The Chinese side proposes a Global Initiative on Data Security

On September 8, 2020, Foreign Minister Wang Yi delivered a keynote speech at a high-level meeting of an international seminar themed with “Seizing Digital Opportunities for Cooperation and Development” and proposed a Global Initiative on Data Security (“Initiative”). The Initiative mainly includes the following.:

First, approach data security with an objective and rational attitude, and maintain an open, secure and stable global supply chain.

Second, oppose using information and communications technology (ICT) activities to impair other States’ critical infrastructure or steal important data.

Third, take actions to prevent and put an end to activities that infringe upon personal information, oppose abusing ICT to conduct mass surveillance against other States or engage in unauthorized collection of personal information of other States.

Fourth, ask companies to respect the laws of host countries, desist from coercing domestic companies into storing data generated and obtained overseas in one’s own territory.

Fifth, respect the sovereignty, jurisdiction and governance of data of other States, avoid asking companies or individuals to provide data located in other States without the latter’s permission.

Sixth, meet law enforcement needs for overseas data through judicial assistance or other appropriate channels.

Seventh, ICT products and services providers should not install backdoors in their products and services to illegally obtain user data.

Eighth, ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products.


The Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System

Recently, the Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System (“Opinions”), the Opinions mainly include the following:

  1. Implementing the multi-level protection system of national cybersecurity
  • Deepening the work of network classification filing

Network operators which are classified as Level 2 or above shall file with the public security organ and the competent department of the industry.

  • Carrying out cybersecurity classification assessment regularly

Network operators which are classified as Level 3 or above shall entrust a classification assessment institution in line with the relevant provisions of the state to carry out cybersecurity classification assessment once a year, and timely submit the assessment report to the public security organ and the competent department of the industry. The new network above Level 3 should be put into operation after passing the classification assessment.

  • Implementing cryptography security protection requirements

Network operators which are classified as Level 3 or above shall correctly and effectively adopt cryptography technology for protection and use cryptography products and services meeting relevant requirements.

  1. Establishing and implementing the critical information infrastructure security protection system
  • Organizing to identify critical information infrastructure

The competent departments (hereinafter referred to as the “ Protection Departments”) of important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense science and technology industry, shall formulate rules for the recognition of critical information infrastructure in their respective industries and fields and report them to the Ministry of Public Security for the record.

  • Strengthening the protection of important data and personal information.

Establishing and implementing the important data and personal information protection system. Operators shall store within the territory of the People’s Republic of China the personal information and important data collected and generated during its operation within the territory of the People’s Republic of China. Where such information and data have to be provided abroad for business purposes, security assessment shall be conducted pursuant to relevant provisions.

Beijing: allow foreign companies to invest in virtual private networks 

The State Council recently approved the Work plan for Deepening a New Round of Comprehensive Pilot Projects for the Opening up of Beijing’s Service Industry and the Construction of a Comprehensive Demonstration Area for the Expansion of National Service Industry (“Plan”), the Plan will:

  1. Allow foreign companies to invest in domestic internet virtual private networks (VPN), with a proportion of foreign shares not exceeding 50 percent. Overseas telecommunications carriers can set up joint ventures to provide such services for foreign enterprises in Beijing.
  2. Support the application of Internet of vehicles (intelligent connected-cars) and automatic driving map and build the Beijing–Shanghai Internet of vehicles highway.
  3. Standardize the safe and orderly cross-border flow of data, explore the establishment of data security management mechanisms such as data protection capability certification and promote the pilot project of security management and assessment on data cross-border transfer.


The China Banking and Insurance Regulatory CommissionTo standardize health management services of insurance companies to ensure the safety of relevant data and information

The China Banking and Insurance Regulatory Commission (“CBIRC”) has issued the Circular on Standardizing Health Management Services of Insurance Companies (the “Circular”) on September 6, 2020.

The Circular emphasizes the following personal information protection work:

  1. informing customers of the content, process, standard, term, precautions and possible risks of health management services in advance and obtain the informed consent of customers.Participation by any third-party service cooperation organization shall be informed at the same time;
  2. obtaining the consent of customer when obtaining the customer’s health data; and
  3. not providing the customer’s personal information or any health data without the authorization of the customer to ensure data security and protect personal privacy according to law.


The People’s Bank of China: To obtain the consent of financial consumers when collecting their financial information

 On September 15, 2020, the People’s Bank of China (“PBOC”) issued the Implementing Measures of the People’s Bank of China for Protection of Financial Consumers’ Rights and Interests (“Measures”), which will take effect on November 1, 2020.

