To date, no laws or regulations that specifically regulate the metaverse have been enacted in the People’s Republic of China (PRC). However, metaverse platform providers and participants should pay attention to laws and regulations regarding the PRC telecoms regime, virtual property, personal information (PI) and other data, and intellectual property (IP), including the following:
Each of the above areas of law is further specified by national and local regulations and rules, although still not addressing the metaverse specifically.
The metaverse is specifically addressed, however, in development plans of several large cities, including Beijing, Shanghai and Chongqing, in order to attract investments from metaverse companies. Furthermore, in September 2023, the Ministry of Industry and Information Technology (MIIT), in collaboration with four other ministries, released the Three-Year Action Plan for the Innovative Development of the Metaverse Industry (2023–2025), which outlines a policy framework and specific measures aimed at fostering the growth of the metaverse industry. Key strategies involve advancing AI-based technologies, such as data circulation technology, content generation technology, digital twin technology, perception and interaction technology, and networking and computing technology. The overarching goal is to facilitate the formation of what is referred to as the “industrial metaverse”.
PRC Telecoms Regime
Depending on the business model and the telecoms resources to be used for the metaverse, PRC telecoms regulatory requirements might be triggered. The internet and telecoms sectors in the PRC are subject to a comparatively rigid licensing regime, which might be applicable to companies offering services to PRC customers via an onshore model (with servers, data and other facilities/resources within China).
In particular, if an entity offering services via an onshore model would like to engage in activities that fall under the definition of “basic telecoms services” or “value-added telecoms services”, then it will first need to obtain the relevant licences according to the Catalogue of Telecommunications Businesses, issued and regularly amended by the MIIT. As examples, depending on the business model and product features to be implemented, engaging in metaverse activities may require an Internet Content Provider (ICP) licence or a Service Provider (SP) licence (if the services are provided through mobile networks), at least one of which is a prerequisite for metaverse platform operators to provide services falling into any one of the following sub-categories:
Some of the activities (eg, certain basic telecoms services) can only be provided by state-owned entities, while others need at least 50% or 51% local Chinese shareholding (eg, services falling under the requirement for an ICP licence), and some are completely open to any kind of investment – with more and more falling under this last category every year.
On 23 November 2023, the State Council approved the Plan on Supporting Beijing to Deepen the Development of the Comprehensive Demonstration Zone of National Service Industry (“Plan”), with the objective of advancing the further opening and reform of various service sectors. The most notable part of the Plan is its relaxing of foreign investment shareholding restrictions in specific sub-categories of value-added telecommunications services (VATS) in Beijing, including the elimination of foreign shareholding limitations in the operation of app stores (under a B25 licence) and internet access services (under a B14 licence).
Under the prevailing regulatory framework, the operation of app stores in China is limited to 50% foreign investment, except for investment in free trade zones (FTZs) and for qualified service providers from Hong Kong or Macau under the Closer Economic Partnership Arrangement (CEPA), while foreign investment in internet access services in China is 100% prohibited, subject to the same exceptions.
IP Protection
The metaverse has created an emerging environment that revolutionised the traditional application of the internet, and is creating a virtual society reflective of the physical world. User-generated content makes infringement of IP more common. Metaverse participants usually create scenes in the virtual world based on their preferences in the real world, transferring, copying and linking trade marks, signs, designs and other copyrights or works protected under IP law into the virtual world. These activities likely implicate IP protection laws, as the PRC Copyright Law, PRC Patent Law and PRC Trademark Law are quite clear that the author and trade mark registrant enjoy the exclusive right of any given copyright or trade mark, and there are currently no exceptions or special provisions that would clearly apply to metaverse activities.
In late 2022, draft amendments to the AUCL were released and included the new concept of “commercial data”, which is defined as data that is lawfully collected by business operators, has commercial value and employs corresponding technical management measures. The draft amendments would impose additional requirements for business operators processing “commercial data” and prohibit certain related conduct, such as disrupting technical management measures of other business operators, breaching relevant contracts, agreements or protocols, acting contrary to the principle of good faith, etc.
Data Property Rights and Data Transactions
The Chinese government recognises data as a significant “factor of production” in the digital economy, akin to capital, land, technology, and human resources. On 19 December 2022, the Central Committee of the Chinese Communist Party and the State Council jointly released the Opinion on Building a Data Basic System to Enhance the Utilisation of Data Elements, which introduces 20 measures (“20 Measures”) designed to establish fundamental data systems that will promote the rapidly growing data industry in China. According to these 20 Measures, China plans to develop basic data systems from four key aspects:
In alignment with the 20 Measures, several local governments in China, including Jiangsu, Zhejiang, Beijing, and Shenzhen provincial governments, have enacted relevant regulations to define data property rights and establish mechanisms for data transactions. These regulations have instituted a property rights operating mechanism to delineate the right to hold data resources, the right to use data processing, and the right to operate data products. Entities possessing data with “commercial value” can apply for and obtain ownership certificates for such data. These certificates serve as legitimate credentials in data transactions, income distribution from data usage, and dispute resolution, forming the basis for data circulation and the burgeoning data-driven economy.
In March 2023, China further solidified its commitment to data governance by establishing the National Data Bureau. Tasked with promoting data-related basic systems, this bureau collaborates with other departments to facilitate data sharing and development, as well as to guide the planning and development of the digital economy.
Protection of Virtual Property
Although China does not have any laws or regulations that specifically address the protection of virtual property and assets, Article 127 of the PRC Civil Code has been widely understood and interpreted as providing that rights to virtual property and assets have been officially recognised as legal property rights and are thus subject to protection under the civil law regime, just like physical property rights. However, Article 127 further provides that the protection of virtual property and assets is still subject to further, more detailed regulations.
