Online services are deemed to be telecom business in China and subject to the strict regulation of the Ministry for Industry and Information Technology (“MIIT"). 

According to the Telecommunication Regulations/电信条例 (“Telecom Regulations"), telecom business is divided into (i) basic telecom business, and (ii) value-added telecom business. These two categories of telecom business are subject to different levels of scrutiny.

a) Basic telecom business refers to the provision of basic facilities of public networks, public data transmissions, and basic speech communications.  In practice, the basic telecom business is almost only open to 3 state-owned basic telecom carriers, i.e., China Mobile, China Telecom, and China Unicom. 

b) Value-added telecom (“VAT") business refers to the provision of telecom and information services by using the basic facilities of public networks.  According to Chinese government’s commitment of entering into WTO, foreign investors theoretically can invest in the VAT business through joint ventures (“JVs") with Chinese partners, as long as the foreign investors’ equity interest does not exceed 50%. However, in practice, it is very difficult to obtain government approval. 

According to the Telecom Regulations, a telecom operator must obtain a proper license for its telecom business.  The Classification Catalogue of Telecom Business/电信业务分类目录 (“Catalogue") further divides basic telecom  business and VAT business into different sub-categories, each requiring a corresponding license. 

One of the essential sub-categories of VAT business is called “Information Service". The information service provided through the Internet is called “Internet Information Service", which is usually referred to as Internet Content Provision (“ICP") service. This is a very broad category and covers a wide range of online services, such as instant messaging, app stores, search engines, online communities, and online anti-virus services, etc. An ICP license is required for the ICP service. 

In theory, a JV, of which foreign investors’ equity interest is no more than 50%, is allowed to obtain the ICP license. However, in practice, it is challenging.  According to a report issued by China Academy of Information and Communications Technology (“CAICT") in January 2019, only 49 Sino-foreign JVs have obtained the ICP license[2], including those investing through Closer Economic Partnership Arrangement (“CEPA") with Hong Kong and Macau. 

Depending on the features of online services, other VAT licenses under the Catalogue may also be required. Some examples are as follows:

a) The operation of e-commerce platforms requires the VAT license for online data processing and transaction processing/在线数据处理和交易处理;

b) The operation of cloud services require the VAT license for Internet resources collaboration service/互联网资源协作服务 (“IRCS"); and

c) The operation of the content distribution network (“CDN") requires the VAT license for CDN service.

There are some special opening-up policies under CEPA or in some special areas, e.g., Shanghai Free Trade Zone (“SHFTZ"). Two examples are as follows:

a) The IRCS license is not open to foreign investors. To date, there is only one exception： under CEPA, service providers from Hong Kong or Macau can set up JVs in China to provide IRCS service, provided that the percentage of equity interest owned by Hong Kong or Macau service providers does not exceed 50%.

b) In SHFTZ, a foreign investor can set up a wholly foreign-owned enterprise (“WFOE") to obtain the ICP license for app stores.   

The special opening-up policies are quite limited, and, in practice, it is also very difficult to obtain the VAT licenses under such special opening-up policies. To date, only one JV has successfully obtained the IRCS license under CEPA, and it appears no WFOE has successfully obtained the ICP license for app stores yet. 

In addition to the telecom licenses issued by MIIT, depending on the nature of the online services, other special licenses issued by different government agencies may be required as well.  Below are some examples:

Some of such licenses are not open to foreign investors at all. 

China enacts Cybersecurity Law (“CSL") for strengthening the regulation on cybersecurity. CSL was promulgated in November 2016 and took effect on June 1, 2017.

CSL only provides the framework and general principles regarding the protection of cybersecurity. More specific implementation measures are required to implement CSL. The Chinese government has released some implementation rules and national standards, but most of them are drafts only.  Many important implementation rules or national standards have yet to be finalized or released. 

CSL applies to all network operators in China. The scope of network operators is extensive. Any individuals or entities that own or manage the network or provide network services may be identified as network operators. Network operators can be further divided into (i) CII Operators (or “CIIOs") and (ii) Non-CII Operators (or “Non-CIIOs"). The network operators that are not CIIOs are all Non-CIIOs. 

CIIOs refer to network operators who operate CII, i.e., the critical network facilities that are related to the national economy and the people’s livelihood.  The scope of CII is very broad.  

Due to the significance of CII, CSL requires special measures for protecting CII. 

“Personal information" under CSL refers to all kinds of information that can determine the identity of an individual person independently or in combination with other information. Typical examples include an individual person’s name, date of birth, identification number, personal biometric information, residential address, and telephone number, etc.

CSL provides important principles for protecting personal information. The Personal Information Security Specification/个人信息安全规范 (“Specification"), a nationally recommended standard, provides more specific rules. Although the Specification is not mandatory, it is an important guideline in practice. Several other standards for personal information protection have also been drafted.

