When concluding an insurance contract, the insurance applicant has a duty of disclosure. The applicant is not obliged to disclose information unless the insurer enquires.

The insurer’s remedy for breach of this duty varies. The insurer can either:

  • Rescind the contract and keep the premium. The availability of this remedy depends on the degree of connection between the loss and the intention of the policyholder. If the policyholder deliberately breached this duty, then the insurer can avoid the policy, refuse all claims, and keep the premium.
  • Rescind the contract but return the premium. If the policyholder was merely negligent in breaching the duty, the insurer can avoid the contract but must return the premium.

The insurer has no right to rescind the contract if it underwrote the contract fully aware that the applicant had not provided honest answers.

Also, the right of an insurer to rescind a contract is extinguished if it is not exercised within 30 days from the date the insurer discovers the non-disclosure. Moreover, there is a two-year limitation period from the conclusion of the contract. After this expires, the insurer cannot take any action to avoid the policy.

What is insurance non-disclosure under Chinese law?

To control for adverse risks, the insurance industry is strictly regulated. In turn, insurance policies allocate risk in society. However, the conclusion of an insurance policy involves its own risks; risk of non-disclosure by one of the parties being foremost among them.

In light of its tremendous growth, it is easy to forget that insurance remains comparatively new in China. The first law on insurance, the Insurance Act (1995, the “Insurance Act”) was enacted in 1995 and then amended in 2002, 2009, and 2015.

Typically, non-disclosure arises out of the insured’s failure to disclose material information to the insurer. This is the basis for the doctrine of utmost good faith in the duty to disclose.

The rules governing the insured’s duty to disclose, misrepresentation, and remedies, are laid out in Article 16 of the Insurance Act.

The duty to disclose is found in paragraphs 16(1–2), together with the corresponding remedy of rescission for failing in this duty. Importantly, this duty only extends to non-disclosures or misrepresentations which go to the heart of the policy; in other words, which “affect the insurer’s decision on whether to underwrite the insurance or raise the insurance premium”:

Article 16

(1) Where the insurer makes any inquiry about the subject matter insured or about the insurant when entering into an insurance contract, the insurance applicant shall tell the truth.

(2) The insurance applicant fails to perform the obligation of telling the truth as prescribed in the preceding paragraph intentionally or for gross negligence, which is enough to affect the insurer’s decision on whether to underwrite the insurance or raise the insurance premium, and thus the insurer shall have the right to rescind the contract.

Per paragraph 16(3), there are strict time limits on the insurer exercising a right of rescission. The insurer’s right of rescission expires after 30 days of discovering the non-disclosure or misrepresentation. Moreover, there are no grounds for rescission two years after conclusion of the contract:

(3) The right to rescind as stated in the preceding paragraph shall be extinguished if not exercised within 30 days of the time the insurer knows of the cause for rescission. Once two years have elapsed after the contract is entered into, the contract may not be rescinded even if cause for rescission exists; where an insured incident occurs, the insurer shall be liable for paying indemnity or insurance benefit.

Paragraphs 16(4–5) describe intentional and grossly negligent misrepresentations in further detail, and treat the former more seriously than the latter. They both provide that the insurer shall not be liable for paying indemnity or insurance money for an insured incident that occurs before the contract is rescinded. The major difference is that whereas intentionally failing to tell the truth causes the insured to lose both benefits and premium, gross negligence will cause the insured to lose benefits but obtain a refund of the policy premium:

(4) Where the insurance applicant intentionally fails to perform the obligation of telling the truth, the insurer shall not be liable for paying indemnity or insurance money for an insured incident that occurs before the contract is rescinded, and shall not refund the insurance premium.

(5) Where an assured in gross negligence fails to make truthful disclosure so as to contribute materially to the occurrence of an insured event, the insurer shall not be liable for paying indemnity or insurance money for an insured incident which occurs before the contract is rescinded, but shall refund the insurance premium.

Under paragraph 16(6), the insurer has no right of rescission when it agrees to the policy despite knowing that the insured is not telling the truth:

(6) Where the insurer knowing the truth which the insurance applicant fails to tell enters into an insurance contract with the insurance applicant, the insurer, shall not rescind the contract and, if an insured incident occurs, shall be liable for paying indemnity or insurance money.

Finally, there is also a relevant portion of the Maritime Code of China, which addresses disclosure to a similar degree as the Insurance Act. Specifically, under Article 222,

[B]efore the contract is concluded, the insured shall disclose to the insurer material circumstances which the insured has knowledge of or ought to have knowledge of in his ordinary business practice and which would influence the insurer in deciding the premium or whether he agrees to insure or not.

Thus, while a Chinese insurer may rescind a policy for intentional or grossly negligent non-disclosure, it may not rescind for innocent or minor non-disclosures. While negligent non-disclosure (instead of grossly negligent or intentional non-disclosure) may entitle the insurer to other contractual remedies, this does not include rescission. That said, under Chinese law there are currently no legal definitions for the terms “intentional” or “gross negligence”, leading to judicial uncertainty. Even where policies contain definitions of “intentional” or “gross negligence”, gross negligence is difficult to distinguish from negligence in many circumstances.

Note that not all non-disclosure by the insured will entitle the insurer to the right of rescission. Non-disclosure which does not go to the heart of the agreement does not entitle a contractual party to rescission. According to some authors, there is a legal basis for this in the Interpretation of the Supreme People’s Court on Several Issues pertaining to Application of the Insurance Law of the People’s Republic of China (II) (the “SPC Interpretation II”). Under Article 6, the SPC Interpretation II limits the insured’s duty to disclose to the insurer’s scope of inquiry (投保人的告知义务限于保险人询问的范围和内容), and furthermore puts the burden of proof on the insurer when a dispute over the scope or content of the enquiry arises. Another author posits that “if the insurer is not asking about important facts, the insured does not breach the duty even by concealing or misrepresenting.” On the latter opinion, there is disagreement in Chinese academia.

Thus while facts which involve assessing the underwritten risks are considered material, if the insurer asks about unimportant or irrelevant facts, the insured does not open the policy to rescission by concealing or misrepresenting such facts. Accordingly, the insurer’s inquiry should be limited to material facts and the insurer should not expect a right of rescission after discovering misrepresentation or concealment of facts which had little or no bearing on the conclusion of the policy.

Nevertheless, to avoid rescission, certain facts must be proactively disclosed by the applicant even absent a question from the insurer. While the Insurance Act itself does not address this, interpretive guidance was made available in the 2006 Reply on Issues Related to Insurance Contract Disputes (the “Reply on Insurance Contract Disputes”). Originally, under the Reply on Insurance Contract Disputes, when the insured “knows or should know of certain material matters upon which insurability may turn, and said matters affect the insurer’s decision on underwriting or pricing the premium, then even if the insurer has not made a clear inquiry, the insured must inform the insurer of said information.” That said, this was limited to only information which the insured knows (rather than should know) in Article 5 of the SPC Interpretation II, which specifically classifies information that the policyholder knows of (投保人明知的与保险标的或者被保险人有关的情况) as facts to be declared under paragraph 16(1) of the Insurance Act. Since the duty to disclose said facts falls under Article 16, the insured’s failure to disclose them will also entitle the insurer to the right of rescission.

The duty to proactively disclose facts therefore turns on two elements. First, the fact must be material. Second, the fact affects the insurer’s decision on underwriting or pricing the policy’s premium.

How then to decide which facts are material or immaterial? Somewhat confusingly, this appears to be a partially redundant enquiry between both the first and second elements. A material fact is one “[which] is enough to affect the insurer’s decision on whether to underwrite the insurance or raise the insurance premium.” Whether the standard used for “affect the insurer’s decision” is a subjective or objective one remains an unsettled question under Chinese law. That said, judges from many courts have adopted the “objective standard” of the prudent insurer, rather than place themselves in the shoes of the insurance provider at issue.

Since the first element of the test, on materiality, requires answering the second element of the test, on “affect[ing] the insurer’s decision”, the second element in practice turns on causation. In other words, after establishing that a fact [1] was material (because it would have affected a prudent insurer’s decision), the judge must then be satisfied that [2] the failure to disclose the fact did, in fact, affect the insurer’s decision on underwriting or pricing the policy. If both first and second elements are satisfied, then the insured will be found to have failed in their duty to proactively disclose the fact at issue.

Note that PRC law does not distinguish between sophisticated insurance applicants and individual insurance applicants, or between “business insurance” and “consumer insurance” applicants. Accordingly, the above rules on misrepresentation apply both to natural persons and legal persons applying for insurance. Note however that other specific rules apply when an insurance brokerage is involved in the policy’s negotiation.

What changes does the new Civil Code bring to insurance misrepresentation?

China’s new Civil Code brings very few additions to China’s insurance law regime. In fact, there are only a few articles related to insurance at all. These include, under the section on tort liabilities, a few clauses on compulsory automobile liability insurance (in connection with the Traffic Accident Social Assistance Fund). This is in order to ensure policies are in place to provide compensation to insureds and the third-party victims of traffic accidents. See Civil Code of the People’s Republic of China, arts 1213, 1215–1216. There are also passing references to insurance in the book on real property rights, art 390, on security interests, and art 461, on rights to insurance indemnities when in possession of another’s property, in addition to the book on contracts, which features art 909 on warehousing.

Nevertheless it is important to note that the Civil Code repealed the PRC Contract Law. As a result, Part III (Contracts) of the Civil Code is now the general law applicable to all contracts, including insurance agreements.

 


Michael Gu / Grace Wu / Vivian Wang [1]

Introduction

The year 2020 was an unusual year. The outbreak of the COVID-19 pandemic and continued international trade tensions posed challenges to China’s antitrust law enforcement authority, the State Administration for Market Regulation (SAMR). In particular, the SAMR was tested on its ability to address the impacts of the crisis and to respond rapidly to new circumstances in the Chinese market. Despite the challenges, the SAMR remained prudent in conducting merger control review and even concluded more merger cases than in 2019. In fact, the SAMR’s review process became more efficient in 2020. On average, compared with 2019, it took less time to conclude a merger case review, especially for simple cases and normal cases with less competition impact. According to the SAMR’s working report for 2020 [2], the SAMR accepted filings of 481 cases and concluded the review of 473 cases. The figures represent an increase of 5% for accepted merger filings and 1.7% for concluded merger cases from 2019. The average time for case filing and conclusion fell by 27% and 14.5%, respectively.

As to conditionally-approved cases, the number is relatively stable in 2020 (four cases) compared with the previous year (five cases). Four cases were approved with behavioural conditions. Two of the four conditionally-approved cases in 2020 were withdrawn and resubmitted before the expiry of the first statutory merger review period (i.e., 180 days). This shows that the SAMR is still prudent in reviewing mega mergers which may raise competition concerns. Withdrawal of the filing also provides notifying parties with flexibility and sufficient time to communicate with the SAMR. From the first submission of filing materials to the case being conditionally concluded, the review process for the four cases above lasted for a minimum of 238 days [3], a maximum of 358 days [4], and an average of 291 days. There was no prohibition decision rendered by the SAMR in 2020.

Furthermore, the SAMR continued its tough stance against non-filers. The SAMR published 13 penalty decisions against parties that failed to fulfil the notification obligations under the Anti-monopoly Law. In addition, the SAMR also clarified that concentrations involving variable interest entity (VIE) structure transactions [5] are within the scope of merger control review.

Legislation

Release of The Interim Provisions for Merger Control Review

On 7 January 2020, the SAMR released a draft of the Interim Provisions for Merger Control Review (hereinafter “the Interim Provisions”) for public comment. The final version of the Interim Provisions was adopted in October 2020 [6]. The Interim Provisions consolidate all major regulations for merger control review into one coherent, comprehensive and easy-to-follow regulation, although no substantial changes have been proposed thereunder. However, it is notable that, pursuant to Article 2 of the Interim Provisions, the SAMR can authorize its provincial branches to take charge of merger control review. The decentralization of antitrust enforcement serves to better allocate the heavy workload undertaken by the SAMR, so that it can focus on reviewing relatively complex cases. Therefore, we expect that the SAMR will continue to lead the review process of most cases in the near future. However, specific questions remain to be answered. For example, in what types of cases will the SAMR authorize its provincial branches? When exactly will the SAMR authorize? If authorized, what will the scope and extent of the authorization be? These questions are expected to be answered through observation of SAMR practices.

Revision of The Anti-monopoly Law in Process

On 2 January 2020, the SAMR released a draft of revisions to the Anti-monopoly Law for public comment (hereinafter “the Revised AML”) [7]. Although the Revised AML follows the current Anti-monopoly Law’s basic framework, it significantly enhances the legal liability of Anti-monopoly Law violators. For example, in accordance with Article 55 of the Revised AML, the proposed penalty will be up to 10% of the non-filer’s annual sales in the previous year instead of the maximum fine of RMB500,000 under the current Anti-monopoly Law, which is clearly insufficient for deterring non-filers. The Revised AML also clarifies practical issues such as ‘controlling rights’ for merger filing purposes. In addition, the Revised AML introduces the so-called ‘stop-clock’ clause that specifies three conditions to discontinue the mandatory timelines for merger review:

  • on application or consent by the notifying parties;
  • supplementary submissions of documents and materials at the request of the antitrust authority; or
  • remedy discussions with the antitrust authority.

The revision of the Anti-monopoly Law has been scheduled as key legislative work for 2021 [8], and the new Anti-monopoly Law is expected to be adopted in the near future.

Enhanced Antitrust Scrutiny on E-commerce Platforms

In November 2020, the SAMR released “Antitrust Guidelines for the Platform Economic Industry” for public comment (hereinafter “Guidelines for Platform”). Within just three months, the final version of the Guidelines for Platform was approved and implemented on 7 February 2021 [9]. The Guidelines for Platform devote a chapter specifically to the merger control review obligations of business operators in the platform economic industry, including the filing standard, evaluation of competition concerns and restrictive conditions. It is also notable that the Guidelines for Platform clarify that concentrations involving VIE structure transactions are within the scope of merger control review. The Guidelines further clarify that transactions involving start-ups, new types of platform or free business models with the possibility of eliminating or restricting competition cannot be exempted from merger filing, even though they do not meet the turnover standard.

Unconditionally cleared cases

The SAMR unconditionally approved 469 cases in 2020 – slightly more than the previous year (460 cases). With regard to simple cases, a total of 364 cases were concluded in 2020, accounting for 76.96 per cent of all cases. The proportion of simple cases increased compared with that of 2019 (the number of simple cases accounted for around 73.3 percent of total cases in 2019). On average, simple cases took 12.81 days to be concluded (among which 12.79 days for the first quarter, 12.59 days for the second, 13.35 days for the third, and 13.35 days for the fourth), which was slightly reduced from 15.37 days in 2019 (among which 15.12 days for the first quarter, 18.29 days for the second, 18.24 days for the third, and 13.37 days for the fourth). And in 2020, 27.47 per cent of those cases were unconditionally approved upon expiration of the 10-day publication period. This demonstrates that simple case procedure plays an active role in enhancing the efficiency of concentration review, particularly in the sense of reducing the reviewing time.