The financial value of virtual property has been increasingly acknowledged by PRC judicial bodies. In a case adjudicated by the Beijing Internet Court and publicised as one of the “10 Typical Cases for China Internet Governance in 2022”, the plaintiff filed a claim against a game company to refund his unused game coins and pay compensation for other game props since the game company shut down the game. The Court upheld the plaintiff’s claim and ruled that the game props have the nature of property and shall be protected as internet virtual property. While the Court determined that the game company was liable in tort for infringing the property rights of the plaintiff, the specific compensation amount depends on the nature and characteristics of the game props. For example, game coins were directly purchased with legal tender, so the game company must refund the amount equivalent to the value of the unused virtual coins.
Regulation of Data and Personal Information
There are no PRC rules on data privacy that relate to the metaverse explicitly. However, an operator – and possibly a user – of the metaverse may be subject to various other PRC laws and regulations relating to data protection and privacy.
In particular, due to the massive volume of PI that they might possess or collect, metaverse platform providers are likely to be subject to numerous rules under the PIPL, including the requirement to obtain consent before processing PI from users (except in certain situations permitted by law) and disclosing the intended use, purpose, means, scope and rules of the processing.
Metaverse platform providers and participants who (also) engage in operations deemed to fall within “critical information infrastructure” could be deemed Critical Information Infrastructure Operators (CIIOs) and therefore subject to more strict obligations under the cybersecurity regime.
The PRC Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data activities. It also introduces a data classification and hierarchical protection system based on the importance of data in terms of economic and social development, as well as the degree of harm that would be caused to national security, public interests or the legitimate rights and interests of individuals or organisations if such data were to be tampered with, destroyed, leaked or illegally acquired or used. Appropriate protective measures are required to be taken for each category of data. For example, a processor of so-called “important data” must designate personnel and a management body responsible for data security, carry out risk assessments for its data processing activities, and file risk assessment reports with the Cyberspace Administration of China (CAC).
Under the current data protection regime, the transfer of PI outside of China is subject to the following requirements (“Data Export Requirements”):
On 28 September 2023, the CAC released the Draft Provisions on Regulating and Facilitating Cross-Border Data Transfer (“Draft Regulation”). If the Draft Regulation is ultimately issued substantially in its current form, many cross-border data transfers involved in various daily operations of multinational companies, will not be subject to Data Export Requirements, including:
Laws and Regulations
While digital economies can generally be said to be subject to a wide range of laws, the following are especially pertinent in the PRC:
E-Commerce
The PRC E-Commerce Law defines an e-commerce operator as any natural person, legal person or unincorporated association that carries out business activities through information networks such as the internet to sell commodities or offer services, including operators of e-commerce platforms, business operators on e-commerce platforms, and other e-commerce operators that sell commodities or offer services on websites they develop themselves or through other network services. Importantly, this definition could extend to individuals who conduct business activities such as selling second-hand commodities or providing procurement services through Taobao.com or JD.com.
The PRC E-Commerce Law includes a large number of rules covering a wide range of conduct, even addressing customer comments, which the law prohibits operators from removing or modifying. For example, one of the largest platforms for individual customers buying and selling second-hand luxury goods in China, Secoo, was investigated by the Beijing Xicheng Branch of the State Administration for Market Regulation and fined RMB50,000 for deleting one negative review from its platform.
Discriminatory pricing using big data is also regulated by the PRC E-Commerce Law, which prohibits schemes that customise the display of search results of products and services based on consumers’ interests, preferences, habits and other personal characteristics.
Although such practices are prohibited by the PRC E-Commerce Law, individual customers generally lack sufficient resources and capabilities to prove that any online platform adopts discriminatory pricing based on algorithms, which results in online platforms rarely being penalised for such conduct. As an example, in litigation where Ctrip (one of the largest online travel agencies in China) was allegedly collecting PI from a user and raised the accommodation price for the user based on analysis of her data, the court ruled that Ctrip infringed upon the user’s information rights but remained silent on whether and how Ctrip conducted price customisation based on data analysis. It is challenging under the current legal regime for customers to successfully persuade the court or administrative authorities that the price is different as a result of algorithms based on personal data collected from customers.
PRC Telecoms Requirement on E-commerce
Which telecoms licences and rules will apply to an e-commerce participant will depend on its business and model. Typical licences include those for Electronic Data Interchange (EDI) and ICP. The former is needed for platforms featuring third-party sellers (ie, individuals or entities running online stores on the platform), while the need for the latter depends on whether such platforms enable other services that might fall into sub-categories of information services as listed and defined in the Classification Catalogue of Telecommunications Services.
Interestingly, foreign investment in an ICP licence holder is capped at 50%, whereas there is no restriction on foreign shareholding for an EDI licence holder. That said, an e-commerce business featuring the sale of products manufactured or procured by the operator itself generally does not need an ICP (or EDI) licence (although a so-called “ICP filing” is generally required).
Other key rules generally applicable to parties using a website or other online platform to sell their own or third parties’ goods or services include requirements that e-commerce platform operators have adequate funds (RMB10 million minimum for national level and RMB1 million for provincial level), specialised personnel and a reputation for long-term service. Foreign and foreign-related telecoms enterprises (FITEs) in China are subject to the same registered capital requirements. In 2022, it was confirmed that FITEs are no longer required to have a “record of good performance and operating experience” prior to being established in China.