On protection of financial information of consumers, the Measures provide that banks and payment institutions shall:

  • adhere to the principles of legitimacy, bona fide and necessity, and obtain the explicit consent of financial consumers or their guardians, unless otherwise stipulated by laws and administrative regulations;
  • not collect consumers’ financial information unrelated to their business, nor adopt improper means to collect consumers’ financial information, and nor force consumers to collect their financial information in disguise;
  • not refuse to provide financial products or services on the ground that financial consumers do not agree to have their financial information processed, except that processing their financial information is necessary for providing financial products or services;
  • use appropriate means to enable financial consumers to independently choose whether or not to consent to the use of their financial information by banks and payment institutions for the purposes of marketing, user experience improvement or market investigation. Where the financial consumers do not agree, banks and payment institutions shall not refuse to provide financial products or services.If banks and payment institutions send financial marketing information to financial consumers, they shall provide them with ways to refuse to continue receiving the financial marketing information;
  • specify in the terms the purpose, method and content of collection and scope of use, and remind financial consumers of the possible consequences of such consent in an obvious and easy-to-understand way where banks and payment institutions have obtained the consent to the collection and use of financial information from consumers under standard terms; and
  • use consumers’ financial information pursuant to the provisions of laws and regulations and for the purpose agreed between both parties and shall not use such information beyond the agreed scope.


The Ministry of Commerce promulgated the Provisions on the Unreliable Entity List

 On September 19, 2020,the Ministry of Commerce promulgated the Provisions on the Unreliable Entity List (“Provisions”) which shall take effect from the same date of the promulgation.

The State shall establish the Unreliable Entity List System (“System”) and a working mechanism participated by relevant central departments (hereinafter referred to as “the Working Mechanism”) to take charge of organization and implementation of the System. The Office of the Working Mechanism is located at the competent department of commerce of the State Council.

The Working Mechanism shall, based on the results of the investigation and by taking into overall consideration the following factors, make a decision on whether to include the relevant foreign entity in the Unreliable Entity List (“List”), and make an announcement of the decision:

  • the degree of danger to national sovereignty, security or development interests of China;
  • the degree of damage to the legitimate rights and interests of enterprises, other organizations, or individuals of China;
  • whether being in compliance with internationally accepted economic and trade rules; and
  • other factors that shall be considered.

The Working Mechanism may, based on actual circumstances, decide to take one or several of the following measures (hereinafter referred to as the “Measures”) against the foreign entity which is included in the List, and make an announcement of the decision:

  • restricting or prohibiting the foreign entity from engaging in China-related import or export activities;
  • restricting or prohibiting the foreign entity from investing in China;
  • restricting or prohibiting the foreign entity’s relevant personnel or means of transportation from entering into China;
  • restricting or revoking the relevant personnel’s work permit, status of stay or residence in China;
  • imposing a fine of the corresponding amount according to the severity of the circumstances; and
  • other necessary measures.


BeijingTo explore the establishment of international information industry and digital trade port

On September 21, 2020, the State Council announced the Overall Plan of China (Beijing) Pilot Free Trade Zone (the “Plan“).

The Plan points out that Beijing will explore the establishment of international information industry and digital trade port. The specific measures are as follows:

  • having priority to explore software real name certification, data origin label identification, import and export of data product, etc. on the premise of controllable risks;
  • building the digital copyright trading platform to promote the development of intellectual property protection and intellectual property financing business;
  • conducting efficient and convenient digital import and export inspection on software and Internet service trade;
  • actively exploring the third-party authentication mechanism for the data protection capability of enterprises; and
  • exploring the establishment of a website filing system to meet the needs of overseas customers.


Task Force on Personal Information Protection by Apps: 81 Apps have personal information collection and use problems

On September 17, 2020, the Task Force on the Personal Information Protection by Apps (“Task Force”) found that there were problems in the collection and use of personal information in 81 Apps after the assessment and suggested that the relevant App operators should rectify the existing problems in a timely manner, and feedback the rectification situation to the Task Force within 30 days from the date of the announcement. After the 30 days, the Task Force will verify the rectification situation and submit the review results to the relevant departments; App operators who fail to effectively rectify relevant problems will be punished according to the law.


FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) and other two standards released

In the recent 2020 National Cyber Security Promotion Week, the Task Force on the Illegal Collection and Use of Personal Information by Apps (“Task Force”) held a “App Personal Information Protection” theme release event in Beijing (“Event”). At the Event, three standards related to personal information protection by Apps, the FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) (“FAQ and Handling Guide”), Mobile Internet Application (App) System Permission Application Guidelines (“System Permission Guidelines”) and Security Guidelines for Third-Party Software Development Kit (SDK) in Mobile Internet Applications (App) (Draft for Comment) (“Draft SDK Security Guidelines”), were released.

