Contributed By DaHui Lawyers
There are no laws or legal regulations in the PRC specifically relating to cloud computing, but cloud computing service providers are subject to various general bodies of legislation and regulations, including the Telecommunications Regulations of the People’s Republic of China (see 8 Scope of Telecommunications Regime), the Cybersecurity Law of the People’s Republic of China (“PRC Cyber Security Law” – see 6 Key Data Protection Principles) as well as subsequent implementing regulations aimed at forming a more complete framework for governing cybersecurity and data protection in China (“Cyber Security Regime”), the Administrative Measures for the Licensing of Telecommunications Business and Administrative Measures for Internet Information Service, and the Cryptography Law of the People’s Republic of China (“Cryptography Law”), among others. In addition, in 2019 the Measures for Security Evaluation for Cloud Computing Services (“Cloud Computing Security Evaluation Measures”) went into effect, which clarify certain aspects of the PRC Cyber Security Law for cloud service providers. Moreover, there have been more than 30 non-binding recommended standards published by the Standardisation Administration of China (SAC) relating to cloud computing, covering topics ranging from security guidance to data centre requirements and file service application interfaces.
Cloud computing service providers generally must comply with the requirements of the Cyber Security Regime in respect of the collection and use of personal information. This includes obtaining user consent before collecting personal information, and disclosing internal rules for personal information collection, the intended use of such information, its purpose and the means and scope of collection.
The PRC Cyber Security Law also sets out more strict obligations on “Critical Information Infrastructure Operators” (CIIOs – see 6 Key Data Protection Principles for more details), which are defined broadly to include companies whose business implicates significant issues of PRC national security, the national economy, social well-being and other public interests. There is no express law or regulation in effect currently specifying that cloud services are a category of critical information infrastructure, per se. However, the scale and importance of some cloud computing operators could conceivably cause them to fall within this definition. Indeed, draft guidance from the Cyberspace Administration of China (CAC), which was issued for public comment in July 2017 but has not yet been promulgated, specifically includes cloud computing service providers among its listed types of entities that may be deemed CIIOs.
Furthermore, on 1 September 2019, the Cloud Computing Security Evaluation Measures took effect, which were jointly issued by the CAC, the MIIT, the National Development and Reform Commission (NDRC) and the Ministry of Finance. The Cloud Computing Security Evaluation Measures provide that cloud computing service providers that supply cloud computing services to the Communist Party of China (CPC), the government or any CIIO must complete a security evaluation on each of their cloud computing platforms providing such services. The evaluation is organised by the CAC to ensure the security and controllability of cloud computing platforms and will act as a reference, and may even be required, for the procurement of cloud computing services by government bodies, the CPC and CIIOs.
Therefore, subject to the specific data stored or processed on a cloud computing service or the party to which the cloud computing services are provided, a cloud computing service provider could be required to comply with the more stringent obligations under the PRC Cyber Security Law, such as local data hosting and offshore data transfer restrictions, or the Cloud Computing Security Evaluation Measures. This may result in a cloud computing network with offshore components (eg, servers hosted outside China, or networks between a PRC subsidiary and foreign parent company) having to undergo restructuring to comply with the PRC Cyber Security Law and/or undergo a security assessment procedure (which is currently vaguely defined) prior to providing such cloud services to CIIOs.
Risk and Liability
Blockchain technologies are generally permitted and even encouraged in China. A white paper published in October 2016 by the China Blockchain Technology and Industrial Development Forum, under the guidance of the Ministry of Industry and Information Technology (MIIT), analysed the current state of blockchain technology in China and its potential future applications, set out a roadmap for blockchain development in China and called for a formal set of national blockchain standards to provide industry guidance to existing and potential market players. To date, however, no blockchain-related standards have been released.
Nevertheless, China is now arguably among the vanguard in the application of blockchain technology, which is already adopted and used by China’s e-commerce giants, such as JD and Alibaba, both of which have announced further plans to apply blockchain technology to their logistics services to better allow suppliers and consumers to trace products through production, transportation and storage. Also, China’s Ping An bank and Ant Financial both announced blockchain-based applications to maintain ledgers for cross-border transactions. The Nanjing local government even established a RMB10 billion investment fund to invest in blockchain projects.
