China to Strengthen the Regulatory Oversight of Cloud Services

June 16, 2017

By: Greg Pilarowski | Samuel Gintel | Lu Yue

On March 30, 2017, the Ministry of Industry and Information Technology (the “MIIT”) released the Cloud Computing Three-Year Development Plan (2017-2019) (云计算发展三年行动计划 (2017-2019)) (the “Three Year Plan”) to promote the development of China’s emerging cloud computing industry. The Three Year Plan represents the first time that China’s government has released a national level plan to encourage and promote the development of the cloud computing services industry, and sets the goal of having an RMB 430 billion cloud computing industry by 2019.

China has also recently attempted to strengthen the regulatory oversight of domestic cloud computing services. On November 24, 2016, MIIT released for public comment a draft of the Notice on Cloud Services Business Operation Management (关于规范云服务市场经营行为的通知) (the “Proposed Cloud Services Rules”). Although the public comment period ended on December 24, 2016, and the Proposed Cloud Services Rules are not yet in final form, the content of the draft is suggestive of the direction MIIT intends to take with respect to oversight of China’s cloud computing services.

1.  Definition of “Cloud Services”

Prior to March 1, 2016, when the Catalogue of Telecommunications Services (2015) (电信业务分类目录 (2015年版)) (the “2015 Catalogue”), which was promulgated by MIIT, went into effect, cloud services were largely unregulated in China.[1]  The 2015 Catalogue, however, added a new subcategory to the “internet resources collaboration services” category of value added telecommunication services (“VATS”) called “internet data center services”, which refers to “use of data center equipment and resources to provide, via the internet or by way of other networks, customers with services, including data storage and online application development and operation, in each case that are accessible at any time and on-demand, where such resources are continuously expanding and being shared collaboratively.”  

According to the Proposed Cloud Services Rules, “cloud services” refers to internet data center services as referenced in the 2015 Catalogue. This means that if the Proposed Cloud Services Rules become effective, a cloud service would clearly fit within the scope of a VATS, and consequently, an operator of a cloud service would be required to obtain a license from MIIT to operate such business in China.  Such clarity previously did not exist.  

2.  Restrictions on Foreign Investors

Foreign investment in the telecommunications industry has long been restricted in China. According to (i) the Foreign Investors Investment Telecommunication Entities Management Rules (外商投资电信企业管理规定) released by the State Council on December 11, 2001, and (ii) the Mainland China and Hong Kong/Macau Closer Economic Partnership Agreement (the “CEPA”) (内地与香港和澳门关于建立更紧密经贸关系的安排) entered between China’s central government and Hong Kong and Macau on June 29, 2003 and October 27, 2005, respectively, joint ventures between a domestic company and one or more foreign investors or investors from Hong Kong or Macau (collectively, “Non-Domestic”) may only engage in a value-added telecommunication business if the Non-Domestic ownership of the joint venture is less than 50%, subject to a number of exceptions.[2]

Classification of cloud services as a VATS in the 2015 Catalogue, therefore, will significantly impact foreign entities that wish to operate in the cloud services industry in China because they will have to operate through joint ventures, or via some other structure, with less than 50% Non-Domestic ownership.

3.  Cooperation Activity Requirements

Some foreign business may seek to operate in the cloud services industry in China through foreign-domestic cooperation agreements with domestic cloud services operators. The Proposed Cloud Services Rules place certain requirements and restrictions on these types of cooperation.

For example, each domestic cloud service provider that creates a cooperation agreement with one or more foreign partners must: (i) submit written reports to MIIT or its local branch offices detailing the cooperation; (ii) not lease or transfer the relevant value-added telecommunication license to its foreign partners, or provide resources, sites or equipment to its foreign partners; (iii) not permit its foreign partners to enter into agreements directly with customers; (iv) not provide cloud computing services where only the trademark(s) and/or brand(s) of the foreign partners are displayed, and (v) not provide user information and online data to its foreign partners illegally, or act in any way that would otherwise violate the law.[3]

4.  Cloud Services Operation Requirements

The Proposed Cloud Services Rules also set forth the following requirements in connection with the operation of cloud services:

