TMT 2024 Comparisons

To date, no laws or regulations that specifically regulate the metaverse have been enacted in the People’s Republic of China (PRC). However, metaverse platform providers and participants should pay attention to laws and regulations regarding the PRC telecoms regime, virtual property, personal information (PI) and other data, and intellectual property (IP), including the following:

• the PRC Telecommunications Regulations, the PRC Administrative Measures for the Licensing of Telecommunications Business and the PRC Classification Catalogue of Telecommunication Services set out myriad restrictions and requirements on telecoms services in China;
• the PRC Copyright Law, the PRC Trademark Law and the PRC Anti-Unfair Competition Law (AUCL) are key pieces of legislation concerning IP rights in China;
• the PRC Civil Code came into effect on 1 January 2021 and covers a wide range of parties’ private rights; Article 127 clearly imparts legal status to virtual property, just the same as any object of civil rights; and
• the various laws of the cybersecurity regime, beginning with the PRC Cybersecurity Law of 2017 and most recently including the PRC Data Security Law and the PRC Personal Information Protection Law (PIPL), set out numerous rules for the collection, transfer and other processing of various kinds of data.

Each of the above areas of law is further specified by national and local regulations and rules, although still not addressing the metaverse specifically.

The metaverse is specifically addressed, however, in development plans of several large cities, including Beijing, Shanghai and Chongqing, in order to attract investments from metaverse companies. Furthermore, in September 2023, the Ministry of Industry and Information Technology (MIIT), in collaboration with four other ministries, released the Three-Year Action Plan for the Innovative Development of the Metaverse Industry (2023–2025), which outlines a policy framework and specific measures aimed at fostering the growth of the metaverse industry. Key strategies involve advancing AI-based technologies, such as data circulation technology, content generation technology, digital twin technology, perception and interaction technology, and networking and computing technology. The overarching goal is to facilitate the formation of what is referred to as the “industrial metaverse”.

PRC Telecoms Regime

Depending on the business model and the telecoms resources to be used for the metaverse, PRC telecoms regulatory requirements might be triggered. The internet and telecoms sectors in the PRC are subject to a comparatively rigid licensing regime, which might be applicable to companies offering services to PRC customers via an onshore model (with servers, data and other facilities/resources within China).

In particular, if an entity offering services via an onshore model would like to engage in activities that fall under the definition of “basic telecoms services” or “value-added telecoms services”, then it will first need to obtain the relevant licences according to the Catalogue of Telecommunications Businesses, issued and regularly amended by the MIIT. As examples, depending on the business model and product features to be implemented, engaging in metaverse activities may require an Internet Content Provider (ICP) licence or a Service Provider (SP) licence (if the services are provided through mobile networks), at least one of which is a prerequisite for metaverse platform operators to provide services falling into any one of the following sub-categories:

• Information Publishing Platform and Delivery Services, which usually refer to online services provided by a platform disseminating content in the form of text, video or applications;
• Information Community Platform Services, which usually refer to online services provided by platforms that allow users to exchange information;
• Information Search Services, which usually refer to online services provided by search engines such as Baidu and Bing;
• Information Instant Interaction Services, which usually refer to online services that allow users to exchange information instantly through a service provider’s product; and
• Information Protection and Process Services, which usually refer to online services relating to anti-virus functions and information protection services.

Some of the activities (eg, certain basic telecoms services) can only be provided by state-owned entities, while others need at least 50% or 51% local Chinese shareholding (eg, services falling under the requirement for an ICP licence), and some are completely open to any kind of investment – with more and more falling under this last category every year.

On 23 November 2023, the State Council approved the Plan on Supporting Beijing to Deepen the Development of the Comprehensive Demonstration Zone of National Service Industry (“Plan”), with the objective of advancing the further opening and reform of various service sectors. The most notable part of the Plan is its relaxing of foreign investment shareholding restrictions in specific sub-categories of value-added telecommunications services (VATS) in Beijing, including the elimination of foreign shareholding limitations in the operation of app stores (under a B25 licence) and internet access services (under a B14 licence).

Under the prevailing regulatory framework, the operation of app stores in China is limited to 50% foreign investment, except for investment in free trade zones (FTZs) and for qualified service providers from Hong Kong or Macau under the Closer Economic Partnership Arrangement (CEPA), while foreign investment in internet access services in China is 100% prohibited, subject to the same exceptions.

IP Protection

The metaverse has created an emerging environment that revolutionised the traditional application of the internet, and is creating a virtual society reflective of the physical world. User-generated content makes infringement of IP more common. Metaverse participants usually create scenes in the virtual world based on their preferences in the real world, transferring, copying and linking trade marks, signs, designs and other copyrights or works protected under IP law into the virtual world. These activities likely implicate IP protection laws, as the PRC Copyright Law, PRC Patent Law and PRC Trademark Law are quite clear that the author and trade mark registrant enjoy the exclusive right of any given copyright or trade mark, and there are currently no exceptions or special provisions that would clearly apply to metaverse activities.

In late 2022, draft amendments to the AUCL were released and included the new concept of “commercial data”, which is defined as data that is lawfully collected by business operators, has commercial value and employs corresponding technical management measures. The draft amendments would impose additional requirements for business operators processing “commercial data” and prohibit certain related conduct, such as disrupting technical management measures of other business operators, breaching relevant contracts, agreements or protocols, acting contrary to the principle of good faith, etc.