The FAQ and Handling Guide addresses the problems of excessive collection, mandatory claims for permission, frequent claims for permission, and unsynchronized notification of the purpose of collection by Apps. Based on statistics on the frequency of related problems, it gives the top ten frequently asked questions and handling guidelines in current App personal information protection, in order to help App operators prevent and deal with related problems.

The System Permission Guidelines address typical issues such as mandatory, frequent, and excessive claims for system permissions by Apps, bundling authorization, privately calling permissions to upload personal information, and sensitive permissions abuse. It also provides the basic principles and security requirements for system permissions by Apps, which can help App providers standardize App system permission applications and use behaviors and prevent personal information security risks caused by improper use of system permissions.

The Draft SDK Security Guidelines address the problems of third-party SDK’s own security vulnerabilities, malicious third-party SDKs, and unlawful collection and use of personal information by third-party SDKs in the current third-party SDK use practice. Combined with current mobile Internet technology and application status, the Draft SDK Security Guidelines provide practical guidelines for App providers and third-party SDK providers on third-party SDK security issues, aiming to reduce App security and personal information security issues caused by third-party SDKs.

In addition to the above guidelines, the Event also released the promotion video and the English version of the national standard Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) for reader’s convenience; as well as other work results relating to such as App security certification, free evaluation tools, research reports and popular science areas.


The People’s Bank of China issued the Financial Data Security Guidelines for Data Security Classification 

On September 23,2020,the People’s Bank of China (“PBOC”) issued the Financial Data Security Guidelines for Data Security Classification (“Guidelines”). The Guidelines applies to financial institutions to carry out data security classification work, as well as third-party assessment institutions to carry out data security inspection and evaluation.

According to the Guidelines, the financial data involved in the security classification include but are not limited to:

  • data collected directly (or indirectly) in the process of providing financial products or services, including data signed or collected through the counter with paper agreement and transferred or saved in computer system after information processing, and electronic information signed or collected through information system;
  • data generated and stored in the information system of financial institutions, including business data, operation and management data, etc.;
  • electronic data generated, exchanged and filed in the internal office network and office equipment (terminal) of financial institutions. For example, daily business processing information, policies and regulations, business or business management data temporarily stored in business terminals, e-mail information, etc;
  • electronic data formed by scanning or other electronic means of the original paper documents of financial institutions;
  • other data that should be classified.

At the same time, the Guidelines provides that according to the influence objects and the degree of impact caused by the data security damage of financial institutions, the data security level is divided into Level 5 to Level 1 from high to low.


Implementation Plan for the Establishment of Beijing International Big Data Exchange: establish and perfect the new data element management system of “separation of ownership and right of use”

On September 29,2020, Beijing Local Financial Supervision and Administration and Beijing Municipal Bureau of Economy and Information Technology issued the Implementation Plan for the Establishment of Beijing International Big Data Exchange (“Plan”).

The Plan will establish and improve the new data element management system of “separation of ownership and right of use”, explore a new mechanism for orderly circulation and efficient utilization of data elements, deeply implement the Beijing big data action plan, and strengthen the integration and application of cross regional, cross domain, cross department and cross level data resources.

The Plan points out that Beijing municipal state-owned enterprises with high-quality data resources will restructure the existing exchange and change its name to Beijing International Big Data Exchange. Strategic investors such as central enterprises and Internet enterprises will be introduced in time to increase registered capital, change business scope and change trading varieties. The service content of Beijing International Big Data Exchange will include data information registration service, data product trading service, data operation management service, data asset financial service and data asset financial technology service



If you would like to receive our legal update via email, please contact

For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369


Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.

Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.

Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.

Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.

by Samuel Yang, AnJie Law Firm and Practical Law China

An overview of the regulation of cloud computing in China. This note covers the characteristics of cloud computing, including its risks and benefits, the regulatory framework for cloud computing in China and key issues in negotiating cloud computing services.

Scope of this note

What is cloud computing?

Characteristics of cloud computing

Service models

Deployment models

Benefits of cloud computing

Risks of cloud computing

Cloud computing market development in China

Regulatory framework of cloud computing in China

Internet resource co-ordination services

Licences required for operating cloud services

Foreign investment restrictions

Work-around arrangements for foreign investors

Security assessment measures for cloud computing platforms

Key legal issues in negotiating cloud service contracts

Personal privacy and cybersecurity issues

IP protection issues

Service performance

Governing law and applicable law

Scope of this note

In recent years, China has been increasing its regulation in areas such as cybersecurity and data security with legislation such as the Cybersecurity Law 2016 (2016 CSL, with effect from 1 June 2017). Cloud computing is both a rapidly growing market in China as well as subject to this increasing regulatory regime. This note explores the general characteristics of cloud computing, including its risks and benefits, as well as its regulatory framework in China and key issues in negotiating cloud computing service agreements.

