Contributed By DaHui Lawyers
There are no laws and only a few legal regulations in the PRC relating specifically to cloud computing, but cloud computing service providers are subject to various general bodies of legislation and regulations, including the following:
There are also numerous non-binding recommended standards published by the Standardisation Administration of China (SAC) relating to cloud computing, covering topics ranging from security guidance to data centre requirements and file service application interfaces.
The Cybersecurity Law sets out obligations on “Critical Information Infrastructure Operators” (CIIOs – see 6 Key Data Protection Principles for more details), which are defined broadly to include companies whose business implicates significant issues of PRC national security, the national economy, social well-being and other public interests. There is no express law or regulation in effect currently specifying that cloud services is a category of “Critical Information Infrastructure” (CII), but the scale and importance of some cloud computing operators could conceivably cause them to fall within this definition. Indeed, draft guidance from the Cyberspace Administration of China (CAC) – which was issued for public comment in July 2017 but has not yet been promulgated – specifically includes cloud computing service providers among its listed types of entities that may be deemed as CIIOs. Subject to the specific data stored or processed on a cloud computing service or the party to which the cloud computing services are provided, a cloud computing service provider could be required to comply with various obligations under the Cybersecurity Law, such as local data hosting and offshore data transfer restrictions, or the Cloud Computing Security Evaluation Measures. This may result in a cloud computing network with offshore components (eg, servers hosted outside China, or networks between a PRC subsidiary and foreign parent company) having to undergo restructuring to comply with the Cybersecurity Law and/or undergo a security assessment procedure (which is currently vaguely defined) prior to providing such cloud services to CIIOs.
Cloud Computing Security Evaluation Measures
The Cloud Computing Security Evaluation Measures provide that cloud computing service providers that supply cloud computing services to the Communist Party of China (CPC), the government or any CIIO must complete a security evaluation on each of its cloud computing platforms providing such services. The evaluation is organised by the CAC to ensure the security and controllability of cloud computing platforms and will act as a reference – and may even be required – for the procurement of cloud computing services by government bodies, the CPC and CIIOs.
Personal Information Protection
Cloud computing service providers generally must comply with the requirements of the Cybersecurity Regime in respect of the collection and use of personal information. Previously, personal information was protected primarily by the Cybersecurity Law (supplemented by a number of national standards, including the Information Security Technology – Personal Information Security Specification (Specification) and the Information Security Technology – Guideline for Personal Information Protection within Information Systems for Public and Commercial Services). Key protections include the requirement to obtain consent from data subjects for the collection and further uses of the personal information, the requirement on some operators to undergo security assessment procedures prior to an overseas transfer (see 10 Encryption Requirements) and such further general principles as “legitimacy, rightfulness and necessity” in the collection and use of personal information. The Consumer Protection Law of the People’s Republic of China (Consumer Protection Law) sets similar requirements on the collection of consumer information by business operators. Other high-level laws provide general privacy protections – eg, the Tort Law of the People’s Republic of China, the Civil Code of the People’s Republic of China (Civil Code) and the Criminal Law of the People’s Republic of China(Criminal Law).
On 21 October 2020, China released a draft Personal Information Protection Law of the People’s Republic of China(Draft PI Protection Law), composed of both high-level and specific rules for a broad range of issues related to the processing of individuals' personal information. On the one hand, its coverage overlaps with several laws, regulations, recommended national standards, etc, promulgated in the last few years, such as the Cybersecurity Law, Civil Code and the Specification, and thus may serve as a synthesis of rules and supersede existing rules that conflict with it. On the other hand, it both contains new or extended rules and leaves some aspects of the protection of personal information to other sets of rules, including the latest draft Data Security Law of the People’s Republic of China(Draft Data Security Law) promulgated by the National People's Congress of China on 3 July 2020.
