China’s booming technology, media and communications (TMC) sector provides great market opportunities for cloud computing and related services. Its size, coupled with the fact that it is still fast growing, means that it simply cannot be ignored. However, as with many other aspects of this market, the regulatory environment in China has never been easy. 

Dr Michael Tan and Lynn Zhao, both at Taylor Wessing, look at the legal aspects of operating cloud services in China—in particular a new draft circular that was disseminated for public comments in November 2016—and reveal a picture that is about as clear as a typical Beijing day.

For quite a long time, cloud services in general remained unregulated. In fact, it was not even possible to find the term explicitly addressed under the related telecommunication business classification catalogue (Telecom Catalogue), formulated by the Ministry of Industry and Information Technology (MIIT). It can be equated to the service model of Infrastructure as a Service (IaaS), since it requires an Internet Data Centre (IDC) licence, providing, as it does, facilities for data storage/computing and access management. However, under the Telecom Catalogue for service models of Platform as a Service (PaaS) and Software as a Service (SaaS) it had been difficult to tell exactly which service licence(s) would be required. It is very important to note, though, that just because it is not explicitly addressed it does not necessarily mean you are free to do it. On the contrary, in China this usually means you do not have a sound legal basis for launching operations.

All this creates uncertainty and complexities for a service operator – in particular a foreign one trying to properly structure its cloud computing business. Some clarity in this regard was achieved in 2016, when the MIIT updated the Telecom Catalogue, introducing a new entry termed ‘internet resources collaboration services’ as part of IDC services, which is a very general description supposed to cover all types of cloud-based services. However, there is still some ambiguity (and sometimes flexibility, based on past experience dealing with the MIIT) that can be applied when analysing a specific cloud service case when trying to determine whether or not it falls into this scope.

On 24^th November, 2016, the MIIT presented to the public the draft Notice on Regulating the Operation Behaviours in the Cloud Service Market (Draft Circular) to solicit comments. Though its intention is to better regulate the market, as its name indicates, this Draft Circular unfortunately makes the picture foggy again. Its stated purpose is to improve the market environment, regulate administration and promote the healthy development of the Internet industry, but it comes with many new regulatory requirements and constraints which will have a substantial impact on existing business models, in particular those of foreign players. Below are some key highlights.

Market Access

The Draft Circular defines the term ‘cloud services’ to be any Internet resource collaboration service that is part of an IDC service under the Telecom Catalogue. In other words, the use, via the Internet or other networks, of equipment and resources constructed on data centres to provide customers with services that include: data storage; a development environment for Internet applications; and the deployment of Internet applications and operation management to users, by way of easily accessible, use-on-demand, easily expanded and/or collaborative sharing. Such an expression could theoretically include all cloud-based business models (IaaS, PaaS and SaaS), ranging from consumer applications to enterprise and Internet of Things (IoT) applications. Since an IDC service is classified as a class-one, value-added telecommunications service (VATS), which is still subject to foreign investment access restriction (i.e. a foreign stake of up to 50 per cent), full or majority foreign participation in the Chinese cloud service market will become impossible due to the broadened interpretation of the term ‘cloud services’ under the Draft Circular.

In the past, outsourcing parts of the business that are subject to sensitive regulations to a qualified local partner holding the required VATS licence was a practical way to circumvent licence requirements – some foreign players used this approach to expand their global offering to the Chinese market. However, the Draft Circular now closes the door on this model by explicitly prohibiting a qualified Chinese partner from, for example:

• letting or assigning in a disguised form its VATS licence to its foreign partner, or providing resources, a location or facilities that enable such a partner’s illegal operation;
• enabling its foreign partner to conclude a service contract directly with cloud service customers;
• delivering services to customers only using the trademark and brand name of the foreign partner; or
• illegally providing users’ personal information and network data to the foreign partner.