Based on the statistics above and our experience, we reckon that since the fourth quarter of 2020, the SAMR has been exploring a tailored approach to reviewing different types and structures of transactions, and accelerating its process for certain transaction types. Moreover, we notice that from the fourth quarter of 2020, the rate at which the SAMR’s efficiency on simple case review is improving has slowed down. Accordingly, we estimate that the time spent before acceptance of the case, i.e. the time from the submission of filing materials to the acceptance notice of filing, will be longer, should the SAMR intend to further reduce the interval between the public notification and case conclusion. Notably, for the first time, the SAMR disclosed that the time spent before acceptance of the case was 24 days on average in 2019, as provided in its Annual Report on the Enforcement of Anti-monopoly Law of China (2019) [10].

Judging from recent cases, it appears that the SAMR applies a varying standard in its merger control review process depending on the nature and structure of the transaction. Firstly, horizontal mergers typically attract a greater level of scrutiny compared to non-horizontal mergers; secondly, the SAMR also pays closer attention to transactions concerning industries with a higher level of concentration; thirdly, for purely offshore transactions, that is, transactions that only involve joint ventures or companies with a small asset base in China that do not engage in substantial economic activities within China, the level of scrutiny is noticeably (and unsurprisingly) lower compared to transactions with a domestic implication; fourthly, transactions that involve the acquisition of an equity stake would be more closely reviewed compared to joint ventures; finally, complex transactions, such as multi-stage acquisitions, privatization of a listed company, and red-chip model restructuring, would likely endure a more prolonged review process by the SAMR.

Mingcha Zhegang Case [11]

On 16 July 2020, the SAMR unconditionally approved the joint venture between Shanghai Mingcha Zhegang Management Consulting Co., Ltd. (‘Mingcha Zhegang’) and Huansheng Information Technology (Shanghai) Co., Ltd. (‘Huansheng’). Mingcha Zhegang provides data analysis and artificial intelligence solutions to enterprises in the catering industry, whereas Huansheng is a subsidiary of Yum China which in turn owns brands including KFC, Pizza Hut, and Taco Bell. The joint venture proposes to engage in information and network technology development in the catering industry. This is the first case reviewed by the SAMR where it officially acknowledged the presence of a VIE structure used by a party to the transaction. Here, the ultimate controlling party of Mingcha Zhegang is a Cayman-incorporated company, Leading Smart Holdings Limited. Since the SAMR’s publication of the simple case review on 20 April 2020, the case received widespread attention due to the uncertain result of merger control review involving VIE arrangements.

Despite the lengthy approval process (88 days), which is significantly longer than the average review period of unconditionally approved cases, taking up almost the entire duration allowed for in simple case review, the delay, contrary to public perception, may be unrelated to the presence of the VIE structure. Instead, the delay was more likely a result of the reasonable objections by related third parties, with regard to relevant market definition, market share of the notifying parties, etc., which in turn led to competition concerns to the SAMR. As the transaction was likely motivated by data consolidation between the two notifying parties, it was also alleged that this would raise issues relating to data monopolization. Ultimately, however, these issues did not appear to be detrimental to the result of merger control review, as the SAMR approved the transaction unconditionally.

Car Inc (Shenzhou Zuche) Case [12]

On 25 November 2020, the SAMR published the simple case summary that it would be reviewing MBK Partners’ proposed acquisition of Car Inc (Shenzhou Zuche). MBK Partners is a private equity firm predominantly focused on the North Asia region, and Shenzhou Zuche is China’s largest car rental company. Similar to the Mingcha Zhegang Case, this case also involves the use of a VIE structure, though this would almost certainly not be the focus of the SAMR’s review. Instead, the SAMR closely scrutinized this transaction for competition concerns, as this particular transaction involves the financial and transportation industries, which have been the focus of regulatory attention in recent years. With MBK’s shares in the consortium that took eHi Car Services, China’s second largest car rental firm, private last year, such competition concerns would certainly be more pronounced. Beyond anti-competition issues, this transaction may also trigger foreign investment concerns with the recent passage of the Measures on Security of Foreign Investments [13]. Ultimately, the SAMR approved this case on 21 January 2021, which was a rather lengthy approval process (57 days).

As highlighted by these two cases, the SAMR has signaled its intention to review, with heightened scrutiny, cases which involve VIE structures. Putting aside any extrapolation from these decisions of the SAMR’s stance on the legality of the VIE structure, it is evident that at least within the anti-monopoly enforcement framework, it would be imprudent for companies which employ a VIE structure to ignore filing obligations. This is further evidenced by the introduction of the ‘Guidelines for Platform’, the penalties imposed on three tech companies for failing to comply with their filing obligations, and recent statements made by the SAMR [14]. Given the SAMR’s approval in the Mingcha Zhegang Case and Car Inc (Shenzhou Zuche) Case, the consensus among practitioners is that transactions involving a VIE structure would not be adversely affected. Companies should thus proactively assess their situation and ensure that they are compliant with the Anti-monopoly Law.

Conditionally cleared cases

In 2020, the SAMR conditionally approved four cases, a relatively stable number compared with 2019 (five cases). Figure 1 (below) illustrates the number of cases conditionally cleared from 2009 to 2020.

Figure 1

These conditional cases cover the automobile, computer, electronic components, and pharmaceutical industries, which are key areas of antitrust enforcement. The relevant products involved in these cases are not only related to people’s daily life but also high-tech driven. For example, the relevant product markets in ZF Friedrichshafen AG’s acquisition of WABCO Holdings relate to automatic manual transmission (AMT) controllers; those in Nvidia’s acquisition of Mellanox relate to Ethernet adapters; and those in Danaher’s acquisition of GE’s BioPharma relate to microcarriers and other biological analysis instruments. Due to the relatively strong technical nature of the relevant markets, the notifying parties in two of the four conditional cases withdrew and resubmitted the notifications. From the first submission of filing materials to the case being conditionally concluded, the review process for the four cases lasted for a minimum of 238 days, a maximum of 358 days, and an average of 291 days. There are many reasons for the lengthy review process, which may include the following.

  • In the absence of a ‘stop-clock’ clause in the Anti-monopoly Law, the time spent preparing supplementary materials and negotiating restrictive conditions is included in the review period. Therefore, the review time for complex cases may exceed the statutory merger review period;
  • The transaction structures and the relevant products are complicated (e.g. in the GE/Danaher case, Danaher and the target had horizontal overlaps in 25 products);
  • The relevant market is highly technical and complicated (e.g. Ethernet adapters and data center servers in the Mellanox/Nvidia case); and
  • The SAMR becomes more cautious in analyzing the competition impact of these cases.

Danaher’s acquisition of GE’s BioPharma Case [13]

On 28 February 2020, the SAMR conditionally approved Danaher’s acquisition of GE’s BioPharma unit, almost a year after the transaction’s initial merger filing. Danaher is an American diversified conglomerate involved in the healthcare and environmental industry. GE’s BioPharma unit, renamed Cytiva, provides both hardware and software used in biopharmaceutical research.

In addition to implicating a sensitive and strategically important industry, this case stands out for its complexity, involving 25 different product markets where the notifying parties had horizontal overlaps. In the SAMR’s analysis, the relevant geographical market for these product markets is defined as the worldwide market given that there were minimal trade barriers (as evinced by the low ratio of shipping cost to sales price) and minimal price differentiation across borders. The SAMR found that in many of the product markets, including the markets for microcarriers, chromatography systems, and hollow fiber filter modules, the transaction would have the effect of eliminating or restricting competition. For example, the SAMR found that, in the microcarriers market, the notifying parties would have a combined market share of nearly 70 per cent to 75 per cent worldwide. In addition to market share, the SAMR also appeared to be concerned with the impact of the transaction on innovation and R&D, particularly in the hollow fiber filter module market.

After several rounds of consultation, the SAMR accepted Danaher and GE’s proposal for structural remedies to salvage the transaction, concluding that the remedies would reduce the transaction’s adverse impact on competition. Danaher was to divest various businesses, such as the businesses in the aforementioned product markets which raised competitive concerns, including all their tangible and intangible assets and staff. Moreover, Danaher was to reach a transitional agreement and share its relevant tangible assets and proprietary research of the ‘Emily Project’ with buyers of its divested businesses, with the aim of encouraging R&D and investment into new products. This last remedy stands out, with the SAMR going beyond its traditional anti-competition toolbox to impose conditions that the agency believed would encourage innovation and facilitate greater product selection within the relevant market, instead of merely eliminating the negative impact raised.

We expect that the SAMR will continue to explore and deepen its anti-competition toolbox in major scientific research fields in life sciences and other high-end scientific research fields (for example, cutting-edge R&D involving biopharmaceuticals, or transactions involving innovative drugs for the treatment of critical diseases and rare diseases). The notifying parties should weigh and coordinate the filing strategies of various jurisdictions and carefully submit remedies based on the impact on the Chinese market to resolve the competition concerns of the SAMR.

Penalties on Non-filers

In recent years, the antitrust authorities have never relaxed their supervision of non-filing cases. In 2020, the SAMR significantly strengthened its supervision of and penalties on non-filing parties. The SAMR published 13 non-filing cases with a total fine of RMB5.65 million. The highest fine issued was RMB500,000, while the lowest was RMB300,000.

MBK Partners/Siyanli Industrial Case [16]

On 6 January 2020, the SAMR published its penalty decision against MBK Partners for its failure to notify its acquisition of a 23.53 per cent stake in Siyanli Industrial (‘Siyanli’). By failing to do so, the notifying party breached Article 21 of the Anti-monopoly Law and was fined RMB350,000 accordingly.

This case also marks the first penalty decision relating to an investment fund acquiring a minority interest, suggesting that the SAMR has not only kept itself up to date with market movements, but that it is taking a proactive role in policing this area. While the stake of 23.53 per cent prima facie appears to be a small proportion of the overall business, it is likely that the SAMR took a strict approach in its interpretation of ‘controlling rights’. The reason could be that this transaction is distinguished from most other PE/VC transactions, where there is a greater difference in the proportion of equity stake between the fund investor and the controlling party, and where the investment fund is largely kept away from the operations of the business.

Based on our experience, notifying parties holding a minority interest would have to assess their filing obligations under specific circumstances. Typical considerations include:

  • the voting right arrangement on major corporate decisions (such as whether financial investors had veto power), and
  • the presence of any special shareholder rights (such as preemptive rights, preferential rights, drag-along rights, buyback rights).

If an investor in a later financing round shares the same special shareholder rights as previous investors due to a most-favored-nation clause, this may also trigger filing obligations.

Intime Retail Case, New Classics Media Case & China Post Smart Delivery Case

On 14 December 2020, the SAMR published its penalty decisions against three non-filers, namely, (1) Alibaba for its acquisition of Intime Retail (Intime Retail Case), (2) China Literature Limited for its acquisition of New Classics Media (New Classics Media Case) [18], and (3) Hive Box Technology for its acquisition of China Post Smart Delivery (Hive Box Technology Case) [19]. The three cases all involve Internet companies using a VIE structure. This is the first time the SAMR has penalized a concentration involving a VIE structure.

Among the three cases, the SAMR’s investigations into the Intime Retail Case and the New Classics Media Case each took approximately 40 days, whereas the SAMR’s investigation into the China Post Smart Delivery Case took 174 days, significantly longer than the other two. It is further worth noting that the actual transactions in the first two cases took place in 2017 and 2018 respectively, whereas Hive Box Technology’s acquisition of China Post Smart Delivery was only recently completed in May 2020, implying that the SAMR had begun its investigation only a month after the deal’s conclusion. According to the SAMR’s subsequent press conference (Press Conference) [20], the SAMR had conducted a comprehensive review of the transactions’ impact on market competition, examining the underlying market condition and the effect that the concentration would have. In the end, however, the SAMR concluded that the three transactions would not reduce or eliminate competition.

Dohia Case [21]

On 9 September 2020, the SAMR published its penalty decision against Zhejiang Construction Investment Group (‘ZCIGC’) for its failure to notify the agency of its acquisition of 29.83% of Dohia Group (‘Dohia’). The transaction was conceived as a reverse merger whereby ZCIGC, a private company, would bypass the IPO process and become publicly listed through a complex arrangement with Dohia Group. The first phase involved ZCIGC acquiring 29.83% of the shares in Dohia. This was completed on 10 May 2019, when ZCIGC became Dohia’s largest shareholder. The second phase involved an asset swap between the two entities such that ZCIGC’s shareholders would become shareholders in Dohia.

Relevantly, ZCIGC had notified the SAMR when it was engaging in the second phase of its reverse merger in October 2019. However, the SAMR found that filing obligations would already have been triggered in the first phase of the transaction, and handed out a penalty decision accordingly. Based on the penalty decision, it is likely that the SAMR made its decision based on the ownership concentration. The SAMR’s specific highlighting of the 29.83% of shares suggests that it intended to create a deterrent effect, serving as a clear warning sign for other undertakings, as in the MBK Partners/Siyanli Industrial Case [22]. Therefore, companies engaging in asset restructuring, reverse mergers, and other multi-stage transactions should critically assess and determine the relevant stage at which filing obligations may be triggered. Moreover, publicly listed companies with a dispersed shareholder base should also be mindful that a minority interest of less than 30% may still be considered to be a controlling interest. Any transaction that involves a change in ownership should be critically assessed as to whether the transaction triggers filing obligations.

Concluding from the non-filing cases stated above, it is likely that the SAMR will continue its ex-post crackdown on previous transactions involving Internet companies using a VIE structure which have failed to comply with their filing obligations. Such companies shall remain vigilant and ensure that a robust compliance framework is in place. Strategic decisions, including the order of transactions to be reported and the supplementary material to be provided, shall consider all potential repercussions. The aforementioned cases are good precedents which shed light on the SAMR’s approach in defining the relevant market and in determining whether the conduct engaged in would amount to monopolistic behavior.

Comments and Conclusion

In 2020, the SAMR maintained a consistently rigorous and prudent attitude towards merger control review. Despite COVID-19, the time scale for filing and approval of merger control review (especially simple cases) has shortened compared to the previous year. As to conditional cases, the SAMR has imposed various conditions based on the characteristics of relevant products and the competition and innovation conditions of the relevant market, so as to eliminate the possible negative effects of concentration. In addition, the 13 non-filing cases published in 2020 show that the SAMR maintains its supervision of and penalties on non-filing parties. The SAMR has also clarified its attitude towards transactions in the Internet sector involving a VIE structure.

The new trends and features of the SAMR’s enforcement should draw the attention of enterprises in the relevant industries, whether it be the trend of scrutinizing transactions involving a VIE structure and the non-filing of minority stake investments by funds, or the trend of making intensive competition analysis of innovative markets. We expect that the SAMR will continue to accelerate the construction of the antitrust enforcement system in 2021. When conducting the merger control review, the SAMR usually maintains consistency between current and past cases, in particular, as to the market definition and certain factual issues. Meanwhile, to facilitate efficiency, high-quality notification materials will be required by the SAMR. Therefore, enterprises are advised to focus on the trends of antitrust enforcement and the revision process of the Anti-monopoly Law. In particular, enterprises shall understand the regulations of merger control review correctly, actively fulfill their filing obligations, and work closely with external experts to avoid delays in the closing of transactions, which would in turn affect their business plans. Furthermore, we expect that the SAMR will continue to strengthen the investigation and penalty of non-filing cases in 2021. Thus, before the revision of the AML, enterprises shall consider submitting post-consummation filings to the SAMR for such transactions.

 

FOOTNOTES:
[1]Michael Gu is a partner of AnJie Law Firm based in Beijing. Michael specializes in competition law and M&A. Michael can be reached by email: michaelgu@anjielaw.com, or telephone at (86 10) 8567 5959. Grace Wu is an associate of AnJie Law Firm, and Vivian Wang is an intern of AnJie Law Firm.

