Clearer skies for foreign cloud services in China?
December 08, 2016 | By Katherine Jo
The MIIT's draft cloud regulations confirm foreign investment and data limits and set strict rules for local partnerships
China's complex and restrictive regulatory framework governing data protection, cybersecurity and internet services has made accessing its vast cloud computing market a highly complicated process.
Global IT companies shifting their business models to focus on the cloud have found it particularly tough to navigate—and enter—the domestic market, and the nation's IT regulator has drafted new rules to clarify the applicable scope of cloud services, the required licenses and qualifications, and the extent to which foreign operators can actually get involved.
These have been put forward in the Circular on Standardizing Business Conducts in Cloud Services Market (Draft for Comments) (Circular), published on November 24, 2016 by the Information Communication Administration of the Ministry of Industry and Information Technology (MIIT). It is soliciting public opinions by December 24, 2016.
If adopted, the Circular will be the first MIIT regulation specific to cloud computing services, and will provide significant guidance to an industry projected by Bain & Company to be worth $20 billion by 2020 and grow 40% every year. The PRC government already views cloud computing as a strategic priority, and China's tech giants Tencent and Alibaba are leading this charge in the private sector, each having announced last year that it would invest $1.6 billion and $1 billion, respectively, in its own cloud business unit.
Cloud services defined
The Circular categorizes “cloud services” as “internet resources collaborative services” (IRCS), a subset of internet data center (IDC) services listed in the Classified Catalogue of Telecommunications Services (Telecom Catalogue).
Article 1 of the Circular presents a clearer legal definition of “cloud services”, though with a narrower scope compared with international standards and industry practice. It has been generally recognized that IRCS under the Telecom Catalogue includes PaaS [Platform as a Service] and parts of IaaS [Infrastructure as a Service], while excluding most SaaS [Software as a Service]. In other words, IRCS under the Telecom Catalogue does not cover all—if not most—operational models of cloud services. (According to the Telecom Catalogue, IRCS refers to data storage services, internet applications development, internet applications deployment services, and operation management services provided in a way of “real-time, on-demand usage, expandable and real-time collaboration and sharing” through the internet or other networks, based on equipment and resources of data centers.)
The Circular's clarification of “cloud services” may therefore serve more as a demonstrative regulatory scope than as an ultimate official definition.
Qualification requirements
The Circular stresses that cloud service providers must meet all the relevant requirements for capital, personnel, site and facilities set out in the Measures for the Administration of Telecommunications Business Operation Permits (Telecom Permit Measures) and the Circular on Further Standardizing Market Access-related Work for Businesses Concerning Internet Data Centers and Internet Service Providers. They must also pass relevant technical assessments and obtain the corresponding value-added telecom business permits.
- The capital requirement is mainly set out in Article 6 of the Telecom Permit Measures. Due to their often diverse range of clients, IRCS providers usually operate businesses across provinces or nationwide. In such instances, their registered capital must be a minimum of Rmb10 million.
- The criteria for personnel, site and facilities can be found in Article 3 of the Implementation Scheme on Further Standardizing the Market Access-related Work for Businesses Concerning Internet Data Centers and Internet Service Providers.
- The technical assessments referred to by the Circular are relevant to four systems: ICP/IP address/domain name record filing system, IDC/ISP resource access management system, IDC server room operation security, and IDC information security management system.
- The value-added telecom services permits required by cloud service providers must be for IRCS, which is subordinate to the internet information center business in the Catalogue. These can be IDC Operation Permits that include but are not limited to IRCS, or those that cover only IRCS.
Foreign investment restrictions
The Circular reiterates the restriction on foreign investment access to IDC businesses. It emphasizes that foreign investors must strictly comply with the Regulations for Foreign-invested Telecommunications Enterprises and other regulations, as well as the Agreement on Trade in Services provided in the Mainland and Hong Kong/Macau Closer Economic Partnership Arrangement (CEPA), in order to establish foreign-invested telecom enterprises and obtain relevant permits.
The Circular follows the policy trend of restricting foreign investors' access to IDC businesses, allowing them only to establish Sino-foreign joint ventures through CEPA channels for the purpose of obtaining IDC permits. To be specific, a whitelist of open telecom sectors was attached to the CEPA Agreement on Trade in Services at the end of 2015, permitting Hong Kong service providers to engage in IDC businesses in the PRC through Sino-foreign joint ventures at a 50% shareholding cap on Hong Kong investors. This has been restated in the MIIT's Announcement on Issues Regarding the Provision of Telecommunications Services by Hong Kong and Macau Service Providers in the Mainland promulgated on June 30, 2016.
