New Articles

Winter 2019 U.S.- China Cybersecurity Update

cybersecurity

Winter 2019 U.S.- China Cybersecurity Update

It is difficult to accurately speculate on the progress of U.S.-China trade negotiations, as media reports on the status of key policy proposals seemingly differ each day depending on the transparency and messaging agenda of the sources involved. However, what has been certain during the winter of 2019 is that major updates to U.S. and Chinese cybersecurity regulations are in the process of being implemented, and these developments stand to set key precedents for the intersection of applicable foreign investment and cybersecurity regulations in the U.S. and China.  

Building on our previous two articles regarding U.S. economic espionage concerns and updated U.S. foreign investment restrictions, this article will provide an overview of notable cybersecurity legislative and investigative developments that will likely dictate the near future of critical facets of U.S.-China relations in the 21st century, including (1) the implementation of China’s revised cybersecurity legislation known as the Multi-Level Protection Scheme (“MLPS 2.0”); (2) the Committee on Foreign Investment in the United States (“CFIUS”) reported investigation into the popular social media app TikTok; and (3) the race to implement 5G infrastructure and ongoing speculation regarding Huawei’s licensing status.

1. Implementation of China’s Multi-Level Protection Scheme (MLPS 2.0)

In 2017, China implemented comprehensive cybersecurity legislation commonly referred to as China’s Cybersecurity Law (“CCL”) in efforts to consolidate authority over and standardize regulation of the internet and cyberspace. The CCL includes strict prohibitions on how companies, particularly U.S. and other foreign companies, can store data and interact online.  For example, the CCL requires that network operators in China cooperate with and provide support to government agencies in support of safeguarding national security, and additional provisions have been passed in recent years under the CCL that provide broad authorizations for law enforcement agencies to inspect and monitor internet service providers and computer network data centers. Foreign companies and human rights organizations have criticized the CCL as regressive legislation that fosters state censorship and surveillance and lacks sufficient privacy protections.

Article 21 of the CCL codified China’s requirements for network operators to implement a cybersecurity “multi-level protection system” that includes mandates to implement and adopt certain technical measures and security protocols to monitor and record network activity. Article 37 imposes certain data localization requirements and requires “critical information infrastructure” operators to store personal information and important data gathered or produced within the mainland territory of China.

On December 1, 2019, MLPS 2.0 will take effect, and will impact how U.S. companies and other foreign companies can do business online and store electronic data in China. A draft of the new regulations was first released in June 2018, and the revised MLPS 2.0 incorporates three information security technology standards that in effect will broaden the Chinese government’s authority, particularly that of the Ministry of Public Security, to proactively supervise, manage, and enforce cybersecurity regulations and restrictions on companies operating in China.

The expanded monitoring and enforcement authorities that MLPS 2.0 provides the Chinese government has provoked increasing privacy concerns for foreign firms, particularly those handling sensitive data. The regulations provide stringent mandates on how foreign companies must secure their networks, utilize local sever systems, and cooperate with government authorities. As the new law enters into effect on December 1, 2019, it will be critical for U.S. companies operating in China to understand how the new laws will impact their operations. Companies that store and utilize sensitive personal data, U.S.-regulated technology or technological data, or proprietary intellectual property and trade secrets will have to ensure compliance with both U.S. and Chinese regulations governing privacy, export controls, and cybersecurity regulations. 

2. CFIUS Takes on TikTok

We previously provided an overview of the updated CFIUS regulations concerning foreign investment restrictions scheduled to take effect in the U.S. in February 2020. However, that does not mean that CFIUS, the inter-agency committee tasked with the authority to review, modify and reject certain types of foreign investment that could adversely impact U.S. national security, is dormant in terms of its current investigations. In fact, on November 1, 2019, Reuters reported that CFIUS has launched a national security review of the popular social media and video-streaming app TikTok, related to the acquisition of social media app Musical.ly (since rebranded as “TikTok”) by Beijing ByteDance Technology Co. in 2017 for $1 billion. TikTok earlier this year said that approximately 60% of its 26.5 million monthly active users are located in the United States.

U.S. lawmakers first raised national security concerns related to the TikTok platform, particularly its Chinese parent company’s collection of user data and purported censorship of user content.  For example, Senators Chuck Schumer and Tom Cotton sent a bi-partisan letter to the Acting Director of National Intelligence in October voicing concerns over TikTok’s data collection practices, highlighting Chinese laws that “compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.” While it is unclear what the outcome of this particular review will be, it puts a spotlight on the types of industries and practices that CFIUS is currently scrutinizing and provides a useful case study for what types of mitigating measures we may see imposed by the Committee down the road.

