Cloud computing is becoming one of the hottest global IT topics. In China it is a rapidly emerging business concept and seems to be creating some promising market potential: Amazon’s AWS and Microsoft’s Azure have already made their debuts on the Chinese market and there are more anxiously waiting in the wings. However, this potential goldmine is not likely to be easily exploited by foreign companies according to Dr Michael Tan and Lynn Zhao of Taylor Wessing. In the article below they analyse the various legal challenges facing foreign players planning to explore opportunities in cloud computing in China.
As an industry of strategic importance cloud computing is explicitly addressed and promoted under China’s current 12th Five-Year Plan. In 2011 alone the central government allocated RMB 660 million to boost the development of cloud computing services in five major cities including Beijing and Shanghai, and according to a 2012 report the cloud computing market in China is expected to grow at a composite rate of 50 per cent in the next five years.
However, despite this promising business outlook, the complicated regulatory environment in China means its relevance to foreign companies remains unclear.
Since most cloud computing services will be deployed via the internet, strictly speaking any related business activities would fall under the scope of telecoms services, an area in China that is presently highly sensitive and heavily regulated. If a foreign company wished to provide such services from outside of China, however, it could be argued that such activities need not fall under the jurisdiction of the Chinese regulatory authorities.
This approach may seem positive since there are technically no territorial borders in the cyber world, and to physically deter such activities via the internet presents a challenging and expensive task. However, although it may avoid regulatory complexities in China, this approach does not come without risks and related costs.
Transmission of data via long distance would likely cause deterioration in the user experience. More importantly there is always the risk that national security concerns would prompt the Chinese authorities to adopt technical measures to block cross-border data flow, the likes of which Dropbox has experienced in the past.
In order to satisfy Chinese customers’ expectations, local cloud computing competence would probably be the preferred solution. This would mean establishing a local presence, which would inevitably touch upon investment-access issues.
According to the Ministry of Industry and Information Technology (MIIT), which is the industrial regulator, telecoms services are divided into two major categories: basic and value-added businesses. Foreign investment is limited to 49 per cent in the former and 50 per cent in the latter, as stipulated in the currently applicable Foreign Investment Industrial Guidance Catalogue (2011 version). Depending on the specific features of the intended cloud computing business, it may fall into either or both of these areas, making it impossible for foreign players to achieve a majority controlling position when investing in such businesses in China.
Additionally, foreign investment in the telecoms sector will further be subject to certain capital requirements and comparably stricter procedural requirements (i.e. provincial- or even central-level approvals).
Telecoms businesses in China require special licenses, as detailed in the Telecommunication Service Catalogue (Telecom Catalogue) promulgated by the MIIT on 21st February, 2003, which outlines the categories of services under the scope of both basic and value-added telecoms businesses. Each category requires an explicit entry under the respective telecoms service license.
However, in the context of cloud computing the picture is unclear, as it is not explicitly addressed by the current Telecom Catalogue. Besides the fact that it is a relatively new concept that has only become popular in recent years, this may also be because cloud computing is itself a vague term which can mean different things under different service models.
For example, it may be easier to tell that the service model of Infrastructure as a Service (IaaS) will very likely trigger—among others—an IDC (Internet Data Centre) license since it focuses on providing facilities for data storage/computing and access management. But it will be more difficult to tell which service license(s) under the Telecom Catalogue would be required for service models of Platform as a Service (PaaS) and Software as a Service (SaaS).
Although the PRC Telecommunication Regulations, promulgated by the State Council on 25th September, 2000, stipulate that business which is not explicitly addressed under the Telecom Catalogue shall require filing with MIIT’s provincial branches, in reality such filing is difficult. All this creates uncertainty and complexities for a service operator trying to properly structure its cloud computing business, and some may even have to outsource the more sensitive parts to the few big players who normally have better leverage when tackling license issues.
One recent development worth noting is the amended version of the Telecom Catalogue presented by the MIIT for public comments on 23rd May, 2013, which obviously has taken this problem into consideration. The amended catalogue includes a new value-added service category titled ‘Internet resources collaboration service business’. Its definition reflects the major features of cloud computing such as service upon demand, cloud storage and management, content sharing and collaboration. Although not yet officially effective, it is widely believed that the amended Telecom Catalogue will pave the way for a much clearer legal framework to regulate cloud computing in the future.
China is rapidly picking up on the legislative side regarding data protection, and concerns over the data-rich aspect of cloud computing will undoubtedly bring about serious challenges. Service operators are well advised to keep a close eye on legal developments in China and any related compliance risks.
Last year saw intensive new data protection legislation activity in China. Based on the Decision of the Standing Committee of the National People’s Congress Regarding Strengthening the Protection of Online Information (28th December, 2012), a series of new laws and regulations were enacted or amended to regulate the issue of data protection (e.g. the Telecommunications and Internet Users Personal Data Protection provisions issued by the MIIT on 16th July, 2013, and the Consumer Protection Act last amended on 25th October, 2013). By introducing concrete administrative punishments such as fines and establishing a link between serious data breach cases and criminal offences, these new rules increase the compliance burden and risks for cloud computing service operators.
Cross-border data transfer—a common occurrence in cloud computing—is not yet something regulated by Chinese data protection rules, but risks may arise from other existing laws and regulations (e.g. state secret protection) and the related implications will need to be carefully evaluated.
There is no doubting the potential of the Chinese cloud computing market. It is anticipated that current market access issues will need to be resolved via China’s further participation in global and regional free-trade talks; however, the present legal framework is less than friendly to foreign players.
This is a market that cannot be ignored though, and foreign players still have the chance to benefit from it by other means, such as licensing arrangements or services support. The related industrial legislation is picking up fairly quickly in tackling new challenges brought about by cloud computing activities, so foreign players would do well to keep a close eye on these developments both on the business side and the legal side.
Taylor Wessing is a full service law firm with approximately 900 lawyers in Europe, the Middle East and Asia, with offices in Shanghai and Beijing. For more information please visit www.taylorwessing.com. Dr Michael Tan is Senior Counsel (Chinese Partner) in Shanghai with an industrial focus on aerospace, aviation, TMT and other technology-driven sectors.
 Sec.2 Ch.6, Cloud Computing White Paper 2012 (April 2012) MIIT Research Academy of Telecommunication (see http://www.miit.gov.cn/n11293472/n11293832/n15214847/n15218338/15224998.html).