The Cyberspace Administration of China (“CAC”) in a brief statement on March 31, 2023 stated that it has launched a cybersecurity review of Micron’s products sold in China pursuant to the National Security Law (2015), Cybersecurity Law (2016), and Cybersecurity Review Measures (the “Measures”, 2021 rev.) to ensure the security of the supply chain of critical information infrastructure (“CII”), guard against cybersecurity risks caused by hidden product problems, and safeguard national security.¹ The US-based memory chip maker derives more than 10% of its revenue from China and reportedly said that it was staying in communication with the CAC and cooperating fully.

The Micron investigation is believed to be the first cybersecurity review proactively conducted by the CAC against a foreign company based on the Measures, which were first issued in April 2020 and then revised in December 2021 jointly by thirteen central government departments, including the CAC, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security and Ministry of State Security. Please see our earlier client alert on the Measures.

The CAC has previously conducted cybersecurity reviews of Didi Chuxing, two truck-hailing service providers, an online recruitment app and a Chinese academic database in 2021 and 2022, based on the Cybersecurity Law, Data Security Law and Personal Information Protection Law and on the grounds of fending off data security risks, safeguarding national security, and ensuring the public interests. To date, CAC has imposed an administrative penalty only on Didi Chuxing in July 2022, including a fine of RMB 8.026 billion on the company, and fines of RMB 1 million on each of its CEO and president.²

The legal basis of cybersecurity review is provided in Article 2 of the Cybersecurity Review Measures. When affecting or potentially affecting national security, the purchase of network products and services by a critical information infrastructure operator (“CIIO”) and the data processing activities carried out by online platform operators shall be subject to cybersecurity review.

A cybersecurity review can be triggered (i) when the CIIO determines that its purchase of network products and services may affect national security (Article 5); (ii) when an online platform operator that possesses the personal information of more than one million users goes public abroad (Article 7); or (iii) when the government believes that a network product or service or data processing activity affects or may affect national security (Article 16). Based on the limited information disclosed in the statement issued by the CAC regarding the Micron investigation, it is likely that the review was initiated by CAC itself as opposed to being requested by one or more of Micron’s domestic CIIO customers to the CAC for review.

In conducting the cybersecurity review, CAC will focus on the following risk factors associated with national security (Article 10):

1) Risks of illegal control, interference or destruction of CII brought about by the use of products and services;

2) The disruption of product and service supply to the continuity of CII business;

3) The security, openness, transparency, and diversity of sources of products and services, the reliability of supply channels, and the risk of supply interruption due to political, diplomatic, trade or other factors;

4) Product and service providers’ compliance with Chinese laws, administrative regulations, and ministerial rules;

5) Risks of core data, important data, or a large amount of personal information being stolen, leaked, damaged, illegally used, or illegally exported;

6) Risks of CII, core data, important data, or a large quantity of personal information being influenced, controlled, or maliciously used by a foreign government, as well as network information security risks once made public; and

7) A catch all other factors that may endanger the security of CII, network security, or data security.

Given the timing, the Micron investigation may best be viewed as retaliation against the US and its allies’ increasingly tight export controls targeting China’s semiconductor industry. Last week, Japan announced export restrictions on certain types of hardware used to make the most advanced chip manufacturing equipment - a move that will likely have an impact on China’s ability to develop high-end semiconductors although China was not named as the main target of the restrictions.

Micron is speculated to have been behind efforts to push the US government to impose sanctions against China.³ In 2022, the US government added China’s leading memory chip producers Yangtze Memory Technologies Corp and ChangXin Memory Technologies to the Entity List, essentially denying them access to high-end chip manufacturing hardware and software to remain competitive.

Micron may also have been vulnerable because of China’s relatively low level of dependence on the firm and because China is generally less dependent on imported memory chips than on other semiconductors.⁴ Further retaliation against US chip makers in other industry segments with higher market shares and lower substitutability is less likely.

Footnotes -

1. http://www.cac.gov.cn/2023-03/31/c_1681904291361295.htm

2. http://www.cac.gov.cn/2022-07/21/c_1660021534306352.htm

3. https://www.scmp.com/tech/tech-war/article/3215742/why-china-launched-cybersecurity-review-us-memory-chip-maker-micron-technology-and-what-could-happen

4. https://www.scmp.com/tech/tech-war/article/3215742/why-china-launched-cybersecurity-review-us-memory-chip-maker-micron-technology-and-what-could-happen