Data Property Rights and Data Transactions

The Chinese government recognises data as a significant “factor of production” in the digital economy, akin to capital, land, technology, and human resources. On 19 December 2022, the Central Committee of the Chinese Communist Party and the State Council jointly released the Opinion on Building a Data Basic System to Enhance the Utilisation of Data Elements, which introduces 20 measures (“20 Measures”) designed to establish fundamental data systems that will promote the rapidly growing data industry in China. According to these 20 Measures, China plans to develop basic data systems from four key aspects:

• data property rights;
• data circulation and transaction;
• data income distribution to promote fair competition; and
• data security governance.

In alignment with the 20 Measures, several local governments in China, including Jiangsu, Zhejiang, Beijing, and Shenzhen provincial governments, have enacted relevant regulations to define data property rights and establish mechanisms for data transactions. These regulations have instituted a property rights operating mechanism to delineate the right to hold data resources, the right to use data processing, and the right to operate data products. Entities possessing data with “commercial value” can apply for and obtain ownership certificates for such data. These certificates serve as legitimate credentials in data transactions, income distribution from data usage, and dispute resolution, forming the basis for data circulation and the burgeoning data-driven economy.

In March 2023, China further solidified its commitment to data governance by establishing the National Data Bureau. Tasked with promoting data-related basic systems, this bureau collaborates with other departments to facilitate data sharing and development, as well as to guide the planning and development of the digital economy.

Protection of Virtual Property

Although China does not have any laws or regulations that specifically address the protection of virtual property and assets, Article 127 of the PRC Civil Code has been widely understood and interpreted as providing that rights to virtual property and assets have been officially recognised as legal property rights and are thus subject to protection under the civil law regime, just like physical property rights. However, Article 127 further provides that the protection of virtual property and assets is still subject to further, more detailed regulations.

The financial value of virtual property has been increasingly acknowledged by PRC judicial bodies. In a case adjudicated by the Beijing Internet Court and publicised as one of the “10 Typical Cases for China Internet Governance in 2022”, the plaintiff filed a claim against a game company to refund his unused game coins and pay compensation for other game props since the game company shut down the game. The Court upheld the plaintiff’s claim and ruled that the game props have the nature of property and shall be protected as internet virtual property. While the Court determined that the game company was liable in tort for infringing the property rights of the plaintiff, the specific compensation amount depends on the nature and characteristics of the game props. For example, game coins were directly purchased with legal tender, so the game company must refund the amount equivalent to the value of the unused virtual coins.

Regulation of Data and Personal Information

There are no PRC rules on data privacy that relate to the metaverse explicitly. However, an operator – and possibly a user – of the metaverse may be subject to various other PRC laws and regulations relating to data protection and privacy.

In particular, due to the massive volume of PI that they might possess or collect, metaverse platform providers are likely to be subject to numerous rules under the PIPL, including the requirement to obtain consent before processing PI from users (except in certain situations permitted by law) and disclosing the intended use, purpose, means, scope and rules of the processing.

Metaverse platform providers and participants who (also) engage in operations deemed to fall within “critical information infrastructure” could be deemed Critical Information Infrastructure Operators (CIIOs) and therefore subject to more strict obligations under the cybersecurity regime.

The PRC Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data activities. It also introduces a data classification and hierarchical protection system based on the importance of data in terms of economic and social development, as well as the degree of harm that would be caused to national security, public interests or the legitimate rights and interests of individuals or organisations if such data were to be tampered with, destroyed, leaked or illegally acquired or used. Appropriate protective measures are required to be taken for each category of data. For example, a processor of so-called “important data” must designate personnel and a management body responsible for data security, carry out risk assessments for its data processing activities, and file risk assessment reports with the Cyberspace Administration of China (CAC).

Under the current data protection regime, the transfer of PI outside of China is subject to the following requirements (“Data Export Requirements”):

• Security Assessment – the following parties must carry out so-called “security assessments” before transferring data offshore:
1. CIIOs seeking to transfer PI offshore;
2. data handlers seeking to transfer so-called “important data” offshore;
3. data handlers who process the PI of more than one million individuals and seek to transfer any PI offshore;
4. data handlers who cumulatively transfer offshore, the PI of more than 100,000 individuals in the period since 1 January of the preceding year; and
5. data handlers who cumulatively transfer offshore, the “sensitive personal information” of more than 10,000 individuals in the period since 1 January of the preceding year.
• Standard Contract or PI Protection Certification – if none of the thresholds for the security assessment listed above is triggered, a party wishing to transfer any PI out of China must nevertheless carry out one of the following procedures:

1. executing a standard contract issued by the CAC with the relevant overseas recipient of the PI; or
2. passing “PI protection certification” from a specialised institution designated by the CAC.

On 28 September 2023, the CAC released the Draft Provisions on Regulating and Facilitating Cross-Border Data Transfer (“Draft Regulation”). If the Draft Regulation is ultimately issued substantially in its current form, many cross-border data transfers involved in various daily operations of multinational companies, will not be subject to Data Export Requirements, including:

• PI exporting that is necessary for the conclusion or performance of a contract to which the PI subject is a party, such as cross-border shopping, payments, ticket and hotel bookings, visa applications, etc;
• exporting PI of employees for purposes of implementing HR management according to employment policies and collective labour contracts;
• exporting PI of no more than 10,000 individuals within one year;
• exporting PI for purposes of protecting individuals’ life, health, or property security in emergency situations;
• exporting of PI that is not collected or generated within mainland China; and
• exporting non-PI data that is collected or generated during international trade, academic co-operation, cross-border manufacturing and marketing, and certain other as-yet unspecified activities, unless such data is recognised as “important data”.