Additionally, various PRC arbitral tribunals have announced their intention to apply blockchain technology to arbitral proceedings. For instance, there have been reports that the Guangzhou Arbitration Committee worked with WeBank and other parties to develop a blockchain system for arbitration. Under that system, if a borrower defaults on a loan, the Guangzhou Arbitration Committee can automatically issue an arbitral award/ruling based on the information stored via blockchain to all parties involved in the loan’s underlying contract. The Nanjing Arbitration Committee also launched a test version of a blockchain-based online ruling system, which allows disputing parties to view digital evidence. The system is reportedly aimed at facilitating the rapid conclusion of arbitration proceedings.
On 10 January 2019, the CAC promulgated the Provisions on Administration of Blockchain-based Information Services (“Blockchain Services Provisions”), which represent the first administrative guidelines for providers of non-cryptocurrency, blockchain-based services in China. The Blockchain Services Provisions define blockchain-based service providers as entities or nodes that provide blockchain-based information services, or any institution or organisation that provides technological support to such entities (“Blockchain Service Providers”).
Under the Blockchain Services Provisions, Blockchain Service Providers are responsible for information security and should build internal management systems for user registration, information censorship, emergency response and security protection. The Blockchain Services Provisions require Blockchain Service Providers to conduct a record-filing with the CAC or its provincial-level branch to report certain key information, such as the type and scope of services, application sectors and server addresses, within ten business days after launching their services. Blockchain Service Providers are also required to undertake a security evaluation administered by the CAC or its provincial branches, and to authenticate the identities of their users based on ID card numbers, organisational codes (for PRC entities) or mobile phone numbers before providing services to such users, in accordance with the Cyber Security Law.
As a consequence of the promulgation of the Blockchain Services Provisions, the CAC publicly released a list of 197 registered blockchain information services projects on 30 March 2019, and a second list of 309 registered products on 18 October 2019. The registered projects cover areas including supply chain financing, open platforms, anti-counterfeiting and source tracking. Featured on the list are well-known Chinese internet giants like Baidu (which has launched Baidu Blockchain Engine, Superchain and Tuteng), Ant Financial (which has launched Cloud Blockchain-as-a-Service), Tencent blockchain and Tencent Cloud’s Blockchain-as-a-Service blockchain services platform, and JD.com (which has launched Cloud Blockchain Data Services). Ping An Insurance has also filed its online data pre-payments card service under its Yiqianbao entity; Aiqiyi has filed its blockchain work information certification; and WeBank has filed its Blockchain-as-a-Service platform, its brand tracing project, and its Titanium Platform.
The Supreme People’s Court of China (SPC) has also supported the use of data contained in blockchains in Chinese Internet courts. Under the Provisions of the SPC on Several Issues Concerning the Trial of Cases by Internet Courts, issued on 6 September 2018, Internet courts are required to recognise data submitted as evidence that has been stored on a blockchain. Such blockchain-stored data, however, must have been collected and stored via blockchain with digital signatures, and the party wishing to use the evidence must establish the authenticity of the technology used.
On the other hand, the Chinese government has taken a hard line against private cryptocurrencies and initial coin offering (ICO) fundraising. In 2017, regulators instituted an outright ban on cryptocurrency exchanges and ICOs in China, and also imposed severe restrictions on the use of cryptocurrencies and relevant trading services. This continued in 2019, as both the PBOC and a government group on internet financial risk rectification announced an “all around” crackdown on cryptocurrency and illegal blockchain activities. Although some market players have continued to conduct limited cryptocurrency operations in China, these actions continue to attract increased government scrutiny, with regulators vowing to impose additional restrictions and strengthened monitoring of cryptocurrency-related activities throughout the near future. However, the Chinese government appears to be interested in launching its own cryptocurrency, as the PBOC announced that it was close to releasing an RMB-backed stablecoin in August 2019.
A blockchain-based application will typically be in the form of computer software, which may make it subject to copyright protections under PRC law. If the application is sophisticated enough (eg, if it includes sufficient technical elements in addition to being mere computer algorithms or business method), and if the application constitutes a solution to a technological problem, then it could be considered patentable under China’s patent law. It is reported that more than 1,000 patent applications relating to blockchain technology were filed in China in 2018 alone. That said, many blockchain technologies are based, at least partially, on open source software, which will generally be governed by the terms of an open source licence. That licence may impose restrictions on patent applications, or may contain provisions jeopardising patent enforcement.