Unfair Competition
The current AUCL expressly restricts network-based anti-competitive conduct, but only based on high-level provisions. However, the AUCL is currently undergoing another revision process, with the public comment period having closed at the end of 2022. The draft amendments aim to improve anti-competition rules for the digital economy, with several newly added provisions, including Article 4 as a basic guideline and Articles 15, 17, 18 and 19 targeting anti-competitive conduct in the area of digital economy specifically.
In the version of the AUCL currently in effect, Article 12 prohibits acts impeding or disrupting the normal operation of network products or services, specifically including:
In the draft amendments of the AUCL, Article 4 would function as a fundamental cornerstone prohibiting business operators from using data and algorithms, technology, capital strength or platform rules to engage in unfair competition practices. More specific to the digital economy, unfair competition activities explicitly prohibited by the draft amendments include:
Advertisements
To refine the advertising regulatory rules applicable to numerous new types of advertisements over the internet, on 25 February 2023, the SAMR released the Measures for the Administration of Internet Advertising (“Online Advertising Measures”), which came into effect on 1 May 2023. The Online Advertising Measures impose different compliance requirements on various forms of internet advertisements, including advertisements with links, soft advertising in forms of experience sharing or consumer commenting, advertisement pushing to smart devices, pop-up ads and splash ads, and ads on livestreaming, etc. For example, it remains controversial (and is perhaps not legally settled) whether using livestreaming to promote products or services constitutes advertising under PRC law. However, according to the Online Advertising Measures, for some internet livestreaming with essential features of commercial advertisements, the operators and marketers in the livestreaming room must assume the responsibilities of an advertising operator and publisher. Likewise, if any individuals conducting live marketing activities use their own name or image to endorse products, they must abide by the legal responsibilities and obligations of an advertising endorser. For internet advertising that appears in the form of pop-ups or splash screens when launching an internet application, both the advertiser and the advertising publisher are obligated to prominently display a button to ensure easy closure with just one click.
Data and Privacy Protection
Subject to the specific data stored or processed during digital economy activities, service providers could be required to comply with various obligations under the PRC Cybersecurity Law, the PRC Data Security Law, the PIPL and/or the PRC Critical Information Infrastructure Regulations, such as local data hosting and offshore data transfer restrictions (see 1.1 Laws and Regulation). Ultimately, in some circumstances, businesses that have offshore components (eg, servers hosted outside China, or networks between PRC subsidiaries and foreign parent companies) and are subject to offshore data transfer restrictions might have to restructure entities or operations to comply with these laws and regulations.
Under the PIPL and other regulations (such as the PRC Measures for Cybersecurity Review), an e-commerce platform that processes large volumes of PI or operates a certain type of business will be subject to enhanced requirements for PI protection, including:
The PRC Consumer Protection Law sets similar requirements for the collection of consumer information by business operators. Other high-level laws provide general privacy protections, such as the PRC Tort Law, the PRC Civil Code and the PRC Criminal Law. Draft amendments to the AUCL would introduce a new category of data, “commercial data”, with new attached rights and responsibilities (as set out in 1.1 Laws and Regulation).
Laws and Regulations
There are no laws, and only a few regulations, in the PRC specifically addressing cloud and edge computing, but cloud and edge computing service providers are subject to various general bodies of legislation and regulation, including:
The Standardisation Administration of China (SAC; also known as TC260) also publishes numerous non-binding, recommended standards relating to cloud and edge computing, covering topics ranging from security guidance to data centre requirements and file service application interfaces.
PRC Telecoms Regulations
Depending on the business model and features of cloud computing services, engaging in cloud services within China may trigger value-added telecoms licensing requirements. Cloud services might implicate the requirements for an “internet data centre” (IDC) or “internet resource collaborative” (IRC) licence. An IDC/IRC licence essentially allows a company to directly provide server hosting or cloud storage solutions, as well as other related business activities. Foreign shareholding in any holder of an IDC/IRC licence is completely prohibited (with the exception of qualified service providers under the Mainland and Hong Kong Closer Economic Partnership Arrangement Agreement on Services Trade, who can own up to 50%).
Circular on Regulating the Market Operations of Cloud Services (Draft)
On 24 November 2016, the MIIT released a draft of a new circular for regulating cloud services, with the following key points, which are at least to some extent already enforced in regulatory practice.
Special Regulatory Reviews for Cloud and Edge Computing
The PRC Measures for Cybersecurity Review provides that any CIIO seeking to procure any network product or service that affects or may affect national security needs to undergo a so-called “cybersecurity review”. Some cloud and edge computing products and services – such as high-performance computers or servers, mass storage equipment, large databases or applications, and network security equipment – are specifically included in the scope of network products that are subject to the PRC Measures for Cybersecurity Review. Therefore, any CIIO procuring such cloud and edge computing products or services, or others that may affect national security, will need to go through a process that may include an application for cybersecurity review being submitted to the Cybersecurity Review Office (CRO), an initial review by the CRO, and potentially a “special review” by the CRO if no agreement can be reached by CRO members after the initial review.
Non-CIIOs are unlikely to need to go through a cybersecurity review for procuring cloud or edge computing products or services, although there is a broad catch-all provision that may require any network operator or data handler whose processing activities might impact state security to undergo a cybersecurity review (and any party processing PI of one million or more individuals and applying to go public outside China will need to conduct a review, as detailed in 2.1 Key Challenges).