Laws and Regulations

While digital economies can generally be said to be subject to a wide range of laws, the following are especially pertinent in the PRC:

• the PRC E-Commerce Law, which came into effect on 1 January 2019 and is the first law regulating processes relating specifically to digital commerce;
• the regulations of the PRC telecoms industry, as detailed in 1.1 Laws and Regulation;
• the PRC Electronic Signatures Law, which was revised and took effect on 23 April 2019, and is another key law governing electronic transactions;
• the AUCL, most recently revised in 2019, and the PRC Anti-monopoly Law, most recently revised in 2022, are widely regarded as playing an essential role in the regulation of the digital economy – anti-monopoly authorities in particular are increasingly targeting technology giants that have huge market shares in e-commerce and the digital economy even more fundamentally;
• the Advertising Law, most recently revised in 2021, and the Measures for the Administration of Internet Advertising issued by the State Administration for Market Regulation (SAMR) in 2023; and
• the laws and regulations of the cybersecurity regime, as detailed in 1.1 Laws and Regulations, especially as they pertain to “Important Data” (eg, sensitive financial data) and CIIOs.

E-Commerce

The PRC E-Commerce Law defines an e-commerce operator as any natural person, legal person or unincorporated association that carries out business activities through information networks such as the internet to sell commodities or offer services, including operators of e-commerce platforms, business operators on e-commerce platforms, and other e-commerce operators that sell commodities or offer services on websites they develop themselves or through other network services. Importantly, this definition could extend to individuals who conduct business activities such as selling second-hand commodities or providing procurement services through Taobao.com or JD.com.

The PRC E-Commerce Law includes a large number of rules covering a wide range of conduct, even addressing customer comments, which the law prohibits operators from removing or modifying. For example, one of the largest platforms for individual customers buying and selling second-hand luxury goods in China, Secoo, was investigated by the Beijing Xicheng Branch of the State Administration for Market Regulation and fined RMB50,000 for deleting one negative review from its platform.

Discriminatory pricing using big data is also regulated by the PRC E-Commerce Law, which prohibits schemes that customise the display of search results of products and services based on consumers’ interests, preferences, habits and other personal characteristics.

Although such practices are prohibited by the PRC E-Commerce Law, individual customers generally lack sufficient resources and capabilities to prove that any online platform adopts discriminatory pricing based on algorithms, which results in online platforms rarely being penalised for such conduct. As an example, in litigation where Ctrip (one of the largest online travel agencies in China) was allegedly collecting PI from a user and raised the accommodation price for the user based on analysis of her data, the court ruled that Ctrip infringed upon the user’s information rights but remained silent on whether and how Ctrip conducted price customisation based on data analysis. It is challenging under the current legal regime for customers to successfully persuade the court or administrative authorities that the price is different as a result of algorithms based on personal data collected from customers.

PRC Telecoms Requirement on E-commerce

Which telecoms licences and rules will apply to an e-commerce participant will depend on its business and model. Typical licences include those for Electronic Data Interchange (EDI) and ICP. The former is needed for platforms featuring third-party sellers (ie, individuals or entities running online stores on the platform), while the need for the latter depends on whether such platforms enable other services that might fall into sub-categories of information services as listed and defined in the Classification Catalogue of Telecommunications Services.

Interestingly, foreign investment in an ICP licence holder is capped at 50%, whereas there is no restriction on foreign shareholding for an EDI licence holder. That said, an e-commerce business featuring the sale of products manufactured or procured by the operator itself generally does not need an ICP (or EDI) licence (although a so-called “ICP filing” is generally required).

Other key rules generally applicable to parties using a website or other online platform to sell their own or third parties’ goods or services include requirements that e-commerce platform operators have adequate funds (RMB10 million minimum for national level and RMB1 million for provincial level), specialised personnel and a reputation for long-term service. Foreign and foreign-related telecoms enterprises (FITEs) in China are subject to the same registered capital requirements. In 2022, it was confirmed that FITEs are no longer required to have a “record of good performance and operating experience” prior to being established in China.

Unfair Competition

The current AUCL expressly restricts network-based anti-competitive conduct, but only based on high-level provisions. However, the AUCL is currently undergoing another revision process, with the public comment period having closed at the end of 2022. The draft amendments aim to improve anti-competition rules for the digital economy, with several newly added provisions, including Article 4 as a basic guideline and Articles 15, 17, 18 and 19 targeting anti-competitive conduct in the area of digital economy specifically.

In the version of the AUCL currently in effect, Article 12 prohibits acts impeding or disrupting the normal operation of network products or services, specifically including:

• inserting a link or forcing a URL redirection in a network product or service legally provided by another business operator without the consent of that business operator;
• misleading, deceiving or compelling users into modifying, closing or uninstalling a network product or service legally provided by another business operator; and
• implementing in bad faith an incompatibility with a network product or service legally provided by another business operator.

