What does Micron tell about China’s national security priorities?
China's concept of "national security" in the economic field is not incomprehensible
On March 31, 2023, the Cybersecurity Review Office of Cyberspace Administration of China (“CAC”) issued a notice on its website, announcing the launch of a cybersecurity review of the products sold by US storage chip giant Micron in China, in order to "safeguard the security of the supply chain for critical information infrastructure, prevent product problems from causing Cybersecurity risks, and maintain national security".
As the investigation was announced, Micron's stock fell 4.4% on March 31, and another 1.2% on Monday, April 3. On April 4, Micron stated in an interview with Bloomberg, "Micron's product shipments, engineering, manufacturing, sales, and other functions are all operating normally." The company also said, "Micron is committed to conducting all business with integrity, and we adhere to product safety and our commitment to customers."
In this issue, we will discuss about the background of this cybersecurity review, why Micron has been singled out, and what this case reveals about China’s national security priorities.
I. What is China’s Cybersecurity Review?
Considering that most readers are not familiar with China's cybersecurity review system and related enforcement situations, we excerpted parts of the analysis by Wu Weiming, a lawyer at Shanghai AllBright Law Offices, as an introduction:
1. China's Cybersecurity Review System
China's cybersecurity review system mainly comes from the "Cybersecurity Review Measures", a departmental regulatory document issued in 2020 and further revised in 2021.
On the afternoon of April 27, 2020, the CAC, the National Development and Reform Commission, and other 12 departments under the State Council jointly issued the "Cybersecurity Review Measures" ("Measures (2020)"). According to the Measures (2020), if the purchaser of network products and services for critical information infrastructure operation affects or may affect national security, a cybersecurity review shall be conducted. The Cybersecurity Review Office of the CAC is the regulatory department for organizing cybersecurity review. The subject of the review, critical information infrastructure operators ("CIIOs"), have the obligation to predict risks and declare them for review in advance for their procurement of network products and services.
In 2021, the CAC published the revised "Cybersecurity Review Measures" after agreeing with 12 other departments. The new "Cybersecurity Review Measures" ("Measures (2022)") came into effect on February 15, 2022. Based on the Measures (2020), the Measures (2022) have expanded the scope of the subject and behavior to be reviewed. Regarding the subject of the review, the Measures (2022) added "data processors" on the basis of CIIOs, which means that the data processing activities of general data processors will also be included in the scope of cybersecurity review. Regarding the scope of the review, the Measures (2022) added data processing activities and foreign listing to the scope of review based on the procurement of network products and services, stipulating that "operators who own personal information of more than one million users and are listed overseas must declare cybersecurity review to the Cybersecurity Review Office."
According to the Measures (2020) and Measures (2022), the following risks are mainly included in the "national security" risks of concern to the cybersecurity review system:
(1) Security of critical information infrastructure, which refers to the risk of critical information infrastructure being illegally controlled, interfered with, or destroyed after the use of products and services.
(2) Security of information infrastructure supply chain, which is another important dimension of security, refers to the harm caused by the interruption of product and service supply to the business continuity of critical information infrastructure, as well as the security, openness, transparency, diversity of sources, reliability of supply channels, and the risk of supply interruption due to political, diplomatic, trade, and other factors.
(3) Data security, which refers to the risk of theft, leakage, damage, illegal use, or export of core data, important data, or a large amount of personal information.
(4) Risk of being manipulated by foreign governments, which refers to the risk of critical information infrastructure, core data, important data, or a large amount of personal information being influenced, controlled, or maliciously utilized by foreign governments after being listed overseas.
2. Cybersecurity Review Enforcement Cases
After the implementation of the cybersecurity review system, the number of review cases initiated by law enforcement agencies is not large but is highly illuminating.
(1) Didi Chuxing and other review cases - Concerns on companies with massive volume of data listed overseas
The cybersecurity review of Didi Chuxing (China's largest ride-hailing platform company) is the first public review case of cybersecurity review announced. On the evening of July 2, 2021, the CAC issued the "Announcement of the Cybersecurity Review Office on Launching a Cybersecurity Review of Didi Chuxing," announcing the cybersecurity review of Didi Chuxing.
Subsequently, the Cybersecurity Review Office launched cybersecurity reviews of BOSS Zhipin (job recruitment platform company), Full Truck Alliance (freight logistics platform company).
Based on the conclusions of the cybersecurity review and subsequent discovery, the CAC has filed an investigation against Didi Global Inc. for suspected illegal activities. On July 21, the CAC imposed a fine of RMB 8.026 billion on Didi Global Inc.
The cybersecurity review of the aforementioned companies is mainly a response measure to the potential impact on national security by companies with massive volume of data (including a large amount of personal information) listed overseas.
In addition to the cybersecurity reviews initiated by the country, after the implementation of the Measures (2022), dozens of companies planning to list overseas have applied for cybersecurity reviews in accordance with the Measures (2022). According to the disclosure in their listing announcements, many companies have passed the review or have been deemed not to require cybersecurity review.
(2) CNKI review case - Focus on important data processing activities
On June 24, 2022, the website of CAC issued the notice "Cybersecurity Review Office Launches a Cybersecurity Review of CNKI," announcing the cybersecurity review of CNKI (a Chinese large academic literature resources search platform). It is reported that CNKI holds a large amount of personal information and important data in key areas such as national defense, industry, telecommunications, transportation, natural resources, health, finance, as well as sensitive information such as China's major projects, important scientific and technological achievements and key technology dynamics. As of now, the case is still under review, and the results are yet to be announced.
Although the definition and identification standards for "important data" have yet to be established by current Chinese laws, a national standard document, "Rules for Identifying Important Data in Information Security Technology (Draft for Solicitation of Comments)", which is undergoing public solicitation of opinions and is expected to become the main defining basis, defines important data as: "data that exists in electronic form, which, once tampered with, destroyed, leaked, or illegally obtained or used, may harm national security and public interests." And noted: "Important data does not include state secrets and personal information, but statistical data and derivative data based on massive personal information may be classified as important data."
Although the definition of "important data" still needs to be further clarified, the legal community generally understands that the cybersecurity review of CNKI means that law enforcement of cybersecurity review for important data processing activities has entered the implementation stage.
II. The Micron Case
Keep reading with a 7-day free trial
Subscribe to Baiguan - China Insights, Data, Context to keep reading this post and get 7 days of free access to the full post archives.