There are no specific PRC rules on data privacy that relate to blockchain technologies specifically. However, an operator of blockchain services would be subject to various other PRC laws and regulations relating to data privacy, such as under the PRC Cyber Security Law. This may require a provider of blockchain services or an operator of blockchain technologies to obtain consent before collecting personal information from users, and to disclose internal rules for personal information collection, the intended use of such information, its purpose and the means and scope of collection.
Furthermore, Blockchain Service Providers who are engaged in certain industries could be deemed to be operating “critical information infrastructure”, making them subject to more strict obligations under the PRC Cyber Security Law. In particular, this may include operators of blockchain services in the financial or mineral resources sectors. If such a service provider qualifies as a CIIO, any personal information or other information constituting important data collected within mainland China through a given blockchain is required to be stored in China and cannot be transmitted outside of China without undergoing additional security assessment procedures, which may require that all nodes of the blockchain are located within China as well.
Currently, there are no specific PRC laws or regulations on any service levels or service level agreements (SLAs) for an operator of blockchain services. That said, the SAC recently promulgated recommended national standards on SLAs for cloud computing as prepared by the China National Information Technology Standardisation Committee (CNITSC) – ie, information technology – Cloud computing – Basic requirements of cloud service level agreement (CSLA) (GB/T 36325-2018). The CNITSC has also promulgated an industrial standard on SLAs – ie, Information Technology Service – Guidelines on Service Level Agreement (SJ/T 11691-2017). While none of these standards are compulsory, there appears to be an increasing number of Chinese Internet and software service providers adopting some level of SLAs. As such, SLAs are expected to evolve primarily in light of technical and commercial considerations between Blockchain Service Providers and users.
Because the nodes of a blockchain could potentially be dispersed across servers located in multiple countries and jurisdictions, the question of which laws the blockchain will be subject to is complicated and has not been specifically addressed by PRC law within the blockchain context. However, because the definition of Blockchain Service Providers under the Blockchain Services Provisions covers “nodes”, the rules provided by the Blockchain Services Provisions should at least be applicable to hosts of Chinese nodes used for blockchain information services (defined as information services provided to the public using blockchain-based technology and in the form of Internet websites, mobile applications, etc). That said, since the Blockchain Services Provisions are only an administrative provision, under current PRC law and in the absence of an agreement among relevant blockchain parties on governing law and forum selection, whether or not a blockchain is subject to PRC law will be governed by the standard PRC choice-of-law and forum selection rules under the PRC Civil Procedure Law and the Law of the People’s Republic of China on Application of Laws to Foreign-Related Civil Relationships. Even under these laws, there remain uncertainties, such as whether having a single blockchain node located on a server in the PRC will be sufficient to subject the entire blockchain to PRC jurisdiction, or whether something more is required.
Currently, there are restrictions on foreign investment into big data companies. The Telecommunications Business Catalogue, published in 2015 by the MIIT, lists the operation of an Internet data centre (IDC) as a business that requires a value-added telecommunications operating permit. Subject to certain limited exceptions, this permit cannot be obtained by a foreign-invested entity. Therefore, foreign entities generally are required to outsource their data storage and data analysis services to local PRC IDCs. Indeed, since 28 February 2018, the Apple iCloud service in mainland China (which formerly operated via an offshore service provider) has been transferred to, and is operated by, Guizhou-Cloud Big Data Industry Development Company, a PRC IDC.
Beyond these foreign investment restrictions, there are no laws or regulations in the PRC specifically applying to “big data” companies or providers of big data-type services, such as big data analytics and consulting services. As such, there are no statutory limitations or allocations of liability or insurance requirements applicable to duly established big data companies.
Generally, big data companies will be subject to the requirements of the Cyber Security Regime, whereby informed consent must be procured from users or data subjects before a company can collect and process their personal information. In the case of a big data service provider, such consent should indicate that the user’s personal information will be used specifically to produce data analytics or provide consulting services. Additionally, a company engaging in business related to big data in certain industry sectors might be subject to additional regulatory requirements. For example, health-related data must be stored on a secure and trusted server in China, hospital authorisation is required to collect and process such data (even anonymised data), and a security assessment is required before transferring such data offshore.
