Unlocking the Cloud

2. What is the impact of the Cybersecurity Law's provisions regarding data localization on data centers and cloud computing?

Article 37 of the CSL's provisions on data localization include two aspects: (1) personal information and important data collected or generated by CII operators in China must be stored within mainland China; and (2) if such information must be transferred out of China for business reasons, the CII operators must complete security reviews according to the measures jointly formulated by the CAC and other ministries.

The draft CII Regulations expressly include cloud computing service providers within the scope of CII. Cloud service providers must therefore comply with all the requirements for CII operators under the CSL, especially those for data localization and security review. It is also worth noting that the draft proposes severe consequences for failing to comply with these requirements, including confiscation of unlawful revenue, shutting down of websites, and even revocation of licenses.

As the CSL came into effect, relevant cloud service providers have begun taking action. For instance, in order to continue to provide iCloud services to Chinese customers, Apple recently inked an agreement with Guizhou-Cloud Big Data Industry Development, backed by the local government, to build a data center in Guizhou province. Apple will provide technical knowhow for the data center, which will be run and operated by the Chinese partner. By doing so, Apple will ensure its Chinese-facing iCloud services comply with the CSL's data localization requirement. Other foreign cloud service providers are expected to follow a similar approach.

3. Can you describe the current regulatory framework for the IaaS, PaaS and SaaS cloud services?

Currently, telecom business activities in China are regulated by the PRC Telecommunications Regulations, and classified in more detail by the Telecom Catalogue, which requires telecom service providers to obtain the corresponding licenses.

With respect to IaaS [Infrastructure-as-a-Service] and PaaS [Platform-as-a-Service], they are regulated as internet resources collaboration services (IRCS) under the internet data center (IDC) category (B11). IRCS has three critical business elements: (i) online data storage; (ii) internet application development environment; and (iii) internet application deployment and operation management. An IaaS or PaaS that provides one of these services based on IDC infrastructure would be considered as IRCS.

As for SaaS [Software-as-a-Service], several models may be covered under the online data processing and transaction processing service (B21) or information service business (B25). But some SaaS models are purely computer/software services that do not constitute telecom services, and therefore do not need to obtain value-added telecom service (VATS) licenses.

4. What are the biggest challenges that foreign IT companies face in terms of developing and operating cloud services and infrastructure in China? How are these challenges overcome?

Market access restrictions remain the biggest challenge faced by foreign IT companies.

In China, most cloud services are deemed to be the regulated VATS, which requires an operating permit. However, there are special foreign investment restrictions on these businesses.

For example, the IDC or IRCS license is required for running and operating the underlying infrastructure for cloud services, but such licenses are only granted to domestic companies or Sino-Hong Kong/Macau joint ventures that satisfy certain conditions. Even some SaaS businesses require certain VATS licenses and foreign investors must establish 50-50 Sino-foreign joint ventures to apply for these licenses.

There are some proven methods that foreign IT companies may use to overcome the market access hurdles:

• They may find and cooperate with a local partner with the necessary VATS licenses to provide services to customers. Amazon and Microsoft have used this approach to provide technical support to their local partners with IDC licenses. Cooperating with local partners also entails complying with the MIIT's requirements.
• For businesses requiring IDC/IRCS licenses, foreign investors that have a qualified subsidiary in Hong Kong or Macau may consider establishing a joint venture with a Chinese company to apply for the licenses by leveraging the special treatment under the Closer Economic Partnership Arrangement between Mainland China and Hong Kong/Macau (CEPA).
• For businesses requiring VATS licenses other than those for IDC/IRCS, foreign companies may consider establishing Sino-foreign joint ventures to directly apply for the licenses.

