Weathering China’s Cloud Computing Regulations

By Dezan Shira & Associates

Last summer, Chinese tech giants Tencent and Alibaba announced investments into cloud computing services worth US$1.57 billion and US$1 billion, respectively. In 2014, cloud computing sales accounted for only five percent of China’s total IT market compared to 11 percent globally, but Bains predicts this number will increase to 20 percent by 2020. 

Despite the positive outlook for cloud computing, China’s complex and restrictive regulations governing data and internet services make entering the rapidly expanding market a complicated process.

Regulatory requirements

Telecommunications services and business requirements

After entering the World Trade Organization (WTO) in 2001, China pledged to gradually open the country’s borders to seven value-added telecommunications services, including foreign email and voicemail. Content-related commitments to these services are outlined in China’s “Telecommunications Directory 2015 Edition” as follows:

[Image: cloud computing chart]

Foreign-invested companies are permitted to establish Sino-foreign joint ventures and apply for professional certification. However, foreign investment in internet data centers (IDCs) and internet service providers (ISPs) remains prohibited. Notably, the Shanghai Free Trade Zone’s negative list expressly forbids foreign investment in IDCs, but the national Free Trade Zone negative list does not contain this restriction. However, the Closer Economic Partnership Agreement (CEPA) previously opened the IDC sector to investment originating from Hong Kong and Macau, so this should not be seen as a sign that IDCs are open to foreign investment from outside Hong Kong and Macau.

Foreign investment ratio requirements for telecoms

Foreign investment in telecommunications services in China must be in the form of a joint venture with a commercial presence. The following foreign investment proportion stipulations require special attention:

(1) According to the 2015 edition of the Guiding Catalogue of Foreign Investment, the proportion of foreign investment permitted in value-added telecom services may not exceed 50 percent, with the exception of e-commerce, which can be 100 percent. Those involved in basic telecoms may not exceed 49 percent.

(2) Foreign ownership restrictions for value-added telecommunications services in the Shanghai Free Trade Area have been further liberalized. For example, businesses engaging in information services are allowed 50 percent foreign ownership, and up to 100 percent for mobile apps. The proportion of foreign investment in internet access services may exceed 50 percent.

The impact of cloud computing data supervision on foreign-invested companies

China’s policies for data supervision prohibit data from being removed from the territory of the People’s Republic of China

In recent years, China’s laws and policies directed at data security and user identity have been gradually implemented and strengthened. Data removal measures are evident in many laws and regulations. Below is a summary of the main points:

(1) Personal credit information: Sorting, storing, and processing information collected by credit institutions in China should be carried out in China.

(2) Personal financial information: Storage, management, and analysis of personal financial information collected in China must be carried out within China. Banking and financial organizations must not provide countries outside China with personal financial information, unless otherwise stated by rules and regulations.

(3) Population health information should not be stored, entrusted, or leased to overseas servers.

(4) Map data should be stored in servers within the People’s Republic of China.

(5) Governmental information: Data centers and cloud services that serve governmental organizations must be located in China.

(6) Accounting information: Accounting system information server deployment must comply with relevant state provisions. Data centers outside China must keep a monthly backup of accounting data. Accounting information involving state secrets or national economic security must not be taken, transported, or transferred overseas without the approval of the competent authorities.

(7) Human genetic resource information: Unless otherwise stated by laws and regulations, under special situations where it is imperative that genetic information is temporarily required to be supplied to an outside entity, companies must fill out a human genetic resources information export declaration form and other required documents for the examination department. Once approval is obtained by the China human genetic resource department of the local authority or State Council, an export certificate will be issued.

(8) A series of documents on standardization proposed that cloud service providers must ensure their server centers are located in China and fulfill the technology requirements of Chinese law.

In June 2015, the Network Security Act (draft) was made public. The act states that key information infrastructure operators should store the personal information of Chinese citizens within the country. Those who need to store information overseas will be evaluated in accordance with safety regulations. This legislation also reflects the policy that personal data cannot leave the country.

Maintain a data interface

Apart from the above-mentioned policy, the Anti-Terrorism Act, passed this January, states that telecommunications operators and internet service providers must provide a technical interface and other decryption support that public security organs and state security agencies can use to investigate terrorist activities. Mandatory national standards also require internet service providers to provide safety organizations with a compliant technical interface and to ensure the timely and effective delivery of relevant evidence. Maintaining a data interface does not necessarily mean that relevant authorities are permitted to freely access data without any procedure, but these regulations may increase worries for foreign investors.

Key takeaways

Foreign-invested cloud computing businesses operating in China need to be aware of the restrictions on data governance and other related issues. Even if they are in a joint venture with a domestic enterprise, foreign investors should consider the legal compliance of their cooperation agreement, including qualification compliance, data storage restrictions, and other regulatory policies, in addition to business management cooperation, framework management, access to income and transfer, customer services, and other management issues.

Investing in internet and information-related businesses in China is a complicated exercise owing to the government’s stringent security measures and active supervision. Regulatory compliance is particularly important in this sector, as foreign investors face heightened scrutiny and risk drawing the ire of the government. The potential of the market makes navigating these issues worthwhile, however, as Chinese businesses and consumers are increasingly willing to invest in internet services that improve convenience and optimize performance.


About the Author

Asia Briefing Ltd. is a subsidiary of Dezan Shira & Associates. Dezan Shira is a specialist foreign direct investment practice, providing corporate establishment, business advisory, tax advisory and compliance, accounting, payroll, due diligence and financial review services to multinationals investing in China, Hong Kong, India, Vietnam, Singapore and the rest of ASEAN. For further information, please email [email protected] or visit www.dezshira.com.