(For general information on regulatory developments of cybersecurity and data protection in China, see Practice  note, Quick guide: Cybersecurity and data protection: China.)

What is cloud computing?

Cloud computing is a style of computing in which dynamically scalable and often virtualised resources are provided as a service over the internet. The cloud is a metaphor for networks, internet, computers, laptops, mobile phones and other ways for users to access data centre operations according to their needs. Cloud computing can be powerful enough to reach 10 trillion operations per second, which can be used in computing-intensive operations such as simulating nuclear explosions and predicting climate change and market trends.

The Security Guide for Cloud Computing Services (2016) (Cloud Security Guide) (云计算安全指南2016) issued by the China Academy of Information Communications Technology (CAICT) (中国信息通信研究院) defined cloud computing as:

“a model that provides computing resource services through the network, through which customers, on a dynamic and self-service basis, receive and manage the computing resources provided by the cloud service providers according to their needs. Computing resources include servers, operating systems, networks, software, and storage devices.”

Characteristics of cloud computing

The characteristics of cloud computing include:

  • On-demand self-service. Customers can obtain the required computing resources with limited participation, or even without participation from cloud service providers. In some cases, customers can solely and independently determine the time and quantity of resources that they want to receive.
  • Ubiquitous access. Through a standard access mechanism, customers can use a computer, laptop, mobile phone, tablet or other terminals to access cloud computing services at any time and in any place.
  • Resource pooling. Cloud service providers provide resources (such as computing resources, storage resources and network resources) to multiple customers. These physical or virtual resources can be dynamically allocated or redistributed among the customers according to their needs.
  • Fast scalability. Customers can acquire and release computing resources as needed quickly, flexibly and conveniently. For customers, the resources are “infinite” and they can acquire additional resources at any time.
  • Measurable service. Cloud computing can automatically control or quantify resources in accordance with a variety of measurement methods (such as pay-per-view or re-charge). The measurements may include, for example, storage space, computing power, network bandwidth or active accounts.

Service models

Cloud computing technology is generally categorised into three different service models:

  • Infrastructure as a Service (IaaS). This model concerns the provision of computers, networking, storage, load balancing and virtual machines. These services and end-user hardware and software resources can be expanded or contracted according to customer needs.
  • Platform as a Service (PaaS). In this model, managed service providers help customers by providing work platforms, including execution time, databases, web services, development tools and operating systems, without the need for customers to manually allocate resources.
  • Software as a Service (SaaS). This model includes software components such as virtual desktops, utility applications, content resource management, email and software. In this model, the cloud service provider is responsible for installing, managing and operating the software, and customers log in and use the software through the cloud.

Deployment models

Depending on how the cloud is deployed, there are four models of cloud computing which meet varying customer requirements:

  • Public cloud. In this model, standardised applications, resources, storage and other services are provided to a variety of customers on a shared, self-service, “pay as you go” basis. This deployment model typically provides scalable cloud services and can be efficiently set up.
  • Private cloud. A private cloud is the cloud infrastructure operated solely for a single organisation, that is managed either internally or by a third party, and hosted either internally or externally. In this model, correction, inspection and other security issues need to be taken care of by the organisation itself. In addition, the entire system also requires the organisation’s own money to buy, build and manage. This cloud computing model can provide the full benefit and functionality of the service to its owner.
  • Community cloud. This model is built on a specific group of multiple similar targets, such as companies, that share a common set of infrastructure and the related costs.
  • Hybrid cloud. A hybrid cloud is a mixture of two or more cloud computing models, such as public and private clouds. The models are independent of each other, but are all included within the cloud, so organisations can take advantage of a tailored mix of cloud computing models.

Benefits of cloud computing

The main benefits of cloud computing include:

  • Reducing overhead and energy consumption. The use of cloud computing services can convert hardware and infrastructure construction funds into on-demand services. Customers only pay for the resources used and do not need to bear the cost of building and maintaining the infrastructure, therefore avoiding incurring capital investment. Cloud service providers use a variety of technologies, such as cloud infrastructure, virtualisation, dynamic migration and workload consolidation, to improve resource utilisation so that free resource components can be shut down to reduce energy consumption. Multi-tenant sharing mechanisms and the centralised sharing of resources can meet the peak demand for multiple customers in different time periods, therefore avoiding wasting resources due to capacity design and impact on performance by peak demand. Cloud services reduce operating costs and energy consumption effectively, and therefore are considered to be environmentally friendly.
  • Enhancing business flexibility. Customers using cloud computing services do not need to build a dedicated information system. This shortens the business system construction cycle, enables customers to focus on business functions and innovation, and improves business response speed and quality of service.
  • Improving availability of business systems. The resource pooling and scalability of cloud services enable customers to expand their business systems dynamically to meet the rapid expansion of their business and avoid the interruption of customer service systems due to sudden increases in demand. The backup and multi-copy functions of cloud computing can improve the robustness and availability of business systems and avoid data loss and business failures.
  • Access to professional services. Cloud service providers have professional staff and can update or adopt advanced technologies and equipment in a timely manner. The professional technical, management and personnel support of cloud service providers can give access to a higher level of advanced technical services.

Risks of cloud computing

Major risks for customers using cloud computing solutions include:

  • Weakened ability to control data and business systems. In the cloud computing environment, customers migrate their data and business systems to cloud service providers’ cloud computing platforms, thereby losing the direct control over these data and business systems.
  • Difficulty in dividing responsibility between customer and cloud service provider. In the cloud computing environment, the responsibility for customer management and the responsibility for the customer’s data security are accorded to different persons, and it is not easy to delineate the responsibility between them. Furthermore, different service patterns and deployment patterns and the complexity of the cloud computing environment also increase the difficulty of dividing the responsibility between cloud service providers and customers. In addition, cloud service providers may also purchase services from other cloud service providers which will lead to more difficulty in defining their responsibility.
  • Jurisdiction issues. The actual storage location of the data is often outside the customer’s control. Authorities in some countries may require cloud providers to provide access to these data centres in accordance with their national laws, and may even require the providers to provide access to data stored in other countries’ data centres, which changes the jurisdictional relationship between an organisation and its data. (For more information on the Chinese regulatory regime on data transfers from China to other jurisdictions, see Practice note, Cross-border data transfers: China.)
  • Challenges to ownership of customer data. Customer data which is migrated to the cloud computing environment and the data which is generated and accessed in subsequent processes are both under the cloud service providers’ control, and the providers are able to access or use the customer data. In contrast, customers may need to be authorised by the cloud service providers to access, use and manage their own data. If there is no clear regulation, the customer’s ownership and control of its own data is difficult to be guaranteed.
  • Data protection is more difficult. Cloud computing platforms use virtualisation and other technologies to achieve multi-customer shared computing resources. Because the barriers and other protections between virtual machines are vulnerable to attack, the risk of unauthorised data access across virtual machines is significant. As the complexity of cloud computing platforms increases, it is more difficult to implement effective data protection measures against the risks of unauthorised access, tampering, disclosure and loss of customer data. The Chinese government is also planning a new Data Security Law, see Legal update, NPC Standing Committee circulates draft Data Security Law.
  • Data residue. Storage media that store customer data are owned by the cloud service providers, and customers do not manage or control the storage media directly. When customers exit the cloud computing services, the cloud service providers should completely delete the customers’ data, including the backup data. However, to date there are no valid mechanisms, standards or tools in place to verify that the cloud service providers have fully deleted these data. The data may still partially or even completely remain on the cloud computing platform after the client exits the cloud computing service.
  • Potential dependence on specific service providers. Due to the lack of uniform standards and interfaces, customer data and services on different cloud computing platforms are difficult to migrate between platforms, as well as to migrate back from a platform to the customer’s data centre. In addition, cloud service providers, for their own benefit, are often reluctant to provide portability for customers’ data and business. This potential dependence on specific cloud service providers may cause the customer’s business to break down with an interruption to the provision of cloud services that, if severe enough, could result in data and business migration to other cloud service providers at a high cost. Another factor in the potential over-reliance on specific service providers is that the cloud computing service market is still maturing, with limited cloud service providers to choose from.

Cloud computing market development in China

China’s cloud computing market is maintaining an overall trend of rapid development with the following features:

  • Public cloud services are expanding gradually from the internet sector to the industry market.
  • The hardware market dominates the domestic private cloud market.
  • Cloud services, and IaaS in particular, are fully embraced by domestic enterprise users. The domestic IaaS market is the first choice for small and medium enterprises for information technology (IT) resources construction in the fields of games, video and mobile internet.
  • PaaS services have become an important platform and the first choice for internet enterprises due to the low cost, fast deployment, and rich application programming interfaces (APIs) for developers. From the user application perspective, the market is demanding changes to services from initial search or map engine services and web services to big data analysis, security monitoring and other more complex services.
  • SaaS services account for the majority of the cloud computing market demand.