[2]The original Chinese version of the working report 2020 of the SAMR is available at the SAMR’s website:

http://www.samr.gov.cn/xw/zj/202102/t20210205_325918.html

[3]Infineon’s acquisition of Cypress case, the announcement is available at the SAMR’s website

http://www.samr.gov.cn/fldj/tzgg/ftjpz/202004/t20200408_313950.html

[4]Nvidia’s acquisition of Mellanox case, the announcement is available at the SAMR’s website

http://www.samr.gov.cn/fldj/tzgg/ftjpz/202004/t20200416_314327.html

[5]A VIE structure is designed to allow foreign offshore investors to invest and control Chinese onshore business(es) through a series of contracts and agreements, overcoming foreign capital restrictions on particular sectors.

[6]The original Chinese version is available at the SAMR’s website:

http://gkml.samr.gov.cn/nsjg/fgs/202010/t20201027_322664.html

[7]The original Chinese version is available at the SAMR’s website:

www.samr.gov.cn/hd/zjdc/202001/t20200102_310120.html

[8]http://www.npc.gov.cn/npc/c30834/202012/f4fd27270f78471dbe8f88c31c47cb0f.shtml

[9]The original Chinese version is available at the SAMR’s website:

http://gkml.samr.gov.cn/nsjg/fldj/202102/t20210207_325967.html

[10]The original Chinese version is available at the SAMR’s website:

http://www.samr.gov.cn/xw/zj/202012/t20201224_324676.html

[11]The announcement of unconditional approval is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/ajgs/wtjjzajgs/202007/t20200722_320099.html

[12]The publication of simple case review is available at the SAMR’s website

http://www.samr.gov.cn/fldj/ajgs/jzjyajgs/202011/t20201125_323881.html

[13]The original Chinese version is available at the NDRC’s website:

https://www.ndrc.gov.cn/xxgk/zcfb/fzggwl/202012/t20201219_1255025_ext.html

[14]The press conference of the SAMR is available at the SAMR’s website:

http://www.samr.gov.cn/xw/zj/202012/t20201214_324336.html

[15]The original Chinese version is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/tzgg/ftjpz/202002/t20200228_312297.html

[16]The original Chinese version is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/tzgg/xzcf/202001/t20200106_310261.html

[17]The original Chinese penalty decision is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/tzgg/xzcf/202012/t20201214_324334.html

[18]The original Chinese penalty decision is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/tzgg/xzcf/202012/t20201214_324340.html

[19]The original Chinese penalty decision is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/tzgg/xzcf/202012/t20201214_324337.html

[20]The press conference is available at the SAMR’s website:

http://www.samr.gov.cn/xw/zj/202012/t20201214_324336.html

[21]The original Chinese penalty decision is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/tzgg/xzcf/202010/t20201014_322326.html

[22]The original Chinese penalty decision is available at the SAMR’s website:

http://www.samr.gov.cn/fldj/tzgg/xzcf/202001/t20200106_310261.html

In 2019, China’s Supreme Court rendered a final judgment applying the HCCH 1965 Service Convention to serve a Japanese litigant by post, in a situation where the government of Japan opposed postal service but the Japanese litigant agreed to accept it.

I. Overview

On 22 Nov. 2019, the Supreme People’s Court of China (“the SPC”) rendered a final judgment on guarantee liability matters, Tang Yimin v. China Development Bank[1], involving the issue of cross-border service by postal channels on a Japanese litigant under the HCCH 1965 Service Convention[2].

In this case, one of the litigants, a Japanese citizen named Toshihide Inoue, provided the SPC in writing with his mailing address in Japan and expressly agreed to be served by the court directly by mail. The SPC served the judicial documents on Toshihide Inoue by post even though Japan had declared its opposition to Article 10(a) of the HCCH 1965 Service Convention (“the freedom to send judicial documents, by postal channels, directly to persons abroad”)[3], in a situation where China and Japan are both contracting states of the HCCH 1965 Service Convention.

II. Case Brief

On 26 Mar. 2007, China Development Bank (hereinafter referred to as “CDB”) and Xu Hui (hereinafter referred to as “Xu”) signed the “Guarantee Contract”. Xu assumed joint and several suretyship for the debts under the “Syndicated Loan Contract” in the amount of US$65 million.

On 23 Dec. 2011, Xu, the guarantor, died. On 10 May 2017, Tianjin No. 2 Intermediate People’s Court made a final judgment[4] that Tang Yimin inherited 50% of Xu’s estate and Inoue Toshihide inherited 9% (other heirs not related to this article will not be described here).

On 24 Dec. 2018, Tianjin Higher People’s Court rendered the first-instance judgment. In this case, CDB sued Tang Yimin, Inoue Toshihide and other heirs of Xu to assume joint and several guarantee liabilities within the inheritance, and the first-instance court supported the plaintiff’s claims.[5] Tang Yimin appealed to the SPC. In the second-instance trial, the SPC served judicial documents on one of the appellees, Inoue Toshihide, by post. Finally, the SPC dismissed the appeal and upheld the first-instance judgment.

III. The SPC’s Decision and Opinions

Regarding service on the Japanese citizen Inoue Toshihide in the second instance of this case, the SPC ascertained that Japan is a contracting state of the HCCH 1965 Service Convention and gave notice of its declaration of opposition to Article 10(a) (“the freedom to send judicial documents, by postal channels, directly to persons abroad”) on 21 December 2018. However, in this case, Toshihide Inoue provided the SPC with his mailing address in Japan and expressly agreed to be served by the SPC by mail. After receiving the judicial documents from the SPC, Toshihide Inoue signed those documents and sent the corresponding certificate of service back to the SPC.

The SPC held that, in civil cases requiring cross-border service, if the contracting State to the HCCH 1965 Service Convention in which the litigant is domiciled has objected to the postal method of cross-border service, service of judicial documents by post by other contracting States on litigants domiciled in that State shall not have procedural legal binding force. However, the SPC reasoned that the HCCH 1965 Service Convention is a convention of private law in nature, as its content mainly deals with the service abroad of judicial and extrajudicial documents in civil or commercial matters. In specific cases, if the litigants expressly agree to accept postal service from the courts of other countries, this shall be construed as a waiver by the party. Respecting the parties’ reasonable choices based on their own situations is conducive to the protection of the parties’ litigation interests and to procedural justice.

Therefore, the waiver that Japanese citizen Toshihide Inoue has made in a private law case involving his own interests is not inconsistent with the Japanese government’s opposition to the way of service by post. Subject to the written consent and the actual acceptance of Inoue Toshihide, the postal service of judicial documents by the SPC complies with due process.

IV. Comments

Article 267, paragraph 1 of the Civil Procedure Law (“CPL”) of China stipulates the ways for Chinese courts to serve judicial documents on parties who do not have a domicile in China, that is, “in the way specified in the international treaties concluded or acceded to by both China and the country where the person on whom service is to be made resides”. In the realm of cross-border service, the HCCH 1965 Service Convention has a strong influence around the world, and both China and Japan are contracting parties to it. In this case, the SPC applied the HCCH 1965 Service Convention to serve judicial documents on a Japanese litigant by mail according to the litigant’s clear choice, even though the Japanese government opposed postal service.

Service abroad is a vital part of international civil procedure. It relates directly not only to whether transnational litigation in a certain jurisdiction can be carried out in a timely and legal manner, but also to whether the procedural rights of the parties are fully protected, and whether the judicial sovereignty of the territory where the party is served is respected as necessary. In this case, the SPC tended to balance judicial efficiency, judicial sovereignty, and the procedural rights of the parties.

 

References:

[1] (2019) Zui Gao Fa Min Zhong No. 395.

[2] Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, concluded on 15 November 1965 by the Hague Conference on Private International Law (HCCH).

[3] TABLE REFLECTING APPLICABILITY OF ARTICLES 8(2), 10(a)(b) AND (c), 15(2) AND 16(3) OF THE HAGUE SERVICE CONVENTION, see:

https://assets.hcch.net/docs/6365f76b-22b3-4bac-82ea-395bf75b2254.pdf

[4] (2016) Jin 02 Min Zhong No. 4339.

[5] (2014) Jin Gao Min Er Chu Zi No.0052.

REGULATIONS

CAC seeks comments on revising Administrative Measures for Internet Information Services

On January 8, 2021, the Cyberspace Administration of China (“CAC”) issued the Administrative Measures for Internet Information Services (Revised Draft for Comments) (the “Draft for Comment”) for public comments by February 7, 2021.

The Draft for Comment applies to any organization or individual within the territory of the People’s Republic of China providing Internet information services to domestic users by using domestic and foreign network resources.

The Draft for Comment requires that those engaging in Internet information services that constitute the operation of a telecommunications business shall obtain a business license from the competent department of telecommunications; those whose services do not constitute the operation of a telecommunications business shall complete the filing-for-record formalities with the competent department of telecommunications. Those who have not obtained a telecommunications business license or have not completed the filing-for-record formalities shall not engage in Internet information services.

The Draft for Comment requires that Internet information service providers, Internet network access service providers and their staff shall adopt technical measures and other necessary measures to protect the identity information and log information collected and used from leakage, damage and loss.

http://www.cac.gov.cn/2021-01/08/c_1611676476075132.htm

 

MOFCOM issued the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures

On January 9, 2021, the Ministry of Commerce of the People’s Republic of China (“MOFCOM”) promulgated the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures (“Rules”), effective as of the date of promulgation.

These Rules apply to situations where the extra-territorial application of foreign legislation and other measures, in violation of international law and the basic principles of international relations, unjustifiably prohibits or restricts the citizens, legal persons or other organizations of China from engaging in normal economic, trade and related activities with a third State (or region) or its citizens, legal persons or other organizations.

These Rules require that where a citizen, legal person or other organization of China is prohibited or restricted by foreign legislation and other measures from engaging in normal economic, trade and related activities with a third State (or region) or its citizens, legal persons or other organizations, he/it shall truthfully report such matters to the competent department of commerce of the State Council within 30 days.

These Rules require that the State shall establish a working mechanism composed of relevant central departments (“Working Mechanism”), to take charge of counteracting unjustified extra-territorial application of foreign legislation and other measures. Where the Working Mechanism, upon assessment, confirms that there exists unjustified extra-territorial application of foreign legislation and other measures, it may decide that the competent department of commerce of the State Council shall issue a prohibition order to the effect that, the relevant foreign legislation and other measures are not accepted, executed, or observed (“prohibition order”). The prohibition order may be suspended or withdrawn by decision of the Working Mechanism based on actual circumstances.

A citizen, legal person or other organization of China may apply to the competent department of commerce of the State Council for exemption from compliance with a prohibition order. Meanwhile, these Rules provide that where a person complies with the foreign legislation and other measures within the scope of a prohibition order, and thus infringes upon the legitimate rights and interests of a citizen, legal person or other organization of China, the latter may, in accordance with law, institute legal proceedings in a people’s court and claim compensation from that person.

http://www.mofcom.gov.cn/article/zwgk/zcfb/202101/20210103029710.shtml

 

PBOC issued the Administrative Measures for Credit Reporting Business (Draft for Comment)

On January 11, 2021, the People’s Bank of China (“PBOC”) issued the Administrative Measures for Credit Reporting Business (Draft for Comment) (the “Draft for Comment”) for public comments by February 10, 2021.

On credit information collection, the Draft for Comment stipulates that credit agencies should:

  • follow the principle of “minimum and necessary” and credit information collection should not be excessive;
  • examine the business legitimacy, information source, information quality, information security and authorization of information subject of the information provider to ensure the legality, accuracy and sustainability of credit information collection;
  • clarify with the information provider their respective rights and obligations in data correction, objection of handling, information security, etc.; and
  • obtain the information subject’s consent, and inform the information subject clearly of the purpose, source and scope of credit information collection, as well as the possible adverse consequences of not agreeing to the information collection.

http://www.pbc.gov.cn/tiaofasi/144941/144979/3941920/4160598/index.html

 

MIIT launches pilot program on classified and graded management of cybersecurity of industrial Internet enterprises

On January 13, 2021, the Ministry of Industry and Information Technology (“MIIT”) issued the Circular on Launching the Pilot Program on Classified and Graded Management of Cybersecurity of Industrial Internet Enterprises (the “Circular”).

The Circular provides that, in light of the actual development of the industrial Internet in various regions, and by taking into full consideration the willingness of various regions to participate in the program, 15 provinces (autonomous regions and municipalities directly under the Central Government) including Tianjin, Jilin, Shanghai, Jiangsu, Zhejiang, Anhui, Fujian, Shandong, Henan, Hunan, Guangdong, Guangxi, Chongqing, Sichuan, Xinjiang are initially scheduled to launch the pilot program.

The Circular requires that, through the pilot program:

  • the rationality, effectiveness and operability of rules, standards and procedures of classification and grading for cybersecurity of industrial Internet enterprises, and security-series protection specifications for industrial Internet shall be perfected, and the construction of a classified and graded management system for cybersecurity of industrial Internet enterprises shall be accelerated;
  • the main responsibility of the cybersecurity of pilot enterprises shall be performed, to form a reproducible and popularized classified and graded management model of cybersecurity of industrial Internet enterprises; and
  • a batch of typical solutions for cybersecurity of industrial Internet shall be summarized, a batch of excellent demonstration enterprises shall be selected, and a batch of professional service organizations shall be cultivated.

https://www.miit.gov.cn/jgsj/waj/gzdt/art/2021/art_eb95e60794794fc29f768233e7d7739d.html

 

SPP issued the Provisions on the Handling of Cybercrime Cases by the People’s Procuratorates

On January 25, 2021, the Supreme People’s Procuratorate (“SPP”) issued the Provisions on the Handling of Cybercrime Cases by the People’s Procuratorates (the “Provisions”) for implementation as of the date of issuance.

The Provisions have a total of 65 articles in seven chapters, including general provisions, guided collection of evidence and case review, review of electronic data, and attendance in court in support of public prosecutions.

The Provisions require that the people’s procuratorates should strengthen overall punishment in handling cybercrime cases and pay attention to examining and discovering clues to upstream and downstream related crimes. For a suspected crime, if the public security organ does not place it on file for investigation, does not apply for approval of arrest where it should, or does not transfer the case for prosecution where it should, supervision shall be carried out according to law.

https://www.spp.gov.cn/spp/xwfbh/wsfbh/202101/t20210125_507446.shtml

 

CONTACT US

If you would like to receive our legal update via email, please contact jianghongyu@anjielaw.com.

For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369

E: yanghongquan@anjielaw.com

Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.

Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.

Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.

Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.

Let’s talk tech and Chinese money.

Since antiquity, China has led the world with its adoption of cutting-edge currency

Today, there is an immense amount of interest surrounding China’s new digital yuan (“DCEP” – Digital Currency Electronic Payment).

However, China’s history of currency innovation goes back to ancient times. Unlike Roman coins, ancient Chinese coins are marked by a square hole in the middle, allowing the bearer to efficiently string large amounts together for ease of transport.

A “开元通宝”, kāiyuán tōng bǎo; ‘Circulating treasure from the inauguration of a new epoch’. Attribution: Unknown.

Another innovation was the use of bolts of silk. In ancient times, silk was issued to garrisoned troops along the silk road as a form of payment, because it was lighter than coins and easier to transport overland from the then-imperial capital of Chang’An (present-day Xi’an).

