This country-specific Q&A provides an overview of the technology laws and regulations that may apply in China.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the technology market.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
In China, communications networks and services are highly regulated. According to the Telecommunication Regulation, the state divides all telecommunications services into two categories, i.e. Basic Telecommunications Services (BTS) and Value-Added Telecommunications Services (VATS). BTS essentially refers to the provision of infrastructure facilities and basic voice and data transmissions, both domestically and internationally. VATS refers to the provision of specialised services via the basic infrastructure facilities. China adopts a strict licensing system for the telecoms industry. Telecoms operators are required to obtain a licence to engage in either BTS or VATS. The VATS licence further includes the licences for Internet Content Provider (ICP), Internet Service Provider (ISP), Call Centre, Internet Data Centre (IDC), etc.
Regarding communications networks, the construction of public telecommunications networks and dedicated telecommunications networks is planned and regulated by the Ministry of Industry and Information Technology (MIIT).
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The main regulators for the provision of communication-related services are MIIT and the Cyberspace Administration of China (CAC). MIIT is in charge of licensing for and administration of both BTS and VATS, while CAC’s functions cover implementing the internet information communication policies, promoting the legislation in internet information communication, instructing relevant departments to enhance the management of internet information content, approving and supervising network news services, and planning the construction of critical news websites. Both MIIT and CAC are directly led by the State Council.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
Foreign-funded telecoms operators are allowed to engage in BTS and VATS in China through a Sino-foreign equity joint venture which is domiciled in China. According to the Provisions on the Administration of Foreign-fund Telecommunications Enterprises (2016 Revision), the foreign investment in a foreign-funded telecom enterprise which is engaged in BTS (exclusive of radio paging services) shall not be more than 49%; the foreign investment in a foreign-funded telecom enterprise which is engaged in VATS (including radio paging business in BTS) shall not be more than 50%. Further, to fulfil China’s commitments to the WTO and to open up China’s telecoms industry, in 2015, the MIIT issued the Circular for Lifting Restrictions on the Foreign Equity Ratio for Online Data Processing and Transaction Processing Business to allow foreign investors to hold up to 100% equity interest in e-commerce operations nationwide in China. Under the Opinions of MIIT and the Shanghai Municipal Government on Further Opening Up the Value-added Telecommunications Services in China, for app stores business, storage-forwarding business, call center services, domestic multiparty communications services and internet access services (providing access services for internet users), the foreign investment in Shanghai Free Trade Zone may be up to 100%; for domestic internet virtual private network (VPN) business, the foreign investment is subject to a 50% cap.
In addition, according to the Announcement of MIIT on Issues concerning the Provision of Telecommunication Services Provided by Hong Kong and Macau Service Providers in the Mainland, Hong Kong and Macau service providers may establish joint ventures or wholly owned enterprises to provide VATS such as online data processing and transaction processing service (limited to e-commerce), domestic multi-party communications service, storage-forwarding service, call center service, internet access service (providing access services for internet users) and information service business (limited to application stores), and the proportion of Hong Kong-owned and Macau-owned equity is not limited. Further, Hong Kong and Macau service providers may establish joint ventures to provide the following VATS, but the proportion of Hong Kong-owned and Macau-owned equity shall not exceed 50%: online data processing and transaction processing service (excluding e-commerce); domestic VPN service; internet data center service; internet access service (exclusive of providing access services for internet users); and information service (excluding application stores).
Some sectors of internet-related services are not open to foreign investment. In the negative list of the Catalogue for the Guidance of Foreign Investment Industries (2017 Revision), foreign investment is prohibited from engaging in internet news information services, network publication services, network video and audio programs services, internet culture operations (exclusive of music) and internet public information distribution services.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
Chapter 3 of the Telecommunications Regulations (2016 Revision) and the Provisions on the Management of Interconnection between Public Telecommunication Networks (2014 Revision) are the major regulations governing the interconnection between operators. China applies an ‘asymmetric regulation’ management mode to dominant telecommunication operators and non-dominant operators. In line with the Telecommunications Regulations, the Provisions on the Management of Interconnection between Public Telecommunication Networks specifically provide obligations for dominant operators in order to facilitate non-dominant operators in the interconnection. For example, the dominant operator shall provide the non-dominant operator with the information on network functions and equipment allocations which are related to the interconnection, shall facilitate the non-dominant operator's use of its facilities, and shall not attach any unreasonable conditions.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Telecommunication Regulation (2016 Revision) is the principal consumer protection regulation for telecoms services. Chapter 3 of the regulation provides standards for providing telecommunication services. Users of telecommunication services referred to in the regulation may include both individual consumers and enterprises.