5. What have been some major IT and cloud deals in the past 12 months? What are the key market trends?

• In August 2016, Amazon officially announced its cooperation with Sinnet Technology to provide AWS Cloud services in China.
• In August 2016, Oracle and Tencent announced their cooperation on IaaS, PaaS and SaaS based on existing Oracle technology. Oracle could land its cloud solutions by integrating its products with Tencent's public cloud services in China.
• In September 2016, a joint venture was formed by Microsoft and CECT to license, deploy, manage, and provide technical support for Windows 10 for governments and state-owned institutions.
• In September 2016, Cisco and Inspur announced the establishment of a joint venture that will deliver advanced technologies and services in the areas of IT infrastructure, cloud, data centers, smart cities, and big data in China.
• In November 2016, a $600 million takeover of Opera's mobile and desktop browser and mobile app was completed. The buyer is a Chinese consortium that includes Kunlun Tech, Qihoo 360 and a private equity fund.
• In March 2017, IBM and Wanda announced a partnership to land cloud services powered by IBM's Watson and blockchain technologies in China.
• In July 2017, Apple announced its cooperation with the state-owned and Guizhou-based cloud company to build a data center in the province to provide iCloud services in China.

With the implementation of the CSL and relevant rules, it has become increasingly common for foreign IT companies to form strategic partnerships with large Chinese IT players.

6. What are the real barriers to entry for foreign investors in China's IT market?

The real barriers faced by foreign investors are buy-local policies for IT products, software and services.

A 2014 circular jointly published by the China Banking Regulatory Commission (CBRC) and MIIT required the banking sector to take measures to increase the procurement and utilization of “secure and controllable” IT products and services. The requirements were interpreted such that the banks needed to procure IT products developed and manufactured by local companies, rather than by foreign firms. They were deemed as the part of Chinese government's “De-IOE” campaign for IT products and services, where state agencies and companies in key sectors such as banking, insurance, and healthcare are encouraged or required to gradually scale down on using hardware products and software for mainframe servers made by foreign IT companies and shift to homegrown brands that are said to be “safe, advanced and less expensive”.

These policies forced foreign IT players to change their China strategy. For example, in order to sell Windows 10 to governments in China, Microsoft established a joint venture with CETC to develop and sell a government-edition operating system that satisfied specific technical and security requirements.

7. Have any legal developments led to changing R&D trends in the IT and cloud sectors in China?

The PRC government imposes the most stringent censorship over content transmitted and posted online. In response, artificial intelligence (AI) and machine learning technology is commonly used by IT companies in China to develop tools that would allow the authorities to identify restricted/forbidden content and intercept their transmission.

Another example is the sniffer (嗅探) technology (also called “packet analyzer”), which used to intercept and log traffic that passes over a digital network. According to an MIIT circular released in January 2017, private networks (including VPN) can only be used by companies for internal office purposes and any individual or company is prohibited from using private networks to connect to any overseas websites/internet services blocked by the Chinese government. IT companies are encouraged to invest in R&D for sniffer and similar technology to enforce such requirements.

With the implementation of the CSL and its supporting rules, most of the data generated in China is subject to data localization. Companies providing IT services based on big data must develop the technology that can support their business in compliance with such requirements.

Moreover, as the Chinese government pushes to establish a relatively closed network that is disconnected from the internet outside the country, foreign IT companies also need to consider developing applicable technologies and create new business models to adapt to China's closed network environment.

8. Have there been any influential dispute cases in the IT/cloud computing sector in the past 12 months?

A recent tort case invoving Aliyun, Alibaba's cloud affiliate, reflects the ambiguous line between the data privacy of users and network infringement in China.

The plaintiff alleged that a gaming website hosted by Aliyun infringed its copyright and asked Aliyun to delete the infringing game and provide the user's information in relation to the infringement. Aliyun did not take responsive action for more than eight months. The plaintiff then filed an action before a Beijing district court for copyright infringement against Aliyun and claimed Rmb1 million in damages.

In May 2017, the court rendered its judgment and held that, as a cloud service provider and if the interests of its third parties have been infringed due to its services, Aliyun is obligated to take necessary, reasonable, and proper measures to cooperate with the right owners to prevent further losses. But Aliyun ignored the plaintiff's request for far longer than reasonable, and was therefore held jointly responsible for the infringement damages and was required to indemnify Rmb261,240 to the plaintiff. Aliyun has since appealed.

This case will have significant implications on the cloud service sector and the final ruling will be helpful in clarifying the scope of obligations and responsibilities of cloud service providers for their hosting services.