A plain, basket-weave (one thread over, one thread under) bolt of silk from the 3rd or 4th century CE and currently housed at the British Museum. Before it snapped in half, this bolt was sent as payment to garrisoned Chinese troops in the silk road city of Krorän (also known as Loulan). Attribution: Valerie Hansen, The Silk Road, Colour Plate 5A.

Promissory bank notes appeared a few hundred years after silk bolts were used, in Tang dynasty China. These promissory notes allowed merchants to conclude large transactions without needing to carry heavy loads of metal coins (Tiě qián, 贴钱) on their person. Another few hundred years later, real paper currency (Jiāo zi, 交子) appeared in Song dynasty China (although Chinese paper already existed when silk was used as payment, it was mostly for wrapping and it took some time for paper currency Jiāo zi to emerge).

China is starting a new chapter in its currency innovations

Fast forward to today: with the proliferation of WeChat Pay and Alipay during the 2010s, China has, more than a millennium after inventing paper bank notes, become the first major economy to transform into a cashless society. In this regard, China is already miles ahead of other developed markets.

In line with its history of currency innovation, China is again writing a new chapter. However, this time there is one major difference. Past Chinese improvements on money were usually incremental. Paper and silk are lighter than copper, and digital wallets weigh no more than the smartphone they’re carried on. The latter also bring some additional record-keeping features, like a basic receipt for the parties’ reference.

Unlike these incremental evolutions, the DCEP is a revolutionary advance in currency. Allowing near-instant foreign exchange settlement and built on blockchain, the DCEP is perfectly traceable and allows the People’s Bank of China (“PBOC”, Chinese Central Bank) and state-owned banks to collect data not only on transactions between users (the parties, the date, and the amount exchanged, among other details) but also on each subsequent transaction using DCEP. There is immense potential for using this ledger data to fuel the growth of fintech in China.

To better understand this, imagine for a moment if every transaction for every US Dollar in circulation — for the lifetime of each dollar — were recorded by the Federal Reserve on a ledger. These dollars are stored and exchanged in digital wallets, each of which has an “address” (like a bank account number) tied to a person or company.

Whether in New York, Paris, or Shanghai, the Federal Reserve now knows the name, timestamp, and amount exchanged for every transaction completed in USD. Now imagine that the Federal Reserve makes this data available to tech giants, either to help detect crime, encourage innovation, or even to help the government raise money. Imagine also that they share this information with law enforcement to help them identify and catch criminals, and fight money laundering and tax evasion.

Obviously, the Federal Reserve won’t be able to realize these scenarios for legal and political reasons. It is very limited in what it can do with a digital dollar. It would be illegal for it to sell user data without user consent and privacy concerns in the US would quickly lead to public backlash against sharing data with law enforcement programs. It should be noted that the US Federal Reserve is considering a Central Bank Digital Currency (CBDC), though this has yet to launch and its scope is set to be much narrower than in the scenarios described above.

The PBOC, on the other hand, is more than ready to push a digital currency to its fullest potential, from government departments to beyond China’s borders. As of January 2, 2020, the PBOC had already filed 84 patent applications for the DCEP, and the DCEP is scheduled to be in use in time for the 2022 Winter Olympics in Beijing. The plan is to first implement its use across government institutions, then large Chinese companies, and then finally to help forge a path along the new land, maritime, and “digital” silk roads as a settlement layer in the Belt and Road Initiative (“BRI“). Former PBOC Governor Zhou Xiaochuan recently spoke at length on the potential for the DCEP to transform cross-border trade.

There are plans to share DCEP data to fight crime. According to Yao Qian, founder of the PBOC’s Digital Currency Research Lab, the DCEP’s data will also be shared with law enforcement. Of course, as suggested in a report by the Bank of International Settlements, the benefits to law enforcement could be minimal because ordinary criminals will tend to avoid a fully traceable currency. That said, it could be used to great effect to fight white-collar crime and corruption. For example, after government treasuries convert all Yuan to the DCEP, their spending (and the spending of government contractors) could be tightly monitored. This may lead to much greater transparency in areas like government product procurement, construction, and other public tenders, which are particularly vulnerable to bad actors. Similarly, once large companies convert to DCEP, it follows that their staff payroll and funds paid to suppliers will also be traceable.

Moreover, there are already plans in place for the mass-commoditization of data in China, which may enable marketing DCEP data. This year, it was revealed that Shenzhen will establish a “data trading market” and “take the lead” in exploring new mechanisms for data property rights protection and utilisation (see 2020 Implementation Plan for the Pilot Comprehensive Reform of Building a Pilot Demonstration Zone of Socialism with Chinese Characteristics in Shenzhen). To be clear, so far there is no indication that this is intended to market DCEP data, but it does open very interesting opportunities should the government decide to do so.

Implications of China’s DCEP for Insurtech & Insurers

In terms of creating Insurtech products for end-users, the DCEP’s implications for Insurtech depend in part on whether and to what extent the DCEP will enable or support smart contracts. Smart contracts are already featured on other crypto tokens, most notably the Ethereum Virtual Machine (“ERC-20“) which supports developing smart contracts by using the Solidity programming language, a combination of Javascript and C++.

While initially a cause for alarm in some jurisdictions, blockchain smart contracts hold great potential that is increasingly well-understood by regulators. In addition to powering the telematics behind Insurtech products (for more on the potential for telematics in China see our past article, “Can Foreign Investors Capitalize on Insurtech’s Growth in China?”), smart contracts enable automating transfers of rights in exchange for funds and lowering transaction costs (especially for multi-party agreements).

This technology forms the basis of Initial Coin Offerings (“ICO“). Through ICOs, smart contracts allow a fundraising venture to execute only after sufficient investors have agreed to the financing terms. In exchange for funding the venture, the investors receive a token, a kind of digital share certificate recorded on blockchain.

Although ICOs provide an innovative and potentially important vehicle to support fundraising for new ventures and ideas, lack of regulation and rampant fraud raised serious regulatory concerns when they became popular a few years ago. For more on this, see Zetzsche et al., “The ICO gold rush: It’s a scam, it’s a bubble, it’s a super challenge for regulators”, Harvard International Law Journal, vol. 60, no. 2, 2019. ICOs have been banned in the PRC Mainland since September 2017 (PBOC, CAC, MIIT, SAIC, CBRC, CSRC, and CIRC Announcement on Preventing Financial Risks from Initial Coin Offerings).

While ICOs remain restricted in the PRC, they are now legally regulated in Hong Kong and Taiwan as Security Token Offerings (“STO“). STOs combine the power of an ICO with the stringent regulations of the securities market.

Integrating the digital Yuan with an eventual STO regime would be revolutionary in a couple of different ways. First, allowing STOs — whether in Hong Kong or in the PRC assuming they are legalized — to be denominated in DCEP would greatly benefit fundraising for this innovative space. This would be a win for both private investors and the government: investors gain access to a powerful new fundraising tool, while the government can monitor and regulate STOs under its financial exchanges by bringing them within the fold of Chinese securities laws. This would allow regulators to implement mandatory disclosure rules to protect investors from the risks of fraud associated with ICOs, and further displace unofficial cryptocurrencies by channeling existing ICO action into the legitimate STO system. Together, these changes would make institutional investors more likely to treat STOs as serious investment opportunities. As a result, enabling the DCEP to support STOs would cement the DCEP’s appeal for fundraisers and institutional investors while helping the government keep tabs on this new activity in public exchanges.

Legalizing STOs and allowing them to be denominated in DCEP also opens up major new underwriting opportunities for property insurers. Say, for example, that an opportunity presents itself for a new insurance line of business — a new Chinese rocket company wants to launch missions into space to replenish the International Space Station, or launch a new satellite. Given the risks, it cannot find an insurer willing to underwrite and sell such an insurance policy.

With a DCEP-denominated STO, an insurer could decide to underwrite such a policy on the condition that an STO attracts an adequate number of co-insurers and reinsurers, and then exchange the tokens as financial assets. If there’s adequate market interest after the STO is listed, then the policy would launch (as would the rocket ship!), be divided into token shares, and then be distributed into each insurer and reinsurer’s book of business in exchange for their DCEP payments. After the STO is written, all of these subsequent steps would happen automatically and significantly reduce transaction costs. Innovations like this are already occurring, for example Nexus Mutual, a blockchain company providing a decentralized financial alternative to insurance cover. Depending on how innovative the regulators wish to be, such “policy tokens” could then be resold as securities to investors on the Shanghai, Shenzhen, or Hong Kong stock exchange. In an interview with Sergey Nazarov, co-founder of Chainlink (a company developing “oracles” for smart contracts), one possibility under discussion is for the revenue from such policies to even become tokenized, and then bought and sold as a fixed-income investment asset.

Due to its instant settlement capability, denominating these investments in DCEP would also open the door for participation from foreign insurers provided that they satisfy market access requirements (for more on this, see our past articles, WFOE Shopping — How Do Beijing, Shanghai, And Shenzhen Compare For Establishing An Insurance WFOE In China?; and China, GATS, Trump: Do Non-US Insurers Get A Piece Of The China-US Trade Deal?).

Second, integrating the DCEP with an STO regime would be particularly welcome for insurance investors, for whom restrictions on equity investments were recently relaxed in November 2020. Coming into effect on November 12, the Notice on Matters Related to Insurance Fund Financial Equity Investment (the “Notice“) lifts a significant number of prohibitions on equity investments by insurers. In particular, it divides permissible investments into a positive and a negative list. Generally, as long as an equity investment prospect is safe, liquid (stable cash flow and a track record of dividends), profitable, legally registered and not engaged in serious legal disputes, is led by an honest team, presents no risk of related-party transactions, is not involved in real estate, is not a serious environmental polluter, and is not on the NDRC’s negative list, then an insurer is free to invest in it. Although in practice a significant number of ICOs were risky, failed, and would not meet these criteria for investment, in theory this opens the door for lucrative new investment opportunities if the government opens the door to PRC STOs with sufficient securities regulations in place.

While this DCEP/STO revolution is far from a reality, the government is already moving towards an “internet of blockchains” that would allow the DCEP to work far better with existing smart contract ecosystems. One government initiative, the Blockchain Services Network (“BSN“, 区块链服务网络, qū kuài liàn fúwù wǎngluò) is designed to allow cross-platform compatibility and support popular Western frameworks such as “Hyperledger Fabric (already supported), Ethereum, EOS and Digital Asset’s DAML” (Forbes). The BSN is aimed at “providing a robust, low-cost, high-availability, multi-cloud, internet-of-blockchains infrastructure”, and was launched in collaboration with large Chinese enterprises including UnionPay, China Mobile Communications Corporation, Design Institute, and China Mobile Communications Corporation Government (ibid).

As for personal insurance, this would depend in large part on whether and to what extent DCEP data will be turned over to the private sector. Realistically, most personal data would be off-limits — absent user consent, we most likely will not enter a dystopian future where central banks sell data on personal lifestyle habits to insurers in order to adjust health policy rates. However, as discussed above, it would be feasible for the PBOC to make some personal data available to some financial institutions in order to help fight financial crimes, and this may include combating risks such as insurance fraud. It would also be feasible for new insurance contracts to stipulate that some benefits will only be paid out in DCEP. While insurers would not collect DCEP data, they may thereafter be able to request production of such data in the event of a lawsuit disputing the claim, and detect suspicious activity after the benefits are paid with the help of forensic experts.

Besides fraud prevention, one form of data that would be particularly helpful is data on insurance disputes. Insurtech smart contracts could feasibly house not only insurance policies, but also dispute resolution provisions which connect to mediation, arbitration, or even Chinese internet courts. One example, SageWise, already provides a dispute resolution clause to be integrated within smart contracts. The data generated from disputes, i.e. the nature of the disputed claim, the amount, and the party which prevails, could help regulators identify and take action against standard clauses showing a high frequency of disputes, while allowing insurance companies to better allocate resources in drafting and communicating sensitive policies to their clients. This would allow not only resolution of disputes, but also prevention of future disputes.

If allowed to be used by the private sector, we can expect there to be strict guardrails in place for how DCEP data is used, which would make it especially difficult for foreign insurers seeking to enter China’s Insurtech market to satisfy local requirements. Under Article 37 of China’s Cybersecurity Law (2017) (“CSL“), Chinese citizens’ personal data, together with critical business data collected in China, must be stored within mainland China, and companies must undergo a security assessment before exporting such data across the border. Thus although possible to make visible from an insurer’s headquarters in London or New York, this would almost certainly require a local Chinese partner or subsidiary that can pass the CSL’s security assessment prior to sending such data to a foreign server.

Conclusion

From bolts of silk to blockchain bits and bytes, China has a rich history of currency innovation that continues to the present day.

This time, China is implementing a currency innovation so revolutionary that it will take years to fully grasp its potential. The DCEP allows near-instant settlement and will play a significant role in the land, maritime, and digital silk roads, with the potential to transform cross-border trade.

Legalizing STOs and allowing them to be denominated in DCEP would unleash a wide range of new investment and underwriting opportunities for insurers. The DCEP would be especially powerful if it can support smart contracts. As for data, the DCEP may present great advantages to insurers in terms of risk and fraud detection, though this depends in large part on the extent to which PBOC data is shared with other financial institutions.

In light of the DCEP’s untapped potential, the 2022 Winter Olympics in Beijing will — just like the 2008 Beijing Summer Olympics — display to the world a modern, dynamic China with its sight set on even further horizons.

REGULATIONS

CAC seeks comments on scope of necessary personal information required for 38 types of Apps

On December 1, 2020, the Cyberspace Administration of China (“CAC”) issued the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications (Draft for Comment) (the “Draft for Comment”) for public comments by December 16, 2020.

The Draft for Comment stipulates the scope of necessary personal information required for 38 common types of Apps, such as map navigation Apps, online car-hailing Apps, and instant messaging Apps. In particular, the Draft for Comment provides that as long as a user gives consent to the collection of its necessary personal information required for an App, such App shall not refuse the user’s installation and use. Meanwhile, a total of 12 types of Apps, including online live streaming Apps, online audio and video Apps, short video Apps, and browser Apps, shall provide basic functional services without asking for personal information of users.

http://www.cac.gov.cn/2020-12/01/c_1608389002456595.htm

 

Three departments released the Announcement on Issuing the Import Licensing List and Export Control List of Commercial Cryptography and Relevant Administrative Measures

On December 2, 2020, the Ministry of Commerce (the “MOC”), the State Cryptography Administration (the “SAC”) and the General Administration of Customs (the “GAC”) jointly released the Announcement on Issuing the Import Licensing List and Export Control List of Commercial Cryptography and Relevant Administrative Measures (the “Announcement”).

Main contents of the Announcement are as below:

  1. In order to safeguard national security and public interests, it is hereby decided to carry out import licensing and export control for relevant commercial cryptography.
  2. Regarding the import of items and techniques set out in the Import Licensing List of Commercial Cryptography, i.e., encrypted telephone sets, encrypted fax machines, cryptographic machines (cards) and encrypted VPN equipment, the import license of dual-use items and techniques shall be applied for with the MOC.
  3. Regarding the export of items and techniques specified in the Export Control List of Commercial Cryptography, including security chips, key management products, special cryptographic equipment and cipher development and production equipment, the export license of dual-use items and techniques shall be applied for with the MOC.