What legal protections are offered in relation to the creators of computer software?
The Copyright Law and the Regulations on Computer Software Protection (2013) provide the main protection for software creators. The copyright rights of software creators include the rights of publication, indicating authorship, alteration, reproduction, distribution, rental, communication through information network and translation. Software creators may transfer and/or license the software and receive remuneration. Under the patent law, software creators may patent the algorithms or other protectable subject matters of the software that they invent.
Do you recognise specific intellectual property rights in respect of data/databases?
According to the General Rules of Civil Law, data may be protected in accordance with special laws or regulations. However, under the current legal framework, data is only protected by the Anti-unfair Competition Law as a trade secret if it is a qualified subject matter, where the data 1) possesses secrecy, 2) derives economic value, and 3) has utility and is kept secret by its owners through taking certain measures. The database, as a whole, may be protected by copyright as a compilation if the selection or arrangement of the content elements is original.
What key protections exist for personal data?
‘Personal data’ or ‘personal information’ under the Cyber Security Law refers to various types of information that can be used separately or in combination with other information to identify a natural person, including but not limited to name, date of birth, identity certificate number, genetic information, address and telephone numbers. According to the Cyber Security Law, when network operators collect personal information, they shall follow the principles of legitimacy, rightfulness and necessity, disclose their rules of collecting and using the information, specify the purpose, ways and scope of collecting and using the information, and obtain consent from the information subjects. Network operators shall not divulge, tamper with or damage the personal information they have collected, and shall not provide the personal information to others without the consent of the information subjects.
The Guidelines for the Protection of Personal Information (GB/Z 28828-2012) divide personal information into personal general information and personal sensitive information. Personal sensitive information means the information which, once exposed or modified, will have an adverse impact on the information subject. For personal sensitive information, express consent from the information subject is required before the information is collected.
Further, Article 253 of the Criminal Law and its 9th amendment define the criminality of selling or providing citizens' personal information where the circumstances are serious. To give more guidance on applying the criminal law, the Interpretations of the Supreme Court and the Supreme Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Invading Personal Information further specify the criminality stipulated in Article 253.
Are there restrictions on the transfer of personal data overseas?
The Cyber Security Law introduces the rule of data localization for operators of ‘Critical Information Infrastructure’ (CII). Personal information and important data which are collected and generated by operators of CII in the course of operating their business in China should be stored in China. CII means the infrastructures used for public communications, information service, energy, transport, water conservancy, finance, public services, e-government affairs and other important industries and fields, and other infrastructures that, once they are destroyed or any loss of function or data leakage occurs, will result in serious damage to national security, the national economy, people's livelihood and public interests. Where there is a business necessity and the entity needs to transfer the personal information and important data overseas, it should conduct a security assessment process.
In April 2017, the CAC issued the Measures on Security Assessments for Personal Information and Important Data to be Transmitted Abroad (Draft for Comments) (“First Draft of Measures”). As one of the important supporting regulations associated with the Cyber Security Law, the First Draft of Measures specifies the personal information and important data export security assessment requirements found in the Cyber Security Law. Following the First Draft of Measures, CAC disclosed a second draft of Measures on Security Assessments for Personal Information and Important Data to be Transmitted Abroad (“Second Draft of Measures”) in May, which modified the First Draft of Measures in some aspects.