Moreover, a big data service provider may be deemed a CIIO and therefore subject to stricter compliance requirements, including the requirement to store all personal information and other important data within the PRC and the restrictions on transmitting such data outside the PRC without performing certain security assessment procedures. That said, if a big data service provider undertakes anonymisation (ie, technologically processing personal information to make the personal information subject unidentifiable and non-recoverable) when processing personal information, the ultimate analytics and consulting services may not be subject to the restrictions of the PRC Cyber Security Law on divulging personal information without the data subject’s consent.
There are no PRC laws or regulations specifically pertaining to the creation, development or use of machine learning algorithms or technologies. As such, there is no PRC legislation on the allocation of liability or setting insurance requirements on companies that provide products or services employing machine learning algorithms or technology.
As the operation of machine learning algorithms tends to require large data sets, service providers obtaining such data will be subject to the requirements of the Cyber Security Regime. As such, informed consent must be obtained for any personal information obtained directly from data subjects, and such consent should indicate that the data subject’s personal information will be used specifically for machine learning purposes. If such data is obtained from a third-party source, care should be taken to ensure that appropriate consents were obtained by the entity that collected any personal information, or that such personal information is anonymised.
A software program employing machine learning technology is likely to be subject to copyright protections under PRC law. However, machine learning algorithms themselves will be very difficult to patent in the PRC. Moreover, any machine learning software that is based on open source software will generally be governed by the terms of an open source licence, which may impose restrictions on patent applications or contain provisions jeopardising patent enforcement.
There are no PRC laws or regulations specifically pertaining to the creation, development or use of artificial intelligence (AI). As such, there is no PRC legislation specific to the use of AI on the allocation of liability or setting insurance requirements on companies that provide products or services employing AI.
As the operation of AI tends to require large data sets, service providers obtaining such data will be subject to the requirements of the PRC Cyber Security Law. As such, informed consent must be obtained for any personal information obtained directly from data subjects, and such consent should indicate that the data subject’s personal information will be used specifically for AI purposes. If such data is obtained from a third-party source, care should be taken to ensure that appropriate consents were obtained by the entity that collected the personal information, or that the personal information is anonymised.
With respect to the ownership of intellectual property rights, under the Copyright Law of the People’s Republic of China (“PRC Copyright Law”), only natural persons, legal persons or organisations can be entitled to copyrights. As a result, PRC law currently appears to suggest that any works and content created by AI cannot be protected under the PRC Copyright Law.
Chinese legislators have taken a relatively broad view of the concept of “Internet of Things” (IoT). The Guiding Opinions of the State Council on Promoting the Orderly and Healthy Development of Internet of Things (Guo Fa No 7, the “IoT Opinion”) describes IoT as technologies “based on the intensive integration and comprehensive application of a new generation of information technology”, and designates IoT as an important strategic emerging industry of the country. The IoT Opinion further emphasises the co-ordinated overall development of IoT applications, technologies, industry and standards.
Although China has yet to promulgate any comprehensive legislation on the security and regulation of IoT, recent legislation on IoT-related issues – such as data security, data privacy, cloud computing, protection of critical infrastructure, classified levels of security protection, information security, etc – is all applicable to IoT, and a number of different government departments and regulatory bodies have been involved in the regulation and standardisation of the IoT sector. These government bodies include the MIIT, which is the key regulator for the telecoms sector and about 20 other industries, and the CAC, which acts as the main watchdog for information security and content administration, as well as others such as NDRC, the Ministry of Science and Technology (MOST) and the SAC. When contemplating an IoT project, the following legal issues and relevant rules of PRC law should be considered.
The Telecommunications Regulations of the People’s Republic of China apply to all types of “telecommunications” services. “Telecommunications” is defined broadly as the “act of using wired or wireless electromagnetic or optoelectronic systems to transmit or receive voice, text, data, image or other forms of information.” Under PRC law, telecommunications services are divided into two categories: basic and value-added telecommunications services. The former generally covers important telecommunications infrastructure, while the latter covers the services working in conjunction with that infrastructure – eg, VPN services, Internet data service centres, call centres, etc. In light of this, any infrastructure services for IoT connectivity and networks would likely fall within the definition of “basic telecommunications services”, while other IoT products or services would likely be categorised as “value-added telecommunications services”.
