China Cyber Security Update – How Do the Recent Regulations Impact Your Business?

Cyber security has been a top priority of the Chinese government since the Snowden revelations and the disclosure of the US PRISM project (see our earlier article). In this regard, the most notable recent legislative move is the enactment of the new PRC Cybersecurity Law on Nov. 7, 2016 (“Cybersecurity Law”), which will take effect in around two months, on June 1, 2017. Not long after the promulgation of the Cybersecurity Law, the Ministry of Industry and Information Technology (“MIIT”), as the industry watchdog, followed up with regulations to tighten the administration of the telecommunications industry. On November 24, 2016, MIIT published a draft Notice on Regulating the Operation Behaviours in the Cloud Service Market (“Cloud Service Draft”) to solicit comments, and on Jan. 17, 2017 it promulgated the Circular on Clearing up and Regulating the Internet Access Service Market (“Circular 32”) with immediate effect. Below we highlight several widely discussed topics associated with this legislation and its influence on foreign investors’ operations in China.

The Requirement on Local Storage of Data

The requirement on local storage of data has caused serious concern and discussion since the first draft of the Cybersecurity Law was published for comment on July 6, 2015. This requirement was ultimately upheld in the officially released Cybersecurity Law despite numerous opposing voices, especially from telecom service providers, cloud computing market players, and operators offering cross-border services / solutions based on international networking.

However, on a closer look at the wording, Article 37 of the Cybersecurity Law – which addresses the local storage of personal information and important data produced during operations in China – applies only to the operators of key information infrastructure (“CII Operator”). Although so far there is no official definition of CII or CII Operator, Article 31 of the Cybersecurity Law names several industries / features of CII for which the government takes specific protective measures: industries such as public communication network and information service, energy, transport, water conservancy, finance, public services and e-government affairs, and CII which – in case of destruction, loss of function, or data leakage – will result in serious damage to national security, the national economy, people’s livelihood and public interests. The industry of “information service” is mentioned, which – in a broad sense – could cover almost all enterprises operating a website within China that provides information to Internet users. However, from the features described under Article 31, one may speculate that the purpose of the specific protective measures provided by the Cybersecurity Law (including the local storage requirement) is to target market players which play an important role in the national economy or national security. The influence on foreign invested enterprises – which are in any case prohibited or strictly restricted from entering industries concerning the national economy or national security in China – should be less than people imagine.

The Operation of Cloud Computing Business

The operation of cloud computing business in China is always related to the issue of the so-called telecommunications service. Any entity operating a telecommunications service in China must apply for a telecommunications license covering the corresponding service (“TC License”), which is issued by MIIT or one of its local counterparts. In addition, in most cases, a wholly foreign owned enterprise is not in a position to apply for such a TC License. Depending on whether the telecommunications service is categorized as a basic or a value-added telecommunications service under the Classified Catalogue of Telecommunications Services promulgated by MIIT, the latest version of which took effect on March 1, 2016 (“Telecom Catalogue”), the applicant for the corresponding TC License is subject to a maximum foreign stake of 49% or 50%.

In this regard, without mentioning the terms “cloud service” or “cloud computing”, the Telecom Catalogue lists “internet data centre (IDC)” as a telecommunications service and provides for “internet resources collaboration services” as a kind of IDC service, which is defined in a very general way and is supposed to cover all types of cloud-based services. This means that most cloud-based services are subject to a TC License covering IDC service (in practice, however, the license requirement for a specific cloud computing business must be analysed on a case by case basis).

In the past, due to the above foreign investment access restrictions and regulatory license requirements, some foreign cloud computing service providers chose to outsource the sensitive parts of the business to a qualified local partner holding the required IDC license and at the same time set up their own 100% subsidiaries to provide IT services to the local partner, so as to circumvent license requirements as a practical approach to entering the Chinese market.

However, such a business model would be challenged by Circular 32 and the Cloud Service Draft. Article 2.1.1 of Circular 32 explicitly prohibits the sub-leasing or transferring of an IDC license. Concretely speaking, an enterprise holding an IDC license is not allowed to provide qualifications or resources to any unlicensed enterprise in the name of technical cooperation. A similar prohibition appears in the Cloud Service Draft, which further prohibits IDC license holders from:

allowing their foreign partner to conclude a service contract directly with cloud service customers;
delivering services to customers only using the trademark and brand name of the foreign partner; or
illegally providing users’ personal information and network data to the foreign partner.

Although only limited information has been published on the implementation of Circular 32 since it took effect, and the Cloud Service Draft has not been officially released, it is necessary for international market players in the cloud computing area to revisit and adjust their cooperation model with the local IDC License holders.

The Use of VPN

Many international companies deploying IT facilities in China use VPN to improve cross-border data flow performance and to create a seamless and integrated corporate IT environment. Since the promulgation of Circular 32 was announced, there have been concerns about whether it will result in the use of VPN being blocked, which could be disastrous for international operations that rely on VPN services.

Circular 32 does tighten control over the provision and use of VPN. According to Article 2.2.4 of Circular 32, enterprises are prohibited from conducting cross-border business operations by setting up their own, or leasing, privately leased circuits (including VPN) and other information channels. It further stresses that privately leased circuits can only be used by users exclusively for handling their internal official business and shall not be used for connecting onshore and offshore data centres or business platforms to carry out telecom business operations.

In our view, most companies using VPNs for internal purposes would not be impacted by Circular 32. The wording of Circular 32 only targets those who offer VPN services, including related facilities, but not VPN users. In addition, during a recent press conference on January 24, 2017, an MIIT spokesman further confirmed this point and clarified that the use of VPN by international companies for their internal business purposes shall not be impacted by Circular 32. Despite this, it is recommended that VPN users conduct a brief “compliance audit” of the providers of their VPN services, in case the use of VPN is shut down due to non-compliance on the supplier side.


We summarize the possible impacts of the regulations discussed in this article on different market players, and the recommended countermeasures, as follows:

VPN users: the use of VPN might be blocked due to non-compliance of the VPN service provider. We suggest reviewing the most up-to-date telecom service license of the service provider and the related service agreements to confirm the compliance of the VPN service;
VPN service providers: the reselling of VPN service without a proper TC License might be deemed illegal according to Circular 32. We suggest revisiting the regulatory compliance for provision of VPN services before offering them to customers; and
IDC service providers: the coordination with local licensed IDC providers might be deemed “re-leasing or re-transferring of TC License”, which is illegal. We suggest contacting MIIT to clarify the legal and appropriate coordination model with the local service providers.