In the draft amendments of the AUCL, Article 4 would function as a fundamental cornerstone prohibiting business operators from using data and algorithms, technology, capital strength or platform rules to engage in unfair competition practices. More specific to the digital economy, unfair competition activities explicitly prohibited by the draft amendments include:

• disrupting the order of fair competition in the market by influencing user choices by using big data collected from users and algorithms to process it;
• violating industry practices or technical specifications to hinder access to other network products or services;
• acquiring commercial data of other operators in an improper way; and
• customising prices for different users based on analysis of their preferences and other characteristics by using algorithms.

Advertisements

To refine the advertising regulatory rules applicable to numerous new types of advertisements over the internet, on 25 February 2023, the SAMR released the Measures for the Administration of Internet Advertising (“Online Advertising Measures”), which came into effect on 1 May 2023. The Online Advertising Measures impose different compliance requirements on various forms of internet advertisements, including advertisements with links, soft advertising in forms of experience sharing or consumer commenting, advertisement pushing to smart devices, pop-up ads and splash ads, and ads on livestreaming, etc. For example, it remains controversial (and is perhaps not legally settled) whether using livestreaming to promote products or services constitutes advertising under PRC law. However, according to the Online Advertising Measures, for some internet livestreaming with essential features of commercial advertisements, the operators and marketers in the livestreaming room must assume the responsibilities of an advertising operator and publisher. Likewise, if any individuals conducting live marketing activities use their own name or image to endorse products, they must abide by the legal responsibilities and obligations of an advertising endorser. For internet advertising that appears in the form of pop-ups or splash screens when launching an internet application, both the advertiser and the advertising publisher are obligated to prominently display a button to ensure easy closure with just one click.

Data and Privacy Protection

Subject to the specific data stored or processed during digital economy activities, service providers could be required to comply with various obligations under the PRC Cybersecurity Law, the PRC Data Security Law, the PIPL and/or the PRC Critical Information Infrastructure Regulations, such as local data hosting and offshore data transfer restrictions (see 1.1 Laws and Regulation). Ultimately, in some circumstances, businesses that have offshore components (eg, servers hosted outside China, or networks between PRC subsidiaries and foreign parent companies) and are subject to offshore data transfer restrictions might have to restructure entities or operations to comply with these laws and regulations.

Under the PIPL and other regulations (such as the PRC Measures for Cybersecurity Review), an e-commerce platform that processes large volumes of PI or operates a certain type of business will be subject to enhanced requirements for PI protection, including:

• completing cybersecurity review if processing PI of one million or more individuals and applying to go public outside China;
• establishing an independent body mainly composed of external members to supervise protection of PI;
• ceasing the provision of any service to any product or service provider operating on the e-commerce platform who commits a serious violation of any law or administrative regulation in the processing of PI; and
• publishing a social responsibility report concerning PI protection on a regular basis and accepting supervision from the public.

The PRC Consumer Protection Law sets similar requirements for the collection of consumer information by business operators. Other high-level laws provide general privacy protections, such as the PRC Tort Law, the PRC Civil Code and the PRC Criminal Law. Draft amendments to the AUCL would introduce a new category of data, “commercial data”, with new attached rights and responsibilities (as set out in 1.1 Laws and Regulation).

Laws and Regulations

There are no laws, and only a few regulations, in the PRC specifically addressing cloud and edge computing, but cloud and edge computing service providers are subject to various general bodies of legislation and regulation, including:

• the PRC Telecommunications Regulations and related regulations, such as the PRC Administrative Measures for the Licensing of Telecommunications Business and the PRC Administrative Measures for Internet Information Services;
• the PRC Cybersecurity Law and related laws and regulations forming the framework for governing data security and privacy protection in China;
• the PRC Cryptography Law;
• the Measures for Security Evaluation for Cloud Computing Services; and
• the Circular on Regulating the Market Operations of Cloud Services (Draft for Comments).

The Standardisation Administration of China (SAC; also known as TC260) also publishes numerous non-binding, recommended standards relating to cloud and edge computing, covering topics ranging from security guidance to data centre requirements and file service application interfaces.

PRC Telecoms Regulations

Depending on the business model and features of cloud computing services, engaging in cloud services within China may trigger value-added telecoms licensing requirements. Cloud services might implicate the requirements for an “internet data centre” (IDC) or “internet resource collaborative” (IRC) licence. An IDC/IRC licence essentially allows a company to directly provide server hosting or cloud storage solutions, as well as other related business activities. Foreign shareholding in any holder of an IDC/IRC licence is completely prohibited (with the exception of qualified service providers under the Mainland and Hong Kong Closer Economic Partnership Arrangement Agreement on Services Trade, who can own up to 50%).

Circular on Regulating the Market Operations of Cloud Services (Draft)

On 24 November 2016, the MIIT released a draft of a new circular for regulating cloud services, with the following key points, which are at least to some extent already enforced in regulatory practice.

• In any co-operation between a local cloud service provider (who holds a relevant telecoms licence) and a foreign partner, the former is prohibited from:
1. transferring or lending (explicitly or “in disguised form”) any telecoms licence to the partner, or providing any resource, site, facility, etc, for the purpose of assisting any unlawful conduct of the partner;
2. allowing the partner to directly conclude a contract with a user;
3. providing users with services by using the trade mark and brand of the partner only; and
4. illegally providing a partner with network data or user PI.
• Cloud services providers may not independently establish a virtual private network (VPN) or other special connection to the internet, except as authorised by the MIIT.
• When providing services for domestic users, an operator of cloud services must locate service facilities and network data within China and abide by the relevant state provisions for cross-border operations, facility maintenance and data flows.