Therefore, depending on the type of services being provided, a business operator may need to obtain either a Basic Telecommunications Service Operating Permit or a Value-Added Telecommunications Services Operating Permit before bringing an IoT product or service to market. Each permit will require a telecommunications services operator to meet different requirements, such as the absence of foreign investment, which could effectively prohibit foreign investment in a particular IoT service or product.
Information Security and Data Protection
While there is no specific law on the information security of IoT, the general rules of the Cyber Security Regime are generally applicable to the IoT sector – in particular, the rules regarding the confidentiality and safekeeping of personal information of consumers, and the protection of privacy (further elaborated in relevant sections below). If an IoT service provider is deemed to be operating critical information infrastructure, then it will be subject to more stringent compliance requirements.
The SAC has been working with various governmental bodies and industrial associations to devise national standards in the IoT sector. Since 1 January 2019, 23 IoT standards have been implemented to cover information sharing, security, network connectivity, etc. In 2020, at least eight IoT standards will be implemented, including GB/T 36478.3-2019 (Internet of things – Information sharing and exchanging – Part 3: Metadata), GB/T 36478.4-2019 (Internet of things – Information sharing and exchanging – Part 4: Data interface), GB/T 37684-2019 (Internet of things – Collaborative information processing reference model), GB/T 37685-2019 (Internet of things – Application information services classification), GB/T 37686-2019 (Internet of things – Sensing object information fusion model), GB/T 37694-2019 (Technical requirements of Internet of things system for tourist service management), and GB/T 37976-2019 (Internet of things – Smart hotel application – General technical requirements of the platform interface).
While the national standards in the IoT sector are mostly recommended standards (GB/T standards) rather than mandatory standards (GB standards), IoT device manufacturers and service providers will need to consider if their products/services are compatible with the relevant national standards.
By and large, the PRC legal framework concerning IT service agreements presents many of the same common issues found in other jurisdictions. In particular, provisions dealing with indemnification and liability caps for data breaches, service outages and other service malfunctions tend to be among the most heavily negotiated clauses of IT service agreements in China. Another routinely contested contractual issue concerns a service provider’s reporting obligations to its customers in the event that it discovers breaches, attempted intrusions, actual intrusions and data leaks. Maintenance timetables and service-level credits are also potential points of discussion, as is IP ownership of customised software applications. Taken together, these general issues of IT service agreements tend to be deal-specific, and their resolution is often subject to the risk profiles of the parties involved.
In addition, similar to the practice in the IoT sector, the SAC, the MIIT and the China Communication Standards Association (CCSA) have drafted several national and industrial standards for cloud services – eg, GB/T 36325-2018 (Information technology – Cloud computing – Basic requirements of Cloud Service Level Agreement (CSLA)), SJ/T 11691-2017 (Information Technology Service – Guidelines on Service Level Agreement) and YDB 144-2014 (Cloud Service Agreement Reference Framework). These standards are not mandatory but represent official recommendations of PRC government authorities and industry associations.
There are also some considerably unique features and considerations that apply to IT service agreements in the PRC. In light of the rigid regulatory framework and complex operating permit regime in China’s telecoms sector (see 8 Scope of Telecommunications Regime), many companies may find that engaging or partnering with an IT service provider is a regulatory necessity, so that an entity can use one or more permits held by the service provider to indirectly provide services or content that would otherwise be restricted. Indeed, this may result in some market players contracting with IT service providers even if they do not technically need some types of third party IT services or would prefer to handle such activities internally, as doing so may be more convenient and efficient. Because these arrangements may entail a longer-term and more substantive relationship between IT service providers and their customers than would otherwise be the case, such customers should be careful in selecting a local IT service provider to ensure not only that they can provide the necessary IT services, but also that they hold all the necessary permits.
Some IT service providers also effectively serve as de facto “gatekeepers” of Chinese IT and telecoms regulations. According to the Administrative Measures for the Licensing of Telecommunications Business, value-added telecoms operators that provide access services to their customers are prohibited from equipping such customers with the means to conduct restricted activities if the customers lack the necessary telecoms operating permits. As such, some service providers may require their customers to hold certain permits in order to use their services in a given manner. For instance, an Internet service provider may require a customer to hold a value-added telecom service permit to use its Internet access services in conjunction with the customer’s e-commerce website. As the interpretation of these licensing requirements may vary among service providers, different service providers may have different requirements for their customers. Therefore, it is recommended that users be clear from the outset as to the range of services they wish to use, and as to the IT service provider’s requirements for providing those services.