This Announcement shall enter into force on January 1, 2021, and the Announcement No. 18 of the State Cryptography Administration and the General Administration of Customs, the Announcement [2012] No. 64 of the General Administration of Customs and the State Cryptography Administration, the Announcement No. 27 of the State Cryptography Administration and the General Administration of Customs, and the Announcement No. 38 of the State Cryptography Administration, the Ministry of Commerce and the General Administration of Customs are to be repealed simultaneously.

http://www.mofcom.gov.cn/article/zwgk/zcfb/202012/20201203019733.shtml

 

MIIT announced the seventh batch of Apps for infringement on users’ rights and interests

On December 21, 2020, the Ministry of Industry and Information Technology (“MIIT”) announced the seventh batch of apps for infringement on users’ rights and interests. The main problems involved are as follows:

  1. collecting and using personal information in violation of laws and regulations;
  2. asking for permission mandatorily and in an excessively frequent way;
  3. deceiving and misleading users to download Apps; and
  4. App information on the App distribution platform is not clear.

https://www.miit.gov.cn/jgsj/xgj/gzdt/art/2020/art_13136b980ab444519feac1c3b3c48086.html

 

MHRSS: A human resource service agency shall ensure personal information security

On December 23, 2020, the Ministry of Human Resource and Social Security (“MHRSS”) issued the Administrative Provisions on Online Recruitment Services (the “Provisions”), which will take effect from March 1, 2021.

On personal information protection, the Provisions provide:

  • A human resource service agency engaged in online recruitment services shall strengthen cybersecurity management, fulfill cybersecurity protection obligations, and take technical or other necessary measures in accordance with the requirements of national cybersecurity laws, administrative regulations and multi-level protection system of cyber security, to ensure the security of the recruitment service network, information system and user information.
  • A human resource service agency shall establish and improve the information protection system for online recruitment service users, and shall not disclose, tamper with, damage or illegally sell, or illegally provide other people with the ID card number, age, gender, address, contact information and business status of the employer.
  • A human resource service agency shall conduct self-examination on the information protection of online recruitment service users at least once a year, record the self-examination situation, and timely eliminate the security risks found in the self-examination.
  • Where a human resource service agency engaged in online recruitment services does need to provide an overseas institution with the personal information and important data collected and generated in its operations within the territory of China due to business needs, it shall comply with relevant laws and administrative regulations of the State.

http://www.mohrss.gov.cn//xxgk2020/fdzdgknr/zcfg/bmgz/202012/t20201223_406512.html

 

MIIT issued the Construction Guidelines of Data Security Standard System in Telecom and Internet Industry

On December 25, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Construction Guidelines of Data Security Standard System in Telecom and Internet Industry (the “Guidelines”).

The Guidelines include standards of basic generality, critical technology, safety management and critical areas. The standards of basic generality include the definition of terms, data security framework, data classification and grading, etc., which provide basic support for various standards. The critical technology standards regulate the critical technology of data security across the whole data life cycle, covering data collection, transmission, storage, processing, exchange, destruction, etc. Security management standards include data security specification, data security assessment, monitoring, early warning and disposal, emergency response and disaster backup, security capability certification, etc. Critical areas standards include 5G, mobile Internet, Internet of vehicles, Internet of things, industrial Internet, cloud computing, big data, artificial intelligence, blockchain and other critical areas.

Data security standards in the field of the Internet of vehicles mainly include the data security of the cloud platform of the Internet of vehicles, the data security of V2X communication, the data security of the intelligent connected vehicle, and the data security of the mobile App of the Internet of vehicles, etc.

Data security standards in the field of mobile Internet mainly include personal information protection of mobile applications, SDK security of mobile applications, etc.

Data security standards in the field of artificial intelligence mainly include data security of artificial intelligence platform, personal information protection of artificial intelligence terminal, etc.

https://www.miit.gov.cn/zwgk/zcwj/wjfb/txy/art/2020/art_4a6aca0048b742ea97cfb280e981125e.html

 

CONTACT US

If you would like to receive our legal update via email, please contact jianghongyu@anjielaw.com.

For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369

E: yanghongquan@anjielaw.com

Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.

Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.

Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.

Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.

REGULATIONS

NISSTC issued the Guidelines for Data Security of Online Car-booking Services (Draft for Comment)

On November 10, 2020, the Secretariat of the National Information Security Standardization Technical Committee (“NISSTC”) issued the Information Security Technology – Guidelines for Data Security of Online Car-booking Services (Draft for Comment) (the “Draft”) for public comments by January 8, 2021.

The Draft specifies the types, scope, methods and conditions of collection, storage, use, sharing, public disclosure and deletion of data, as well as data security management requirements.

The requirements of data collection are as follows:

  • Before collecting the personal information of users, online car-booking service operators shall inform users and obtain the consent of users;
  • When users refuse to provide personal information other than the minimum necessary personal information, online car-booking service operators shall not refuse to provide the online car-booking service; and
  • When users refuse to provide the minimum necessary personal information corresponding to the optional business function of online car-booking service, online car-booking service operators can refuse to provide the corresponding optional business function service but should not refuse to provide online car-booking service.

The requirements of data transmission and storage are as follows:

  • When online car-booking service operators transmit personal information through the Internet, they should adopt security measures such as encryption;
  • Online car-booking service operators shall store the personal identification information, facial recognition features and audio and video trip recordings data of passengers and drivers separately;
  • Online car-booking service operators should not store travel track data and audio and video trip recording data on office terminals, but on servers with security measures.

The Draft also stipulates that online car-booking service operators should not abuse big data analysis and other technical means to set unfair trading conditions based on user consumption records and consumption preferences, thus infringing on users’ legitimate rights and interests.

https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20201110160208&norm_id=20201030200001&recode_id=40116

 

NISSTC issued the Guidelines on the Code of Ethics for Artificial Intelligence (Draft for Comment)

On November 9, 2020, the Secretariat of the National Information Security Standardization Technical Committee (the “NISSTC”) issued the Practice Guide to Cybersecurity Standards – Guidelines on the Code of Ethics for Artificial Intelligence (Draft for Comment) (the “Draft”) for public comments by November 23, 2020.

The Draft gives safety risk warnings regarding potential ethical issues associated with artificial intelligence (“AI”), and provides guidelines for AI research and development, design and manufacturing, deployment and application, consumer use and other related activities.

On deployment and application, the Draft stipulates that the deployer should explain the functions, limitations, risks and impacts of systems, products or services related to AI to users in a timely, accurate, complete, clear and unambiguous manner, and explain the relevant application process and application results. The deployer should also provide users with a clear and easy-to-operate mechanism to refuse or stop using systems, products or services related to AI. After users refuse or stop using systems, products or services related to AI, the deployer should provide users with alternative non-AI options as far as possible.

https://www.tc260.org.cn/front/postDetail.html?id=20201109163419

 

RCEP: To protect the personal information of electronic commerce users

On November 15, 2020, the Regional Comprehensive Economic Partnership Agreement (“RCEP”) was concluded. The RCEP consists of 20 chapters, covering comprehensive market access commitments on goods, services, investment and other areas.

The “Electronic Commerce” chapter of the RCEP stipulates that each party to the RCEP is:

  • encouraged to improve trade management and procedures through electronic means;
  • required to create a favorable environment for electronic commerce, to protect the personal information of electronic commerce users, provide protection for online consumers, and strengthen supervision and cooperation on unsolicited commercial electronic information.

On cross-border transfer of information by electronic means, the RCEP also provides that a party shall not prevent cross-border transfer of information by electronic means where such activity is for the conduct of the business of a covered person.

http://fta.mofcom.gov.cn/rcep/rceppdf/d12z_en.pdf

 

Announcement on 35 Apps for non-compliance with collecting and using personal information

On November 13, 2020, the Task Force on Apps for Illegal Collection and Use of Personal Information (“Force”) found problems in the collection and use of personal information by 35 Apps. It suggested that the relevant App operators rectify the existing problems in time and report the rectification situation to the Force within 30 days. After the 30 days, the Force will verify the rectification situation, submit the review results to the relevant departments, and handle those that cannot be effectively rectified in accordance with the law.

https://mp.weixin.qq.com/s/KGFSSM9yuIxs9Wrv2tR24w

 

Live streaming platforms shall establish a mechanism for personal information protection 

On November 13, 2020, the Cyberspace Administration of China (“CAC”) issued the Administrative Provisions on Live Streaming Marketing Information Content Services (Draft for Comment) (the “Draft”) to solicit public comments by November 28, 2020.

The Draft stipulates that live streaming platforms shall establish a sound mechanism for registration and cancellation of accounts and live streaming marketing business, information security management, codes of conduct for marketing, minors’ protection, users’ rights protection, personal information protection, credit evaluation and data security. At the same time, the Draft provides that live streaming platforms shall strengthen the service management of live streaming information on the Internet. If illegal and bad information is found, a platform shall immediately take measures to deal with it, keep relevant records and report to the relevant competent authorities. Live streaming platforms shall prevent and stop illegal advertising, price fraud and other violations of users’ rights and interests, and warn users of the risks of private transactions outside the platform in a prominent way.

http://www.cac.gov.cn/2020-11/13/c_1606832591123790.htm

 

PBOC issued the Testing and Evaluation Guidelines for Classified Protection of Cybersecurity of Financial Industry and the Implementation Guidelines for Classified Protection of Cybersecurity of Financial Industry

On November 11, 2020, the People’s Bank of China (“PBOC”) formally issued two standards in the financial industry, namely the Testing and Evaluation Guidelines for Classified Protection of Cybersecurity of Financial Industry (“Testing and Evaluation Guidelines”) and the Implementation Guidelines for Classified Protection of Cybersecurity of Financial Industry (“Implementation Guidelines”).

The Testing and Evaluation Guidelines stipulate the general requirements and extended requirements of security evaluation for Level-2, Level-3 and Level-4 protected objects in the financial industry. The Testing and Evaluation Guidelines are applicable to guide financial institutions, evaluation institutions and the competent departments of cybersecurity classified protection in the financial industry to conduct security evaluation on the security status of the classified protection objects.

The Implementation Guidelines include six parts, which regulate:

  • the cybersecurity framework of the financial industry and the security requirements corresponding to different security levels,
  • the basic framework and terminology definition of the cybersecurity level protection work in the financial industry,
  • the cybersecurity post setting requirements of financial institutions,
  • the cybersecurity post ability requirements,
  • the cybersecurity personnel ability evaluation requirements,
  • the cybersecurity training related requirements, and
  • the financial institutions cybersecurity level protection audit implementation requirements, etc.

The Implementation Guidelines are applicable to guide financial institutions, evaluation institutions and competent departments of financial industry to implement classified cybersecurity protection.

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1891

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1885

 

NISSTC issued the Practice Guide to Cybersecurity Standards – Security Guidelines for Using Software Development Kit (SDK) for Mobile Internet Applications

On November 27, 2020, the Secretariat of the National Information Security Standardization Technical Committee (“NISSTC”) issued the Practice Guide to Cybersecurity Standards – Security Guidelines for Using Software Development Kit (SDK) for Mobile Internet Applications (“Guidelines”).

The Guidelines provide the responsibilities of the parties involved in the use of the SDK and the common security issues, as well as the security principles and measures of App providers and SDK providers for common problems. The Guidelines are applicable to preventing SDK security and compliance risks when App providers use the SDK, and also provide reference for SDK providers in protecting SDK security and user personal information.

According to the Guidelines, App providers should take adequate security measures to ensure that there is no security risk when using SDKs, such as conducting security assessment on the SDK before integrating SDKs, conducting continuous dynamic monitoring or regular security assessment on the integrated SDK, signing a cooperation agreement with SDK providers or further improving the cooperation agreement with the SDK providers.

Besides, SDK providers should collect personal information at the lowest frequency necessary to realize its own business functions, and enhance its own security by means of code audit and code obfuscation.

https://www.tc260.org.cn/upload/2020-11-27/1606438309423027911.pdf

 

CONTACT US

If you would like to receive our legal update via email, please contact jianghongyu@anjielaw.com.

For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369

E: yanghongquan@anjielaw.com

Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.

Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.

Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.

Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.

REGULATIONS

MIIT launches 2020 program of checking cyber security in telecommunications and internet industries

On October 9, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Circular on Working Effectively on the 2020 Program of Checking the Cyber Security in the Telecommunications and Internet Industries (the “Circular”).

The Circular provides that the checking object includes networks and systems constructed and operated by basic telecommunication enterprises, Internet enterprises, domain name registration management and service institutions that have obtained the permission of competent telecommunication authorities according to the law. In addition, the checking will focus on the critical information infrastructure as well as important network units and their carrying information systems of the telecommunications and Internet industries, including but not limited to 5G network infrastructure, Mobile App Store, Internet of Things platforms, Industrial Internet platform, Internet of Vehicles application service platform and online car-hailing information service platforms.

Three main contents of the checking are the implementation of cyber security management, technical measures for cyber security protection, and hidden dangers of major cyber security risks.

http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057729/c8112434/content.html

CAC seeks opinions on revising Administrative Provisions on Information Services Provided through Official Accounts to Internet Users

On October 15, 2020, the Cyberspace Administration of China (“CAC”) issued the Administrative Provisions on the Information Services Provided through Official Accounts to Internet Users (Draft for Comments) (the “Draft”) for public comments by October 30, 2020.

The Draft stipulates that a platform for the information services provided through official accounts should: prohibit official accounts that have been closed in accordance with the law and agreement from re-registering with the same account names; review applications for the registration of official accounts engaged in producing information in the economic, education, health, justice and other fields, and require users to provide evidentiary materials related to their professional background and professional qualifications when registering; and prohibit the compulsory subscription to or following of official accounts of other users without the informed consent of Internet users. The platform may suspend or terminate the provision of services, according to the service agreement, for official accounts that are not logged in to or used for more than six months after Internet users have registered them. Ten kinds of behaviors are also prohibited, among which it is required not to “manipulate and utilize multiple platform accounts, release homogeneous information in batch, generate false traffic data, and create false public opinion hot spots”.

http://www.cac.gov.cn/2020-10/15/c_1604325530663495.htm

Standing Committee of the National People’s Congress adopts the Export Control Law

The Export Control Law of the People’s Republic of China (the “Export Control Law”), adopted at the 22nd Session of the Standing Committee of the 13th National People’s Congress on October 17, 2020, has been promulgated and takes effect on December 1, 2020.

According to the Export Control Law, the term “export control” refers to prohibitive or restrictive measures taken by the State against the transfer of controlled items from the territory of the People’s Republic of China to overseas, and the provision of controlled items by citizens, legal persons and other non-incorporated organizations of the People’s Republic of China to foreign organizations and individuals.

The Export Control Law provides reciprocal measures: where any country or region harms the national security and interests of the People’s Republic of China by abusing the export control measures, the People’s Republic of China may take reciprocal measures against such country or region in light of the actual situations.

The Export Control Law also stipulates that where an exporter has established an internal compliance system for export control and the system is in good operation, the State’s export control authorities may grant it a general license or take other facilitation measures for relevant controlled items exported by it. Specific measures shall be formulated by the State’s export control authorities.

http://www.npc.gov.cn/npc/c30834/202010/cf4e0455f6424a38b5aecf8001712c43.shtml

China will establish a biosafety information sharing system and biosafety information release system

The Biosecurity Law of the People’s Republic of China (the “Biosecurity Law”) was adopted at the 22nd Session of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on October 17, 2020, and takes effect on April 15, 2021.