The Measures for Security Evaluation for Cloud Computing Services provide that cloud computing service providers supplying the Communist Party of China, government agencies or any CIIO may complete a security evaluation of each of their cloud computing platforms providing such services. The evaluation result can be used as a reference to support a supplier’s bid for procurement contracts. As of July 2023, 72 cloud computing service providers had passed this security evaluation, including cloud computing service providers for more than half of China’s provincial governments. The evaluation may cover the following:
Higher Scrutiny Over Cloud and Edge Computing Services Provided for Financial Entities
Cloud and edge computing services provided in financial areas are likely to constitute a “fintech product” and therefore be subject to additional requirements under the PRC Certification Rules for Fintech Products. Regulations promulgated by The People’s Bank of China (PBOC) impose even more requirements on cloud and edge computing services providers, including the “Financial Application of Specification of Cloud Computing Technology-Technical Architectures, Security Technical Requirements, and Disaster Recovery”, which sets out a required standardisation for cloud computing services in the financial area and specifies requirements from the perspective of the establishment of basic structures, technical security, risk assessment and risk management.
With respect to financial personal data and information generated, transmitted and stored during the course of financial cloud and edge computing services, the PBOC and the China Financial Standardisation Technical Committee provide more requirements, primarily through the PRC Personal Financial Information Protection Technical Specification, which adopts a broad definition of personal financial information and specifies measures required during the life cycle of such information.
Data and Privacy Protection
Cloud and edge computing service providers must generally comply with the requirements of the cybersecurity regime in respect of the collection, use, transfer and other processing of PI and certain other kinds of data. Key requirements on parties, including cloud and edge computing service providers, include obtaining consent from data subjects for the collection and further uses of their PI, undergoing so-called “security assessment” procedures or executing the “standard contracts” or obtaining the certification prior to overseas data transfers in certain circumstances, and such further general principles as “legitimacy, rightfulness and necessity” in the collection and use of PI (see also 1.1 Laws and Regulation and 2.1 Key Challenges).
Laws and Regulations
Although there had been some quasi-legislation of AI before mid-2023 (eg, the Ethical Norms for New Generation Artificial Intelligence from September 2021), the first major component in the Chinese regulatory framework for AI was issued on 10 July 2023: the Interim Measures for the Administration of Generative Artificial Intelligence Services (“Generative AI Measures”), effective as of 15 August 2023. Any entity, organisation or individual that provides services that generate any text, images, audio recordings, videos or other content to the general public in mainland China using “generative AI technology”, whether through APIs or other means, will be subject to the Generative AI Measures.
The Generative AI Measures require providers of generative AI services to take a number of actions, including executing service agreements with users, labelling videos and other generated content if the service provider offers “deep synthesis” services, and reporting content violations and wrongful activities to PRC regulators, etc. For any generative AI services with “public opinion properties or the capacity for social mobilization”, their providers are required by the Generative AI Measures to conduct security assessments and algorithm filings via the CAC’s designated online platform. As of November 2023, the CAC already accepted filings of 262 applicants.
Further legislative developments on AI are expected in the near term according to the State Council’s 2023 legislative agenda, including an “AI law”.
At the local government level, from the previous two years, multiple municipal or provincial governments (including Beijing, Shanghai and Shenzhen) have issued guidelines to facilitate the AI industry, aiming at leaving more space and flexibility for AI based technologies in industries spanning healthcare, scientific research, financial, autonomous driving, etc. For example, the Shanghai Provisions on Promoting the Development of the AI Industry (“Shanghai AI Provisions”), effective from 1 October 2022, call for management systems based on grading and “sandbox” supervision. Such management intends to leave space and flexibility for the AI industry to develop. Most notably, the Shanghai AI Provisions stipulate that minor violations of laws during the development of the AI industry can be tolerated without administrative punishment, subject to specific lists of such minor violations formulated by provincial departments.
As the operation of AI tends to be based on large data sets, service providers obtaining such data will be subject to the requirements of the cybersecurity and privacy protection frameworks. In addition to the rules and requirements detailed in 1.1 Laws and Regulation, 2.1 Key Challenges and 3.1 Highly Regulated Industries and Data Protection, AI may be more likely to trigger stricter ones due to the processing of so-called “sensitive personal information”. For example, biological characteristics (eg, fingerprints, faces, voices, gaits) are not allowed to be used as the sole method for personal ID verification; when they are used, the data processor is required to conduct a risk assessment on the necessity and safety of the use, and is prohibited from requesting the natural person to agree on facial information processing as a precondition to using products or services where the facial information is not necessary for their provision.
With respect to the ownership of IP rights, under Article 9 of the PRC Copyright Law, only natural persons, legal persons or organisations may obtain copyrights. As a result, AI may carry out activities such as editing photographs or even composing music or poetry, but it cannot obtain rights or thus protection as a copyright owner under current PRC law. Similarly, the PRC Patent Law stipulates that a patentee should be either an entity or a natural person. Thus, AI itself cannot be considered entitled to patent rights for its inventions.
Recently, a landmark case marks the first instance in China wherein a user’s copyright claim on an AI-generated image has been acknowledged. The case was ruled by the Beijing Internet Court in November 2023. Mr Li, the plaintiff, posted an image created by an AI-based model on his social media account. Subsequently, he filed a copyright infringement claim against the defendant, who had used this image in an article published on a news blog. The Beijing Internet Court supported the plaintiff’s claim, asserting that the AI-generated image encapsulates the intelligent efforts and original thinking of Mr Li. Consequently, the image was deemed a work product, and Mr Li has the copyright. It has sparked widespread attention, prompting discussions on the issue of whether users employing AI-based technology should be afforded copyright protection.