9. Is there any way by which foreign investors can engage in IDC and IRCS businesses in China? What are some examples?

IDC and IRCS businesses are subject to strict foreign investment restrictions. Only qualified service providers of Hong Kong/Macau can apply for an IDC license through a joint venture with a domestic company, where the foreign investment shareholding is no higher than 50%, under CEPA. The CEPA scheme is the only legitimate means for foreign service providers to engage in IDC and IRCS businesses in mainland China.

According to a report newly issued by the research institute of the MIIT, as of the end of June 2017, there are five foreign-invested companies that have been granted and maintain IDC licenses in China. All five are Sino-Hong Kong joint venture companies that have acquired the IDC license under CEPA.

Among them, a Sino-Hong Kong joint venture with NTT as the ultimate controller of the Hong Kong shareholder was granted the IDC license in June. This presents the latest case under which a foreign service provider established a joint venture through its Hong Kong subsidiary to apply for IDC license under CEPA, and could be a reference for foreign investors that wish to enter the IDC/IRCS business in China under the CEPA scheme.

10. What legal developments are in the pipeline for the IT and cloud sectors? What is your outlook for the industry in 2018?

For the upcoming year, it is expected that: (1) detailed implementing rules for the CSL and the corresponding standards will be published and enter into effect, including the Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas, and the Regulations for Protection of the Security of Critical Information Infrastructure; (2) the MIIT's circular on regulating cloud services will also soon be in place; and (3) the government authorities will continue legislating new regulations and rules to respond to business and technology innovation.

• Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments) (Data Transfer Measures):

On April 11, 2017, the CAC issued these draft Data Transfer Measures for public comment. They are one step closer towards the implementation of the CSL. Once adopted, the Data Transfer Measures will have a significant impact on businesses in China that have operational needs for transferring data overseas.

It is expected that the Data Transfer Measures and the corresponding national standard Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment will soon be published to provide guidance on cross-border data transfer practices.

• Regulations for Protection of the Security of Critical Information Infrastructure (Draft for Comments):

On July 11, 2017, the CAC released the draft CII Regulations, which clarify the scope of CII and expand on how CII operators are supposed to protect their networks against cyber threats.

Article 19 of the CII Regulations states that the CAC, MIIT and Ministry of Public Security (MPS) are working together to draft the Guidelines on the Identification of Critical Information Infrastructure. The drafting status of these Guidelines is unclear, but it is expected to be officially published during late 2017 or early 2018.

• Circular on Regulating the Business Activities in the Cloud Service Market:

On November 24, 2016, the MIIT released a draft circular aiming to regulate business activities in the cloud computing service market.

The public comment period has ended but the circular is still in deliberation due to different opinions of various stakeholders. Despite the controversy surrounding this circular, it is expected to be officially published in upcoming months.

Ben (Bin) Qi, Partner

Jin Mao Partners

Bin (Ben) Qi is the managing partner of Jin Mao Partners, based in the Beijing office. He has rich experience in corporate development strategy, the IT industry, M&A, antitrust, capital markets, PE & VC, and cross-border transactions.

Prior to his private practice, Ben worked for more than 10 years as in-house legal counsel for multinational companies. From 2003 he was senior legal counsel for IBM Greater China, where he was the company's lead lawyer on matters regarding the telecom industry, risk control, corporate development, M&A, investments, and management. He was the key counsel on many of IBM's high-profile deals, including its PC and x86 server business divestiture to Lenovo, sale of its printer business to RICOH, investment in Guangdong Development Bank, and other acquisitions of software firms. Ben was also the chief legal counsel for IBM China Investment Fund and led deals such as IBM's investments in Kingdee, Changhong, and Smartdot, and received IBM's global legal counsel award. Ben was previously also the Asia Pacific general counsel for Peak Pacific Investment Company and senior counsel for Siemens China.

Ben has been recognized as a leading lawyer in the area of IT, IP, and M&A. One of his projects, Lenovo's acquisition of IBM's x86 business, was awarded the “TMT Deal of the Year” by China Law & Practice in 2015.