The Draft PI Protection Law does not represent a major addition or alteration to the regime heralded by the Cybersecurity Law over four years ago and being filled in by implementing regulations and other measures since then. Aside from reinforcing the regime of the Cybersecurity Law, the Draft PI Protection Law – if passed in substantially its present form – would likely bring some innovations (though still subject to how they would be implemented, interpreted and applied). Parties who process personal information may wish to identify the most crucial innovations, but they need not rush to any conclusions or actions about changing their internal systems or businesses more generally as a number of specifics still need to be set out, likely in implementing measures to be issued in the months and years after the Draft PI Protection Law is promulgated.
Risk and Liability
Blockchain technologies are generally permitted and even encouraged in China, except in the sector of cryptocurrencies. Developing blockchain was identified as one of the core aims in the PRC government’s 13th Five-Year Plan in 2016. The 14th Five-Year Plan promulgated by the China Communist Party Central Committee on 29 October 2020 did not specifically mention blockchain technology, but actually emphasised the research and development of digital currency and fintech. While China’s Central Bank Digital Currency (CBDC) is currently not based on blockchain technology, fintech is among the most important functions of blockchain technology. Since then, 12 authorities (including the Ministry of Commerce) have published guiding opinions on the promotion and development of blockchain for use in commodity trading markets. In addition, with the growth of mobile payments and online banking, the People’s Bank of China (PBOC) has developed a new consumer credit rating system that employs blockchain technology and is used to monitor the wealth and debt of individuals (including household borrowing and utility bills) to give banks or third parties a more comprehensive picture of an individual’s financial position and their credit risk so that systemic risks can be better controlled.
The Provisions on Administration of Blockchain-based Information Services (Blockchain Services Provisions) promulgated by the CAC represent the first administrative guidelines for providers of non-cryptocurrency, blockchain-based services in China. The Blockchain Services Provisions define blockchain-based service providers as entities or nodes that provide blockchain-based information services, or any institution or organisation that provides technological support to such entities (Blockchain Service Providers). Under the Blockchain Services Provisions, Blockchain Service Providers are responsible for information security and should build internal management systems for user registration, information censorship, emergency response and security protection. The Blockchain Services Provisions require Blockchain Service Providers to conduct a record-filing with the CAC or its provincial-level branch to report certain key information, such as the type and scope of services, application sectors and server addresses, within ten business days of launching their services. Blockchain Service Providers are also required to undertake a security evaluation administered by the CAC or its provincial branches, and to authenticate the identities of their users based on ID card numbers, organisational codes (for PRC entities) or mobile phone numbers before providing services to such users, in accordance with the Cybersecurity Law. As of 30 October 2020, the CAC has announced a total of 1,015 blockchain services provided by relevant service providers.
On the other hand, the Chinese government continues to take a hard line against private cryptocurrencies and initial coin offering (ICO) fundraisings. The regulators have had an outright ban on cryptocurrency exchanges and ICOs in China since 2017, and have also imposed severe restrictions on the use of cryptocurrencies and relevant trading services. Although some market players have continued to conduct limited cryptocurrency operations in China, the regulators have vowed to strengthen monitoring of cryptocurrency-related activities. However, the PBOC has started a trial utilisation of the CBDC in a number of cities and regions in China, as its own contribution to the growing world of digital currencies. As noted above, the current CBDC is not based on blockchain technology, which is another sign that cryptocurrencies may be subject to increased scrutiny.
A blockchain-based application will typically be in the form of computer software, which may make it subject to copyright protection under PRC law. If the application is sophisticated enough (eg, if it includes sufficient technical elements in addition to being mere computer algorithms or business method), and if the application constitutes a solution to a technological problem, then it could be considered patentable under China’s patent law. That said, many blockchain technologies are based, at least partially, on open-source software, which will generally be governed by the terms of an open-source licence. That licence may impose restrictions on patent applications, or may contain provisions undermining patent enforcement.
There are no PRC rules on data privacy that relate to blockchain technologies specifically. However, an operator of blockchain services would be subject to various other PRC laws and regulations relating to data privacy, such as under the Cybersecurity Regime (see, generally, 1 Cloud Computing and 6 Key Data Protection Principles).