PRC legislators have taken a relatively broad view of the “internet of things” (IoT) concept. The State Council’s 2013 Guiding Opinions on Promoting the Orderly and Healthy Development of Internet of Things (“IoT Opinions”) describe IoT as technology “based on the intensive integration and comprehensive application of a new generation of information technology”, and designate IoT as an important strategic emerging industry of the country. The IoT Opinion further emphasises the co-ordinated overall development of IoT applications, technologies, industries and standards. In September 2021, the MIIT issued the Guidelines for the Construction of a Fundamental Security Standard system for IoT, aiming to outline the framework for the development and implementation of standards for IoT, including software security, access authentication and data security.
Although China has yet to promulgate any comprehensive legislation on the security and regulation of IoT, recent legislation and regulation on data-related issues – such as the PRC Data Security Law, the PIPL, the Measures for Security Evaluation for Cloud Computing Services and the Measures for Cybersecurity Reviews (see 1.1 Laws and Regulation, 2.1 Key Challenges, 3.1 Highly Regulated Industries and Data Protection and 4.1 Liability, Data Protection, IP and Fundamental Rights) – are all applicable to IoT. For example, the PIPL provides that IoT companies that collect PI must obtain prior consent from the individual, and companies cannot refuse to provide services to individuals that refuse to provide PI, unless the processing of such PI is necessary for providing the product or service.
A number of government departments and regulatory bodies have clearly assumed certain responsibilities over IoT activities. Such government bodies include the MIIT (the key regulator for the telecoms sector and approximately 20 other industries), the CAC (which acts as the main watchdog for information security and content administration), the National Development and Reform Commission, the Ministry of Science and Technology (MOST) and the SAC.
There is no single, unified regulatory regime for all components of the audio-visual media industry as a whole in China. Instead, industry sub-sectors are regulated separately through a variety of laws and regulations, with key areas being cable broadcasting, online audio-visual services (including online video-sharing platforms) and over-the-top (OTT) services. In general, the broadcasting or online transmission of audio-visual content is highly regulated, and is off limits to not only foreign but also most domestic investment, in many cases.
Cable Broadcasting
Cable broadcasting is highly regulated in the PRC and is not open to foreign participation or even new domestic market entrants. Currently, a broadcasting television station may only be set up by central or government branches, such as the National Radio and Television Administration or the Ministry of Education. The station’s establishment will also be subject to the central PRC government’s national market plans.
The most central piece of legislation relating to cable broadcasting – ie, offering traditional cable television channels – is the PRC Administrative Regulations for Radio and Television. All cable broadcasters are required to obtain the following two key permits, among others:
PRC law requires applicants for these permits to meet certain requirements, including regarding their location, equipment, technology and personnel, and to complete an application process with the applicable authorities. No application fees are required. As mentioned, however, it is difficult if not impossible in practice for new entities – whether purely domestic or foreign-invested – to obtain either of these permits in China.
Online Audio-Visual Services
Online audio-visual services are primarily regulated through the following:
To operate an online streaming platform – eg, to provide video on demand services, such as Youku (the Chinese YouTube) – the most important operating permits are the “Internet Culture Business Permit” and the “Internet Audio-Video Broadcasting Permit” (“IAVB Permit”). The IAVB Permit requires an application process to be completed with local and central government authorities, while the application for the Internet Culture Business Permit involves only provincial level government authorities. No application fees are required. An applicant for an IAVB Permit must be controlled or wholly owned by one of China’s state-owned enterprises (SOEs). Neither the Internet Culture Business Permit nor the IAVB Permit may be obtained by an applicant that has any direct or indirect (on a see-through basis) foreign investor, although indirect control structures featuring variable-interest-entity structures established before the requirement that the IAVB Permit must be controlled or wholly owned by SOEs are widely used in this sector.
OTT Services
The most important operating permit for providers of OTT services is the OTT licence. To apply for an OTT licence, a qualified applicant must meet certain requirements, including being controlled by an SOE, along with equipment and personnel requirements. Here too, both local and central government approval are needed. There are no application fees. To date, only 16 OTT licences have been issued, and the regulators have effectively suspended the granting of this licence, with the date of resumption unknown.
Contractual Partnerships/Licensing
Directly operating an online video channel in the PRC is highly regulated and requires the procurement of operating licences/permits (ie, an Internet Culture Business Permit and an IAVB Permit/OTT licence) that are generally only available to companies with SOEs as (controlling) shareholders. As such, it is more common for content owners outside China to simply license content to domestic entities that hold all required permits – eg, the licensing arrangement between iQiyi and Netflix. Such domestic entities will also ensure that licenced content complies with PRC content/censorship requirements and will potentially self-censor any content as needed.
The PRC Telecommunications Regulations apply to all types of “telecommunications” services. “Telecommunications” is defined broadly as any “act of using wired or wireless electromagnetic or optoelectronic systems to transmit or receive voice, text, data, images, or any other form of information.”
The PRC Telecommunications Regulations categorise telecommunications services as either “basic telecommunications services” (BTS) or VATS, and different operating permits are required to engage in each. BTS include communications services, public data transmission and public network infrastructure, while VATS consist of call centre services, IDC services, CDN services, VPN services and others. A complete list of BTS and VATS can be found in the PRC Catalog of Telecommunications Businesses, as first formulated by the MIIT in 2000 and last updated in 2019.
Therefore, depending on the type of telecommunications services being provided, the telecommunications operator will need to obtain either a “Basic Telecommunications Service Operating Permit” or a “Value-Added Telecommunications Services Operating Permit” prior to bringing a service to market. Setting aside the fact that numerous BTS and several VATS are off limits to foreign and foreign-invested parties, each permit requires a telecommunications services operator to meet different requirements, as follows.