The Biosecurity Law provides that the State will establish a biosafety information sharing system. The national biosafety work coordination mechanism shall organize the establishment of a unified national biosafety information platform, and the relevant authorities shall collect and deliver biosafety data, materials and other information to the national biosafety information platform to achieve information sharing.

In addition, the Biosecurity Law provides that the State will establish a biosafety information release system. Major biosafety information such as the overall situation of the national biosecurity, major biosecurity risk warnings, major biosecurity incidents and their investigation and handling information shall be released by the members of the national biosafety work coordination mechanism according to the division of their responsibilities; other biosafety information shall be released by the relevant departments under the State Council, the local people’s governments at or above the county level and the relevant departments thereof according to their responsibilities and authority. No organization or individual may fabricate or spread false biosafety information.

The Biosecurity Law also requires that where the information on human genetic resources of China is to be provided or made available for use to any overseas organization or individual or the institution established or actually controlled thereby, a report shall be submitted in advance to the department in charge of science and technology under the State Council and information backup shall be submitted.

http://www.npc.gov.cn/npc/c30834/202010/85c189382f6641f8aac2fa1994809df7.shtml

The Chapter Network Protection has been added to the Law on the Protection of Minors

The 22nd Session of the Standing Committee of the 13th National People’s Congress adopted the Law of the People’s Republic of China on the Protection of Minors (Revised in 2020) (the “Law”) on October 17, 2020, which shall take effect from June 1, 2021.

A chapter on Network Protection has been added to the revised Law, and its provisions on the protection of minors’ personal information are as follows:

  • Information processors who process personal information of minors through the Internet shall follow the principles of legality, legitimacy and necessity. On processing the personal information of minors under the age of 14, the consent of their parents or other guardians shall be obtained, except as otherwise provided by laws and administrative regulations.
  • If minors, their parents or other guardians require the information processor to correct or delete the personal information of minors, the information processor shall take timely measures to correct or delete the personal information, unless otherwise provided by laws and administrative regulations.
  • If the Internet service provider discovers that minors release private information through the Internet, they shall prompt them in time and take necessary protection measures.
  • If the Internet service provider discovers that the user publishes or disseminates information that may affect the physical and mental health of minors without making a noticeable reminder, it shall make a reminder or notify the user to be reminded; if no reminder is given, the relevant information shall not be transmitted.
  • If the Internet service provider finds that the user publishes and disseminates the information that endangers the physical and mental health of minors, it shall immediately stop transmitting the relevant information, take measures such as deleting, shielding and disconnecting links, keep relevant records, and report to the cyberspace administration, public security and other departments.
  • If the Internet service provider discovers that a user has committed an illegal or criminal act against a minor by using its Internet service, it shall immediately stop providing Internet service to the user, keep relevant records and report to the public security organ.

http://www.npc.gov.cn/npc/c30834/202010/82a8f1b84350432cac03b1e382ee1744.shtml

Network transaction operators shall keep the personal information collected strictly confidential 

On October 20, 2020, the State Administration for Market Regulation issued the Measures for the Supervision and Administration of Online Transactions (the “Draft”) for public comments by November 2, 2020.

On the protection of personal information, the Draft stipulates that network transaction operators shall obtain the authorization and consent of the collector when collecting and using the personal information of users, and clearly state the purpose, necessity, scope and method of collection and use based on the principle of legality, legitimacy and necessity. It is not allowed to adopt a one-off general authorization method, or to force or disguisedly force the collector to agree to the collection and use of information that is not directly related to business activities by default authorization, binding with other authorizations, or stopping installation and use. When collecting and using sensitive information such as biometric information, health information, property information, social information, etc., authorization and consent of the collector shall be obtained one by one. Network transaction operators and their staff shall keep the personal information collected strictly confidential and shall not provide it to any third party, including related parties, without the authorization and consent of the collector.

http://www.samr.gov.cn/hd/zjdc/202010/t20201020_322434.html

MIIT strengthens in-process and ex-post regulation of foreign-funded telecommunications enterprises

On October 20, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Circular on Strengthening the In-process and Ex-post Regulation of Foreign-invested Telecommunications Enterprises (the “Circular”).

The Circular provides that the MIIT will cease to approve and issue the Examination Decision on Foreign Investment in Telecommunications (the “Decision”) from the date of issuance of the Decision of the State Council on Cancelling and Decentralizing a Number of Administrative Licensing Items, and the examination of foreign investments will be included in the process of approval of business licensing for telecommunications accordingly. The Circular further clarifies that foreign-invested enterprises that have been approved with the Decision issued previously may continue to apply for the business licensing for telecommunications in accordance with legal procedures. When directly applying for the business licensing for telecommunications or for changes in the telecommunications business, subsequent foreign-invested enterprises are required to concurrently submit relevant application materials on foreign investments, and the MIIT will handle the applications in accordance with laws and regulations.

The Circular also stipulates that restrictions on shareholding ratio held by foreign investors and other access policies and requirements shall be still subject to the Administrative Provisions on Foreign-funded Telecommunications Enterprises, the Telecommunications Regulations of the People’s Republic of China, the Special Administrative Measures (Negative List) for Foreign Investment Access, and other legal documents.

http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757020/c8126050/content.html

The Law of the People’s Republic of China on Personal Information Protection (Draft) is released

On October 21, 2020, the 22nd Session of the Standing Committee of the 13th National People’s Congress released the Law of the People’s Republic of China on Personal Information Protection (Draft) (the “Draft”) for public comments by November 19, 2020.

The Draft provides that it shall apply to activities conducted by organizations and individuals to process the personal information of natural persons within the territory of the People’s Republic of China. It shall also apply to activities outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:

  • personal information processing is to serve the purpose of providing products or services for natural persons within the territory of the People’s Republic of China;
  • personal information processing is to serve the purpose of analyzing and evaluating the behaviors of natural persons within the territory of the People’s Republic of China; or
  • other circumstances as stipulated by laws and administrative regulations.

On the cross-border transfer, the Draft requires that critical information infrastructure operators and personal information processors who process personal information up to the amount as specified by the State cyberspace authorities shall store within the territory of the People’s Republic of China the personal information which they collect and generate within the territory of the People’s Republic of China. If it is really necessary to provide such information overseas, critical information infrastructure operators and personal information handlers shall pass security assessment organized by the State cyberspace authorities; if any law, administrative regulation or the State cyberspace authorities stipulate that security assessment may not be conducted, such provision shall prevail.

The Draft also provides that where personal information is processed in violation of this Law or personal information is processed without any necessary security protection measure in compliance with regulations, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and issue a warning; and, if correction is not made, a fine of up to CNY1 million shall be imposed on the personal information processor if it is an organization; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY10,000 and CNY100,000. If the unlawful act mentioned in the preceding paragraph is grave, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and impose a fine of up to CNY50 million, or 5% of last year’s annual revenue, and may also order the suspension of related business operations or suspension of business for rectification, and/or report to relevant competent authorities for the cancellation of the related business permit or cancellation of the business license; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY100,000 and CNY1 million.

http://www.npc.gov.cn/flcaw/userIndex.html?lid=ff80808175265dd401754405c03f154c

The Ministry of Industry and Information Technology announced the fifth batch of Apps on infringement of users’ rights and interests

The Ministry of Industry and Information Technology recently organized a third-party testing agency to inspect the mobile phone application software and urge enterprises which do not meet relevant requirements to rectify. As of October 26, there are 131 Apps that have not been rectified, and these Apps should be rectified before November 2. In this test, many problems were found in input method Apps, travelling Apps, e-commerce Apps, audio and video Apps. Some App stores and mobile application distribution platform management entities have not fulfilled their responsibilities, and SDK enterprises illegally collected user personal information.

http://www.miit.gov.cn/n1146290/n1146402/c8136537/content.html

 


REGULATIONS

The Chinese side proposes a Global Initiative on Data Security

On September 8, 2020, Foreign Minister Wang Yi delivered a keynote speech at a high-level meeting of an international seminar on the theme “Seizing Digital Opportunities for Cooperation and Development” and proposed a Global Initiative on Data Security (“Initiative”). The Initiative mainly includes the following:

First, approach data security with an objective and rational attitude, and maintain an open, secure and stable global supply chain.

Second, oppose using information and communications technology (ICT) activities to impair other States’ critical infrastructure or steal important data.

Third, take actions to prevent and put an end to activities that infringe upon personal information, oppose abusing ICT to conduct mass surveillance against other States or engage in unauthorized collection of personal information of other States.

Fourth, ask companies to respect the laws of host countries, desist from coercing domestic companies into storing data generated and obtained overseas in one’s own territory.

Fifth, respect the sovereignty, jurisdiction and governance of data of other States, avoid asking companies or individuals to provide data located in other States without the latter’s permission.

Sixth, meet law enforcement needs for overseas data through judicial assistance or other appropriate channels.

Seventh, ICT products and services providers should not install backdoors in their products and services to illegally obtain user data.

Eighth, ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products.

https://www.fmprc.gov.cn/web/ziliao_674904/1179_674909/t1812949.shtml

  

The Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System

Recently, the Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System (“Opinions”). The Opinions mainly include the following:

  1. Implementing the multi-level protection system of national cybersecurity
  • Deepening the work of network classification filing

Network operators which are classified as Level 2 or above shall file with the public security organ and the competent department of the industry.

  • Carrying out cybersecurity classification assessment regularly

Network operators which are classified as Level 3 or above shall entrust a classification assessment institution in line with the relevant provisions of the State to carry out cybersecurity classification assessment once a year, and timely submit the assessment report to the public security organ and the competent department of the industry. New networks above Level 3 should be put into operation only after passing the classification assessment.

  • Implementing cryptography security protection requirements

Network operators which are classified as Level 3 or above shall correctly and effectively adopt cryptography technology for protection and use cryptography products and services meeting relevant requirements.

  2. Establishing and implementing the critical information infrastructure security protection system
  • Organizing to identify critical information infrastructure

The competent departments (hereinafter referred to as the “Protection Departments”) of important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense science and technology industry, shall formulate rules for the recognition of critical information infrastructure in their respective industries and fields and report them to the Ministry of Public Security for the record.

  • Strengthening the protection of important data and personal information.

Establishing and implementing the important data and personal information protection system. Operators shall store within the territory of the People’s Republic of China the personal information and important data collected and generated during their operation within the territory of the People’s Republic of China. Where such information and data have to be provided abroad for business purposes, security assessment shall be conducted pursuant to relevant provisions.

http://www.nanning.gov.cn/zt/rdzt/2020wsxcz/zcfg_0910/t4461545.html

Beijing: allow foreign companies to invest in virtual private networks 

The State Council recently approved the Work Plan for Deepening a New Round of Comprehensive Pilot Projects for the Opening up of Beijing’s Service Industry and the Construction of a Comprehensive Demonstration Area for the Expansion of National Service Industry (“Plan”). The Plan will:

  1. Allow foreign companies to invest in domestic internet virtual private networks (VPN), with a proportion of foreign shares not exceeding 50 percent. Overseas telecommunications carriers can set up joint ventures to provide such services for foreign enterprises in Beijing.
  2. Support the application of Internet of vehicles (intelligent connected-cars) and automatic driving map and build the Beijing–Shanghai Internet of vehicles highway.
  3. Standardize the safe and orderly cross-border flow of data, explore the establishment of data security management mechanisms such as data protection capability certification and promote the pilot project of security management and assessment on data cross-border transfer.

http://www.gov.cn/zhengce/content/2020-09/07/content_5541291.htm

 

The China Banking and Insurance Regulatory Commission: To standardize health management services of insurance companies to ensure the safety of relevant data and information

The China Banking and Insurance Regulatory Commission (“CBIRC”) has issued the Circular on Standardizing Health Management Services of Insurance Companies (the “Circular”) on September 6, 2020.

The Circular emphasizes the following personal information protection work:

  1. informing customers of the content, process, standard, term, precautions and possible risks of health management services in advance and obtaining the informed consent of customers. Participation by any third-party service cooperation organization shall be informed at the same time;
  2. obtaining the consent of customer when obtaining the customer’s health data; and
  3. not providing the customer’s personal information or any health data without the authorization of the customer to ensure data security and protect personal privacy according to law.

http://www.cbirc.gov.cn/cn/view/pages/ItemDetail.html?docId=927766

 

The People’s Bank of China: To obtain the consent of financial consumers when collecting their financial information

On September 15, 2020, the People’s Bank of China (“PBOC”) issued the Implementing Measures of the People’s Bank of China for Protection of Financial Consumers’ Rights and Interests (“Measures”), which will take effect on November 1, 2020.

On protection of financial information of consumers, the Measures provide that banks and payment institutions shall:

  • adhere to the principles of legitimacy, bona fide and necessity, and obtain the explicit consent of financial consumers or their guardians, unless otherwise stipulated by laws and administrative regulations;
  • not collect consumers’ financial information unrelated to their business, nor adopt improper means to collect consumers’ financial information, nor force consumers to collect their financial information in disguise;
  • not refuse to provide financial products or services on the ground that financial consumers do not agree to have their financial information processed, except that processing their financial information is necessary for providing financial products or services;
  • use appropriate means to enable financial consumers to independently choose whether or not to consent to the use of their financial information by banks and payment institutions for the purposes of marketing, user experience improvement or market investigation. Where the financial consumers do not agree, banks and payment institutions shall not refuse to provide financial products or services. If banks and payment institutions send financial marketing information to financial consumers, they shall provide them with ways to refuse to continue receiving the financial marketing information;
  • specify in the terms the purpose, method and content of collection and scope of use, and remind financial consumers of the possible consequences of such consent in an obvious and easy-to-understand way where banks and payment institutions have obtained the consent to the collection and use of financial information from consumers under standard terms; and
  • use consumers’ financial information pursuant to the provisions of laws and regulations and for the purpose agreed between both parties and shall not use such information beyond the agreed scope.

http://www.pbc.gov.cn/tiaofasi/144941/144957/4099060/index.html

 

The Ministry of Commerce promulgated the Provisions on the Unreliable Entity List

On September 19, 2020, the Ministry of Commerce promulgated the Provisions on the Unreliable Entity List (“Provisions”) which shall take effect from the same date of the promulgation.

The State shall establish the Unreliable Entity List System (“System”) and a working mechanism in which relevant central departments participate (hereinafter referred to as “the Working Mechanism”) to take charge of the organization and implementation of the System. The Office of the Working Mechanism is located at the competent department of commerce of the State Council.

The Working Mechanism shall, based on the results of the investigation and by taking into overall consideration the following factors, make a decision on whether to include the relevant foreign entity in the Unreliable Entity List (“List”), and make an announcement of the decision:

  • the degree of danger to national sovereignty, security or development interests of China;
  • the degree of damage to the legitimate rights and interests of enterprises, other organizations, or individuals of China;
  • whether it complies with internationally accepted economic and trade rules; and
  • other factors that shall be considered.

The Working Mechanism may, based on actual circumstances, decide to take one or several of the following measures (hereinafter referred to as the “Measures”) against the foreign entity which is included in the List, and make an announcement of the decision:

  • restricting or prohibiting the foreign entity from engaging in China-related import or export activities;
  • restricting or prohibiting the foreign entity from investing in China;
  • restricting or prohibiting the foreign entity’s relevant personnel or means of transportation from entering into China;
  • restricting or revoking the relevant personnel’s work permit, status of stay or residence in China;
  • imposing a fine of the corresponding amount according to the severity of the circumstances; and
  • other necessary measures.

http://www.mofcom.gov.cn/article/b/fwzl/202009/20200903002593.shtml

 

Beijing to explore the establishment of international information industry and digital trade port

On September 21, 2020, the State Council announced the Overall Plan of China (Beijing) Pilot Free Trade Zone (the “Plan”).