Regulatory framework of cloud computing in China

There were no specific laws and regulations regulating cloud computing services in China before the promulgation of the Circular of the Ministry of Industry and Information Technology on Issuing the “Classified Catalogue of  Telecommunications Services” 2015 (2015 Telecoms Catalogue, with effect from 1 March 2016) by the Ministry of  Industry and Information Technology (MIIT). Although the 2015 Telecoms Catalogue also does not define computing” or “cloud service”, it is generally accepted that the term “internet resource co-ordination services” (IRCS) (互联网资源协作服务业务) in the catalogue refers to cloud services.

For more general information on the regulatory framework of telecommunications in China, see Practice note, Regulation of telecommunications sector in China: Regulatory framework for telecoms sector.

Internet resource co-ordination services

According to the 2015 Telecoms Catalogue, IRCS means:

“the data storage, internet application development environment, internet application deployment and operation management and other services provided for users through internet or other networks in the manners of access at any time and on demand, expansion at any time and co-ordination and sharing, by using the equipment and resources built on database centres” (section B11).

In addition to the catalogue, the MIIT also released the Notice on the Regulation of Cloud Service Market’s Business  Conduct (Draft for Public Comment) (Draft Notice) (关于规范云服务市场经营行为的通知(公开征求意见稿) in November 2016, which expressly states that “cloud service” is one type of IRCS mentioned in the 2015 Telecoms Catalogue (Article 1).

Licences required for operating cloud services

Under the 2015 Telecoms Catalogue, IRCS is a type of Internet Data Centre Service (IDC) (互联网数据中心业 务), which are categorised as value-added telecoms services (VATS). Providing VATS in China requires a telecoms licence (VATS licence) (see Practice note, Regulation of telecommunications sector in China: Telecoms licensing).

Accordingly, the operation of cloud services in China requires a VATS licence dedicated for IDC business, which is also known as an IDC licence.

The description of the term “IRCS” in the 2015 Telecoms Catalogue is broad and generally understood to cover all types of cloud services, namely IaaS, PaaS and SaaS. Accordingly, in theory the operation of all these types of cloud services requires a VATS license dedicated for IDC business. However, according to the MIIT’s 2017 interpretation  the operation of certain types of SaaS services does not require a VATS license if those services are regarded as “pure software services” and do not involve other VATS under the 2015 Telecoms Catalogue.

Foreign investment restrictions

In theory, subject to some foreign capital ratio restrictions, foreign-invested enterprises (FIEs) can apply for an IDC licence according to the Provisions on the Administration of Foreign-Invested Telecom Enterprises 2008  (2008 Foreign-Invested Telecoms Regulations, revised in 2016). The 2008 Foreign-Invested Telecoms Regulations state that a foreign-invested telecommunications enterprise (FITE) operating VATS may not have foreign investors’ capital contribution exceeding 50% (Article 6). In addition, the regulations also require that an FITE providing VATS has registered capital meeting the following minimum capital requirements:

  • At least RMB10 million if the FITE’s operation is nationwide or cross-provincial.
  • At least RMB1 million if the FITE’s operation is within a single province. (Article 5.)

However, as IDC services were not part of the scope of VATS to be opened up to foreign investment that China made at its accession to the WTO on 11 December 2001, IDC licences have only been granted to Chinese companies and their joint ventures with Hong Kong and Macau investors, and not to companies invested in by investors from other jurisdictions. Although Hong Kong and Macau investors are to some extent also treated as foreign investors by Chinese authorities, their eligibility for IDC licences was specially granted in the Closer Economic Partnership Arrangements (each, a CEPA agreement) entered into by China in 2003 with Hong Kong and Macau, respectively. Each CEPA agreement allows Hong Kong and Macau investors to set up joint venture enterprises with Chinese investors in China to provide IDC services. Hong Kong and Macau service suppliers’ shareholding in these joint ventures may not exceed 50% and there is no geographic restriction for the provision of the IDC services within China. For more information on the preferential policies for Hong Kong and Macau service providers under other CEPA arrangements, see Practice note, Regulation of telecommunications sector in China: Preferential policies  under CEPAs.

Except for these special rules for Hong Kong and Macau, foreign investors from other jurisdictions are not eligible for the application of an IDC licence. According to the MIIT website, as of 14 August 2020 there are only twenty Sino-Hong Kong joint ventures which have been granted the VATS licence for the operation of IDC services.

Work-around arrangements for foreign investors

As most foreign-invested companies are not eligible to apply for the IDC licence, they are not allowed to operate cloud services in China under their own names. Foreign cloud service providers have to co-operate with Chinese IDC licence holders to provide cloud services to their customers. These types of co-operation are mainly based on contractual arrangements between the foreign cloud service providers and relevant Chinese IDC licence holders, such as technology licensing, brand licensing and other contractual arrangements, to ensure the foreign cloud service providers can participate in the relevant decision-making process.