Core Rules Regarding Data Protection
There is no single definitive piece of legislation in the PRC governing data protection. Instead, there are a range of laws and regulations containing data protection provisions that apply to specific parties in a variety of circumstances. Some of the most notable include the PRC Cyber Security Law, the Criminal Law of the PRC (revised in 2015) and the Law of the PRC on the Protection of Consumer Rights and Interests (“PRC Consumer Protection Law”). For example, under the PRC Consumer Protection Law, business operators are required to notify consumers of the purpose, method and scope of information collected from users/customers, as well as how such information will be used, and to obtain consumers’ consent prior to collecting such data or transferring it, whether such transfers are made onshore or offshore. These consumer protection restrictions also require business operators to keep any personal information of consumers confidential, and to take technical and other measures to safeguard such information. Additionally, various sources of legislation provide that PRC nationals have a general right to privacy under PRC law, which includes the right to have their information kept private.
In recent years, the most significant data protection development to affect both domestic and multinational companies operating in China has been the roll-out of the PRC Cyber Security Law, which contains various rules applicable to data collected and/or stored on a company’s networks. The PRC Cyber Security Law took effect on 1 June 2017 and, along with its implementing regulations, is intended to serve as the comprehensive and definitive law governing cybersecurity in the PRC.
Distinction Between Companies/Individuals
The PRC Cyber Security Law does not make a technical distinction between companies and individuals. However, it does contain other important distinctions, both at the level of collectors/handlers of data (typically companies) and at the level of data itself (typically data belonging to consumers/individuals).
At the data collector/handler level, the law distinguishes between “Network Operators” and the narrower concept of CIIOs. Network Operators are broadly defined as “network owners and administrators, and network service providers”. As no further definitions of these three sub-categories are provided, this definition could potentially include any company or individual operating a website or using a company intranet/cloud computing network. CIIOs, on the other hand, are essentially defined to include certain companies that are heavily connected to industries implicating PRC sovereignty or the economy, or the well-being of PRC citizens, the collapse of which would likely have an adverse impact on the PRC government or its citizens (eg, major utilities and banks). Different rules and requirements within the PRC Cyber Security Law are applicable to Network Operators and CIIOs, with the restrictions placed on the latter tending to be more onerous.
At the level of data itself, the PRC Cyber Security Law is focused especially on two particular types of network data – ie, “Personal Information” and “Important Data”. Personal Information is defined under the PRC Cyber Security Law to include “…all kinds of information recorded by electronic or other means that can be used to identify, independently or in conjunction with other information, a natural person, including name, date of birth, ID numbers, biometric personal information, etc.” Important Data is technically undefined under the PRC Cyber Security Law, but subsequent draft guidance sets out many sector-specific types of data deemed to be Important Data. For example, for a financial institution, a list of clients would be considered Important Data if a breach or leak of such list would potentially damage the safety and soundness of that financial institution. In sum, companies collecting or processing information over a network that could be considered Personal Information or Important Data should take particular care to ensure that they are in full compliance with the PRC Cyber Security Law.
General Processing of Data
In addition to the general data handling and user consent rules noted above in the context of the PRC Consumer Protection Law, the Cyber Security Regime also provides data processing rules that apply to all Network Operators in China. For example, Article 10 of the PRC Cyber Security Law requires Network Operators to “take technical and other necessary measures to ensure the secure and stable operation of a network, effectively respond to cyber security incidents, prevent illegal crimes committed on a network, and maintain the integrity, confidentiality and availability of cyber data.” Article 21 also provides that Network Operators must formulate internal security management systems and take technological measures to preserve relevant web logs for no less than six months, among other requirements.