Special Regulatory Reviews for Cloud and Edge Computing

The PRC Measures for Cybersecurity Review provides that any CIIO seeking to procure any network product or service that affects or may affect national security needs to undergo a so-called “cybersecurity review”. Some cloud and edge computing products and services – such as high-performance computers or servers, mass storage equipment, large databases or applications, and network security equipment – are specifically included in the scope of network products that are subject to the PRC Measures for Cybersecurity Review. Therefore, any CIIO procuring such cloud and edge computing products or services, or others that may affect national security, will need to go through a process that may include an application for cybersecurity review being submitted to the Cybersecurity Review Office (CRO), an initial review by the CRO, and potentially a “special review” by the CRO if no agreement can be reached by CRO members after the initial review.

Non-CIIOs are unlikely to need to go through a cybersecurity review for procuring cloud or edge computing products or services, although there is a broad catch-all provision that may require any network operator or data handler whose processing activities might impact state security to undergo a cybersecurity review (and any party processing PI of one million or more individuals and applying to go public outside China will need to conduct a review, as detailed in 2.1 Key Challenges).

The Measures for Security Evaluation for Cloud Computing Services provide that cloud computing service providers supplying the Communist Party of China, government agencies or any CIIO may complete a security evaluation of each of their cloud computing platforms providing such services. The evaluation result can be used as a reference to support a supplier’s bid for procurement contracts. As of July 2023, 72 cloud computing service providers had passed this security evaluation, including cloud computing service providers for more than half of China’s provincial governments. The evaluation may cover the following:

• the credit and operation status of the cloud service supplier;
• the stability of the cloud service supplier’s personnel;
• the security of the technologies, products and service supply chains of the cloud platforms;
• the security management capability of the cloud service supplier and the security protection of the cloud platforms;
• the feasibility and convenience of customer data migration; and
• the business continuity of the cloud service supplier.

Higher Scrutiny Over Cloud and Edge Computing Services Provided for Financial Entities

Cloud and edge computing services provided in financial areas are likely to constitute a “fintech product” and therefore be subject to additional requirements under the PRC Certification Rules for Fintech Products. Regulations promulgated by The People’s Bank of China (PBOC) impose even more requirements on cloud and edge computing services providers, including the “Financial Application of Specification of Cloud Computing Technology-Technical Architectures, Security Technical Requirements, and Disaster Recovery”, which sets out a required standardisation for cloud computing services in the financial area and specifies requirements from the perspective of the establishment of basic structures, technical security, risk assessment and risk management.

With respect to financial personal data and information generated, transmitted and stored during the course of financial cloud and edge computing services, the PBOC and the China Financial Standardisation Technical Committee provide more requirements, primarily through the PRC Personal Financial Information Protection Technical Specification, which adopts a broad definition of personal financial information and specifies measures required during the life cycle of such information.

Data and Privacy Protection

Cloud and edge computing service providers must generally comply with the requirements of the cybersecurity regime in respect of the collection, use, transfer and other processing of PI and certain other kinds of data. Key requirements on parties, including cloud and edge computing service providers, include obtaining consent from data subjects for the collection and further uses of their PI, undergoing so-called “security assessment” procedures or executing the “standard contracts” or obtaining the certification prior to overseas data transfers in certain circumstances, and such further general principles as “legitimacy, rightfulness and necessity” in the collection and use of PI (see also 1.1 Laws and Regulation and 2.1 Key Challenges).

Laws and Regulations

Although there had been some quasi-legislation of AI before mid-2023 (eg, the Ethical Norms for New Generation Artificial Intelligence from September 2021), the first major component in the Chinese regulatory framework for AI was issued on 10 July 2023: the Interim Measures for the Administration of Generative Artificial Intelligence Services (“Generative AI Measures”), effective as of 15 August 2023. Any entity, organisation or individual that provides services that generate any text, images, audio recordings, videos or other content to the general public in mainland China using “generative AI technology”, whether through APIs or other means, will be subject to the Generative AI Measures.

The Generative AI Measures require providers of generative AI services to take a number of actions, including executing service agreements with users, labelling videos and other generated content if the service provider offers “deep synthesis” services, and reporting content violations and wrongful activities to PRC regulators, etc. For any generative AI services with “public opinion properties or the capacity for social mobilization”, their providers are required by the Generative AI Measures to conduct security assessments and algorithm filings via the CAC’s designated online platform. As of November 2023, the CAC already accepted filings of 262 applicants.

Further legislative developments on AI are expected in the near term according to the State Council’s 2023 legislative agenda, including an “AI law”.

At the local government level, from the previous two years, multiple municipal or provincial governments (including Beijing, Shanghai and Shenzhen) have issued guidelines to facilitate the AI industry, aiming at leaving more space and flexibility for AI based technologies in industries spanning healthcare, scientific research, financial, autonomous driving, etc. For example, the Shanghai Provisions on Promoting the Development of the AI Industry (“Shanghai AI Provisions”), effective from 1 October 2022, call for management systems based on grading and “sandbox” supervision. Such management intends to leave space and flexibility for the AI industry to develop. Most notably, the Shanghai AI Provisions stipulate that minor violations of laws during the development of the AI industry can be tolerated without administrative punishment, subject to specific lists of such minor violations formulated by provincial departments.