Ben obtained his LL.B. from East China Politics and Law Institute in Shanghai, LL.M. and Ph.D. from Renmin University Law School in Beijing, and his S.J.D. from the University of British Columbia School of Law. He is fluent in both Chinese and English.

Casper Sek, Partner

Jin Mao Partners

Casper Sek is a partner at Jin Mao Partners, based in the Beijing office. He advises foreign and domestic clients across a broad range of industries on general corporate matters, private equity, offshore financing, M&A, TMT, and IP. Casper has extensive experience in cloud computing and IT-related legal issues, having assisted numerous multinational IT and cloud companies in launching their business in the China market.

Casper obtained his LL.B. from Beijing Normal University, and his LL.M. degrees from the University of International Business and Economics and University of Wisconsin-Madison. He is admitted to both the PRC and New York bar. His working languages are Chines and English.

1. 有哪些影响IT行业的最新法律动态?

• 《中华人民共和国网络安全法》(《网络安全法》):

《网络安全法》(2017年6月1日起生效)第23条规定,“网络关键设备”和“网络安全专用产品”必须经认证合格或者安全检测符合要求后,方可在中国销售或者提供。国家互联网信息办公室(网信办)在六月公布了该等设备和产品的首批目录。此条表明中国防控风险的决心,并可能对外国IT设备制造商构成一定的市场准入门槛。

《网络安全法》第35条要求为关键信息基础设施提供重点保护,涉及范围广泛。关键信息基础设施的运营者采购网络产品和服务,可能影响国家安全的,须通过“国家安全审查”。该法第37条进一步规定,关键信息基础设施的运营者在中国大陆境内运营中收集和产生的个人信息和重要数据应当在境内存储。网信办颁布的《关键信息基础设施安全保护条例(征求意见稿)》(《CII条例》)将云计算和大数据服务提供者运行和管理的网络设施纳入关键信息基础设施范畴。该种就关键信息基础设施的宽泛的界定不禁使人担忧，在华通过互联网运营的 IT公司也可能被视为关键信息基础设施运营者,进而必须符合前述有关要求。

• 《互联网新业务安全评估管理办法》(《互联网业务办法》):

工业和信息化部(工信部)于2017年6月8日发布《互联网业务办法》草案,对通过互联网新开展其已取得经营许可的电信业务或未列入《电信业务分类目录》(《电信目录》)的新型电信业务,电信业务经营者须接受安全评估。《互联网业务办法》将对IT服务提供者的技术和创新施加一定限制,有关经营成本也将增加。

• 《电信业务经营许可管理办法》(《电信许可管理办法》):

工信部在2017年7月3日发布修订版《电信许可管理办法》,明确将建立网上电信业务综合管理平台,以处理电信许可申请。工信部还将建立包括“黑名单”在内的信用管理机制来监管经营者。此外,《电信许可管理办法》通过该平台开展的年报制度以取代此前推行的年检制度。

除管理制度变更外,修订后的规则也为业务运营提供了更大的灵活度。该办法第18条允许持有电信业务经营许可证的经营者授权其符合经营电信业务条件的控股子公司经营其获准经营的电信业务。

2. 《网络安全法》有关数据本地化的规定对数据中心和云计算有什么影响?

《网络安全法》第37条对数据本地化作出了规定,该等规定包括两个层面:(1)关键信息基础设施的运营者在中华人民共和国境内运营中收集和产生的个人信息和重要数据应当在境内存储;及 (2)因业务需要,确需向境外提供的,应当按照国家网信部门会同国务院有关部门制定的办法进行安全评估。

《CII条例》草案明确将云计算服务提供者提供的网络设施纳入关键信息基础设施范围内。因此,云计算服务提供者将必须遵守《网络安全法》有关关键信息基础设施的所有规定,尤其是有关数据本地化和安全评估的要求。此外同样值得注意的是,草案提出了不遵守这些规定的严重后果,包括没收非法收入、关闭网站、乃至吊销相关业务许可证。

随着《网络安全法》的生效,相关云服务提供者已开始采取行动。例如,为继续向中国客户提供iCloud服务,苹果近期与当地政府所支持的云上贵州大数据产业发展有限公司签订协议,在贵州省建立数据中心。数据中心将由中国合作方运营,苹果公司则为数据中心提供专有技术支持。通过此种合作,苹果将确保其面向中国的iCloud服务遵守《网络安全法》的数据本地化规定。预计其他外国云服务提供者将采用与之类似的合规策略。

3. 您可以介绍一下IaaS、PaaS和SaaS云服务的现行监管框架吗?