This may require a provider of blockchain services or an operator of blockchain technologies to obtain consent before collecting personal information from users, and to disclose internal rules for personal information collection, the intended use of such information, its purpose and the means and scope of collection.
Furthermore, Blockchain Service Providers who are engaged in certain industries could be deemed to be operating CII, making them subject to more strict obligations under the Cybersecurity Regime. In particular, this may include operators of blockchain services in the financial or mineral resources sectors. If such a service provider qualifies as a CIIO, any personal information or other information constituting important data collected within mainland China through a given blockchain would be required to be stored in China and could not be transferred outside China without undergoing additional security assessment procedures, which may require that all nodes of the blockchain are located within China as well.
Currently, there are no specific PRC laws or regulations on any service levels or service level agreements (SLAs) for an operator of blockchain services. That said, the SAC has promulgated a number of recommended national standards and industrial standards on SLAs for cloud computing, prepared by the China National Information Technology Standardisation Committee (CNITSC), which has also promulgated industrial standards on SLAs. While none of these standards are compulsory, there appears to be an increasing number of Chinese internet and software service providers adopting SLAs. As such, SLAs are expected to evolve primarily in light of technical and commercial considerations between Blockchain Service Providers and users.
Because the nodes of a blockchain could potentially be dispersed across servers located in multiple countries and jurisdictions, the question of which laws the blockchain will be subject to is complicated and has not been specifically addressed by PRC law within the blockchain context. However, because the definition of Blockchain Service Providers under the Blockchain Services Provisions covers “nodes”, the rules provided by the Blockchain Services Provisions should at least be applicable to hosts of Chinese nodes used for blockchain information services (defined as information services provided to the public using blockchain-based technology and in the form of internet websites, mobile applications, etc). That said, since the Block Services Provisions are only an administrative provision, under current PRC law and in the absence of an agreement among relevant blockchain parties on governing law and forum selection, whether or not a blockchain is subject to PRC law will be governed by standard PRC choice of laws and forum selection rules under the Civil Procedure Law of the People’s Republic of China and the Law of the People’s Republic of China on Application of Laws to Foreign-Related Civil Relationships. Even under these laws, there remain uncertainties, such as whether having a single blockchain node located on a server in the PRC will be sufficient to subject the entire blockchain to PRC jurisdiction, or whether something more is required.
Currently, there are restrictions on foreign investment into big data companies. The Telecommunications Business Catalogue, published in 2015 by the Ministry of Industry and Information Technology (MIIT), lists the operation of an internet data centre (IDC) as a business that requires a value-added telecommunications operating permit. Subject to certain limited exceptions, this permit cannot be obtained by a foreign-invested entity. Therefore, foreign entities generally are required to outsource their data storage and data analysis services to local PRC IDCs. Indeed, since 28 February 2018, the Apple iCloud service in mainland China (which formerly operated via an offshore service provider) has been transferred and operated by Guizhou-Cloud Big Data Industry Development Company, a PRC IDC.
Beyond these foreign investment restrictions, there are no laws or regulations in the PRC specifically applying to “big data” companies or providers of big data-type services, such as big data analytics and consulting services. As such, there are no statutory limitations or allocations of liability or insurance requirements applicable to duly established big data companies.
Generally, big data companies will be subject to the requirements of the Cybersecurity Regime, whereby informed consent must be procured from users or data subjects before a company can collect and process their personal information. In the case of a big data service provider, such consent should indicate that the user’s personal information will be used specifically to produce data analytics or provide consulting services. Additionally, a company engaging in business related to big data in certain industry sectors might be subject to additional regulatory requirements. For example, health-related data must be stored on a secure and trusted server in China, and hospital authorisation is required to collect and process such data (even anonymised data), and even a security assessment is required before transferring such data offshore.