The updated CFIUS regulations set to take effect in February 2020 expressly expand the jurisdiction of CFIUS to include reviews of non-controlling foreign investments in companies that store and have access to sensitive personal data of U.S. citizens. But the CFIUS review into TikTok is only the latest investigation by the Committee into burgeoning technology apps that store sensitive personal data. CFIUS has previously targeted the proposed acquisition by the Chinese Kunlun Group of the U.S. dating application “Grindr” for data privacy concerns regarding its individual users, and similarly forced the Chinese digital healthcare company iCarbonX to divest from it its investment in the U.S. healthcare startup “PatientsLikeMe.” 

These recent cases ultimately show that CFIUS is increasingly focused on the protection of the sensitive personal data of U.S. citizens in emerging technological applications, particularly when Chinese investment is involved.  All U.S. companies considering foreign investment will have to take heed of the current and soon-to-be updated CFIUS regulations and increase their due diligence efforts, particularly where Chinese investment is concerned.

3. 5G Supremacy: Timeline on Huawei Restrictions and Licensing Still Unclear

Finally, a critical ongoing area of U.S.-China cybersecurity relations is the debate over the role that China’s telecommunications leader Huawei will have in developing and implementing global 5G technology and data networks. Huawei was placed on the U.S. Department of Commerce “Entity List” over national security concerns in May 2019, which restricts U.S. companies from doing business with it, and a licensing regime was put into place for U.S. companies that seek to engage with Huawei and certain of its subsidiaries. While no such licenses have been issued to date, U.S. Secretary of Commerce Wilbur Ross recently indicated that at least some of the 260 license applications their office has received will be granted and issued shortly.  

U.S. critics believe that allowing Huawei to take the lead on 5G and similar data network equipment will potentially give the Chinese government the ability to collect data of the users of Huawei products. However, Huawei is a global leader in 5G technology, and despite pressure from the U.S. government, countries like Germany, Hungary, and Norway have decided against banning Huawei from their 5G networks. The inherent difficulties and concerns in having the global leader in 5G technology also be closely connected to the Chinese government is an issue that every country seeking to develop 5G infrastructure will have to address, and will likely be a focal point in the U.S.-China trade war as well as in global cybersecurity relations for years to come. 

If you have any questions about U.S.-China trade relations as it relates to CFIUS, cybersecurity regulatory compliance, or U.S.-imposed licensing restrictions, please contact a member of Baker Donelson’s Global Business Team below.

____________________________________________________________________
Joe D. Whitley is a shareholder at Baker Donelson and chairs the Firm’s Government Enforcement and Investigations Group. He can be reached at jwhitley@bakerdonelson.com. 

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com. 

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com. 

Frank Xue is an associate with Baker Donelson who assists Chinese clients with matters in the U.S. related to foreign direct investments, mergers and acquisitions, and private equity/venture capital. He can be reached at fxue@bakerdonelson.com. 

_______________________________________________________________________

1. CCL Translation: “Cyber-security Law of the People’s Republic of China,” Dezan Shira and Associates. https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html.

2. CCL Article 9; see also Laney Zhang, China: New Regulation on Police Cybersecurity Supervision and Inspection Powers Issued, Library of Congress (November 13, 2018) (discussing Measures of Internet Security Supervision and Inspection by the Public Security Organs, (Sept. 15, 2018, effective Nov. 1, 2018)) https://www.loc.gov/law/foreign-news/article/china-new-regulation-on-police-cybersecurity-supervision-and-inspection-powers-issued/.

3. See, e.g., China: Abusive Cybersecurity Law Set to be Passed, Human Rights Watch (November 6, 2016) https://www.hrw.org/news/2016/11/06/china-abusive-cybersecurity-law-set-be-passed; China adopts cyber security law in face of overseas opposition, Reuters (November 6, 2016) https://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049.

4. Draft Cybersecurity Classified Protection Regulations, China Ministry of Public Security (June 27, 2018) http://www.mps.gov.cn/n2254536/n4904355/c6159136/content.html?from=timeline&isappinstalled=0.

5. See, e.g. Simone McCarthy, Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?, South China Morning Post (October 13, 2019) https://www.scmp.com/news/china/diplomacy/article/3032649/will-chinas-revised-cybersecurity-law-put-foreign-firms-risk.