目前,中国电信业务活动受《中华人民共和国电信条例》监管,《电信目录》对此作出更具体的分类,要求电信服务提供者取得相应类别的许可。IaaS(基础设施即服务)和PaaS(平台即服务)一般被认定为属于互联网数据中心(IDC)(B11类)项下的互联网资源协作服务(IRCS),而受到监管。IRCS有三个关键业务内容:(i)在线数据存储;(ii)互联网应用开发环境;及(iii)互联网应用部署和运行管理。基于IDC基础设施提供其中一项服务的IaaS或PaaS即被视为构成IRCS。

至于SaaS(软件即服务),不同业务模式的SaaS可能被归为在线数据处理与交易处理业务(B21类)或信息服务业务(B25类)。值得注意的是，一些SaaS的业务模式属于纯粹的计算机/软件服务,并不构成电信服务,因此无需取得增值电信业务经营许可证。

4 . 外国IT公司在华发展和经营云服务和基础设施的最大挑战是什么? 如何克服这些挑战?

市场准入限制仍然是外国IT公司面临的最大挑战。

在中国,大多数云服务被视为受监管的增值电信业务,须取得经营许可。但是,这些业务还受到特别的外商投资限制。

例如,运营云服务基础设施需要IDC或IRCS许可,但该等许可仅颁发给满足特定条件的国内公司或中港/澳合资公司。甚至一些SaaS业务都需要特定的增值电信业务经营许可证,外国投资者必须设立持股比例至少为50-50的中外合资企业来申办有关电信许可证。

外国IT公司可通过下述已被证实可行的方法,来克服市场准入的障碍:

• 外国IT公司可选择与一家持有增值电信业务经营许可证的本地合作方进行合作,为客户提供服务。亚马逊和微软均采用此种方式通过为持有IDC许可证的本地合作方提供技术支持的方式与本地合作方展开合作。但需要注意的是，与本地合作方的该等合作同样须遵守工信部的有关要求。
• 对于要求持有IDC/IRCS许可证才能开展的业务,在香港或澳门有合格子公司的外国投资者可考虑与中国公司建立合资公司,通过利用《内地与香港/澳门关于建立更紧密经贸关系的安排》(CEPA)下的特别待遇来申办该等电信许可证。
• 对于要求持有IDC/IRCS许可证以外的其他增值电信业务许可证的业务,外国公司可考虑设立中外合资公司并通过该实体直接申请电信许可。

5. 过去 12 个月, IT和云行业有哪些重大交易? 主要市场趋势是什么?

• 2016年8月,亚马逊正式宣布与光环新网合作,在华提供AWS云服务。
• 2016年8月,甲骨文和腾讯宣布基于现有甲骨文技术,开展IaaS、PaaS和SaaS合作。通过将自身产品与腾讯在中国的公共云服务相整合,甲骨文可将其自身的云解决方案在中国落地。
• 2016年9月,微软与CETC成立合资企业,就用于政府和国有机构的Windows 10提供许可、部署、管理并提供技术支持。
• 2016年9月,思科与浪潮集团宣布成立合资公司,在中国为IT基础设施、云服务、数据中心、智慧城市和大数据领域提供先进技术和服务。
• 2016年11月,昆仑万维、奇虎 360 和一家私募股权基金组成的中国联合体完成对Opera 移动和桌面浏览器、移动应用程序价值6亿美元的收购。
• 2017年3月,IBM和万达宣布合作,计划将IBM沃森和区块链技术所支持的云服务在中国落地。
• 2017年7月,苹果宣布与一家总部位于贵州的国有云公司合作,在该省建立数据中心,在中国提供 iCloud 服务。

随着《网络安全法》和相关规则的实施,外国IT公司与中国大型IT企业建立战略合作伙伴关系,正在成为日益普遍的做法。

6. 外国投资者进入中国IT市场的真正壁垒是什么? 