More generally, a big data service provider may be deemed a CIIO and therefore subject to stricter compliance requirements, including the requirement to store all personal information and other important data within the PRC and the restrictions on transmitting such data outside the PRC without performing certain security assessment procedures. That said, if a big data service provider undertakes anonymisation (ie, technologically processing personal information to make the personal information subject unidentifiable and non-recoverable) when processing personal information, the ultimate analytics and consulting services may not be subject to the restrictions of the Cybersecurity Law on processing personal information without the data subject’s consent.
There are no PRC laws or regulations specifically pertaining to the creation, development or use of machine learning algorithms or technologies. As such, there is no PRC legislation on the allocation of liability or setting insurance requirements on companies that provide products or services employing machine learning algorithms or technology.
As the operation of machine learning algorithms tends to require large data sets, service providers obtaining such data will be subject to the requirements of the Cybersecurity Regime. As such, informed consent must be obtained for any personal information obtained directly from data subjects, and such consent should indicate that the data subject’s personal information will be used specifically for machine learning purposes. If such data is obtained from a third-party source, care should be taken to ensure that appropriate consents were obtained by the entity that collected any personal information, or that such personal information is anonymised.
A software program employing machine learning technology is likely to be subject to copyright protections under PRC law. However, machine learning algorithms themselves will be very difficult to patent in the PRC. Moreover, any machine learning software that is based on open-source software will generally be governed by the terms of an open-source licence, which may impose restrictions on patent applications or contain provisions undermining patent enforcement.
There are no PRC laws or regulations specifically pertaining to the creation, development or use of artificial intelligence (AI). As such, there is no PRC legislation specific to the use of AI on the allocation of liability or setting insurance requirements on companies that provide products or services employing AI.
As the operation of AI tends to require large data sets, service providers obtaining such data will be subject to the requirements of the Cybersecurity Law. As such, informed consent must be obtained for any personal information obtained directly from data subjects, and such consent should indicate that the data subject’s personal information will be used specifically for AI purposes. If such data is obtained from a third-party source, care should be taken to ensure that appropriate consents were obtained by the entity that collected the personal information, or that the personal information is anonymised.
With respect to the ownership of intellectual property rights, under the Copyright Law of the People’s Republic of China (Copyright Law), only natural persons, legal persons or organisations can be entitled to copyrights. As a result, PRC law currently appears to suggest that any works and content created by AI cannot be protected under the Copyright Law.
Chinese legislators have taken a relatively broad view of the concept of the internet of things (IoT). The Guiding Opinions of the State Council on Promoting the Orderly and Healthy Development of Internet of Things (Guo Fa  No 7 – the IoT Opinion) describes IoT as technologies “based on the intensive integration and comprehensive application of a new generation of information technology,” and designates IoT as an important strategic emerging industry of the country. The IoT Opinion further emphasises the co-ordinated overall development of IoT applications, technologies, industry and standards.
Although China has yet to promulgate any comprehensive legislation on the security and regulation of IoT, recent legislation on IoT-related issues – such as data security, data privacy, cloud computing, protection of critical infrastructure, classified levels of security protection, information security, etc – is all applicable to IoT, and a number of different government departments and regulatory bodies have been involved in the regulation and standardisation of the IoT sector. These government bodies include the MIIT, which is the key regulator for the telecoms sector and about 20 other industries, and the CAC, which acts as the main watchdog for information security and content administration, as well as others such as the NDRC, the Ministry of Science and Technology (MOST) and the SAC.
While there is no specific law on the information security of IoT, the general rules of the Cybersecurity Regime are generally applicable to the IoT sector – in particular, the rules regarding the confidentiality and safekeeping of personal information of consumers, and the protection of privacy (see 1 Cloud Computing and 6 Key Data Protection Principles). Therefore, if an IoT service provider is deemed to be operating critical information infrastructure, then it will be subject to more stringent compliance requirements.