As the operation of AI tends to be based on large data sets, service providers obtaining such data will be subject to the requirements of the cybersecurity and privacy protection frameworks. In addition to the rules and requirements detailed in 1.1 Laws and Regulation, 2.1 Key Challenges and 3.1 Highly Regulated Industries and Data Protection, AI may be more likely to trigger stricter ones due to the processing of so-called “sensitive personal information”. For example, biological characteristics (eg, fingerprints, faces, voices, gaits) are not allowed to be used as the sole method for personal ID verification; when they are used, the data processor is required to conduct a risk assessment on the necessity and safety of the use, and is prohibited from requesting the natural person to agree on facial information processing as a precondition to using products or services where the facial information is not necessary for their provision.

With respect to the ownership of IP rights, under Article 9 of the PRC Copyright Law, only natural persons, legal persons or organisations may obtain copyrights. As a result, AI may carry out activities such as editing photographs or even composing music or poetry, but it cannot obtain rights or thus protection as a copyright owner under current PRC law. Similarly, the PRC Patent Law stipulates that a patentee should be either an entity or a natural person. Thus, AI itself cannot be considered entitled to patent rights for its inventions.

Recently, a landmark case marks the first instance in China wherein a user’s copyright claim on an AI-generated image has been acknowledged. The case was ruled by the Beijing Internet Court in November 2023. Mr Li, the plaintiff, posted an image created by an AI-based model on his social media account. Subsequently, he filed a copyright infringement claim against the defendant, who had used this image in an article published on a news blog. The Beijing Internet Court supported the plaintiff’s claim, asserting that the AI-generated image encapsulates the intelligent efforts and original thinking of Mr Li. Consequently, the image was deemed a work product, and Mr Li has the copyright. It has sparked widespread attention, prompting discussions on the issue of whether users employing AI-based technology should be afforded copyright protection.

PRC legislators have taken a relatively broad view of the “internet of things” (IoT) concept. The State Council’s 2013 Guiding Opinions on Promoting the Orderly and Healthy Development of Internet of Things (“IoT Opinions”) describe IoT as technology “based on the intensive integration and comprehensive application of a new generation of information technology”, and designate IoT as an important strategic emerging industry of the country. The IoT Opinion further emphasises the co-ordinated overall development of IoT applications, technologies, industries and standards. In September 2021, the MIIT issued the Guidelines for the Construction of a Fundamental Security Standard system for IoT, aiming to outline the framework for the development and implementation of standards for IoT, including software security, access authentication and data security.

Although China has yet to promulgate any comprehensive legislation on the security and regulation of IoT, recent legislation and regulation on data-related issues – such as the PRC Data Security Law, the PIPL, the Measures for Security Evaluation for Cloud Computing Services and the Measures for Cybersecurity Reviews (see 1.1 Laws and Regulation, 2.1 Key Challenges, 3.1 Highly Regulated Industries and Data Protection and 4.1 Liability, Data Protection, IP and Fundamental Rights) – are all applicable to IoT. For example, the PIPL provides that IoT companies that collect PI must obtain prior consent from the individual, and companies cannot refuse to provide services to individuals that refuse to provide PI, unless the processing of such PI is necessary for providing the product or service.

A number of government departments and regulatory bodies have clearly assumed certain responsibilities over IoT activities. Such government bodies include the MIIT (the key regulator for the telecoms sector and approximately 20 other industries), the CAC (which acts as the main watchdog for information security and content administration), the National Development and Reform Commission, the Ministry of Science and Technology (MOST) and the SAC.

There is no single, unified regulatory regime for all components of the audio-visual media industry as a whole in China. Instead, industry sub-sectors are regulated separately through a variety of laws and regulations, with key areas being cable broadcasting, online audio-visual services (including online video-sharing platforms) and over-the-top (OTT) services. In general, the broadcasting or online transmission of audio-visual content is highly regulated, and is off limits to not only foreign but also most domestic investment, in many cases.

Cable Broadcasting

Cable broadcasting is highly regulated in the PRC and is not open to foreign participation or even new domestic market entrants. Currently, a broadcasting television station may only be set up by central or government branches, such as the National Radio and Television Administration or the Ministry of Education. The station’s establishment will also be subject to the central PRC government’s national market plans.

The most central piece of legislation relating to cable broadcasting – ie, offering traditional cable television channels – is the PRC Administrative Regulations for Radio and Television. All cable broadcasters are required to obtain the following two key permits, among others:

• the “Radio and Television Broadcasting Institution Permit”; and
• the “Radio or Television Programme Production Permit”.

PRC law requires applicants for these permits to meet certain requirements, including regarding their location, equipment, technology and personnel, and to complete an application process with the applicable authorities. No application fees are required. As mentioned, however, it is difficult if not impossible in practice for new entities – whether purely domestic or foreign-invested – to obtain either of these permits in China.

Online Audio-Visual Services

Online audio-visual services are primarily regulated through the following:

• the PRC Interim Administrative Provisions on Internet Culture, which is central to the so-called “Internet Culture” sector, regulating online cultural activities;
• the PRC Provisions on the Administration of Private Network and Targeted Communication Audio-Visual Programme Services; and
• the PRC Administrative Regulations on Internet Audio-Visual Programme Services.

