Decoding the latest cybersecurity product review rules

Notwithstanding a lengthy consultation process that commenced in July 2015 when the first draft was published, the PRC Cybersecurity Law (CSL) suffers from significant gaps and ambiguities in practical implementation. Many commentators expected these shortcomings to be addressed through implementing rules issued before the CSL came into effect. The enforcement of many of its key provisions, such as the data localization requirement under Article 37 and the security review requirement under Article 35, depend on implementing measures. Yet, between November 1, 2016, when the CSL was promulgated, and June 1, 2017, when it entered into effect, mostly only draft measures addressing limited questions were issued.

The one exception was with respect to Article 35. The Measures for the Security Review of Network Products and Services (Trial Implementation) (网络产品和服务安全审查办法(试行) (Measures), setting out some details for the security review under Article 35, are the only implementing measures to have been issued to date in final form. The Measures were published by the Cyberspace Administration of China (CAC) in May and came into effect, together with the CSL, on June 1. They do not expressly refer to Article 35 but the language of the Measures permits the inference that they relate to and operate within the scope of Article 35.