By and large, the PRC legal framework concerning IT service agreements presents many of the common issues found in other jurisdictions. In particular, provisions dealing with indemnification and liability caps for data breaches, service outages and other service malfunctions tend to be among the most heavily negotiated clauses of IT service agreements in China. Another routinely contested contractual issue concerns a service provider’s reporting obligations to its customers in the event that it discovers breaches, attempted intrusions, actual intrusions and data leaks. Maintenance timetables and service-level credits are also potential points of discussion, as is IP ownership of customised software applications. Taken together, these general issues of IT service agreements tend to be deal-specific, and their resolution is often subject to the risk profiles of the parties involved. It is worth noting that the Civil Codeentered into effect on 1 January 2021, rendering a number of laws obsolete, such as the Contracts Law of the People’s Republic of China. The Civil Code will also govern IT service agreements, although no significant changes to existing and prevailing contractual arrangements for such agreements are expected.
There are no sector-specific rules on IT service agreements, except for those generally governing the cloud computing/data/privacy sectors (see 1 Cloud Computing and 6 Key Data Protection Principles).
Core Rules Regarding Data Protection
Currently, there is no single definitive piece of legislation in the PRC governing data protection. Instead, a range of laws and regulations contain data protection provisions that apply to specific parties in a variety of circumstances. Some of the most notable include the Cybersecurity Law, the Criminal Law (revised in 2015) and the Consumer Protection Law. For example, under the Consumer Protection Law, business operators are required to notify consumers of the purpose, method and scope of information collected from users/customers, as well as how such information will be used, and to obtain consumers’ consent prior to collecting such data or transferring it, whether such transfers are made onshore or offshore. These consumer protection restrictions also require business operators to keep any personal information of consumers confidential, and to take technical and other measures to safeguard such information. Additionally, various sources of legislation provide that PRC nationals have a general right to privacy under PRC law, which includes the right to have their information kept private.
On 3 July 2020, the National People’s Congress Standing Committee published the Draft Data Security Lawfor public comment. If passed in its current form, the Draft Data Security Law will be applicable to all “data activities” within China, with the exception of data activities involving state secrets and military information, which will be governed by the Law of the People’s Republic of China on Guarding State Secrets and related legislation and regulation. The Draft Data Security Law also purports to apply to organisations and individuals outside the territory of China if such organisations or individuals harm the national security, public interests or legitimate rights and interests of the citizens and organisations of China in carrying out data activities.
The Draft Data Security Law features a unified system for assessing, reporting, sharing, monitoring and warning data security risk, though the system would still need to be established by the state. The Draft Data Security Law envisions a classified data protection regime based on the level of importance of different data. Local governmental departments would be mandated to impose heightened protection on the data within a “key data catalogue”. The Draft Data Security Law would also provide that China will establish a national security review mechanism on data activities, an export control mechanism on controlled data, and a data security emergency response mechanism, though the draft law does not provide any details on these mechanisms.
Both the draft Data Security Law and PI Protection Law are considered extensions/reinforcements to the existing cybersecurity regime with the Cybersecurity Law at its centre (see also 1 Cloud Computing).
Distinction between Companies/Individuals
The Cybersecurity Law does not make a technical distinction between companies and individuals. However, it does contain other important distinctions, both at the level of collectors/handlers of data (typically companies) and at the level of data itself (typically data belonging to consumers/individuals).
At the data collector/handler level, the law distinguishes between “Network Operators” and the narrower concept of CIIOs. Network Operators are broadly defined as “network owners and administrators, and network service providers”. As no further definitions of these sub-categories is provided, this definition could potentially include any company or individual operating a website or using a company intranet/cloud computing network. CIIOs, on the other hand, are essentially defined to include certain companies that are heavily connected to industries implicating PRC sovereignty or the economy, or the well-being of PRC citizens, the collapse of which would likely have an adverse impact on the PRC government or its citizens (eg, major utilities and banks). Different rules and requirements within the Cybersecurity Law are applicable to Network Operators and CIIOs, with the restrictions placed on the latter tending to be more onerous.