However, some types of contractual arrangements between foreign cloud service providers and the relevant Chinese VATS licence holders seem to raise issues of concern to the MIIT, and the Draft Notice appears to have been issued to correct those suspect arrangements. According to the Draft Notice, foreign investors are required to strictly comply with the 2008 Foreign-Invested Telecoms Regulations and the CEPA agreements and other relevant policies concerning IDC services, and to apply for the establishment of FITEs and obtain the corresponding VATS licences before they can operate cloud services in China (Article 3). In addition, the Draft Notice specifically requires Chinese licensed cloud service providers to report their technical co-operation with “relevant entities” to the MIIT, and in the course of such co-operation the licensed cloud service providers should not:

  • Lease or assign their telecoms service licences to the counterparties in any form, or provide resources, venues, facilities or other conditions to the counterparties for their illegal operation.
  • Allow the counterparties to sign contracts with customers directly.
  • Allow the cloud services to be provided only under the trade marks and brands of the counterparties.
  • Illegally provide users’ personal information and network data to the counterparties.
  • Engage in any other illegal acts.

(Article 4.)

The Draft Notice also requires cloud service providers to establish their cloud service platforms in China. When cross-border connectivity is needed, the relevant servers should be connected to overseas networks through the international internet gateways approved by the MIIT. It is forbidden to establish or use other channels for cross border connectivity through private lines, virtual private networks (VPNs) and other means (Article 7). When providing services to domestic customers, service facilities and network data should be kept within China and cross border operation and maintenance and data flow should comply with the relevant regulations (Article 9(4)).

These restrictions on the co-operation between licensed cloud service providers and their contractual counter parties indicate that foreign cloud service providers, when co-operating with Chinese licensed cloud service providers, can only play a subordinate role and that any attempt to “control” the Chinese counterparties would likely be challenged by the MIIT.

Security assessment measures for cloud computing platforms

On 2 July 2019, the MIIT together with other ministries jointly issued the Measures on Security Assessments for Cloud Computing Services 2019 (Measures) (云计算服务安全评估办法), with effect from 1 September 2019. The Measures intend to further flesh out the provisions of the 2016 CSL by improving the security and controllability of cloud computing services procured and used by the Communist Party and government organs and operators of critical information infrastructure (CII). The Measures provide that a cloud computing services provider may apply to conduct a security assessment for a cloud platform, and must submit to the security assessment office a declaration form, as well as a cloud computing service system security plan, reports on the continuity of the business, the security of the related supply chain and the feasibility of customer data migration, and other materials.

For more information on the measures, see Legal update, CAC and others issue security assessment measures for cloud computing services platforms.

Key legal issues in negotiating cloud service contracts

Cloud service providers often do not allow changes to their standard terms and conditions. Considering the multi tenant shared operating model and the multiple components involved in cloud solutions (except for private cloud), proposed changes from different customers may vary greatly. Therefore, it is not economical for cloud service providers to spend time and resources negotiating with customers, especially small and medium-sized customers, to customise their contracts.

Where cloud service providers are willing to discuss changes to their terms and conditions (normally with large corporate customers that have stronger bargaining power), customers are recommended to do their due diligence first to understand any potential legal compliance issues with the proposed cloud solutions or if any gaps exist between the customers’ expectations and the proposed cloud solutions. Customers then need to prioritise the areas they want to mitigate against these issues and deal with them accordingly. The areas of data protection and cybersecurity, intellectual property (IP) rights and service performance are perhaps among the most important for all cloud computing contracts.

Personal privacy and cybersecurity issues

Personal privacy and cybersecurity issues have become some of the primary factors that customers need to take into account in deciding whether to migrate their IT infrastructure to the cloud. The service calculation mode, dynamic virtualisation management and multi-tenant shared operating model of cloud computing services pose a serious challenge to the security and privacy of personal and business data. Both customers and cloud service providers must comply with applicable laws governing personal privacy protection and cybersecurity. Although still at an early stage, various Chinese laws and regulations have imposed some fundamental principles for the protection of personal privacy and cybersecurity (for example, see Practice note, Data privacy in China and Security assessment measures for cloud computing platforms). Before entering into a cloud service contract, the customer needs to ensure that the transfer of personal data to the cloud service provider has been notified to the relevant personal data subjects and that the subjects have consented to the transfer. As the cloud service customer is primarily responsible for the security and personal privacy of its own customers’ data, it needs to ensure that personal data and other customer data are handed over to cloud service providers with sound and robust safeguards. The cloud service provider has the responsibility to ensure the safety of customer data, including personal data processed on behalf of the customers.

