China question: What are the requirements and risks of setting up data centers or cloud servers in China?

June 30, 2016 | By Katherine Jo

As an MNC with operations in China, are we legally required to establish data centers and servers in the country? Do I need to partner with a local company or SOE? What are the risks involved in big data and cloud computing, and how do I maximize cybersecurity?

The law firm perspective

In the era of digital information and intelligence, the internet data center (IDC) has become a key IT resource for corporate development and expansion. Multinational companies (MNCs) must manage their data centers around the world carefully to support their growing businesses. MNCs in China, in particular, need to address and understand the following issues with respect to establishing and maintaining servers while complying with local data laws:

The purpose of the data centers/cloud servers

Understanding the purpose of data centers or cloud servers is the first step. Circumstances differ depending on whether these are for a company's internal use or for providing such services to third parties.

Existing PRC laws do not prohibit or restrict MNCs from establishing data centers or private cloud servers in China for their own internal use. MNCs can set up a data center or a private cloud within the PRC territory to support their business, and allow their local subsidiaries or foreign affiliates to access those centers and servers.

However, if the intention is to provide services to third parties, the legal status becomes more complex. According to the PRC Telecommunications Regulations and the newly updated Classified Catalogue of Telecommunications Services, these activities are deemed to be IDC services (including internet resources collaboration services) and therefore require an IDC license. Currently, the IDC business is not open to all foreign investors. Only a few qualified Hong Kong or Macau telecom providers are permitted to engage in these services through joint ventures with Chinese partners under the Closer Economic Partnership Arrangement. The Hong Kong or Macau entity's ownership in the venture is capped at 50%, but the Chinese partners do not necessarily have to be state-owned enterprises (SOEs).

Very few Sino-Hong Kong joint ventures have acquired IDC licenses this way. It is very difficult for foreign companies to directly operate IDC or public cloud services in China. Some MNCs present in the market, including IBM, Microsoft, Amazon and Oracle, can only engage in the public cloud business in China by cooperating with their licensed local partners.

Data storage in China

If the data centers or cloud servers are used to store or process specific sensitive or regulated data collected in China, such as personal credit, financial or health information, they must be established and maintained within the territory of the PRC pursuant to regulations requiring the data to be stored and processed in China. MNCs must check their specific industry laws and regulations to determine whether they must establish data centers or servers in China to store and process the collected information. Requirements are largely sector-dependent and refer to “sensitive data”.

Compliance, privacy and regulatory risks

Compliance risks: When operating big data and cloud computing businesses in China, MNCs must carefully comply with various regulatory requirements, from the location of the data center, to monitoring and deleting any “harmful information” in the cloud, to providing the authorities with access to the data. Breaches or violations can result in serious consequences, including license revocation.

Privacy and security risks: MNCs must also meet the requirements of customer data privacy and security. They must comply with specific policies designed to protect customers' data from unauthorized access, malicious attacks and theft. A security breach or data leakage can cause a tremendous amount of damage to the service providers. MNCs must implement an effective technical mechanism to mitigate these risks, and control for these possibilities in legal documents, such as by adding a reasonable limitation of liability clause in service contracts.

Regulator requests: In China, MNCs may also encounter the dilemma of complying with government requirements and protecting customers' privacy, just like the awkward position Apple found itself in when the FBI asked the company to unlock an encrypted iPhone. The government may require data processors or cloud operators to provide private customer data and, in China, if these requests come from the public safety or national security authorities, the MNCs have no choice but to fully comply.

Cybersecurity

Data centers and cloud servers are generally sensitive topics in China. There are no mandatory national standards for the internal use of data centers or private cloud servers; however, MNCs are advised to implement the highest and most stringent cybersecurity standards to operate their centers and servers in China. They can refer to non-compulsory national cybersecurity standards for public cloud services (GBT 31167-2014 and GBT 31168-2014).

They must also comply with the statutory security requirements when storing or processing specific data. A comprehensive, efficient and safe mechanism must be built and maintained to address any potential incidents where security is compromised.