The procedure for obtaining the relevant approvals/permits can be complicated and time-consuming, but is increasingly being simplified, especially for foreign and foreign-invested businesses. For example, on 15 October 2020, the MIIT released the Notice on Strengthening Interim and Ex-Post Supervision of Foreign-Invested Telecommunications Enterprises, which confirmed that a separate process for MIIT approval would no longer be required for the establishment of FITEs. Then, on 1 May 2022, the key legal regime governing FITEs – the PRC Administrative Provisions on Foreign-Invested Telecommunications Enterprises – was further amended to remove one of the market entry requirements imposed on FITEs looking to obtain the telecommunication operating permits.
The fundamental legal regime in the PRC governing technology agreements is the “Technology Contracts” chapter of the Civil Code (which entered into effect on 1 January 2021), which sets forth certain requirements for technology contracts, as well as the rights and obligations of the contracting parties. Because trade secrets are usually involved in technology agreements, technology agreements are also often subject to the PRC AUCL and the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Cases of Trade Secret Infringement. Aside from the general laws and regulations above, technology agreements of computer software are subject to the PRC Copyright Law and the PRC Regulations on Computer Software Protection.
Technology Improvements and Ownership
Provisions dealing with technology improvements and ownership are commonly negotiated in China’s technology agreements. As indicated in Articles 850 and 864 of the Civil Code, a technology transfer agreement or technology licensing agreement may not restrict competition or development of the technology, nor illegally monopolise it. Provisions that restrict improvements to the technology received may be held invalid and unenforceable by a PRC court. However, the risk tends to be deal-specific.
With respect to the ownership of the subsequent improvements using the technology received, Article 875 of the Civil Code mandates that, unless the ownership is explicitly specified, the party who develops such improvements shall be the owner of the improvements, and the improvements may not be shared by other parties. That said, the subsequent improvements will not be automatically granted back to the technology provider. Therefore, a technology provider should carefully draft the relevant clauses to explicitly specify the ownership of any subsequent improvements.
Reverse Engineering
Another challenge routinely encountered when entering a technology agreement with a local organisation is reverse engineering, which is defined by PRC law as the acquisition of technical information on a product obtained from any public channel through disassembly, mapping, analysis and other technical means.
The provisions restricting reverse engineering are widely used in China as a seller protection scheme, and there is no law expressly prohibiting the inclusion of “anti-reverse engineering provisions” in a technology agreement. However, as explained just above, the provisions against reverse engineering cannot explicitly restrict competition or development of the technology, nor promote its illegal monopolisation. Therefore, anti-reverse engineering provisions bear some risk of being deemed invalid or unenforceable by a PRC court, and any provisions relevant to anti-reverse engineering should be carefully drafted to mitigate such risk.
Technology Import/Export
Many technology agreements also implicate import/export issues. For cross-border technology transfers, parties should look into the PRC Catalogue of Technologies Prohibited or Restricted from Export and the Catalogue of Technologies Prohibited or Restricted from Import (which was last updated on 21 December 2023) to determine if the technology involved is prohibited or requires pre-approval. Even for technology that is not prohibited or does not require pre-approval, the technology contracts need to be filed with the PRC Ministry of Commerce and relevant authorities.
On the other hand, this is another area that China is gradually opening up. In 2020, several clauses implicating forced transfer of technology were removed from the PRC Regulations on the Administration of Import and Export of Technologies. Moreover, the Foreign Investment Law enacted in 2020 made forced technology transfers and unauthorised disclosure of trade secrets by government officials illegal.
Resale Price Maintenance
Furthermore, technology agreements should be carefully drafted to avoid violating provisions in the PRC Anti-monopoly Law. For example, the Anti-monopoly Law strictly prohibits fixing the resale price of a product or service. This restriction can be interpreted to include the scenario of fixing the price of sub-licensing in a technology agreement. Therefore, contracting parties must take care to avoid drafting the technology agreements in such a way that might be deemed to create resale price maintenance, although the most recent amendments to the Anti-monopoly Law (in 2022) did add a safe harbour.
Laws and Regulations
Trust services and electronic signatures are widely used in China, especially in online commerce. The PRC Law on Electronic Signatures (Electronic Signatures Law) was the first PRC law that systematically set forth the requirements on trust services and electronic signatures. China also issued two other regulations concerning trust services providers:
Furthermore, trust services providers must utilise commercial cryptography when providing the relevant services, and therefore are subject to the PRC Cryptography Law. However, China still has no law specifically governing digital identity.
Trust Services
Trust services are highly regulated in China. To become a qualified trust services provider (ie, to provide electronic certification services in China), two permits are required:
The Cipher Code Permit is a prerequisite for the Certification Permit and should be applied for with the competent Cryptography Administration, while the application for the Certification Permit should be completed with the MIIT. In addition, applicants must satisfy several requirements under PRC law, including concerning corporate capacity, technology equipment, technical personnel and registered capital.
Electronic Signatures
The provision of electronic signatures services is a core part of trust services/electronic certification services in China. An “electronic signature” is defined by the PRC Electronic Signatures Law as data in electronic form identifying the signatory and verifying the signatory’s acknowledgement of the content being signed. For an electronic signature to have the same legal effect as a seal or written signature, the following conditions must be met:
The PRC Electronic Signatures Law also specifies certain documents that cannot be legally accepted in electronic format and cannot be signed electronically, such as documents concerning personal relations (eg, marriage, adoption and succession), and documents concerning transfers of real estate rights and interests.
Digital Identity Schemes
Digital identity refers to a set of data stored online that can be used to identify a specific individual. Such data ranges from a personal name to an ID card number. Digital identity (which is also called “E-ID card”) is widely used in China. For example, the Chinese government has been promoting digital identity cards since 2018. Under the digital identity card system, each individual’s identity information is stored online and can be used to access various social services, such as healthcare and public transportation, with a smart device.