The Plan points out that Beijing will explore the establishment of international information industry and digital trade port. The specific measures are as follows:

  • having priority to explore software real name certification, data origin label identification, import and export of data product, etc. on the premise of controllable risks;
  • building the digital copyright trading platform to promote the development of intellectual property protection and intellectual property financing business;
  • conducting efficient and convenient digital import and export inspection on software and Internet service trade;
  • actively exploring the third-party authentication mechanism for the data protection capability of enterprises; and
  • exploring the establishment of a website filing system to meet the needs of overseas customers.

http://www.gov.cn/zhengce/content/2020-09/21/content_5544926.htm?_zbs_baidu_bk

 

Task Force on Personal Information Protection by Apps: 81 Apps have personal information collection and use problems

On September 17, 2020, the Task Force on the Personal Information Protection by Apps (“Task Force”) announced that its assessment had found problems in the collection and use of personal information in 81 Apps. It suggested that the relevant App operators rectify the existing problems in a timely manner and report the rectification status to the Task Force within 30 days from the date of the announcement. After the 30 days, the Task Force will verify the rectification status and submit the review results to the relevant departments; App operators who fail to effectively rectify relevant problems will be punished according to the law.

https://mp.weixin.qq.com/s/hLK2EziD8NSF3G1_0VR_Hg

 

FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) and other two standards released

During the recent 2020 National Cyber Security Promotion Week, the Task Force on the Illegal Collection and Use of Personal Information by Apps (“Task Force”) held an “App Personal Information Protection” theme release event in Beijing (“Event”). At the Event, three standards related to personal information protection by Apps were released: the FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) (“FAQ and Handling Guide”), the Mobile Internet Application (App) System Permission Application Guidelines (“System Permission Guidelines”) and the Security Guidelines for Third-Party Software Development Kit (SDK) in Mobile Internet Applications (App) (Draft for Comment) (“Draft SDK Security Guidelines”).

The FAQ and Handling Guide addresses the problems of excessive collection, mandatory claims for permission, frequent claims for permission, and unsynchronized notification of the purpose of collection by Apps. Based on statistics on the frequency of related problems, it gives the top ten frequently asked questions and handling guidelines in current App personal information protection, in order to help App operators prevent and deal with related problems.

The System Permission Guidelines address typical issues such as mandatory, frequent, and excessive claims for system permissions by Apps, bundling authorization, privately calling permissions to upload personal information, and sensitive permissions abuse. They also provide the basic principles and security requirements for system permissions by Apps, which can help App providers standardize App system permission applications and use behaviors and prevent personal information security risks caused by improper use of system permissions.

The Draft SDK Security Guidelines address the problems of third-party SDK’s own security vulnerabilities, malicious third-party SDKs, and unlawful collection and use of personal information by third-party SDKs in the current third-party SDK use practice. Combined with current mobile Internet technology and application status, the Draft SDK Security Guidelines provide practical guidelines for App providers and third-party SDK providers on third-party SDK security issues, aiming to reduce App security and personal information security issues caused by third-party SDKs.

In addition to the above guidelines, the Event also released the promotion video and the English version of the national standard Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) for readers’ convenience, as well as other work results in areas such as App security certification, free evaluation tools, research reports and popular science.

https://www.tc260.org.cn/front/postDetail.html?id=20200920124356

 

The People’s Bank of China issued the Financial Data Security Guidelines for Data Security Classification 

On September 23, 2020, the People’s Bank of China (“PBOC”) issued the Financial Data Security Guidelines for Data Security Classification (“Guidelines”). The Guidelines apply to financial institutions carrying out data security classification work, as well as to third-party assessment institutions carrying out data security inspection and evaluation.

According to the Guidelines, the financial data involved in the security classification include but are not limited to:

  • data collected directly (or indirectly) in the process of providing financial products or services, including data signed or collected through the counter with paper agreement and transferred or saved in computer system after information processing, and electronic information signed or collected through information system;
  • data generated and stored in the information system of financial institutions, including business data, operation and management data, etc.;
  • electronic data generated, exchanged and filed in the internal office network and office equipment (terminal) of financial institutions, for example, daily business processing information, policies and regulations, business or business management data temporarily stored in business terminals, e-mail information, etc.;
  • electronic data formed by scanning or other electronic means of the original paper documents of financial institutions;
  • other data that should be classified.

At the same time, the Guidelines provide that, according to the objects affected and the degree of impact caused by damage to the data security of financial institutions, the data security level is divided into Level 5 to Level 1 from high to low.

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1873

 

Implementation Plan for the Establishment of Beijing International Big Data Exchange: establish and perfect the new data element management system of “separation of ownership and right of use”

On September 29, 2020, Beijing Local Financial Supervision and Administration and Beijing Municipal Bureau of Economy and Information Technology issued the Implementation Plan for the Establishment of Beijing International Big Data Exchange (“Plan”).

The Plan will establish and improve the new data element management system of “separation of ownership and right of use”, explore a new mechanism for orderly circulation and efficient utilization of data elements, deeply implement the Beijing big data action plan, and strengthen the integration and application of cross regional, cross domain, cross department and cross level data resources.

The Plan points out that Beijing municipal state-owned enterprises with high-quality data resources will restructure the existing exchange and change its name to Beijing International Big Data Exchange. Strategic investors such as central enterprises and Internet enterprises will be introduced in time to increase registered capital, change business scope and change trading varieties. The service content of Beijing International Big Data Exchange will include data information registration service, data product trading service, data operation management service, data asset financial service and data asset financial technology service.

http://jrj.beijing.gov.cn/tztg/202009/t20200929_2103035.html

 


Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.

Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.

Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.

Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.

by Samuel Yang, AnJie Law Firm and Practical Law China

An overview of the regulation of cloud computing in China. This note covers the characteristics of cloud computing, including its risks and benefits, the regulatory framework for cloud computing in China and key issues in negotiating cloud computing services.

Scope of this note

What is cloud computing?

Characteristics of cloud computing

Service models

Deployment models

Benefits of cloud computing

Risks of cloud computing

Cloud computing market development in China

Regulatory framework of cloud computing in China

Internet resource co-ordination services

Licences required for operating cloud services

Foreign investment restrictions

Work-around arrangements for foreign investors

Security assessment measures for cloud computing platforms

Key legal issues in negotiating cloud service contracts

Personal privacy and cybersecurity issues

IP protection issues

Service performance

Governing law and applicable law

Scope of this note

In recent years, China has been increasing its regulation in areas such as cybersecurity and data security with legislation such as the Cybersecurity Law 2016 (2016 CSL, with effect from 1 June 2017). Cloud computing is both a rapidly growing market in China and subject to this expanding regulatory regime. This note explores the general characteristics of cloud computing, including its risks and benefits, as well as its regulatory framework in China and key issues in negotiating cloud computing service agreements.

(For general information on regulatory developments of cybersecurity and data protection in China, see Practice note, Quick guide: Cybersecurity and data protection: China.)

What is cloud computing?

Cloud computing is a style of computing in which dynamically scalable and often virtualised resources are provided as a service over the internet. The cloud is a metaphor for networks, internet, computers, laptops, mobile phones and other ways for users to access data centre operations according to their needs. Cloud computing can be powerful enough to reach 10 trillion operations per second, which can be used in computing-intensive operations such as simulating nuclear explosions and predicting climate change and market trends.

The Security Guide for Cloud Computing Services (2016) (Cloud Security Guide) (云计算安全指南2016) issued by the China Academy of Information Communications Technology (CAICT) (中国信息通信研究院) defined cloud computing as:

“a model that provides computing resource services through the network, through which customers, on a dynamic and self-service basis, receive and manage the computing resources provided by the cloud service providers according to their needs. Computing resources include servers, operating systems, networks, software, and storage devices.”

Characteristics of cloud computing

The characteristics of cloud computing include:

  • On-demand self-service. Customers can obtain the required computing resources with limited participation, or even without participation from cloud service providers. In some cases, customers can solely and independently determine the time and quantity of resources that they want to receive.
  • Ubiquitous access. Through a standard access mechanism, customers can use a computer, laptop, mobile phone, tablet or other terminals to access cloud computing services at any time and in any place.
  • Resource pooling. Cloud service providers provide resources (such as computing resources, storage resources and network resources) to multiple customers. These physical or virtual resources can be dynamically allocated or redistributed among the customers according to their needs.
  • Fast scalability. Customers can acquire and release computing resources as needed quickly, flexibly and conveniently. For customers, the resources are “infinite” and they can acquire additional resources at any time.
  • Measurable service. Cloud computing can automatically control or quantify resources in accordance with a variety of measurement methods (such as pay-per-view or re-charge). The measurements may include, for example, storage space, computing power, network bandwidth or active accounts.

Service models

Cloud computing technology is generally categorised into three different service models:

  • Infrastructure as a Service (IaaS). This model concerns the provision of computers, networking, storage, load balancing and virtual machines. These services and end-user hardware and software resources can be expanded or contracted according to customer needs.
  • Platform as a Service (PaaS). In this model, managed service providers help customers by providing work platforms, including execution time, databases, web services, development tools and operating systems, without the need for customers to manually allocate resources.
  • Software as a Service (SaaS). This model includes software components such as virtual desktops, utility applications, content resource management, email and software. In this model, the cloud service provider is responsible for installing, managing and operating the software, and customers log in and use the software through the cloud.

Deployment models

Depending on how the cloud is deployed, there are four models of cloud computing which meet varying customer requirements:

  • Public cloud. In this model, standardised applications, resources, storage and other services are provided to a variety of customers on a shared, self-service, “pay as you go” basis. This deployment model typically provides scalable cloud services and can be efficiently set up.
  • Private cloud. A private cloud is the cloud infrastructure operated solely for a single organisation, that is managed either internally or by a third party, and hosted either internally or externally. In this model, correction, inspection and other security issues need to be taken care of by the organisation itself. In addition, the entire system also requires the organisation’s own money to buy, build and manage. This cloud computing model can provide the full benefit and functionality of the service to its owner.
  • Community cloud. This model is built on a specific group of multiple similar targets, such as companies, that share a common set of infrastructure and the related costs.
  • Hybrid cloud. A hybrid cloud is a mixture of two or more cloud computing models, such as public and private clouds. The models are independent of each other, but are all included within the cloud, so organisations can take advantage of a tailored mix of cloud computing models.

Benefits of cloud computing

The main benefits of cloud computing include:

  • Reducing overhead and energy consumption. The use of cloud computing services can convert hardware and infrastructure construction funds into on-demand services. Customers only pay for the resources used and do not need to bear the cost of building and maintaining the infrastructure, therefore avoiding incurring capital investment. Cloud service providers use a variety of technologies, such as cloud infrastructure, virtualisation, dynamic migration and workload consolidation, to improve resource utilisation so that free resource components can be shut down to reduce energy consumption. Multi-tenant sharing mechanisms and the centralised sharing of resources can meet the peak demand for multiple customers in different time periods, therefore avoiding wasting resources due to capacity design and impact on performance by peak demand. Cloud services reduce operating costs and energy consumption effectively, and therefore are considered to be environmentally friendly.
  • Enhancing business flexibility. Customers using cloud computing services do not need to build a dedicated information system. This shortens the business system construction cycle, enables customers to focus on business functions and innovation, and improves business response speed and quality of service.
  • Improving availability of business systems. The resource pooling and scalability of cloud services enable customers to expand their business systems dynamically to meet the rapid expansion of their business and avoid the interruption of customer service systems due to sudden increases in demand. The backup and multi-copy functions of cloud computing can improve the robustness and availability of business systems and avoid data loss and business failures.
  • Access to professional services. Cloud service providers have professional staff and can update or adopt advanced technologies and equipment in a timely manner. The professional technical, management and personnel support of cloud service providers can give access to a higher level of advanced technical services.

Risks of cloud computing

Major risks for customers using cloud computing solutions include:

  • Weakened ability to control data and business systems. In the cloud computing environment, customers migrate their data and business systems to cloud service providers’ cloud computing platforms, thereby losing the direct control over these data and business systems.
  • Difficulty in dividing responsibility between customer and cloud service provider. In the cloud computing environment, the responsibility for customer management and the responsibility for the customer’s data security are accorded to different persons, and it is not easy to delineate the responsibility between them. Furthermore, different service patterns and deployment patterns and the complexity of the cloud computing environment also increase the difficulty of dividing the responsibility between cloud service providers and customers. In addition, cloud service providers may also purchase services from other cloud service providers which will lead to more difficulty in defining their responsibility.
  • Jurisdiction issues. The actual storage location of the data is often outside the customer’s control. Authorities in some countries may require cloud providers to provide access to these data centres in accordance with their national laws, and may even require the providers to provide access to data stored in other countries’ data centres, which changes the jurisdictional relationship between an organisation and its data. (For more information on the Chinese regulatory regime on data transfers from China to other jurisdictions, see Practice note, Cross-border data transfers: China.)
  • Challenges to ownership of customer data. Customer data which is migrated to the cloud computing environment and the data which is generated and accessed in subsequent processes are both under the cloud service providers’ control, and the providers are able to access or use the customer data. In contrast, customers may need to be authorised by the cloud service providers to access, use and manage their own data. If there is no clear regulation, the customer’s ownership and control of its own data is difficult to guarantee.
  • Data protection is more difficult. Cloud computing platforms use virtualisation and other technologies to achieve multi-customer shared computing resources. Because the barriers and other protections between virtual machines are vulnerable to attack, the risk of unauthorised data access across virtual machines is significant. As the complexity of cloud computing platforms increases, it is more difficult to implement effective data protection measures against the risks of unauthorised access, tampering, disclosure and loss of customer data. The Chinese government is also planning a new Data Security Law (see Legal update, NPC Standing Committee circulates draft Data Security Law).
  • Data residue. Storage media that store customer data are owned by the cloud service providers, and customers do not manage or control the storage media directly. When customers exit the cloud computing services, the cloud service providers should completely delete the customers’ data, including the backup data. However, to date there are no valid mechanisms, standards or tools in place to verify that the cloud service providers have fully deleted these data. The data may still partially or even completely remain on the cloud computing platform after the client exits the cloud computing service.
  • Potential dependence on specific service providers. Due to the lack of uniform standards and interfaces, customer data and services on different cloud computing platforms are difficult to migrate between platforms, as well as to migrate back from a platform to the customer’s data centre. In addition, cloud service providers, for their own benefit, are often reluctant to provide portability for customers’ data and business. This potential dependence on specific cloud service providers may cause the customer’s business to break down with an interruption to the provision of cloud services that, if severe enough, could result in data and business migration to other cloud service providers at a high cost. Another factor in the potential over-reliance on specific service providers is that the cloud computing service market is still maturing, with limited cloud service providers to choose from.

Cloud computing market development in China

China’s cloud computing market is maintaining an overall trend of rapid development with the following features:

  • Public cloud services are expanding gradually from the internet sector to the industry market.
  • The hardware market dominates the domestic private cloud market.
  • Cloud services, and IaaS in particular, are fully embraced by domestic enterprise users. The domestic IaaS market is the first choice for small and medium enterprises for information technology (IT) resources construction in the fields of games, video and mobile internet.
  • PaaS services have become an important platform and the first choice for internet enterprises due to the low cost, fast deployment, and rich application programming interfaces (APIs) for developers. From the user application perspective, the market is demanding changes to services from initial search or map engine services and web services to big data analysis, security monitoring and other more complex services.
  • SaaS services account for the majority of the cloud computing market demand.