Having said that, if a party collecting or processing data in China is deemed to be a CIIO, then a collection of more stringent data processing rules will be triggered. Most significant to multinational companies, these heightened data processing rules include a local data-hosting requirement, which requires that all Personal Information and Important Data collected or maintained during business operations in China are hosted on servers physically located in the PRC. Similarly, CIIOs are also restricted from transferring Personal Information or Important Data offshore without performing certain security assessment procedures. Notably, any data transfers between an offshore parent company and a PRC subsidiary that is deemed to be a CIIO would fall under these local hosting and offshore data transfer restrictions. It is also worth noting that some subsequent draft legislation following the PRC Cyber Security Law has envisioned the expansion of these local hosting and offshore data transfer restrictions to all Network Operators (ie, not just CIIOs); however, this draft legislation has faced significant scrutiny and ultimately it is uncertain whether it will be adopted in the future.
Processing of Personal Data
As noted above, controllers and processors of all personal data in the PRC must ensure their compliance with the various consumer protection rules and individual rights to privacy under the Cyber Security Regime. Typically, the consent of data subjects should be obtained before any personal data is collected, processed, stored or transmitted. Under the PRC Cyber Security Law, Network Operators are required to disclose the intended use and purpose when collecting Personal Information (like Important Data) from data subjects. Moreover, personal information may only be collected if it relates to the services provided by the Network Operator. When processing information, Network Operators are obligated to not divulge, damage or distort any personal information. There are also other requirements to follow to protect the interests and privacy of data subjects, including ensuring that data subjects are provided certain rights of rectification if their personal information is misused, as well as rights of withdrawal, deletion, etc.
The PRC Cyber Security Law further provides that Personal Information can be provided to third parties, provided that consent of the data subject is obtained in advance. This is generally interpreted to permit the sharing of Personal Information with third-party data processors, so long as the necessary consent is obtained and other requirements are met. Indeed, the Personal Information Security Specification (GB/T 35273-2017) addresses the delegated processing of personal information, and includes compliance recommendations.
The PRC Cyber Security Law also includes a general exception for Personal Information that is anonymised – ie, technologically processed so that the subject is unidentifiable and non-recoverable. Anonymised information will not be subject to the restrictions of the PRC Cyber Security Law on divulging Personal Information without the data subject’s consent.
PRC law provides no rules on the monitoring of employees’ use of computer and Internet resources owned by the employer. As such, employers are generally permitted to use various means (eg, monitoring software) to monitor and restrict employees’ use of company computer resources.
However, if a company uses such means to collect employees’ Personal Information, then the employer may be obligated under the PRC Cyber Security Law to notify its employees of its collection methods, and to obtain employee consent before such collection. This can be accomplished by including appropriate language in the company’s employee handbook, and obtaining each employee’s acknowledgement that he or she has read and understood the handbook’s contents.
The Telecommunications Regulations of the People’s Republic of China (“Regulations”) apply to all types of “telecommunications” services. “Telecommunications” is defined broadly as the “act of using wired or wireless electromagnetic or optoelectronic systems to transmit or receive voice, text, data, images or any other form of information.”
The Regulations categorise telecommunications services as either “basic telecommunications services” or “value-added telecommunications services”, and require different operating permits to engage in each. Basic telecommunications services include voice communications services, public data transmission and public network infrastructure, while value-added telecommunications services consist of call centre services, Internet data centre services, CDN services, VPN services and others. A complete list of services or businesses qualifying as basic telecommunications services and value-added telecommunications services can be found in the Telecommunications Business Catalogue, as first formulated by the MIIT in 2000 and recently updated in 2019.
Therefore, depending on the type of telecommunications services being provided, prior to bringing a service to market, the telecommunications operator will need to obtain either a Basic Telecommunications Service Operating Permit or a Value-Added Telecommunications Services Operating Permit. Each permit requires a telecommunications services operator to meet different requirements, as follows:
China does not maintain a unified regulatory regime for all components of the audiovisual media industry as a whole. Instead, industry sub-sectors are regulated separately through a range of different laws and regulations. With respect to audiovisual media, the key areas of regulation include cable broadcasting, online audiovisual services and Over the Top (OTT) services. In general, the broadcasting or online transmission of audiovisual content is highly regulated and in many cases restricted for both foreign and domestic investment.
Cable broadcasting is highly regulated in the PRC, and is not open to foreign participation or even new domestic market entrants. Currently, a broadcasting television station may only be set up and established by the central or local government branches, such as the National Radio and Television Administration (NRTA) or the Ministry of Education. The station’s establishment will be subject to the central PRC government’s national market plans as well. No individual or other enterprise or organisation is allowed to set up any broadcasting television station in China.