To operate an online streaming platform – eg, to provide video on demand services, such as Youku (the Chinese YouTube) – the most important operating permits are the “Internet Culture Business Permit” and the “Internet Audio-Video Broadcasting Permit” (“IAVB Permit”). The IAVB Permit requires an application process to be completed with local and central government authorities, while the application for the Internet Culture Business Permit involves only provincial level government authorities. No application fees are required. An applicant for an IAVB Permit must be controlled or wholly owned by one of China’s state-owned enterprises (SOEs). Neither the Internet Culture Business Permit nor the IAVB Permit may be obtained by an applicant that has any direct or indirect (on a see-through basis) foreign investor, although indirect control structures featuring variable-interest-entity structures established before the requirement that the IAVB Permit must be controlled or wholly owned by SOEs are widely used in this sector.

OTT Services

The most important operating permit for providers of OTT services is the OTT licence. To apply for an OTT licence, a qualified applicant must meet certain requirements, including being controlled by an SOE, along with equipment and personnel requirements. Here too, both local and central government approval are needed. There are no application fees. To date, only 16 OTT licences have been issued, and the regulators have effectively suspended the granting of this licence, with the date of resumption unknown.

Contractual Partnerships/Licensing

Directly operating an online video channel in the PRC is highly regulated and requires the procurement of operating licences/permits (ie, an Internet Culture Business Permit and an IAVB Permit/OTT licence) that are generally only available to companies with SOEs as (controlling) shareholders. As such, it is more common for content owners outside China to simply license content to domestic entities that hold all required permits – eg, the licensing arrangement between iQiyi and Netflix. Such domestic entities will also ensure that licenced content complies with PRC content/censorship requirements and will potentially self-censor any content as needed.

The PRC Telecommunications Regulations apply to all types of “telecommunications” services. “Telecommunications” is defined broadly as any “act of using wired or wireless electromagnetic or optoelectronic systems to transmit or receive voice, text, data, images, or any other form of information.”

The PRC Telecommunications Regulations categorise telecommunications services as either “basic telecommunications services” (BTS) or VATS, and different operating permits are required to engage in each. BTS include communications services, public data transmission and public network infrastructure, while VATS consist of call centre services, IDC services, CDN services, VPN services and others. A complete list of BTS and VATS can be found in the PRC Catalog of Telecommunications Businesses, as first formulated by the MIIT in 2000 and last updated in 2019.

Therefore, depending on the type of telecommunications services being provided, the telecommunications operator will need to obtain either a “Basic Telecommunications Service Operating Permit” or a “Value-Added Telecommunications Services Operating Permit” prior to bringing a service to market. Setting aside the fact that numerous BTS and several VATS are off limits to foreign and foreign-invested parties, each permit requires a telecommunications services operator to meet different requirements, as follows.

• Basic Telecommunications Service Operating Permit:
1. the operator must be a legally established company that specialises in BTS and in which the state has no less than 51% ownership;
2. a feasibility study and technical plan for the formation of the network must be completed;
3. the operator must have access to funds and specialised personnel commensurate with the business activities to be engaged in;
4. there must be a site and corresponding resources to carry out envisioned business activities;
5. the operator must have the reputation or the capability to provide long-term service to its subscribers;
6. the minimum registered capital for operators engaging in business within a single province is RMB100 million, while the minimum registered capital for operators engaging in business across provinces (including nationwide) is RMB1 billion; and
7. the operator must comply with other conditions specified by the state.
• Value Added Telecommunications Services Operating Permit:
1. the operator must be a legally established company with a minimum domestic shareholding of no less than 50% for most VATS, unless otherwise specified by the state (except for those fully opened up to foreign investment, such as domestic multi-party communications services, call centres and e-commerce services);
2. the operator must have access to funds and specialised personnel commensurate with the proposed business activities;
3. the operator must have the reputation or the capability to provide long-term service to its subscribers;
4. the minimum registered capital for operators engaging in business within a single province is RMB1 million, while the minimum registered capital for operators engaging in business across provinces (including nationwide) is RMB10 million; and
5. the operator must comply with other conditions specified by the state.

The procedure for obtaining the relevant approvals/permits can be complicated and time-consuming, but is increasingly being simplified, especially for foreign and foreign-invested businesses. For example, on 15 October 2020, the MIIT released the Notice on Strengthening Interim and Ex-Post Supervision of Foreign-Invested Telecommunications Enterprises, which confirmed that a separate process for MIIT approval would no longer be required for the establishment of FITEs. Then, on 1 May 2022, the key legal regime governing FITEs – the PRC Administrative Provisions on Foreign-Invested Telecommunications Enterprises – was further amended to remove one of the market entry requirements imposed on FITEs looking to obtain the telecommunication operating permits.

The fundamental legal regime in the PRC governing technology agreements is the “Technology Contracts” chapter of the Civil Code (which entered into effect on 1 January 2021), which sets forth certain requirements for technology contracts, as well as the rights and obligations of the contracting parties. Because trade secrets are usually involved in technology agreements, technology agreements are also often subject to the PRC AUCL and the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Cases of Trade Secret Infringement. Aside from the general laws and regulations above, technology agreements of computer software are subject to the PRC Copyright Law and the PRC Regulations on Computer Software Protection.

Technology Improvements and Ownership

Provisions dealing with technology improvements and ownership are commonly negotiated in China’s technology agreements. As indicated in Articles 850 and 864 of the Civil Code, a technology transfer agreement or technology licensing agreement may not restrict competition or development of the technology, nor illegally monopolise it. Provisions that restrict improvements to the technology received may be held invalid and unenforceable by a PRC court. However, the risk tends to be deal-specific.

