Network Equipment Companies Facing Security Review in China

The Cyberspace Administration of China (CAC) published a set of draft rules on February 4, 2017 to establish a network security review committee, which will be responsible for assessing the security of network equipment and services under the new Network Security Law. The security review is aiming at reducing the risks that network equipment or services may be controlled, interfered, or interrupted, or network users’ personal information may be illegally collected, stored, processed, and used, among other security concerns. Under the draft rules, no political office or “critical information infrastructure operators” (CIIO) in China can purchase any network equipment or services that have not passed the scrutiny of the committee. CIIO is broadly defined, including infrastructure used by the public communications, information services, and public utilities sectors, as well as any other infrastructure that, if damaged or malfunctions, could significantly jeopardize China’s national security or public interests. As public information service providers, data centers and cloud service providers are likely subject to these restrictions.

Currently, there is no restriction on foreign ownership of network equipment companies in China, and many U.S. network equipment companies have established wholly owned subsidiaries there. Although it is not yet clear whether U.S. equity interests will have an adverse impact on obtaining permission from the committee to transact with CIIOs, U.S. companies interested in the Chinese market should get prepared for the increasingly complicated compliance requirements under the Network Security Law. For example, the Network Security Law requires that all CIIOs to enter into security and confidentiality agreements with suppliers when purchasing network products or services. The Network Security Law will take effect on July 1 this year.

Chinese government has always been skeptical of foreign ownership of internet service providers. Foreign investment is strictly prohibited in the operation of data centers. Although it is legally possible for a foreign invested company to obtain an internet content provider license or an internet service provider license, the chance of approval is so slim that most non-Chinese companies chose to go through a “variable interest entity” structure (VIE) for indirect control of a local company with such license.

The VIE structure is certainly not a perfect solution as it could be rendered void by a Chinese court as an intentional circumvention of the Chinese regulations, which has happened in a number of cases. In order to operate cloud services in China, Amazon and Microsoft had to enter into contractual arrangements with local licensed data centers. The legality of such arrangement is not yet completely clear, especially in light of the recent denouncement of “sublicensing” of authorized internet service providers by the Ministry of Industry and Information Technology of China

On February 4, a U.S. judge ordered Google to hand over emails stored outside the U.S. to the FBI as part of a domestic fraud investigation, reversing a previous decision where Microsoft was not forced to hand over emails stored on a server in Dublin. The order, if upheld, could give the U.S. government agencies, such as the FBI, access to information around the globe controlled and retained by a U.S. company. It could also give the to-be-formed network security review committee one more reason to reject U.S. companies’ applications to get the necessary permission to transact with CIIOs in China.