Unlocking the Cloud

1. What are the latest legal updates impacting the IT industry?

• PRC Cybersecurity Law (CSL):

Article 23 of the CSL, which took effect on June 1, 2017, requires that “critical network equipment” and “dedicated cybersecurity products” may only be sold or provided in China after receiving security certification or passing a security test. The first catalogue for these equipment and products was published by the Cyberspace Administration of China (CAC) in June. Article 23 demonstrates China's resolve to mitigate these risks and may pose a significant market entrance check on foreign IT equipment manufacturers.

Article 35 of the CSL mandates the provision of advanced protection for critical information infrastructure (CII)—which covers a broad scope. CII operators are required to complete a “national security review” when purchasing network products and services that may affect national security. Article 37 further requires CII operators to locally store personal information and important data gathered or generated in mainland China.

The Regulations for Protection of the Security of Critical Information Infrastructure (Draft for Comments) (CII Regulations) published by the CAC includes networks used by service providers of cloud computing and big data in the scope of CII. The broad coverage of the CII definition raises concerns that IT companies using the internet to operate in China may be considered CII operators and must comply with these requirements.

• Measures for the Administration of  the Security Review for New Internet Business (Internet Business Measures):

The draft Internet Business Measures, published by the Ministry of Industry and Information Technology (MIIT) on June 8, 2017, require service providers to undergo a security review before operating a licensed telecom business via the internet or a new online business that is not included in the Classified Catalogue of Telecommunications Services (Telecom Catalogue). The Internet Business Measures will impose restrictions on IT service providers' technology and innovation, as well as increase their operating costs.

• Measures for the Administration of Telecommunications Business Operating Permits (Telecom Permit Measures):

The revised Telecom Permit Measures, issued by the MIIT on July 3, 2017, states that an online administrative platform will be set up to support the processing of telecommunications license applications. The MIIT will establish a credit management mechanism, including a “blacklist”, to regulate the operators. Further, the Telecom Permit Measures replace the annual inspection system with an annual report system via the platform.

In addition to the changes in management schemes, the revised rules also provide more flexibility for business operations. Article 18 allows an operator with a telecom license to authorize any of its controlled subsidiaries to operate the telecom service under the parent's license.