At the level of data itself, the Cybersecurity Law is focused especially on two particular types of network data: personal information and “Important Data”. Personal information is defined under the Cybersecurity Law to include “all kinds of information recorded by electronic or other means that can be used to identify, independently or in conjunction with other information, a natural person, including name, date of birth, ID numbers, biometric personal information, etc.” Important Data is technically undefined under the Cybersecurity Law, but subsequent draft guidance sets out many sector-specific types of data deemed to be Important Data. For example, for a financial institution, a list of clients would be considered Important Data, as a breach or leak of such list would potentially damage the safety and soundness of that financial institution. Taken together, companies collecting or processing information that could be considered personal information or Important Data over a network should take particular care that they are in full compliance with the Cybersecurity Law.
The above rules may all be further clarified/strengthened by the Draft Data Security Law and Draft PI Protection Law, when these laws are promulgated.
General Processing of Data
In addition to the general data handling and user consent rules noted above in the context of the Consumer Protection Law, the Cybersecurity Regime also provides data processing rules that apply to all Network Operators in China. For example, Article 10 of the Cybersecurity Law requires Network Operators to “take technical and other necessary measures to ensure the secure and stable operation of a network, effectively respond to cybersecurity incidents, prevent illegal crimes committed on a network, and maintain the integrity, confidentiality and availability of cyber data.” Article 21 also provides that Network Operators must formulate internal security management systems and take technological measures to preserve relevant web logs for no less than six months, among other requirements.
However, if a party collecting or processing data in China is deemed to be a CIIO, then a series of more stringent data processing rules will be triggered. Most significant to multinational companies, these heightened data processing rules include a local data-hosting requirement, which requires that all personal information and Important Data collected or maintained during business operations in China is hosted on servers physically located in the PRC. Similarly, CIIOs are also restricted from transferring personal information or Important Data offshore without performing certain security assessment procedures. Notably, any data transfers between an offshore parent company and a PRC subsidiary in which the latter is deemed to be a CIIO would fall under these local hosting and offshore data transfer restrictions. It is also worth noting that some draft legislation subsequent to the Cybersecurity Law has envisioned the expansion of these local hosting and offshore data transfer restrictions to all Network Operators (ie, not just CIIOs); however, this draft legislation has faced significant scrutiny and it is far from a reliable indication that it will be adopted in the future.
Processing of Personal Data
As noted above, controllers and processors of all personal data in the PRC must ensure their compliance with the various consumer protection rules and individual rights to privacy under the Cybersecurity Regime, the Consumer Protection Law and the Civil Code and Criminal Law. Typically, the consent of data subjects should be obtained before any personal data is collected, processed, stored or transmitted. Under the Cybersecurity Law, Network Operators are required to disclose the intended use and purpose when collecting personal information (just as for Important Data) from data subjects. Moreover, personal information may only be collected if it relates to the work or services provided by the Network Operator. When processing information, Network Operators are obligated to not divulge, damage or distort any personal information. There are also other requirements to follow to protect the interests and privacy of data subjects, including ensuring that data subjects are provided certain rights of rectification if their personal information is misused, as well as rights of withdrawal, deletion, etc.
The Cybersecurity Law further provides that personal information can be provided to third parties, as long as the consent of the data subject is obtained in advance and other requirements are satisfied. Indeed, the Specification addresses the delegated processing of personal information, and includes compliance recommendations.
The Cybersecurity Law also includes a general exception for personal information that is anonymised – ie, technologically processed so that the subject is unidentifiable and non-recoverable. Anonymised information will not be subject to the restrictions of the Cybersecurity Law on divulging personal information without the data subject’s consent.
PRC law provides no rules specifically covering the monitoring of employees’ use of computer and internet resources owned by the employer. As such, employers are generally permitted to use various means (eg, monitoring software) to monitor and restrict employees’ use of company computer resources.