Pursuant to Article 2 of the Second Draft of Measures, when a network operator provides overseas parties with personal information and important data gathered and produced during operations within the territory of the P.R.C (Cross-border Data Transfer), it shall conduct a security assessment in accordance with the Measures. This implies that not only operators of CII, but all network operators should conduct the security assessment if they transfer personal data overseas. However, as addressed, both the First Draft and the Second Draft of Measures, though they conflict in the above aspect, are still draft versions, and the formal version has not been issued yet.
In addition, the Guidelines for the Security Assessment of Data Cross-border Transfer, which is also still a draft version, provides further guidance on how the security assessment might be carried out.
What is the maximum fine that can be applied for breach of data protection laws?
According to Article 42 of the Cyber Security Law, network operators shall not divulge, tamper with or damage the personal information they have collected, and shall not provide the personal information to others without the consent of the information subjects. Any network operator violating Article 42 of the Cyber Security Law shall be fined no less than one time but no more than ten times the illegal gains; where there is no illegal gain, the fine may be up to RMB 1,000,000.
Are there any restrictions applicable to cloud-based services?
Key restrictions applicable to cloud-based services providers are the rules in telecommunication laws and cyber security laws. Cloud-based services, as a type of VATS, are categorized under Internet Digital Center (IDC) and subcategorized as Internet Resource Collaboration Service (IRCS) in the Catalogue of Telecommunications Business (2015 Revision). To engage in cloud-based services, entities should obtain an IRCS license from MIIT. Qualified cloud-based service providers shall meet the requirements on operation funding, professional personnel, reputation and capability, registered capital, etc. according to the Administrative Measures for the Licensing of Telecommunication Business Operations (2017 Revision). Cloud-based services are not open to foreign investors, except that a Hong Kong or Macao service provider may secure the IDC/IRCS license through joint ventures in accordance with CEPA.
Pursuant to the Cyber Security Law, cloud-based services providers shall duly perform their duties to protect network security. If the facilities used in providing cloud-based services are categorized as CII, the personal information collected and generated by cloud-based services providers in the course of operating their business in China may have to be stored in China, and a security assessment has to be carried out if the personal information needs to be transferred abroad.
Are there specific requirements for the validity of an electronic signature?
Pursuant to the Electronic Signature Law, ‘electronic signature’ refers to the data in electronic form contained in and attached to a data message, used for identifying the signatory and showing that the signatory has recognized the content of the data message. A reliable electronic signature has equal legal force with a hand-written signature or a seal. An electronic signature is reliable when it concurrently meets the following conditions:
- When the creation data of the electronic signature is used for the electronic signature, it is exclusively owned by the electronic signatory.
- When the electronic signature is entered, the creation data is controlled solely by the electronic signatory.
- After the electronic signature is entered, any alteration to the electronic signature is detectable.
- After the electronic signature is entered, any alteration to the content and the form of the data message is detectable.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
In practice, we include provisions in IT outsourcing contracts if any employees, assets or third party contracts need to be transferred to the outsourcing supplier. Otherwise, there is little room to argue these things have been automatically transferred to the outsourcing supplier.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Under the current law, AI developers and operators may be liable for malfunctions of an early form of AI. We consider that an early form of AI is, by nature, more like a machine under substantial human control than one under little human control. When AI malfunctions, the AI operator may be liable in the first place and the AI user may seek liquidated damages and other remedies based on the user contract, while the AI developer may be liable eventually if the AI developer breaches the AI development contract, resulting in the AI malfunction. According to the Consumer Protection Law, when the AI user’s legitimate interests are infringed due to the AI’s malfunction, the AI user may claim compensation from the AI operator and the AI operator may then claim compensation from the AI developer if the developer should be blamed for the malfunction. Where the AI user suffers personal injuries or property damage due to a defect of the AI, in accordance with the Tort Liability Law, the user may seek damages from either the AI operator or the developer in the first place, and the AI operator or the developer may be liable entirely or proportionally according to their fault in the AI malfunction.
What key laws exist in terms of obligations as to the maintenance of cyber security?