While China has yet to promulgate any law specifically governing digital identity, the rules of the cybersecurity regime are generally applicable to the digital identity schemes – particularly the rules regarding the confidentiality and safekeeping of individuals’ PI and the protection of privacy (see 1.1 Laws and Regulation, 2.1 Key Challenges and 3.1 Highly Regulated Industries and Data Protection).
China World Tower A
1 Jianguomenwai Avenue
Beijing
100004
China
+86 10 6535 5888
+86 10 6535 5899
info@dahuilawyers.com www.dahuilawyers.comTechnology, Media and Telecommunication in China in 2024
After years of robust growth, technology, media and telecommunication (TMT) companies in China are encountering evolving regulatory scrutiny and new challenges along with the continued opening-up to foreign investment. Key regulatory developments that affected the TMT industry in 2023 include:
While enhanced or refined regulation is a constant reality (in China, as elsewhere), especially in areas such as AI and data protection, perhaps the two most notable developments in 2023 were the lifting of restrictions on foreign shareholding in certain telecommunication businesses and the release of a draft regulation easing cross-border transfer restrictions that entered into effect only at the end of November 2023. Both are signals that China is keeping its doors open, in some ways opening them more than in 2022, for foreign TMT businesses to tap into the country’s still enormous and vibrant market.
Further opening to foreign investment
The trend of foreign-investment liberalisation carried over (and arguably grew) from 2022. The revisions to the Administrative Provisions on Foreign-Invested Telecommunications Enterprises (“FITE Provisions”), which came into effect on 29 March 2022, radically eased the market entry requirements for FITEs to obtain PRC telecommunications operating licences. Specifically, they removed a previous requirement placed on FITEs to demonstrate that their principal shareholders/parent companies have a “good track record in the telecommunications business”, which, inter alia, may have precluded foreign financial investors (eg, USD-denominated funds) from taking significant stakes in Chinese companies performing internet/telecommunications activities.
Whereas some TMT financial and even strategic investors formerly even had to adopt alternative structures to bypass the “good track record” requirement, they and all foreign TMT businesses seeking to establish themselves or obtain financing should now have a much easier and more straightforward experience in obtaining telecommunications operating licences in China. In fact, the China Academy of Information and Communications Technology has reported the total number of FITEs with one type of such licences (specifically, a licence for value-added telecommunications business) increased from 1,097 to 1,448 between September 2022 and June 2023.
The above developments were followed by even more significant ones in 2023, especially in the Plan on Supporting Beijing to Deepen the Development of the Comprehensive Demonstration Zone of the National Service Industry (“Plan”), released by the State Council on 23 November 2023. Among other things, the Plan relaxes foreign investment shareholding restrictions in specific sub-categories of value-added telecommunications services (VATS) in Beijing. Notably, this includes the elimination of foreign shareholding limitations in the operation of app stores (under the B25 licence) and internet access services (under the B14 licence).
Under the prevailing regulatory framework, the operation of app stores in China is limited to 50% foreign investment, except for investment in free trade zones (FTZs) and for qualified service providers from Hong Kong or Macau under the Closer Economic Partnership Arrangement (CEPA), while foreign investment in internet access services in China is 100% prohibited, subject to the same exceptions.
This development is significant not only in itself but also in being a signal that the Chinese TMT markets may in the near term open up even more to foreign investment.
Data and privacy protection
In 2023, PRC regulators released several implementing rules concerning data protection and related areas, almost all primarily elaborating on the existing law. TMT businesses are faced with the considerable task of keeping abreast of, and in compliance with, new or adjusted rules – often substantial – on a quarterly or semi-annual basis.
Cross-border data transfers
Though the Cybersecurity Law had emphasised cross-border data transfer controls as far back as 2016, they did not take on concrete form until 2021’s Personal Information Protection Law (PIPL), and only in 2022 and 2023 did the system crystallise with detailed implementing rules.
The PIPL provided for three avenues of regulatory compliance for companies to choose from when transferring certain data out of China:
The details of the “security assessment” were largely provided in 2022, while in 2023, specific regulations were promulgated to provide guidance on executing the “standard contract” for cross-border transfer of personal information (PI).
On 24 February 2023, the Cyberspace Administration of China (CAC) released the finalised Measures on Standard Contracts for the Outbound Cross-Border Transfer of PI (“SC Measures”). The SC Measures took effect on 1 June 2023, and allowed a six-month grace period for full compliance; ie, until 30 November 2023. In addition, on 30 May 2023, the CAC issued guidance for the standard contracts and for the PI protection impact assessment (PIPIA) report that needs to be carried out in tandem therewith. On 2 June 2023, the Beijing branch of the CAC released a set of local filing guidelines for further directions related to the standard contract mechanism.
A data handler who satisfies the following criteria can transfer data outside China by using only a standard contract and PIPIA (instead of a security assessment):
To the amazement of many, just two months before the grace period ended for parties to comply with the SC Measures, the CAC did an apparent about-turn. On 28 September 2023, it released the Draft Provisions on Regulation and Facilitating Cross-Border Data Transfer (“Draft Regulation”), which exempted many cross-border data transfers involved in various daily operations of multinational companies from the most wide-reaching and burdensome cross-border data transfer requirements.