However, the right of privacy has been developing in PRC law, and with its first major explicit instantiation in the recently promulgated Civil Code, challenges may be levied (successfully) in the near future against certain (unreasonable) monitoring. Moreover, if a company collects employees’ personal information, then the employer may be obligated under the Cybersecurity Law to notify its employees of its collection methods and to obtain employee consent before such collection. This can be accomplished by including appropriate language in the company’s employee handbook, and obtaining each employee’s acknowledgement that he or she has read and understood the handbook’s content.
The Telecommunications Regulations of the People’s Republic of China (Regulations) apply to all types of “telecommunications” services. “Telecommunications” is defined broadly as the “act of using wired or wireless electromagnetic or optoelectronic systems to transmit or receive voice, text, data, images or any other form of information.”
The Regulations categorise telecommunications services as either “basic telecommunications services” or “value-added telecommunications services”, and require different operating permits to engage in each. Basic telecommunications services include voice communications services, public data transmission and public network infrastructure, while value-added telecommunications services consist of call centre services, IDC services, CDN services, VPN services and others. A complete list of services or businesses qualifying as basic telecommunications services and value-added telecommunications services can be found in the Telecommunications Business Catalogue, as first formulated by the MIIT in 2000 and last updated in 2019.
Therefore, depending on the type of telecommunications services being provided, the telecommunications operator will need to obtain either a “Basic Telecommunications Service Operating Permit” or a “Value-Added Telecommunications Services Operating Permit” prior to bringing a service to market. Each permit requires a telecommunications services operator to meet different requirements, as follows.
On 15 October 2020, the MIIT released the Notice on Strengthening Interim and Ex-Post Supervision of Foreign-Invested Telecommunications Enterprises (FITE Notice). The FITE Notice confirms that a separate process for MIIT approval (MIIT FITE Approval) is no longer required for the establishment of foreign-invested telecommunication enterprises (FITEs), and all the procedures and documents required under the former MIIT FITE Approval application will be integrated into the existing application process for licences of telecoms services. This is yet another easing of foreign-invested enterprises’ entry into China’s telecoms market, which has been opening up more and more since the country joined the World Trade Organization.
China does not maintain a unified regulatory regime for all components of the audio-visual media industry as a whole. Instead, industry sub-sectors are regulated separately through a range of different laws and regulations. With respect to audio-visual media, the key areas of regulation include cable broadcasting, online audio-visual services and Over the Top (OTT) services. In general, the broadcasting or online transmission of audio-visual content is highly regulated and in many cases restricted to both foreign and domestic investment.
Cable broadcasting is highly regulated in the PRC and is not open to foreign participation or even new domestic market entrants. Currently, a broadcasting television station may only be set up and established by the central or local government branches, such as the National Radio and Television Administration (NRTA) or the Ministry of Education. The station’s establishment will be subject to the central PRC government’s national market plans as well. No individual or other enterprise or organisation is allowed to set up any broadcasting television station in China.
The most central piece of legislation relating to cable broadcasting – ie, offering traditional cable television channels – is the Administrative Regulations for Radio and Television. All cable broadcasters are required to obtain the following two key permits, among others:
PRC law requires applicants for these permits to meet certain requirements, including regarding the applicant’s location, equipment, technology and personnel, and to complete an application process with the applicable authorities. No application fees are required. As mentioned, however, it is difficult if not impossible for new entities – domestic or foreign-invested – to obtain either of these permits in China.
Online Audio-Visual Services
Online audio-visual services are primarily regulated through the following legislation:
To operate an online streaming platform (ie, to provide video on demand (VOD) services, such as Youku (the Chinese YouTube)), the most important operating permits include an “Internet Culture Business Permit” and an “Internet Audio Video Broadcasting Permit” (IAVB Permit). The IAVB permit requires the applicant to meet certain requirements and complete an application process with local and central government authority, while the internet Culture Business Permit’s application process involves only the provincial level government authority. No application fees are required. The IAVB Permit requires the new applicant to be controlled or wholly owned by one of China’s state-owned enterprises (SOEs). Neither the Internet Culture Business Permit nor the IAVB Permit may be obtained by an applicant that has any direct or indirect (on a see-through basis) foreign investor, although indirect control structures featuring variable interest entity structures are widely used in this sector.