Obviously these cooperation models are viewed as ‘too aggressive’ by the MIIT. Since they have been practiced in the past, the Draft Circular will now deliver a heavy blow to those international players that have already entered the Chinese market via these routes. They may have to switch to form a 50:50 joint venture (JV) with a local partner to apply for the required VATS licence and adopt a co-branding approach, which will certainly have negative implications on their business. Also to be noted is that the JV route currently remains a theoretical possibility – it does not necessarily guarantee the issuance of a VATS licence for cloud business, not to mention the complicated procedural and time implications.

Data Protection 

With cyber security becoming a top priority of the Chinese Government, the Draft Circular also aims to reflect this political will by raising the below obligations for cloud service operators:

• Their cloud service platforms shall be constructed within the territory of China, and connection to overseas networks shall go through MIIT-approved Internet gateways. Connection to the outside via dedicated lines (专线in Chinese) or VPNs are not allowed.
• Besides abiding by the general data protection rules (e.g. collection consent, data security, right to be forgotten), service facilities and data storage shall remain within China for services that target Chinese users. Any cross-border data transmission and management must follow statutory requirements.

These requirements appear understandable to an extent, and parallels can be drawn with existing mechanisms like the Great Chinese Firewall, which aims to better control cross-border data traffic. However, they will create hurdles for cloud services, in particular those that are internationally deployed. A key value of cloud services is seamless access from anywhere in the world. More value could only be created when all data are pooled together, for example to improve data sampling and data mining. Using a geographically-based concept to regulate services, including data flow, does not appear to fit the demand of business realities. The intention to rule out the use of some very popular technical solutions like VPNs also casts doubt over the value of such prohibitions in practice, since actual enforcement might prove very difficult.

The Draft Circular seems to keep the door open for cross-border data transmission by referring to statutory requirements. The fact that such statutory requirements and procedures are not yet clearly spelled out in sufficient detail for implementation makes this exemption less relevant at this stage, though.

Other concerns and prospects 

In addition to the above, the Draft Circular raises many other concerns that are making foreign players nervous. For example, it stipulates that technical cooperation with a qualified local partner must be reported to the regulator in written form. Since this kind cooperation often involves technical and business secrets, which are of critical importance in the fast moving Internet sector, questions arise over the level of detail in relation to the cooperation that must be reported in order to secure endorsement from the regulators. Latest discussions with the MIIT seems to indicate that they only need the information to evaluate regulatory implications but not to unduly probe commercial secrets. Nevertheless before the final version is inked, these kinds of concerns will remain.

Like it or not, the Draft Circular will land on the ground and its broad coverage will have a substantial impact on international players that are offering or using cloud solutions in their business. The extent of its impact could potentially lead to the MIIT softening its position regarding certain issues – for example, a more proactive approach could be taken allowing cross-border data flow under MIIT supervision by keeping an onshore copy of data instead of completely blocking such flow. As usual, the MIIT might also interpret the scope of cloud services in a more relaxed way, thereby leaving room for certain less sensitive cloud business models to survive, in particular those where their key added value relies on software and data services instead of telecom facility services. This is not too much different from the variable interest entity (VIE) example which remains theoretically illegal but practically tolerated. Whether or not all these will happen in the present case remain to be seen.

Dr Michael Tan is a Partner at Taylor Wessing. He has profound experience in supporting multinational corporations in their business operations in mainland China, in particular in the corporate and commercial fields. Michael is also experienced in dealing with finance and foreign exchange control issues. His industrial focus is on TMC, aerospace, aviation, and other new technology driven sectors. At the same time, Michael supports Chinese companies in their ‘going abroad’ activities, including business expansion and IPOs in Europe. For more information please contact Michael Tan. Taylor Wessing is a leading full service law firm with over 1,200 lawyers in 33 offices around the world. Our China Group members are based in Shanghai, Beijing, Hong Kong, Munich, Frankfurt, Düsseldorf, Hamburg, Vienna, Paris, London and Singapore. Besides all areas of business law relevant to business transactions in China, we are also well known for our advice to Chinese companies investing overseas. For more information please visit our website.