For foreign investors that intend to provide cloud services in the PRC through the CEPA channel, one issue remains uncertain: whether the “Hong Kong service providers” that qualify for the CEPA channel have to be indigenous, or can be Hong Kong enterprises invested in by entities from foreign countries or regions. The CEPA Agreement on Trade in Services or other MIIT instruments have not provided any definite answers to this.
This gives the MIIT considerable discretion in relation to determining investment origins on a case-by-case basis. The regulator usually takes into account the specific circumstances, investors' backgrounds and the business in question before deciding on approval.
Cooperation with IDC license holders
Article 4 of the Circular sets out the basic principles surrounding the “technology cooperation between cloud service operators and relevant entities”. It lists the regulatory requirements on existing modes of cooperation between multinational cloud service providers and domestic enterprises that hold IDC licenses, which acknowledges the presence of multinational companies' cloud services in China.
The current policy—excluding the CEPA channel—does not allow foreign investors to provide cloud services through a foreign-invested telecom enterprise established in China. Mainstream multinational cloud service providers can only access the Chinese market by working with Chinese local enterprises with value-added telecom business permits. For example, Microsoft and IBM work with local data center provider 21Vianet, and Amazon AWS has partnered with Beijing-based Sinnet.
The criteria flagged in Article 4 actually convey the authorities' attitude toward the various problems that have emerged as a result of cooperation with foreign-invested enterprises (FIEs). First of all, the Circular states that if a cloud service provider wishes to pursue cooperation with relevant entities, it must report, in written form, to the telecom regulatory organs on the particulars of the arrangement. The regulators may publish more detailed instructions on the specific requirements for these reports.
Five prohibitions on the mode of technology cooperation have been specifically drawn up in the Circular:
- Leasing and transferring telecom business operation permits to cooperation partners in any disguised form, or providing resources, site or facilities to the partner for any illicit operations, are forbidden. This aims to ensure that the real and licensed IRCS service providers are domestic operators and that ineligible foreign investors are barred from entering the IRCS business through cooperation.
- Cooperation partners must not sign contracts directly with users. The purpose of this restriction is also to ensure that the entity directly providing cloud services is a licensed operator.
- Services must not be provided solely under the cooperation partner's trademarks and brands. The authorities have made great efforts to stress this point, embodying the State Council's intention to vigorously promote the local cloud services industry and to prompt licensed domestic operators to build their own brands and advance their technology and services, and avoid becoming dependent on the products of foreign partners.
- Providing personal information and network data to cooperation partners is expressly forbidden. Stemming from the requirements of the PRC Cybersecurity Law and other regulations relating to personal data protection, this prohibition is aimed at forcing licensed cloud service providers to comply with the law and their contractual obligations and to protect user data security. It also acts to restrain FIEs from touching any information or data they should not have access to, so as to ensure national and cyber security and sovereign welfare.
- Any other acts that violate laws and regulations are forbidden.
Cloud infrastructure
Article 6 of the Circular sets supervisory requirements for cloud service infrastructure. On the one hand, cloud service operators must use access resources such as network infrastructure, IP addresses and bandwidth provided by licensed operators. On the other hand, telecom business operators are forbidden from providing these services to any unit or individual that lacks the appropriate qualification to provide cloud services.
The Circular also emphasizes that cloud service platforms must be established within the territory of China. Article 7 states that cloud service operators must connect to overseas servers or networks only through MIIT-approved internet international service gateways, and may not do so through any self-established channels or those used for private lines or virtual private networks (VPNs).
Management duties
Article 8 states that cloud service operators must perform management duties in respect of their users, such as: applying record filing systems to access websites, and real name registration and validation to third party application developers; strengthening management of information published by users; and immediately suspending those that violate laws and regulations, saving records of information on them, and reporting them to the regulators.
Network and data security
The Circular also clarifies cloud service operators' responsibilities for managing network data and individual information security, which include: formulating and publishing rules for collecting and using individual information; storing the facilities and network data within China; reporting to the telecom authorities; and making public announcements to all users at least three months before ceasing to provide services. These are detailed in Article 9.
It sets clear standards for building a quality service system, improving security management, staffing information security employees, establishing cybersecurity systems, and implementing security standards and criteria. In addition, it encourages the establishment of third-party assessment institutions to certify cloud service operators, based on factors such as service capability, quality, credibility, and security.
The fact that the Circular is soliciting public opinions indicates that the Chinese authorities' supervision over, and focus on, the cloud services industry—the most important sector in information technology—has been put on track. The Circular is expected to come into force soon after the solicitation period ends, and will be supplemented with implementing rules and guiding opinions to steer the industry forward.
Ben Qi, Partner, and Casper Shi, Partner
Jin Mao Partners