The government is in the process of enacting the PRC Network Security Law (Cybersecurity Law), which will provide detailed requirements with respect to data and internet security. MNCs are advised to pay close attention to the progress of this legislation.

Bin Qi, Casper Sek and Hanshuo Zhou
Jin Mao Partners, Beijing

___________________________________________________________________________________

The tech consultant perspective

The PRC market represents unprecedentedly huge business opportunities, especially during a time when the rest of the world is experiencing volatile slides and slumps. Over the last 20 years, MNCs have been flooding into China, trying to capture their share of the seemingly endless revenue stream.

As data and infrastructure become crucial components of business, MNCs must pay extra attention to building their data and application presence when entering the China market. Apart from select industries that are required to comply with PRC laws in terms of the handling and cross-border transfer of data, MNCs are required to fulfill compliance and regulatory requirements based on their own business needs and industry-specific guidelines when establishing data centers and servers in China.

Governance by the countries of origin

Some governments require MNCs to comply with security requirements when setting up data center facilities both locally and abroad. For example, Singapore requires all its financial institutions to perform TVRA (Threat and Vulnerability Risk Assessments) on their data centers, even if they are located outside its jurisdiction. The guideline not only focuses on the information and physical security of the audited data center, but also covers other potential threats, including, but not limited to, weather, the possibility of natural disasters like earthquakes, and the political stability of the place where the data center is located, whether it is outsourced or operated by the financial institutions.

Monetary authorities or government agencies in other countries may have similar requirements for their member institutions operating overseas, and these should be fulfilled on top of any corresponding Chinese laws and regulations.

Industry-specific security standards

For the payment industry, PCI DSS (Payment Card Industry Data Security Standard) has long been the standard to follow since its introduction back in 2006. The standard, currently in version 3.2, is applicable to any organization that processes, transmits, or stores valuable payment card data, including service providers. In fact, more and more stakeholders in the payment industry include clauses in their purchase agreements with service providers, making it mandatory for the service providers to comply with PCI DSS on an annual basis. It is therefore highly recommended for MNCs within the payment eco-chain to ensure this prerequisite is met when choosing data centers or hosting management providers in China.

Similarly, for MNCs that are required to comply with the AICPA's SOC (Service Organization Controls) standards, it is highly advisable to ensure that their data centers or the hosting service providers they have chosen in the PRC are SOC-2 compliant. This is because data centers are becoming the core provider in terms of network infrastructure as MNCs rapidly increase their reliance on Software as a Service (SaaS), cloud storage and on-demand technologies when conducting financial reporting activities, and the SOC-2 reporting framework is an excellent platform for testing and validating critical areas within a data center's daily operational practices.

PCI DSS and SOC-2 are just two examples highlighting the importance of referring to industry-specific requirements when choosing data hosting solutions in the PRC. Other industries may need to follow similar regulations when expanding their business and infrastructure presence in the China market.

Compliance requirements for emerging technologies

Technologies are evolving at a pace that organizations are taking advantage of by constantly changing the way they handle data and applications. As mentioned above, on-demand computing, cloud storage and SaaS are being commonly adopted by MNCs. When setting up data centers, selecting hosting services, or picking cloud providers in China, certifications on cloud computing security should be a major deciding factor. These may include ISO 27017 (for Cloud Security) and ISO 27018 (for Cloud Privacy), both of which are globally recognized and applicable worldwide. As a matter of fact, such compliance seals are quickly becoming compulsory requirements for foreign companies sourcing cloud or on-demand services.

These requirements for data centers and hosting services, whether owned and operated by the MNCs themselves or used as outsourcing solutions, are critical to address. With compliance and governance pressures coming from both internal and external parties, it is important for MNCs in China to stay informed of not only the changes in PRC laws, but also the evolution of international standards, to safeguard their data and business in the rapidly growing China market.

Joseph Lee
Evolution Security Consulting, Hong Kong