外国投资者面临的真正壁垒是针对IT产品、软件和服务的本土采购政策。

中国银监会和工信部在2014年联合发布通知,要求银行业 采取措施,增加对“安全可控”的IT产品和服务的采购和使用。该要求被解释为银行必需采购本土企业开发和制造的IT产品,而非外国公司产品。这被视为中国政府对IT产品和服务“去 IOE”行动的一部分,即鼓励或要求关键行业(例如银行、保险 和医疗)的国有机构和公司逐渐减少使用外国IT企业制造的用于主机服务器的硬件产品和软件,改为使用所谓的“安全、先进和廉宜”的本土品牌。

这些政策迫使IT公司改变其在中国的战略。例如,为了向中国政府出售Windows 10,微软与CETC成立了一家合资公司,开发和出售满足特定技术和安全要求的政府版操作系统。

7. 有没有引致中国IT和云行业的研发趋势变化的法规新动态? 


近年来，中国政府对经网络传输和发布的内容实施着最为严格的审查。为此,中国IT公司普遍使用人工智能(AI)和机器学习技术来开发有关审查工具,使主管部门能够识别受限/被禁止的内容,并拦截这些内容的传输。

这其中较为典型的例子是嗅探技术(又称为“数据包分析器”)的研发。该技术用于拦截和记录通过数字网络的流量。根据工信部2017年1月发布的通知,专线网络(包括VPN)仅限企业用于内部办公,任何个人或公司均不得使用专线网络来连接中国政府封锁的任何境外网站/互联网服务。有关部门鼓励IT公司投资嗅探器和类似技术的研发,以执行此类规定。

随着《网络安全法》及其配套规则的实施,中国境内产生的大多数数据将受数据本地化规限。对于依靠大数据来提供IT服务的企业而言,必须开发出能够支持其业务并符合这些规定的技术。

此外,由于中国政府在推进建立与境外互联网相分离的一个相对封闭的网络,外国IT公司还需考虑开发适当的技术并探索新的商业模式,以适应中国封闭的网络环境。

8. 过去 12 个月, IT/云计算行业有哪些具有影响力的争议案件? 


近期涉及阿里云(阿里巴巴的云服务关联公司)的侵权案件,反映出中国的用户数据隐私与网络侵权之间的模糊界线。

原告称阿里云托管的某个游戏网站侵犯其著作权,要求阿里云删除侵权游戏,并提供有关侵权的用户信息。然而在此后八个月多月的时间里,阿里云并未采取回应措施。就此原告在北京的一个区级法院对阿里云提起著作权侵权诉讼,索赔人民币100万元。

2017年5月,一审法院作出判决,判定阿里云作为云服务提供者,若第三方的利益由于其服务受到侵害,则阿里云有义务采取必要且合理的适当措施,与权利人合作,防止进一步的损失。但阿里云超出合理时间无视原告请求,因此对侵权损害赔偿负有连带责任,应向原告赔偿人民币261,240元。阿里云此后已提出上诉。

这一案件将对云服务领域有重要影响,最终判决将有助于明确云服务提供者就其提供的托管服务所应承担的义务和责任范围。

9. 有没有外国投资者可以参与中国的IDC和IRCS业务的方法? 有没有这方面的实例?

IDC和IRCS均受严格的外商投资限制。只有香港/澳门的合格服务提供者可根据CEPA,通过与国内公司组建合资企业的方式来申请IDC许可证,且外商投资持股比例不得高于50%。CEPA安排是外国服务提供者在中国大陆从事IDC和IRCS业务的唯一合法方式。

根据工信部研究机构最新发布的报告,截至2017年6月底, 共有五家外商投资企业获颁并持有中国IDC许可证。所有五家企业均为在CEPA安排下取得IDC许可证的中港合资公司。

其中,一家中港合资公司在六月获颁IDC许可证,而该公司的香港股东的最终控制人为NTT。这是外国服务提供者通过其香港子公司在华设立合资企业,并在CEPA下申办IDC许可证的最新案例,可供有意通过CEPA安排进入中国IDC/IRCS业务的外国投资者参考。

