails the security approval process. Due to enforcement uncertainties and the broad scope of captured industries, foreign investors interested in sensitive industries often schedule voluntary meetings with MOFCOM officials to determine the national security review risk before commencing the formal application process.
REVIEW PROCESS TIMELINE
The timeline used in practice and details of the national security review process in China are unclear, as information related to each individual application is not publicly available. The timeline below is based on the 2011 Rules:
- MOFCOM will submit an application to a MRP for review within five working days if the application falls within the scope of review
- MRP will solicit written opinions from relevant departments to assess the security impact of the transaction. It could take up to 30 working days to complete the general review process
- MRP will conduct a special review of the application if any written opinion states that the transaction may have security implications and will conduct a more detailed security assessment of the overall impact of the transaction. A final decision from the review panel will be issued within 60 working days of the start of the special review
2019 UPDATE HIGHLIGHTS
- The CSL became effective on June 1, 2017. The CSL primarily focuses on the security protection of data and information for critical information infrastructure operators and other network operators
Throughout recent years, the CAC issued various draft and final measures aiming to provide more clarity to the CSL and the scope of its implementation. The CAC also made multiple proposals for public comment on additional measures aiming to extend the data localization requirement under the CSL to cover other network operators, which would require all such operators to undergo security assessments in order to transfer data to destinations outside of China.
We expect to see further developments and clarification on the scope and impact of the CSL in the near future, and companies should keep a close eye on how the measures proposed and finalized by the CAC under the CSL would affect their business and operations going forward.
The FIL was promulgated in March 2019, which has enforced the principle that China will have a national security review system for foreign investments and will review transactions that have or could have national security concerns.
In April 2019, NDRC replaced MOFCOM as the regulatory authority accepting the application for national security review.
- Generally, the outcomes of a national security review are as follows:
- The investment may be approved by MOFCOM, including with mitigation conditions
- The MRP will terminate a foreign investment project if it fails the national security review
- If the Chinese government has national security concerns about a transaction that is not submitted for approval, parties could be subject to sanctions or mitigation measures, including a requirement to divest the acquired Chinese assets
- A foreign investor may withdraw its application for national security review only with the MRP's prior consent
- Decisions resulting from a national security review may not be administratively reconsidered or litigated