6. Greg Roumeliotis, Yingzhi Yang, Echo Wang, Alexandra Alper, Exclusive: U.S. opens national security investigation into TikTok, Reuters (November 1, 2019) https://www.reuters.com/article/us-tiktok-cfius-exclusive/exclusive-u-s-opens-national-security-investigation-into-tiktok-sources-idUSKBN1XB4IL.

7. Reuters,  How TikTok, Caught in U.S. Regulatory Crossfire, Rose to Global Video Stardom, The New York Times (November 4, 2019) https://www.nytimes.com/reuters/2019/11/04/business/04reuters-tiktok-cfius-factbox.html.

8. See, e.g. Senator Marco Rubio Letter to Secretary of Treasury Steven Mnuchin https://www.rubio.senate.gov/public/_cache/files/9ba023e4-2f4b-404a-a8c0 e87ea784f440/FCEFFE1F54F3899795B4E5F1F1804630.20191009-letter-to-secretary-mnuchin-re-tiktok.pdf

9. Senators Charles E. Schumer and Tom Cotton Senate Letter (October 23, 2019) https://www.democrats.senate.gov/imo/media/doc/10232019%20TikTok%20Letter%20-%20FINAL%20PDF.pdf.

10. See, e.g., Christiana Farr and Ari Levy, The Trump administration is forcing this health start-up that took Chinese money into a fire sale, CNBC (April 4,  2019) https://www.cnbc.com/2019/04/04/cfius-forces-patientslikeme-into-fire-sale-booting-chinese-investor.html; Echo Wang, China’s Kunlun Tech agrees to U.S. demand to sell Grindr gay dating app, Reuters (May 13, 2019) https://www.reuters.com/article/us-grindr-m-a-beijingkunlun/chinas-kunlun-tech-agrees-to-u-s-demand-to-sell-grindr-gay-dating-app-idUSKCN1SJ28N.

11. Huawei Entity List and Temporary General License Frequently Asked Questions, Department of Commerce (September 18, 2019) https://www.bis.doc.gov/index.php/documents/pdfs/2447-huawei-entity-listing-faqs/file

12. Philip Heijmans and Haslinda Amin, Ross Optimistic on China Deal, Trump Wants It Signed in U.S., Bloomberg (November 3, 2019) https://www.bloomberg.com/news/articles/2019-11-03/ross-optimistic-on-china-trade-deal-says-huawei-licenses-coming?srnd=premium.

13. See, e.g., Associated Press, Hungary Says Huawei to Help Build Its 5G Wireless Network, New York Times (November 5, 2019) https://www.nytimes.com/aponline/2019/11/05/business/bc-eu-hungary-huawei.html; Chloe Taylor, Germany set to allow Huawei into 5G networks, defying pressure from the US, CNBC (October 16, 2019) https://www.cnbc.com/2019/10/16/germany-to-allow-huawei-into-5g-networks-defying-pressure-from-the-us.html.

foreign investment

New Foreign Investment Restriction Regulations Cement CFIUS Reform

One of the emerging focal points of the U.S.-China trade war involves the implementation of updated foreign investment restrictions in key U.S. industries. 

On September 17, 2019, the Department of the Treasury issued proposed regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), legislation that sought to reform and expand the scope of foreign investment reviews conducted by the Committee on Foreign Investment in the United States (CFIUS). CFIUS, an inter-agency committee chaired by the Treasury Department with the authority to review, modify and potentially reject certain types of foreign investment that could adversely affect U.S. national security, has undergone a significant overhaul during the past year in the wake of FIRRMA becoming law in August 2018. It is now more vital than ever that companies understand how their business can be affected by the updated CFIUS regulations when they are seeking or negotiating a merger, acquisition, real estate investment or even a non-controlling investment from a foreign investor.

Typically, CFIUS reviews are voluntary and are conducted for merger or acquisition transactions where a non-U.S. company or a foreign government-controlled entity obtain a controlling interest in a U.S. company. If CFIUS determines that a covered transaction presents a national security risk, it has the authority to impose certain mitigating conditions before allowing the deal to proceed and can refer the transaction to the President for an ultimate decision. 

However, FIRRMA updated and expanded the scope of CFIUS jurisdiction to authorize reviews of additional types of non-controlling foreign investments based on the type of U.S. company involved. The implementing regulations proposed in September 2019 are set to take effect February 13, 2020, and while the CFIUS reform regulations are motivated by concerns directly related to China, the impact of FIRRMA will be felt globally and the new rules will not be tied to or affected by impending trade negotiations. U.S. businesses, particularly those involved in critical technologies, real estate, infrastructure and data collection or maintenance, must take heed of how the updated rules will affect their global business decisions moving forward.