Specifically, if the Draft Regulation is implemented substantially in its current form, many cross-border transfers of PI of China employees, customers, vendors, and other business associates will not be subject to security assessments, standard contracts, or PI protection certification. Though that is likely the main purpose, and would be the main effect, of the Draft Regulation, it also eases other restrictions and requirements; eg, exempting data handlers in FTZs from requirements related to cross-border transfer of data as long as the data type to be transferred is not included in particular negative lists (which do not exist as of year-end 2023).
As the Draft Regulation was not promulgated as of year-end 2023, and the grace period for complying with the SC Measures expired, many companies already began work to comply with the SC Measures.
Data property rights and data transactions
The Chinese government recognises data as a significant “factor of production” in the digital economy, akin to capital, land, technology, and human resources. On 19 December 2022, the Central Committee of the Chinese Communist Party and the State Council jointly released the Opinion on Building a Data Basic System to Enhance the Utilisation of Data Elements, which introduced 20 measures (“20 Measures”) designed to establish fundamental data systems that will promote the rapidly growing data industry in China. According to these 20 Measures, China plans to develop basic data systems from four key aspects:
In alignment with the 20 Measures, several local governments in China (including Beijing, Shenzhen, Jiangsu and Zhejiang), have enacted relevant regulations to define data property rights and establish mechanisms for data transactions. These regulations have instituted a property rights operating mechanism to delineate the right to hold data resources, the right to use data processing, and the right to operate data products. Entities possessing data with “commercial value” can apply for and obtain ownership certificates for such data. These certificates serve as legitimate credentials in data transactions, income distribution from data usage, and dispute resolution, forming the basis for data circulation and the burgeoning data-driven economy.
In March 2023, China further solidified its commitment to data governance by establishing the National Data Bureau. Tasked with promoting data-related basic systems, this bureau collaborates with other departments to facilitate data sharing and development, as well as to guide the planning and development of the digital economy.
Artificial intelligence and the emerging trend
As the first major component in the Chinese regulatory framework for AI, the Interim Measures for the Administration of Generative Artificial Intelligence Services (“Generative AI Measures”) was issued on 10 July 2023 by the CAC, alongside six other PRC government departments, and came into effect on 15 August 2023. Any entity, organisation or individual that provides services that generate any text, images, audio recordings, videos or other content to the general public in mainland China using “generative AI technology”, whether through APIs or other means, will be subject to the Generative AI Measures.
The Generative AI Measures require providers of generative AI services to take certain actions, including executing service agreements with users, labelling videos and other generated content if the service provider offers “deep synthesis” services, and reporting content violations and wrongful activities to PRC regulators. For any generative AI services with “public opinion properties or the capacity for social mobilization”, their providers are required by the Generative AI Measures to conduct security assessments and algorithm filings via the CAC’s designated online platform. As of November 2023, the CAC already accepted filings of 262 applicants.
Further legislative developments on AI are expected in the near term according to the State Council’s 2023 legislative agenda, including an “AI law”.
At the local government level, from the previous two years, multiple provincial governments (including Beijing, Shanghai and Shenzhen) have issued guidelines to facilitate the AI industry, aiming at leaving more space and flexibility for AI-based technologies in industries spanning healthcare, scientific research, finance, autonomous driving, and more.
Anti-monopoly and competition
Following the amendment of the PRC Anti-monopoly Law (“AM Law”) in 2022, the State Administration for Market Regulation (SAMR) has released implementing regulations and more detailed guidelines. On 24 March 2023, SAMR issued:
To provide detailed guidance on the above regulations, on 5 September 2023, SAMR issued the Antitrust Compliance Guidelines for Concentrations of Undertakings (“Antitrust Guidelines”). The Antitrust Guidelines serve as an essential reference for parties involved in establishing a compliance management system for transactions.
Some highlights of the Antitrust Guidelines include the following.
In June 2023, the SAMR released the Annual Report on China’s Anti-monopoly Law Enforcement (2022) (“2022 Report”). The 2022 Report reflects the enforcement activities of Chinese anti-monopoly and unfair competition policies in 2022. According to the 2022 Report, Chinese regulators concluded 794 cases involving concentrations of business operators, and 187 anti-monopoly cases of other types.
Company Law
On 29 December 2023, China passed certain amendments to the PRC Company Law which will take effect on 1 July 2024. While some amendments do nothing more than codify already existing judicial rules and regulatory practices, others may affect how companies in China are run in the coming years.
The amended Company Law requires shareholders of companies to inject their subscribed registered capital within five years from the company’s establishment date. Companies established before the amendments come into effect must “gradually adjust the payment timeline to be in compliance” (if they are not already in compliance). While this provision is not precise, the amended Company Law provides that PRC company registries (ie, SAMR) may require such companies to adjust their capital payment timelines.
The amended Company Law provides more flexibility in organising the management of a company, although some new requirements are also added. There is no longer a maximum number of directors, though the minimum remains three, except if the company is “relatively small in scale and number of shareholders”, in which case it can have just one director (called “sole director” instead of the current title, “executive director”). On the other hand, a company with 300 or more employees must have at least one director selected by the employees and acting as their representative.
Instead of a supervisor or board of supervisors, under the amended Company Law, a company can now alternatively set up an audit committee comprised of an unspecified number of directors of the board that is responsible for supervising the company’s financial and accounting matters. The general manager’s powers and functions are no longer specified in the law, but rather are expected to be enumerated in the articles of association of the company or as delegated by the directors. The amended Company Law imposes enhanced liability on directors and officers, calling for the directors and officers to perform their duties and functions more diligently and carefully.
China World Tower A
1 Jianguomenwai Avenue
Beijing
100004
China
+86 10 6535 5888
+86 10 6535 5899
info@dahuilawyers.com www.dahuilawyers.com