Navigating through Cloud Computing Regulations and Enforcement in China

October 18, 2018 | BY

Jacelyn Johnson

Jeanette Chan, managing partner – China Practice, and David Lee, counsel at Paul, Weiss, Rifkind, Wharton & Garrison speaks to China Law & Practice about the key regulations, foreign investment trends and personal data issues governing cloud computing in China

|

China has maintained and in fact recently increased their focus on tightening and monitoring data security as a conscious measure to protect national security. Since entering the World Trade Organization (WTO) in 2001, China has taken various measures to open up its borders to the telecommunications industry, but it does seem that there is still a tight hold over foreign investments and ownership, especially in this era of cloud computing. Jeanette Chan and David Lee of Paul Weiss shares with us their thoughts on the current legislative state and future trend of cloud computing in China.

What types of cloud computing services are offered in China?

There are generally three types of cloud computing services available in China:

  • IaaS – Infrastructure as a Service under which the service provider provides basic infrastructure, which could include servers, data storage space, etc. Examples of IaaS providers in China include China Telecom and other data center service providers.
  • PaaS – Platform as a Service under which the service provider provides the platform/operating system for customers to run applications. The platform runs on the infrastructure. PaaS that are available in China include Aliyun, Amazon Web Services operated by Amazon's China partner.
  • SaaS – Software as a Service under which applications run on the cloud to provide services. SaaS providers provide on-demand software and are more end- user focused. These services come in all different types but generally offer some type of cloud storage function.

The types of cloud computing services are not mutually exclusive – large cloud computing service providers often have their own infrastructure, develop their own platforms and deploy applications for end users.

What is the size of the cloud computing market in China, and what is the estimated total market value?

China's cloud computing market has experienced robust growth since 2010 and its market size reached Rmb178.2 billion in 2016, up 18.8% year-on-year, according to the Report of Prospects and Investment Strategy Planning on China Cloud Computing Industry (2017-2022). The growth was mainly propelled by public departments, which serve both as the customer and the government, along with telecom operators.

According to Alvarez and Marsal, by 2020, the aggregate market size of China's cloud computing industry is expected to hit Rmb686.6 billion (about US$103.6 billion). In addition, cloud sales is expected to grow from 5% to 20% in the Chinese IT market by 2020.

What are some of the key regulations governing cloud computing in China? And are there different rules governing different industries?

Cloud computing, referred to as 'Internet resource collaboration services' in China, is classified as a type of value-added telecommunication service in China. Telecommunication services in China are regulated under the Telecommunications Regulations, the Administrative Measures on the Licensing of Telecoms Businesses and the Catalog of Classification of Telecoms Businesses (2015 version).

A draft notice on regulating the cloud computing market was issued in November 2016, however it is still not finalized or passed by the government yet.

There are different regulations governing specific types of Internet-related services in China, e.g., online publishing services, online gaming services, online audio-visual streaming services, online mapping services, etc. If a type of service involves both cloud computing services and these other types of services, then regulations governing such other types of services would also apply.

The Cybersecurity Law (CSL), which came into effect on June 1, 2017, governs network security and cyberspace activities in China which also applies to cloud computing services in China.

Is foreign investment permitted in cloud computing services in China?

Foreign investment in cloud computing services in China is not permitted. However, under the Closer Economic Partnership Arrangement (CEPA) between Hong Kong and China and the CEPA between Macau and China, qualified Hong Kong or Macau service suppliers can set up joint venture companies in China (owning no more than 50%) to provide data center services which would cover cloud computing services.

Foreign investors sometimes participate in the cloud computing industry by licensing technology to Chinese partners. There are also foreign companies that use contractual arrangements to control a domestic entity which operates a cloud computing business in China. This structure is known as the VIE structure and there are both legal and control risks applicable to this type of structure.

What are some of the legal requirements for personal data applicable to cloud computing in China?

Under the CSL, before collecting information from a data subject, a network operator has to explicitly inform the data subject of the purposes, means and scope of the collection and use of his/her information, and obtain his/her consent for collection. The processing of the personal information is required to be done in accordance within the scope of the consents.

Consent of a data subject must be obtained before any of his/her personal information is to be transferred to a third party. A network operator must promptly inform data subjects of a data breach or loss of data; and is also required to report the incident to the government and to take immediate remedial actions.

In addition, the CSL requires that an operator of critical information infrastructure (CII) are subject to data localization requirements – personal information and important data that is generated or collected by a CII operator in China must be stored in China unless the requisite security assessment has been passed or if the data transfer is otherwise permitted by law. There are also draft measures that may expand the cybersecurity review process to all network operators, not only operators of CII. There are still clarifications needed for the specific requirements relating to cyber security, and ultimately a balance would need to be struck between legitimate exchange of commercial information and transfer of truly sensitive information.

What are the consequences for breach of the laws with respect to personal data protection?

There are administrative rules and national laws with respect to personal data protection. Breaches of administrative rules may lead to fines and in serious cases, a business operator may lose its license to operate its business. National laws, such as the CSL, provide more onerous penalties for violations of data protection provisions, such as fines of up to Rmb1,000,000. There are also criminal law requirements relating to protection of personal information and state secrets.

What do lawyers and in-house counsels need to be aware of when advising clients with regards to cloud computing in China?

In house counsels of multi-national companies should note that foreign investment in cloud computing services in China is not permitted. They also need to be aware that it is difficult in general to create a seamless user experience for use of cloud computing services in China and use of global cloud computing services.

The Chinese government issued a set of draft rules on regulating the cloud computing market in November 2016. The draft rules have not yet been passed, but they show the Chinese government's attitude towards foreign participation in cloud computing – taking a more restrictive approach and to prevent Chinese cloud computing service providers from lending their permits to foreign cloud computing service providers.

What is the future of cloud computing in China?

The origins of cloud computing in China vary from Western counterparts in that consumer services, prompted the need for cloud computing while startups in the West were the first companies to use cloud computing technology. Although certain technology companies in China have dominated the cloud services market in 2017, research indicates that other Chinese companies will strengthen their cloud computing abilities by 2020.

As stated above, the aggregate market size of China's cloud computing industry is expected to hit US$103.6 billion by 2020. A report by Alibaba Cloud predicts cloud computing in China will continue to grow due to private sector investments, strong government backing and emerging talent. In particular, China is placing great emphasis on artificial intelligence related businesses, which requires tremendous amount of data and big data analysis. These types of activities will require strong cloud computing support.

The Chinese government's 13th five-year plan includes investing in various new cloud platforms and building cloud data centers across the country. Additionally, increased speed, flexibility and decreased cost have also helped the cloud industry grow exponentially in the last few years. According to a government plan, China will expand its presence in cloud computing companies in the global market. The focused efforts on growing cloud computing will transform traditional industries, such as manufacturing, to increase smart production.

This premium content is reserved for
China Law & Practice Subscribers.

  • A database of over 3,000 essential documents including key PRC legislation translated into English
  • A choice of newsletters to alert you to changes affecting your business including sector specific updates
  • Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
For enterprise-wide or corporate enquiries, please contact our experienced Sales Professionals at +44 (0)203 868 7546 or [email protected]