The most important operating permit for providers of OTT Services is the OTT licence. To apply for an OTT licence, a qualified applicant must meet certain requirements, including being controlled by an SOE, along with other equipment and personnel requirements. Here too, both local and state government approval are needed, which requires submitting an application to local- and state-level authorities. No application fees are required. To date, only 16 OTT licences have been issued.
Directly operating an online video channel in the PRC is highly regulated and requires the procurement of operating licences/permits (ie, an Internet Culture Business Permit and an IAVB Permit/OTT licence) that are generally only available to companies with SOEs as (controlling) shareholders. As such, it is more common for content owners outside China to simply license content to a domestic entity that holds all required permits – eg, the licensing arrangement between iQiyi and Netflix. Such domestic entities will also ensure that licensed content complies with PRC content/censorship requirements, and will potentially self-censor any content that could result in an infringement.
The use of certain encryption products is highly regulated in the PRC. While there are some general, affirmative obligations for companies to safeguard/encrypt protected types of data (such as personal information and Important Data under the Cybersecurity Law), such companies must always ensure that they remain in compliance with the PRC’s more tailored legal provisions on encryption, such as the recent Cryptography Law.
Prior to 2017, the manufacture, distribution and use of commercial encryption products was restricted in China. In 2017, China’s State Council and the State Cryptography Administration (SCA) suspended a series of restrictive regulations that made the production and distribution of cryptography products in China subject to a burdensome prior approval process. The Cryptography Law, promulgated on 26 October 2019 and effective since 1 January 2020, continues this trend by making clear that the state encourages and supports research on cryptography and its application, as well as the innovation of cryptography science and technology.
The Cryptography Law divides cryptography into different types:
Core and ordinary cryptography are used to protect state secret information; all other cryptography is classified as commercial cryptography. The Cryptography Law sets out different rules and regulations for each type.
The Cryptography Law generally affords national treatment to foreign-invested entities in the research, production, sale, service, import and export of cryptography, and prohibits the forced transfer of proprietary information from commercial cryptography entities. Moreover, the Cryptography Law provides for a detection and certification requirement for commercial cryptography products involving national security, the national economy and the public interest, clarifies that CIIOs must use commercial cryptography, and stipulates that a national security review must be completed if national security is involved. In addition, the SCA is mandated under the Cryptography Law to formulate a list of commercial cryptography involving national security or public interests, which will be subject to an import licensing requirement.
The use of encryption does not exempt an organisation from any specific rules under PRC law. However, in practice, the use of certain encryption products as certified/authorised by Chinese authorities will often satisfy certain obligations to safeguard and protect data under PRC law, such as the provisions applicable to Network Operators under the Cybersecurity Law. In addition, the Cryptography Law requires that any state secret information transmitted by wired or wireless communications is sent using encryption.
Although China was the first to be hit by COVID-19, despite initial disruptions the Chinese economy has stabilised over the course of the past year and has seen even more growth than the year before, particularly in the TMT industry. Perhaps the only (and only remotely relevant) TMT sector that has received sector-specific government relief funds is the cinema sector – cinemas in China remained closed until late July 2020, when the National Film Bureau conditionally allowed cinemas to resume business – and cinemas can only operate at up to 75% of their seat capacity, and seats must remain over 1 metre apart.
That said, the government has indeed provided relief funds to many small-to-medium sized Chinese companies, TMT companies included, in forms ranging from relief grants and tax rebates/reductions to low interest loans. Companies are also encouraged to arrange for employees to work from home rather than in-office, and companies in hardship may arrange for employees to take leave with minimum wages to reduce cost. That said, the COVID-19 crisis has not directly led to any changes in TMT-specific legislation.