  • International Gateways. The Proposed Cloud Services Rules stipulate that cloud services providers must build their cloud services platforms on servers located in China. If the relevant servers need to be connected with internet sites outside of China, the data must be routed through specific international internet gateways approved by China’s government, and not by way of leased lines or virtual private networks.[4]
  • Data Records within China. If cloud services are provided to domestic customers, the relevant customer data must be saved on servers located in China. Moreover, overseas transferring of data must comply with the requirements of other laws and regulations.[5] For example, on April 11, 2017, the Cyberspace Administration of China (国家互联网信息办公室), released for public comment a draft of the Measures for Security Assessment of Transferring Personal Information and Critical Data Overseas (个人信息和重要数据出境安全评估办法) (the “Overseas Data Transfer Draft”), which, if implemented, would require companies, organizations and individuals in China that qualify as “internet operators” to apply for permission to transmit personal information and critical data out of China.  Pursuant to the Overseas Data Transfer Draft, “internet operators” is defined in very broad terms, capturing “all network owners, network managers and internet service providers.”[6] We understand this broad language to include all companies, organizations and individuals that collect personal information and critical data through the internet.  Further, if, for example, data to be transferred out of China includes the personal information of more than 500,000 persons, irrespective of if such threshold is met with respect to a single transfer or on an accumulated basis through multiple transfers, or the storage size of the data exceeds 1,000 gigabytes, the relevant internet operator must submit an application to such internet operator’s primary regulator in China for a security assessment with respect to such proposed transfer.
  • Security Measures.  Cloud services providers must establish management mechanisms to ensure operational security, including (i) imposing security responsibilities on select employees; (ii) strengthening testing and checking of important equipment, systems and platforms; and (iii) saving backup copies for important equipment, systems and data to ensure safety and stability of operations. In the event clouding services are suddenly and inadvertently terminated, the cloud services providers must take responsive measures and report the issue to MIIT and its local branches.[7]
  • Qualified Basic Telecommunications Vendors. Cloud services providers must use network infrastructure, IP addresses and bandwidth provided by competent business entities that hold basic telecommunication licenses issued by MIIT. The Proposed Cloud Services Rules also include a provision prohibiting basic telecommunication operators from providing services to unlicensed cloud services providers.[8] 

5.  User Monitoring and Protection

The Proposed Cloud Services Rules also include provisions regarding user monitoring and protection.

Cloud services providers must monitor users’ behavior, including: (i) identifying and verifying real names of such users, and monitoring and storing logs of the websites visited by such users, and providing information upon request to the relevant government departments; (ii) supervising users to ensure compliance with the user agreements entered into between cloud services providers and their users; (iii) monitoring the content of information published by users; and (iv) reporting any users who violate the rules of relevant government departments.[9]

The cloud services providers shall also protect users’ information, including: (i) posting applicable rules relating to user information collection and avoiding collection and use of user information in the event that the services are terminated; (ii) improving and optimizing security measures in connection with anti-interception, anti-tampering and data backup to ensure the safety of user information; (iii) reporting to users and to MIIT or its local branch offices without delay in the event users’ data is leaked; and (iv) reporting to MIIT or its local branch offices at least three (3) months in advance of termination of services, and informing users of such termination to enable them to save their data before services are terminated.

6.  Controversy

The Proposed Cloud Services Rules are not without controversy.

On February 9, 2017, AmCham China (中国美国商会), BSA The Software Alliance (BSA软件联盟), the US-China Business Council (美中贸易全国委员会),  U.S. Chamber of Commerce (美国商会) and the United States Information Technology Office (USITO) (美国信息产业机构) jointly issued an opinion to MIIT, complaining that the Proposed Cloud Services Rules will severely impact foreign-invested enterprises that currently operate in China’s cloud computing market, particularly because the Proposed Cloud Services Rules:  (i) prohibit foreign cloud service operators from operating in China as wholly-foreign-owned enterprises; (ii) aim to restrict use of trademarks and brands, signing of contracts and sharing of data, which are all basic business matters; and (iii) require reporting certain issues to MIIT that might serve to otherwise weaken the protection of intellectual property of both Chinese and foreign entities.[10] 

According to an article published in the Wall Street Journal, however, MIIT declared that certain parts of the Proposed Cloud Services Rules are being misinterpreted, and China has no intention of jeopardizing the intellectual property and technology of foreign companies. Instead, MIIT takes the position that the Proposed Cloud Services Rules are only designed to address the proliferation of companies offering cloud services illegally or without proper licenses.[11]

The Proposed Cloud Services Rules are still currently under review and it is therefore possible that they will be more moderate in their final form. Whether more moderate or not, however, the regulatory developments in this area will nevertheless significantly impact the business of cloud services providers in China.

[1] See Section 1 of the Proposed Cloud Services Rules.  

[2] See Section 3 of the Proposed Cloud Services Rules, Section 6 of the Foreign Investors Invest Telecommunication Entities Management Rules, and the CEPA.

[3] See Section 4 of the Proposed Cloud Services Rules.

[4] See Section 7 of the Proposed Cloud Services Rules.

[5] See Section 9 of the Proposed Cloud Services Rules.

[6] See Section 2, Section 17 of the Overseas Data Transfer Draft.

[7] See Section 10 and Section 11 of the Proposed Cloud Services Rules. The Section 12 of the Proposed Cloud Services Rules also require the cloud services providers to comply with (i) Measures for the Administration of Communication Network Security Protection (通信网络安全防护管理办法)  issued by MIIT on January 21, 2010, (ii) Cloud Computing Services Security Management Requirements (云计算服务安全能力要求) (GB/T 31168-2014) issued by MIIT on April 1, 2015, and (iii) Public Cloud Services Security Protection Requirements (公有云服务安全防护要求) issued by China Communications Standards Association (中国通信标准化协会) (YD/T 3157-2016 ) on July 1, 2016.

[8] See Section 6 of the Proposed Cloud Services Rules.

[9] See Section 8 of the Proposed Cloud Services Rules.

[11] See “China Says Draft Rules on Cloud Computing Have Been Misunderstood”, posted on the Wall Street Journal on May 8, 2007.