The most central piece of legislation relating to cable broadcasting – ie, offering traditional cable television channels such as CCTV – is the Administrative Regulations for Radio and Television. All cable broadcasters are required to obtain two key permits, among others: (i) the Radio and Television Broadcasting Institution Permit, and (ii) the Radio or Television Programme Production Permit. PRC law requires applicants for these permits to meet certain requirements, including requirements regarding the applicant’s location, equipment, technology and personnel, and to complete an application process with the applicable authorities. No application fees are required. As mentioned, however, it is difficult if not impossible for new entities, domestic or foreign-invested, to obtain either of these permits in China.
Online Audiovisual Services
Online audiovisual services are primarily regulated through the following:
To operate an online streaming platform (ie, to provide video on demand (VOD) services such as Youku), the most important operating permits include an Internet Culture Business Permit (“Online Culture Permit”) and an Internet Audio Video Broadcasting Permit (“IAVB Permit”). Both permits require the applicant to meet certain requirements and complete an application process with local- and state-level government authorities. No application fees are required. The IAVB Permit requires the new applicant to be controlled or wholly owned by one of China’s State-Owned Enterprises. Neither the Online Culture Permit nor the IAVB Permit may be obtained by an applicant that has any foreign investor.
The most important operating permit for providers of OTT Services is the Over the Top (OTT) licence. To apply for an OTT licence, a qualified applicant must meet certain requirements, including being controlled by a State-Owned Enterprise, along with other equipment and personnel requirements. Here too, both local and state government approvals are needed, which requires submitting an application to local- and state-level authorities. No application fees are required. To date, only 16 OTT licences have been issued.
Directly operating an online video channel in the PRC is highly regulated and requires the procurement of operating licences/permits (ie, an Online Culture Permit and an IAVB Permit/OTT licence) that are generally only available to companies with State-Owned Enterprises as shareholders. As such, it is more common for content owners outside China to simply license content to a domestic entity that holds all required permits – eg, the licensing arrangement between iQiyi and Netflix. Such domestic entities will also ensure that licensed content complies with PRC content/censorship requirements, and will potentially self-censor any content that could potentially result in an infringement.
The use of certain encryption products is highly regulated in the PRC. While there are some general, affirmative obligations for companies to safeguard/encrypt protected types of data (such as Personal Information and Important Data under the PRC Cyber Security Law), such companies must always ensure that they remain in compliance with the PRC’s more tailored legal provisions on encryption, such as the recent Cryptography Law.
Prior to 2017, the manufacture, distribution and use of commercial encryption products was restricted in China. In 2017, China’s State Council and the State Cryptography Administration (SCA) suspended a series of restrictive regulations that made the production and distribution of cryptography products in China subject to a burdensome prior approval process. The Cryptography Law, promulgated on 26 October 2019 and effective since 1 January 2020, continues this trend by making clear that the state encourages and supports research on cryptography and its application, as well as the innovation of cryptography science and technology.
The Cryptography Law divides cryptography into different types: core cryptography, ordinary cryptography and commercial cryptography. Core and ordinary cryptography are used to protect state secret information; all other cryptography is classified as commercial cryptography. The Cryptography Law sets out different rules and regulations for each type.
The Cryptography Law generally affords national treatment to foreign-invested entities in the research, production, sale, service, import and export of cryptography, and prohibits the forced transfer of proprietary information from commercial cryptography entities. Moreover, the Cryptography Law provides for a detection and certification requirement for commercial cryptography products involving national security, the national economy and the public interest, clarifies that CIIOs must use commercial cryptography, and stipulates that a national security review must be completed if national security is involved. In addition, the SCA is mandated under the Cryptography Law to formulate a list of commercial cryptography involving national security or public interests, which will be subject to an import licensing requirement.
The use of encryption does not exempt an organisation from any specific rules under PRC law. However, in practice, the use of certain encryption products as certified/authorised by Chinese authorities will often satisfy certain obligations to safeguard and protect data under PRC law, such as the provisions applicable to Network Operators under the PRC Cyber Security Law. In addition, the Cryptography Law requires that any state secret information transmitted by wired or wireless communications be sent using encryption.