Background: After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC Cybersecurity Law intends to combat online fraud and protect China against Internet security risks. In short, it imposes new security and data protection obligations on "network operators"; puts restrictions on transfers of data outside China by "key information infrastructure operators"; and introduces new restrictions on critical network and cybersecurity products.
Following hot on the heels of the recently-enacted Cybersecurity Law, the Chinese Government has published a draft of sweeping rules to regulate the delivery of cloud services.
In addition to impacting Chinese cloud service providers, these changes could alter the ability of international cloud providers to offer cloud services in the rapidly expanding Chinese market.
Perhaps of most significance are the knock-on consequences this may have for non-Chinese-owned businesses that currently have any of their systems hosted by cloud service providers in China. Over the past few years, many non-Chinese businesses operating in China have been driven to use hosted service arrangements as a result of the wave of data localization laws, online censorship restrictions and the need for mandatory telecoms and internet-based licenses which can only be held by Chinese-owned companies.
Currently, there are foreign ownership restrictions on cloud services in the PRC (People's Republic of China). However, foreign operators have managed these by creating partnering arrangements with local licensed Chinese cloud service providers. The message appears to be that these arrangements may no longer be tolerated by the PRC authorities, meaning that non-Chinese cloud providers may need to be restructured, closed down, or migrated onto local partner-owned infrastructure.
For businesses that rely on cloud solutions to operate in China, there is a risk that these services could be adversely impacted by the new regulations. It is worth checking your service contracts to see what level of business continuity assurances you have in place. Unless they have been negotiated, cloud service contracts are notoriously vendor-biased, so you may find that your current service provider has a right to simply terminate your contract if regulatory change in China means they are unable to deliver your service.
The proposed changes to the current regulatory regime are contained in the draft "Circular on Regulating Cloud Service Market Business Activities" issued by the Ministry of Industry and Information Technology (MIIT) for public consultation. The consultation on the Draft Circular closes on 24 December 2016.
Which services will be regulated? Platform-as-a-Service and Infrastructure-as-a-Service appear to be caught; however, the position on Software-as-a-Service remains somewhat unclear.
- IDC Licence Required: In-scope cloud services are now clearly designated as data center services, which require an Internet Data Centre Value Added Telecom Service license (IDC VATS).
- Locals Only License Regime: IDC VATS licenses are unavailable to foreign companies.
- Partnering Restrictions: Cloud service providers will be subject to strict restrictions on technical co-operation on cloud services with partners who do not themselves have a relevant license. This will require partner arrangements to be notified to MIIT and the foreign company's role will be limited to supporting the local cloud service provider.
- Supervision: Cloud Service Providers will be required to "supervise" users of the services.
- Operational and technical requirements: Cloud service platforms must be located in China and connection to overseas networks can only be made via MIIT-approved international Internet gateways.
- Data protection/security requirements: Data protection policies, rules and management systems must be established and maintained to ensure data security.
The draft rules suggest the creation of a further regulatory barrier to foreign cloud operators, and potentially a significant boost to local companies offering these services. This aligns with a number of recent regulatory developments which appear to support the development of home-grown technologies and local control over the delivery of IT, internet and data center-related services. Such a development will fundamentally alter the business operations of cloud service providers, and we expect it will radically alter the options available to all businesses that rely on third parties to host their systems in China.
Scott Thiel is Partner, and Carolyn Bigg is Of Counsel at global law firm DLA Piper