The Regulations of the Security Protection of Computer Information Systems and the Cyber Security Law are the key laws stipulating obligations in maintaining cyber security. Obligations in the Regulations of the Security Protection of Computer Information Systems include, for example, that no organization or individual shall endanger the security of computer information systems, and that any organization using computer information systems shall establish a security management system and be responsible for the security of its computer information systems.
‘Cyber security’ in the Cyber Security Law includes network operating security and network information security. To maintain network operating security, the law introduces obligations for network operators and operators of CII. Key obligations of network operators include that network operators shall formulate internal security management systems and operating instructions and determine the persons responsible for cyber security; take technical measures to prevent computer viruses, network attacks and network intrusions; take technical measures to monitor and record the network operation status and cyber security incidents and preserve relevant web logs for no less than six months according to the provisions; and so on. In addition to the above obligations, operators of CII shall set up independent security management institutions and designate persons responsible for the security management; make disaster recovery backups of important systems and databases; formulate contingency plans for cyber security incidents and carry out drills periodically; and so on.
To protect network information security, Article 41 of the Cyber Security Law introduces obligations for network operators in collecting, using and providing personal information to others. Network operators shall follow the principles of legitimacy, rightfulness and necessity, disclose their rules of collecting and using the information, express the purpose, ways and scope of collecting and using the information, and obtain consent from the information subjects. Network operators shall not provide the personal information to any third parties without the consent of the information subject.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Criminal Law prohibits hacking into or launching DDOS attacks on computer systems. Specifically, Article 286 of the Criminal Law describes the criminality of the following acts:
- deleting, altering, adding or jamming the functions of the computer information system, making the system impossible to operate normally and causing serious consequences;
- deleting, altering, or adding the data stored in or handled or transmitted by the computer information system or any of its application program, causing serious consequences;
- intentionally creating or spreading destructive programs such as computer viruses, thus affecting the normal operation of the computer system and causing serious consequences.
Further, Article 285 of the Criminal Law describes the criminality of invading the computer information systems of state affairs, national defence construction or sophisticated science and technology. Any person who invades other computer information systems and obtains the data stored in, handled or transmitted by the computer system, or illegally controls that computer information system, where the circumstances are serious, may also be sentenced.
What technology development will create the most legal change in your jurisdiction?
Big data, cloud computing, internet of things (IoT) and AI may create the most legal changes in China. These new technologies all involve the processing and storage of huge amounts of data, and will eventually lead to the same legal issues in the protection of personal information and privacy, data and network security, as well as the security examination in cross-border data transfer. Another legal change brought by AI could be legislation specifically for apportioning liabilities when AI malfunctions or infringes others’ legitimate rights.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
No information indicates that any specific law or legal provision in China creates an obvious impediment to economic development.
Do you believe your legal system specifically encourages or hinders digital services?
Tensions exist among different laws which protect various interests, such as social welfare, freedom of contract, privacy and consumer benefits. As a national strategy, the state encourages the development of the internet and digital service industry, which is called Internet Plus. In the past few years, the industry policies and laws favoured enterprises developing their business in this field. On the other hand, lawmakers nevertheless show concerns that new models of digital services may jeopardize national security and invade the privacy of individuals. It was not until recently that the legislature and the government intensively issued new laws, for example the Cyber Security Law, to emphasize the importance of protecting national security and data security and to provide clear instructions on how network operators and operators of CII should behave in securing these interests. Further, virtual currency and the services provided for the exchange of virtual currency are illegal in China because they may bring financial risks as recognized by the lawmaker.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
To some extent, legal issues arising from AI may be solved under the current legal regimes. The Consumer Rights Protection Law provides rules for protecting AI users if the AI product/service has a defect and the user thus suffers loss from the defect. The Tort Liability Law and the Contract Law are also used in cases where the AI infringes anyone’s legitimate interests. Further, data collection and machine learning are the core of AI technology. The Cybersecurity Law and the privacy law give instructions on how AI should collect, process, use and transfer information in relation to national security and privacy. However, China is not fully prepared to deal with ethical issues arising from AI. There is no integrated law defining the rights and obligations of AI developers, AI operators and AI users. Lastly, the current IP law does not define the ownership of IP created by AI.