10. IT和云领域有哪些正在草拟中的法规? 您对这一行业 2018 年有何展望?

预计未来一年:(1)《网络安全法》的具体执行规则和相应标准将颁布并生效,其中包括《个人信息和重要数据出境安全评估办法》及《关键信息基础设施安全保护条例》;(2)工信部监管云服务的通知也即将出台;及(3)政府主管部门将继续制定新的法律法规,以应对商业和技术创新。

• 《个人信息和重要数据出境安全评估办法(征求意见稿)》(《数据出境办法》):

2017年4月11日,网信办颁布《数据出境办法》草案,向社会公开征求意见,标志着向贯彻落实《网络安全法》又迈进一步。《数据出境办法》一旦通过,将对有数据出境运营需求的在华企业产生重要影响。

《数据出境办法》及相应的国家标准《信息安全技术数据出境安全评估指南》预计不久即将公布,从而为数据出境实践提供指引。

• 《关键信息基础设施安全保护条例(征求意见稿)》:

2017年7月11日,网信办发布《CII条例》草案,其中明确了关键信息基础设施的范围,继而规定关键信息基础设施运营者应如何保护其网络不受网络威胁。

《CII条例》第19条规定,国家网信部门将会同国务院电信主管部门、公安部门等部门制定《关键信息基础设施识别指南》。该指南的起草情况尚不明确,但预计将于2018 年初正式发布。

• 《关于规范云服务市场经营行为的通知》:

工信部于2016年11月24日公布通知该草案,以规范云计算服务市场的经营行为。

现该通知的公开征求意见期已经结束,但由于多个利益相关方的意见存在分歧,通知仍在审议阶段。尽管存在争议,预计该通知将在未来几个月内正式发布。

齐斌 合伙人

金茂凯德律师事务所

齐斌律师是金茂凯德律师事务所北京办公室管理合伙人。他在外商投资、IT、跨国兼并收购、反垄断法、资本市场、风险投资和私募股权投资以及跨国投资与交易领域具有丰富的经验。

在加入金茂凯德律师事务所之前，齐斌具有超过10年跨国公司法律顾问的工作经验。从2003年起，齐斌是 IBM大中华区的资深高级律师，主要负责IBM在中国的电信行业、风险管理、公司事业发展和重组并购、投资决策和管理领域的法律事务。他参与了许多著名的交易，其中包括作为IBM核心律师参与IBM向联想出售其PC及x86服务器业务、IBM向理光出售其打印机业务、IBM与花旗集团对广发行的 投资、以及IBM对许多软件公司的收购与整合活动。他同时还担任IBM中国投资基金的首席律师，负责了包括IBM投资金蝶软件、长虹电子和慧点科技等项目。在此期间，齐斌律师获得了IBM全球法律总监奖。在加入IBM之前，齐斌是美国PEAK PACIFIC投资公司亚太区法律总监和西门子中国公司资深法律顾问。

他多次被评为在IT、IP和兼并收购领域的杰出律师。2015年，齐斌律师参与的“联想收购IBMx86服务器业务”交易被《China Law & Practices》评选为“年度TMT交易大奖”。

齐斌律师毕业于华东政法学院、中国人民大学法学院和加拿大英属哥伦比亚大学法学院，拥有法学学士、法学硕士和法学博士学位。 他的工作语言为中文和英文。

石钛戈 合伙人

金茂凯德律师事务所

石钛戈律师是金茂凯德律师事务所北京办公室合伙人。他为境内外客户提供公司事务、私募股权投资、离岸融资、公司并购、TMT、知识产权等方面的法律服务。石律师在云计算与IT相关法律事务方面拥有丰富的经验，他为多个跨国IT和云服务企业在华开展业务提供服务。

石律师于北京师范大学取得法学学士学位，并在对外经济贸易大学和美国威斯康星大学（麦迪逊分校）取得法学硕士学位。他同时持有中国和美国纽约州的律师执照。他的工作语言为中文和英文。