With respect to the ownership of the subsequent improvements using the technology received, Article 875 of the Civil Code mandates that, unless the ownership is explicitly specified, the party who develops such improvements shall be the owner of the improvements, and the improvements may not be shared by other parties. That said, the subsequent improvements will not be automatically granted back to the technology provider. Therefore, a technology provider should carefully draft the relevant clauses to explicitly specify the ownership of any subsequent improvements.

Reverse Engineering

Another challenge routinely encountered when entering a technology agreement with a local organisation is reverse engineering, which is defined by PRC law as the acquisition of technical information on a product obtained from any public channel through disassembly, mapping, analysis and other technical means.

The provisions restricting reverse engineering are widely used in China as a seller protection scheme, and there is no law expressly prohibiting the inclusion of “anti-reverse engineering provisions” in a technology agreement. However, as explained just above, the provisions against reverse engineering cannot explicitly restrict competition or development of the technology, nor promote its illegal monopolisation. Therefore, anti-reverse engineering provisions bear some risk of being deemed invalid or unenforceable by a PRC court, and any provisions relevant to anti-reverse engineering should be carefully drafted to mitigate such risk.

Technology Import/Export

Many technology agreements also implicate import/export issues. For cross-border technology transfers, parties should look into the PRC Catalogue of Technologies Prohibited or Restricted from Export and the Catalogue of Technologies Prohibited or Restricted from Import (which was last updated on 21 December 2023) to determine if the technology involved is prohibited or requires pre-approval. Even for technology that is not prohibited or does not require pre-approval, the technology contracts need to be filed with the PRC Ministry of Commerce and relevant authorities.

On the other hand, this is another area that China is gradually opening up. In 2020, several clauses implicating forced transfer of technology were removed from the PRC Regulations on the Administration of Import and Export of Technologies. Moreover, the Foreign Investment Law enacted in 2020 made forced technology transfers and unauthorised disclosure of trade secrets by government officials illegal.

Resale Price Maintenance

Furthermore, technology agreements should be carefully drafted to avoid violating provisions in the PRC Anti-monopoly Law. For example, the Anti-monopoly Law strictly prohibits fixing the resale price of a product or service. This restriction can be interpreted to include the scenario of fixing the price of sub-licensing in a technology agreement. Therefore, contracting parties must take care to avoid drafting the technology agreements in such a way that might be deemed to create resale price maintenance, although the most recent amendments to the Anti-monopoly Law (in 2022) did add a safe harbour.

Laws and Regulations

Trust services and electronic signatures are widely used in China, especially in online commerce. The PRC Law on Electronic Signatures (Electronic Signatures Law) was the first PRC law that systematically set forth the requirements on trust services and electronic signatures. China also issued two other regulations concerning trust services providers:

• the PRC Measures for the Administration of Cipher Codes for Electronic Certification Services; and
• the PRC Measures for the Administration of Electronic Certification Services.

Furthermore, trust services providers must utilise commercial cryptography when providing the relevant services, and therefore are subject to the PRC Cryptography Law. However, China still has no law specifically governing digital identity.

Trust Services

Trust services are highly regulated in China. To become a qualified trust services provider (ie, to provide electronic certification services in China), two permits are required:

• Permit for Use of Cipher Codes for Electronic Certification Services (“Cipher Code Permit”); and
• Permit for Electronic Certification Services (“Certification Permit”).

The Cipher Code Permit is a prerequisite for the Certification Permit and should be applied for with the competent Cryptography Administration, while the application for the Certification Permit should be completed with the MIIT. In addition, applicants must satisfy several requirements under PRC law, including concerning corporate capacity, technology equipment, technical personnel and registered capital.

Electronic Signatures

The provision of electronic signatures services is a core part of trust services/electronic certification services in China. An “electronic signature” is defined by the PRC Electronic Signatures Law as data in electronic form identifying the signatory and verifying the signatory’s acknowledgement of the content being signed. For an electronic signature to have the same legal effect as a seal or written signature, the following conditions must be met:

• the data generated by the electronic signature is exclusively used and owned by the signatory;
• the data generated by the electronic signature is exclusively controlled by the signatory at the time of signing;
• any alteration to the electronic signature can be discovered after signing; and
• any alteration to the content and form of the electronic data can be discovered after signing.

The PRC Electronic Signatures Law also specifies certain documents that cannot be legally accepted in electronic format and cannot be signed electronically, such as documents concerning personal relations (eg, marriage, adoption and succession), and documents concerning transfers of real estate rights and interests.

Digital Identity Schemes

Digital identity refers to a set of data stored online that can be used to identify a specific individual. Such data ranges from a personal name to an ID card number. Digital identity (which is also called “E-ID card”) is widely used in China. For example, the Chinese government has been promoting digital identity cards since 2018. Under the digital identity card system, each individual’s identity information is stored online and can be used to access various social services, such as healthcare and public transportation, with a smart device.

While China has yet to promulgate any law specifically governing digital identity, the rules of the cybersecurity regime are generally applicable to the digital identity schemes – particularly the rules regarding the confidentiality and safekeeping of individuals’ PI and the protection of privacy (see 1.1 Laws and Regulation, 2.1 Key Challenges and 3.1 Highly Regulated Industries and Data Protection).