Regulatory framework of cloud computing in China

There were no specific laws and regulations regulating cloud computing services in China before the promulgation of the Circular of the Ministry of Industry and Information Technology on Issuing the “Classified Catalogue of Telecommunications Services” 2015 (2015 Telecoms Catalogue, with effect from 1 March 2016) by the Ministry of Industry and Information Technology (MIIT). Although the 2015 Telecoms Catalogue also does not define “cloud computing” or “cloud service”, it is generally accepted that the term “internet resource co-ordination services” (IRCS) (互联网资源协作服务业务) in the catalogue refers to cloud services.

For more general information on the regulatory framework of telecommunications in China, see Practice note, Regulation of telecommunications sector in China: Regulatory framework for telecoms sector.

Internet resource co-ordination services

According to the 2015 Telecoms Catalogue, IRCS means:

“the data storage, internet application development environment, internet application deployment and operation management and other services provided for users through internet or other networks in the manners of access at any time and on demand, expansion at any time and co-ordination and sharing, by using the equipment and resources built on database centres” (section B11).

In addition to the catalogue, the MIIT also released the Notice on the Regulation of Cloud Service Market’s Business Conduct (Draft for Public Comment) (Draft Notice) (关于规范云服务市场经营行为的通知(公开征求意见稿)) in November 2016, which expressly states that “cloud service” is one type of IRCS mentioned in the 2015 Telecoms Catalogue (Article 1).

Licences required for operating cloud services

Under the 2015 Telecoms Catalogue, IRCS is a type of Internet Data Centre Service (IDC) (互联网数据中心业务), which is categorised as a value-added telecoms service (VATS). Providing VATS in China requires a telecoms licence (VATS licence) (see Practice note, Regulation of telecommunications sector in China: Telecoms licensing).

Accordingly, the operation of cloud services in China requires a VATS licence dedicated for IDC business, which is also known as an IDC licence.

The description of the term “IRCS” in the 2015 Telecoms Catalogue is broad and generally understood to cover all types of cloud services, namely IaaS, PaaS and SaaS. Accordingly, in theory the operation of all these types of cloud services requires a VATS licence dedicated for IDC business. However, according to the MIIT’s 2017 interpretation, the operation of certain types of SaaS services does not require a VATS licence if those services are regarded as “pure software services” and do not involve other VATS under the 2015 Telecoms Catalogue.

Foreign investment restrictions

In theory, subject to some foreign capital ratio restrictions, foreign-invested enterprises (FIEs) can apply for an IDC licence according to the Provisions on the Administration of Foreign-Invested Telecom Enterprises 2008 (2008 Foreign-Invested Telecoms Regulations, revised in 2016). The 2008 Foreign-Invested Telecoms Regulations state that a foreign-invested telecommunications enterprise (FITE) operating VATS may not have foreign investors’ capital contribution exceeding 50% (Article 6). In addition, the regulations also require that an FITE providing VATS has registered capital meeting the following minimum capital requirements:

  • At least RMB10 million if the FITE’s operation is nationwide or cross-provincial.
  • At least RMB1 million if the FITE’s operation is within a single province. (Article 5.)

However, as IDC services were not within the scope of VATS that China committed to open up to foreign investment at its accession to the WTO on 11 December 2001, IDC licences have only been granted to Chinese companies and their joint ventures with Hong Kong and Macau investors, and not to companies invested in by investors from other jurisdictions. Although Hong Kong and Macau investors are to some extent also treated as foreign investors by Chinese authorities, their eligibility for IDC licences was specially granted in the Closer Economic Partnership Arrangements (each, a CEPA agreement) entered into by China in 2003 with Hong Kong and Macau, respectively. Each CEPA agreement allows Hong Kong and Macau investors to set up joint venture enterprises with Chinese investors in China to provide IDC services. Hong Kong and Macau service suppliers’ shareholding in these joint ventures may not exceed 50% and there is no geographic restriction for the provision of the IDC services within China. For more information on the preferential policies for Hong Kong and Macau service providers under other CEPA arrangements, see Practice note, Regulation of telecommunications sector in China: Preferential policies under CEPAs.

Except for these special rules for Hong Kong and Macau, foreign investors from other jurisdictions are not eligible to apply for an IDC licence. According to the MIIT website, as of 14 August 2020 there are only twenty Sino-Hong Kong joint ventures which have been granted the VATS licence for the operation of IDC services.

Work-around arrangements for foreign investors

As most foreign-invested companies are not eligible to apply for the IDC licence, they are not allowed to operate cloud services in China under their own names. Foreign cloud service providers have to co-operate with Chinese IDC licence holders to provide cloud services to their customers. These types of co-operation are mainly based on contractual arrangements between the foreign cloud service providers and relevant Chinese IDC licence holders, such as technology licensing, brand licensing and other contractual arrangements, to ensure the foreign cloud service providers can participate in the relevant decision-making process.

However, some types of contractual arrangements between foreign cloud service providers and the relevant Chinese VATS licence holders seem to raise issues of concern to the MIIT, and the Draft Notice appears to have been issued to correct those suspect arrangements. According to the Draft Notice, foreign investors are required to strictly comply with the 2008 Foreign-Invested Telecoms Regulations and the CEPA agreements and other relevant policies concerning IDC services, and to apply for the establishment of FITEs and obtain the corresponding VATS licences before they can operate cloud services in China (Article 3). In addition, the Draft Notice specifically requires Chinese licensed cloud service providers to report their technical co-operation with “relevant entities” to the MIIT, and in the course of such co-operation the licensed cloud service providers should not:

  • Lease or assign their telecoms service licences to the counterparties in any form, or provide resources, venues, facilities or other conditions to the counterparties for their illegal operation.
  • Allow the counterparties to sign contracts with customers directly.
  • Allow the cloud services to be provided only under the trade marks and brands of the counterparties.
  • Illegally provide users’ personal information and network data to the counterparties.
  • Engage in any other illegal acts.

(Article 4.)

The Draft Notice also requires cloud service providers to establish their cloud service platforms in China. When cross-border connectivity is needed, the relevant servers should be connected to overseas networks through the international internet gateways approved by the MIIT. It is forbidden to establish or use other channels for cross-border connectivity through private lines, virtual private networks (VPNs) and other means (Article 7). When providing services to domestic customers, service facilities and network data should be kept within China and cross-border operation and maintenance and data flow should comply with the relevant regulations (Article 9(4)).

These restrictions on the co-operation between licensed cloud service providers and their contractual counterparties indicate that foreign cloud service providers, when co-operating with Chinese licensed cloud service providers, can only play a subordinate role and that any attempt to “control” the Chinese counterparties would likely be challenged by the MIIT.

Security assessment measures for cloud computing platforms

On 2 July 2019, the MIIT together with other ministries jointly issued the Measures on Security Assessments for Cloud Computing Services 2019 (Measures) (云计算服务安全评估办法), with effect from 1 September 2019. The Measures intend to further flesh out the provisions of the 2016 CSL by improving the security and controllability of cloud computing services procured and used by the Communist Party and government organs and operators of critical information infrastructure (CII). The Measures provide that a cloud computing services provider may apply to conduct a security assessment for a cloud platform, and must submit to the security assessment office a declaration form, as well as a cloud computing service system security plan, reports on the continuity of the business, the security of the related supply chain and the feasibility of customer data migration, and other materials.

For more information on the measures, see Legal update, CAC and others issue security assessment measures for cloud computing services platforms.

Key legal issues in negotiating cloud service contracts

Cloud service providers often do not allow changes to their standard terms and conditions. Considering the multi-tenant shared operating model and the multiple components involved in cloud solutions (except for private cloud), proposed changes from different customers may vary greatly. Therefore, it is not economical for cloud service providers to spend time and resources negotiating with customers, especially small and medium-sized customers, to customise their contracts.

Where cloud service providers are willing to discuss changes to their terms and conditions (normally with large corporate customers that have stronger bargaining power), customers are recommended to do their due diligence first to understand any potential legal compliance issues with the proposed cloud solutions and whether any gaps exist between the customers’ expectations and the proposed cloud solutions. Customers then need to prioritise the areas in which they want to mitigate these issues and deal with them accordingly. The areas of data protection and cybersecurity, intellectual property (IP) rights and service performance are perhaps among the most important for all cloud computing contracts.

Personal privacy and cybersecurity issues

Personal privacy and cybersecurity issues have become some of the primary factors that customers need to take into account in deciding whether to migrate their IT infrastructure to the cloud. The service calculation mode, dynamic virtualisation management and multi-tenant shared operating model of cloud computing services pose a serious challenge to the security and privacy of personal and business data. Both customers and cloud service providers must comply with applicable laws governing personal privacy protection and cybersecurity. Although still at an early stage, various Chinese laws and regulations have imposed some fundamental principles for the protection of personal privacy and cybersecurity (for example, see Practice note, Data privacy in China and Security assessment measures for cloud computing platforms). Before entering into a cloud service contract, the customer needs to ensure that the transfer of personal data to the cloud service provider has been notified to the relevant personal data subjects and that the subjects have consented to the transfer. As the cloud service customer is primarily responsible for the security and personal privacy of its own customers’ data, it needs to ensure that personal data and other customer data are handed over to cloud service providers with sound and robust safeguards. The cloud service provider has the responsibility to ensure the safety of customer data, including personal data processed on behalf of the customers.

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users 2013 issued by the MIIT require that telecommunications business operators and internet information service providers be responsible for the security of users’ personal information as collected and used during the provision of services.

This obligation applies to cloud service providers. Accordingly, in a cloud service contract the customer should require the cloud service provider to abide by all relevant legislation in the personal data protection and cybersecurity areas. The contract should stipulate that the cloud service provider must not release any information to a third party, even when they are requested to disclose the information by a foreign government.

Moreover, the customer should require the cloud service provider not to access, revise, release, use, transfer or destroy any data from the customer without the customer’s consent. (For more information, see Practice note, Data privacy in China: Data privacy principles.)

In addition, when entering into a cloud services contract both the customer and the cloud service provider need to take into account regulations restricting data flow to foreign jurisdictions. This restriction typically applies to those industries which are considered to concern the national security of China. For example, the 2016 CSL requires operators of CII to store within China personal information and important business data that was collected in China. However, these may be transmitted abroad on successful completion of a security assessment by the relevant authorities (Article 37). The cloud service customer therefore needs to assess whether its IT infrastructure can be regarded as CII and if so, it will need to take the relevant requirements into account in the selection of a cloud service provider, and work with the provider to put in place technical and management measures and contractual terms to ensure that the data flows are compliant.

For more information on the 2016 CSL, see Legal update, China passes Cybersecurity Law.

For more information on cross-border data transfers, see Practice note, Cross-border data transfers: China.

For more information on the protection of personal data privacy in China generally, see Practice notes, Data privacy in China and Data breach notification in China.

IP protection issues

Cloud computing can raise complex IP issues. On the one hand, IP rights are specific to jurisdictions. IP laws vary among jurisdictions, so a protectable IP right in one jurisdiction may not be protected equally, if at all, in another jurisdiction, and an infringement of IP rights in one jurisdiction may not be an infringement in another jurisdiction.

On the other hand, cloud computing is meant to break boundaries and work across jurisdictions, as in the cloud computing environment technology and data are frequently used beyond national borders. This tension can be a significant issue for both cloud service providers and their customers. Both parties should be clearly aware of the specific differences in IP laws that are relevant to their business operations, and should actively manage those discrepancies through their contractual arrangement with each other or through other means, to mitigate the risks of infringing the IP rights of third parties or suffering infringement of their own IP rights.

Another reason for the complexity of IP rights is that cloud computing solutions include multiple components and the relevant IP rights may belong to different licensors. The cloud service provider which signs the contract with a customer may not have the right to license or sublicense all of these IP rights to the customer. A defect which exists in any part of the licensing chain from the original licensor to the customer may present licensing risks and potential liabilities to the customer. Even if the cloud service provider has the right to license or sublicense the necessary IP rights to the customer, the customer may face the risk of service interruption if an essential IP licence in the cloud solution expires and the cloud service provider fails to renew it or provide an alternative solution. To mitigate these risks, the customer should seek full IP right indemnities from the cloud service provider for all service offerings in the cloud solution, while the cloud service provider may try to defend its position by only providing limited indemnities, or by leaving room for it to seek alternative solutions to replace the IP-flawed solutions without providing any indemnities to the customer.

Service performance

In a typical software licensing agreement or hardware sale agreement, there normally is no measurement, or only very simple measurements, provided to determine whether the product performs “normally”. Moreover, due to the vague standards of good performance, usually no compensation is provided to the customer if the software or hardware does not perform well enough. However, as cloud computing is provided as a service covering hardware, software, network and maintenance, there are several more measurable parameters which can be used to determine if the cloud service is provided up to certain standards. It is therefore possible, and necessary, to set up a mechanism of service performance measurement for cloud services and corresponding compensation payable to the customer for poor performance. This mechanism is now a common practice in the cloud industry and is known as a service level agreement (SLA).

The measurements under an SLA can include availability of the service (normally in the form of the percentage of usable time against a certain period of time), the cloud service provider’s response time for customer fault reports, time needed to fix problems (known as mean time to repair or MTTR) or other specific measurable parameters depending on the nature of the cloud services provided. Accordingly, if the cloud service provider fails to meet the relevant parameters set out in the relevant SLA, then a calculated compensation (known as service credits) will be paid by the cloud service provider to the customer. The customer should analyse the measurable parameters in its contracted cloud service and seek to agree with the cloud service provider on the applicable service credits and other SLA provisions. Given that customers may have migrated their essential operating systems and applications to the cloud, they may not tolerate any outage or interruption of the cloud service. A “business continuity” clause deals with how the cloud service provider should act to ensure that the customer can still use the contracted services in the event of an outage or interruption of service. This normally involves the customer requiring certain visibility, as a contractual right, of the cloud service provider’s business continuity plan (BCP). The customer may also require that the provider’s BCP and any changes to it should be discussed with and approved by the customer to ensure that the customer’s own BCP requirements will be integrated as part of the cloud service provider’s BCP practice.

Governing law and applicable law

Cloud service providers and their customers are sometimes located in different jurisdictions, and the operation of the cloud service may also involve other jurisdictions. Therefore, governing law issues should be carefully considered taking into account, for example, whether the law of the relevant jurisdiction has a different set of rules for the handling of personal data and business data from the principles agreed by the parties in the agreement. For example, the data protection rules of the EU are generally stricter than those in China (for more information, see Practice notes, Data privacy in China and Overview of EU General Data Protection Regulation).

The concept of applicable law is different from the governing law of the agreement, and knowing this is especially important for a customer entering into a cloud service contract. Depending on the jurisdictions where the cloud service provider operates, the laws and regulations of multiple jurisdictions may be applicable to the cloud service.

While it is generally still a good practice for the customer to require the cloud service provider to comply with all applicable laws, the customer should assess whether it will become subject to the laws of a specific jurisdiction because its data will be processed or stored there. If those laws would present challenges to the secrecy and security of its data, the customer may need to consider whether technical measures should be put in place by the cloud service provider to prevent, if possible, the data from being stored or processed in that jurisdiction to avoid the application of its laws.