New Regulations for TID Companies Effective February 2020

Effective February 13, 2020, CFIUS will be authorized to review “covered control transactions,” (all foreign acquisitions resulting in direct control in a U.S. business, which CFIUS already had jurisdiction over), as well as non-controlling “covered investments” by a foreign person in a U.S. critical technology, critical infrastructure or sensitive personal data company. The new rules refer to these as “TID U.S. Businesses” (Technology, Infrastructure and Data), or to be more specific, a company that engages in one of the following categories of activity: 

-produces, designs, tests, manufactures, fabricates or develops one or more critical technologies;

-owns, operates, manufactures, supplies or services critical infrastructure; or

-maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.

“Critical technologies” include defense articles or defense services under the International Traffic in Arms Regulations, certain nuclear-related products regulated by the Nuclear Regulatory Commission Controls and certain technologies on the Commerce Control List under the Export Administration Regulations. In addition, “critical technologies” will include certain “emerging technologies” that are yet to be defined, and the Commerce Department’s Bureau of Industry and Security is currently reviewing at least 17 technology areas that are anticipated to result in new controls (including bio-tech, artificial intelligence, microprocessors, positional navigation and timing technology, quantum computing and additive manufacturing (3D printing)). 

“Critical infrastructure” includes key industry subsectors such as telecommunications, utilities, energy and transportation. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target products or services to sensitive populations (including U.S. military members and federal national security employees); (ii) collect or maintain such data on at least one million individuals; or (iii) have a business objective to collect such data on greater than 1 million individuals and such data is an integrated part of the U.S. business’s primary product or service. The categories of data include types of financial, geolocation and health data. 

Non-Controlling Covered Investments

Under the new regulations, CFIUS will be authorized to review non-controlling covered investment in TID U.S. Businesses. A “covered investment” includes scenarios where a foreign investor obtains:

-access to material non-public technical information;

-membership or observer rights on the board of directors or an equivalent governing body of the business or the right to nominate an individual to a position on that body; or

-any involvement, other than through voting of shares, in substantive decision making regarding sensitive personal data of U.S. citizens, critical technologies, or critical infrastructure.

Filing a CFIUS declaration for a non-controlling covered investment will remain a largely voluntary process, and parties will be able to file a notice or submit a short-form declaration notifying CFIUS of a covered investment in order to receive a potential “safe harbor” letter (after which CFIUS in most scenarios will not initiate a review of a transaction). 

However, if a foreign government holds a “substantial interest” in the foreign investor that obtains a “substantial interest” in a TID U.S. Business, a CFIUS filing will be mandatory. The updated regulations provide that a foreign government is considered to have a substantial interest in the foreign investor if it holds a 49% direct or indirect interest, whereas a foreign person will obtain a substantial interest in a TID U.S. Business if it obtains at least a 25% direct or indirect interest. CFIUS is also authorized to mandate declarations for transactions involving certain types of critical technology companies. 

The proposed rules also include a “white list” provision providing CFIUS the authority to designate certain “excepted investors” and “excepted foreign states” that may be eligible for an exclusion in connection with non-controlling covered investments. 

Global Impact: How Does This Affect My Business? 

The most important practical effect of the updated regulations is the breadth of U.S. companies standing to be impacted or affected by new foreign investment restrictions. U.S. businesses and industries that have previously never had to consider filing a CFIUS declaration, including healthcare companies, tech start-ups, related infrastructure industries, venture capital funds, emerging technology companies and manufacturers, and any company with access to sensitive consumer data, will now have to contemplate the implications of a CFIUS review when considering even passive foreign investment. Robust due diligence on potential investors will be more important than ever to ensure compliance with both mandatory and voluntary CFIUS declaration filings. Cross-border deals will be a costlier and more time-consuming process that will require acute attention to detail when drafting the contractual rights afforded to foreign investors. 

If you have any questions about the impact of the updated CFIUS regulations or how they may affect your company, please contact a member of Baker Donelson’s Global Business Team for additional information.

___________________________________________________________________

Joe D. Whitley is a shareholder at Baker Donelson, chair of the Firm’s Government Enforcement and Investigations Group and former General Counsel at the Department of Homeland Security. He can be reached at jwhitley@bakerdonelson.com

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com