Cloud computing in China: New rules will increase regulatory oversight

On 24 November 2016, China’s Ministry of Industry and Information Technology (MIIT) issued a draft “Notice on Regulating Cloud Computing Service Market Business Activities” (Draft Notice). The public consultation period is open for one month and closes on 24 December 2016. Cloud computing is receiving a great deal of attention within China’s information technology industry at present, and is a particular focus for businesses engaged in providing IT and telecom products and services in both the public and private sectors. However, at the moment provisions relating to cloud computing services are currently scattered among policy guidelines, technical regulation and industry standards. The purpose of the Draft Notice, therefore, is to enhance regulatory oversight and control over cloud computing services by imposing certain obligations on cloud computing service operators.

1. Internet Data Centre Value Added Telecom Services Permit (IDC VATS)

The Draft Notice clarifies that operators of cloud computing services which fall within “Internet-based resources collaboration services” must apply for and obtain an IDC VATS permit. Internet-based resources collaboration services is added as a sub-category of “Internet Data Centre” (IDC) services under the 2015 Telecom Services Catalogue. It covers the cloud computing technology and services that are based on data center facilities, that can be realized through the flexible deployment, sharing and collaboration of resources via the Internet.

It is well-known that cloud computing services are classified into three subcategories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). On a plain reading, it seems that the Draft Notice refers to IaaS and PaaS types of cloud computing services, which - based on the nature of the services - fall within the description of Internet-based resources collaboration service.

It is arguably the case that SaaS may fall within the same category. If the final Notice makes clear that operators of all sub-categories of cloud computing services must apply for an IDC VATS permit, this could be of significant concern to SaaS providers. This may be particularly so because:

• the application thresholds for IDC VATS permit are quite high; and
• it could be impractical for SaaS providers to meet the site, facility and experience requirements (given the nature of SaaS is that it provides non-physical delivery of software services).

2. Restrictions in Technical Cooperation

The Draft Notice puts strict restrictions on technical cooperation in cloud computing services where the operator’s partners do not have IDC VATS permits, such as the following:

• a cloud computing service operator:
  • and its partner(s) must report the proposed cooperation in writing to the telecom authorities;
  • is not permitted to lease, lend, or transfer any telecom permits in any way, and nor is it permitted to provide funds, sites, facilities and other assistance to partners who illegally operate cloud computing services in China;
  • shall not provide services under the a partner’s trademarks and brands or provide a partner with users’ personal data or network data illegally; and
• partners must not sign a service agreement with users directly.

These restrictions could have a potential impact on foreign investors because China has made no specific commitments to open up the IDC service market when it joined the WTO. As of today, only Hong Kong and Macau investors can apply for an IDC VATS permit (with a cap on foreign shareholding at 50%), and it has proved very difficult for foreign invested entities to obtain an IDC VATS permit.

The Draft Notice signposts the Chinese government’s intention to crack down on the practice of licence borrowing and any other behaviors that circumvent prescribed requirements. Foreign investors must therefore carefully consider the new requirements proposed by the Draft Notice in any technical cooperation with their Chinese IDC licence holders.

3. Technical and Industrial Requirements

The Draft Notice requires that cloud computing service platforms must be situated within the territory of China. When connected with an overseas network, the server of a cloud computing service must use MIIT-approved international network gateway channels (rather than a private network, virtual private network or other channels). The Draft Notice further requires that connection service providers of a cloud computing service, including network infrastructure facilities, bandwidth and IP address service providers, must all be licensed telecom services providers. Additionally, telecom service providers must not provide connection services to persons/entities who do not, in providing cloud computing services, have a corresponding VATS permit.

The issuance of the Draft Notice is a strong indication of the Chinese government’s desire to strengthen the regulation of cloud computing services following the promulgation of the Cyber Security Law. In particular when faced to the upcoming restrictions in technical cooperation, the IDC VATS license holders and their partners, especially the foreign partners, must carefully review of their practice in China to avoid being punished by authorities or being ordered to suspend operations.

Besides that, the foreign investors shall note that IDC VATS permit is not opened up to foreign invested enterprises except for the qualified Hong Kong and Macau invested joint ventures where 1) the Hong Kong and Macau investors shall qualify under the Closer Economic Partnership Arrangements between the Mainland and Hong Kong/Macau, 2) the cap on foreign investment is fixed at 50%, 3) the foreign investors shall obtain the Opinion on the Examination and Approval of Foreign Invested Telecom Enterprise Project from MIIT authorities prior to the application for IDC VATS permit.

Because the Draft Notice is fairly generic, subsequent amendments or interpretations could well be more practical following the further implementing rules of the Cyber Security Law. We will continue to keep close watch over such regulatory developments in China and will provide an update as developments occur.