CSL and the Specification together provide important rules for protecting personal information, such as:

a) Informed Consent: Network operators must inform individuals of the purpose, method, and scope of the collection and the use of personal information, and obtain consent from individuals.

In addition, if the collected information is sensitive personal information[3], the consent must be express consent rather than implied consent.

b) Minimum Necessity: Network operators may only collect the personal information that is related to the services provided by the network operators, and must comply with the agreements with individuals.

c) Legitimate Collection: The personal information collected by network operators must come from legitimate channels. Sale or purchase of personal information is not allowed in China and may even trigger criminal liabilities. 

d) De-identification vs. Anonymization: “De-identification" refers to the technological processing of personal information that makes the person unidentifiable if no additional information is used. “Anonymization" refers to technological processing of personal information that makes the person unidentifiable, even if additional information is used. De-identification may reduce the risk, but the de-identified personal information is still personal information under CSL. Anonymized personal information is no longer deemed to be personal information under CSL, and hence exempted from the above protection measures under CSL and the Specification. 

According to CSL, important data[4] and personal information that is collected and created by the CIIOs in China must be stored within the territory of China, and if a CIIO needs to transfer the above data abroad, a security assessment must be conducted and approved by the Chinese government in advance.

The security assessment requirements under the CSL only apply to CIIOs, but the draft implementing rules of CSL subject Non-CIIOs to such requirements as well. According to the draft rules, both CIIOs and Non-CIIOs may organize a security assessment by themselves or retain a qualified third party to conduct the security assessment. Furthermore, the assessment result of a CIIO must be submitted to the government for approval, whereas the assessment result of a Non-CIIO does not need to be approved by the government. The Non-CIIO only needs to file the assessment result with the government under some special circumstances. In addition, CIIOs must have a local copy of personal information and important data even if it can pass the security assessment.  Non-CIIOs, if they can pass the security assessment, may directly transfer the personal information and important data abroad and do not need to maintain a local copy.

It is noteworthy that the draft rules have yet to be finalized and promulgated.  The general public, particularly the multinational companies, criticized the over-extensive coverage of these draft regulations. The Chinese government is also under pressure from governments of other countries to ease the burdens on cross-border transfer. There may be adjustments before finalization of these rules.

Operators of information systems must decide the level of security protection for their information systems and take corresponding protective measures in accordance with relevant rules. Such a mechanism is called “Multi-Level Protection System" (“MLPS"). 

Based on the levels of importance, China divides security protection of information systems into five levels ranging from MLPS Level 1 to MLPS Level 5. The higher the level of information systems is, the more important the information systems are for the national security, and the stricter the protective measures are required to be taken.

If a company’s network facilities are deemed to be CII, they typically will be subject to MLPS Level 3 protective measures and must pass the corresponding certification.

The MLPS had been in place for many years before CSL. MLPS rules before CSL are often referred to as “MLPS 1.0". CLS re-emphasized the importance of MLPS and the upgraded MLPS implementing rules under CSL are often called “MLPS 2.0". On May 10, the Chinese government released several national standards as a part of MLPS 2.0. More MLPS 2.0 rules have yet to be released.

According to related laws and regulations, a Chinese company must disclose its user information to different government agencies for criminal investigations or other investigations.

The Specification further stipulates that a company may share, transfer, disclose personal information without consent from an individual if it is directly related to a criminal investigation, prosecution, trial, and execution of judgment. 

The Telecom Regulations and many other related regulations provide that no entity or person is allowed to produce, reproduce, publish or disseminate information that is prohibited by laws or administrative regulations (“Prohibited Content").

The State Council authorizes CAC to administrate and censor the content published online. In addition, several other government agencies are empowered to monitor online contents as well.

If a foreign-invested enterprise wishes to deploy servers in China to provide online services, its services provided in China typically will be required to be isolated from its offshore services and for China only. 

There are several options to enter into the Chinese market. However, none of them is perfect, and each has its pros and cons. 

Different online services require different licenses in China, and different investors may have different strategies and tolerance level for their investment. A strategy suitable for one company may not be a good choice for another. Furthermore, the regulatory environment for online services in China is constantly evolving. To ensure a successful investment, foreign investors may want to consult professionals and plan carefully before entering into the Chinese market. 

【注] 

[1] http://www.cac.gov.cn/2019-02/28/c_1124175677.htm

[2]http://m.caict.ac.cn/yjcg/201901/P020190104477132355599.pdf

[3]Pursuant to the Specification, “sensitive personal information" refers to the portion of personal information that is more sensitive. If any of such information is leaked, illegitimately provided, or misused, it may endanger an individual or his/her property, harm the individual’s reputation and mental or physical health, or lead to discriminatory treatment. The Specification lists some typical sensitive personal information as examples. We would be happy to elaborate, if necessary. 

[4] “Important Data" refer to the data that is closely related to national security, economic development and public interests. Its scope has been finalized yet, which, according to a draft national standard, is very wide. The data relating to many sensitive industries are likely to be identified as important data.