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users 2013 issued by the MIIT require that telecommunications business operators and internet information service providers be responsible for the security of users’ personal information as collected and used during the provision of services.

This obligation applies to cloud service providers. Accordingly, in a cloud service contract the customer should require the cloud service provider to abide by all relevant legislation in the personal data protection and cybersecurity areas. The contract should stipulate that the cloud service provider must not release any information to a third party, even when they are requested to disclose the information by a foreign government.

Moreover, the customer should require the cloud service provider not to access, revise, release, use, transfer or destroy any data from the customer without the customer’s consent. (For more information, see Practice note, Data  privacy in China: Data privacy principles).

In addition, when entering into a cloud services contract both the customer and the cloud service provider need to take into account regulations restricting data flow to foreign jurisdictions. This restriction typically applies to those industries which are considered to concern the national security of China. For example, the 2016 CSL requires operators of CII to store within China personal information and important business data that was collected in China. However, these may be transmitted abroad on successful completion of a security assessment by the relevant authorities (Article 37). The cloud service customer therefore needs to assess whether its IT infrastructure can be regarded as CII and if so, it will need to take the relevant requirements into account in the selection of a cloud service provider, and work with the provider to put in place technical and management measures and contractual terms to ensure that the data flows are compliant.

For more information on the 2016 CSL, see Legal update, China passes Cybersecurity Law.

For more information on cross-border data transfers, see Practice note, Cross-border data transfers: China.

For more information on the protection of personal data privacy in China generally, see Practice notes, Data privacy  in China and Data breach notification in China.

IP protection issues

Cloud computing can raise complex IP issues. On the one hand, IP rights are specific to jurisdictions. IP laws vary among jurisdictions, so a protectable IP right in one jurisdiction may not be protected equally, if at all, in another jurisdiction, and an infringement of IP rights in one jurisdiction may not be an infringement in another jurisdiction.

On the other hand, cloud computing is meant to break boundaries and work across jurisdictions, as in the cloud computing environment technology and data are frequently used beyond national borders. This tension can be a significant issue for both cloud service providers and their customers. Both parties should be clearly aware of the specific differences in IP laws that are relevant to their business operations, and should actively manage those discrepancies through their contractual arrangement with each other or through other means, to mitigate the risks of infringing the IP rights of third parties or suffering infringement of their own IP rights.

Another reason for the complexity of IP rights is that cloud computing solutions include multiple components and the relevant IP rights may belong to different licensors. The cloud service provider which signs the contract with a customer may not have the right to license or sublicense all of these IP rights to the customer. A defect which exists in any part of the licensing chain from the original licensor to the customer may present licensing risks and potential liabilities to the customer. Even if the cloud service provider has the right to license or sublicense the necessary IP rights to the customer, the customer may face the risk of service interruption if an essential IP licence in the cloud solution expires and the cloud service provider fails to renew it or provide an alternative solution. To mitigate these risks, the customer should seek full IP right indemnities from the cloud service provider for all service offerings in the cloud solution, while the cloud service provider may try to defend its position by only providing limited indemnities, or by leaving room for it to seek alternative solutions to replace the IP-flawed solutions without providing any indemnities to the customer.

Service performance

In a typical software licensing agreement or hardware sale agreement, there normally is no measurement, or only very simple measurements, provided to determine whether the product performs “normally”. Moreover, due to the vague standards of good performance, usually no compensation is provided to the customer if the software or hardware does not perform well enough. However, as cloud computing is provided as a service covering hardware, software, network and maintenance, there are several more measurable parameters which can be used to determine if the cloud service is provided up to certain standards. It is therefore possible, and necessary, to set up a mechanism of service performance measurement for cloud services and corresponding compensation payable to the customer for poor performance. This mechanism is now a common practice in the cloud industry and is known as a service level agreement (SLA).

The measurements under an SLA can include availability of the service (normally in the form of the percentage of usable time against a certain period of time), the cloud service provider’s response time for customer fault reports, time needed to fix problems (known as mean time to repair or MTTR) or other specific measurable parameters depending on the nature of the cloud services provided. Accordingly, if the cloud service provider fails to meet the relevant parameters set out in the relevant SLA, then a calculated compensation (known as service credits) will be paid by the cloud service provider to the customer. The customer should analyse the measurable parameters in its contracted cloud service and seek to agree with the cloud service provider on the applicable service credits and other SLA provisions. Given that customers may have migrated their essential operating systems and applications to the cloud, they may not tolerate any outage or interruption of the cloud service. A “business continuity” clause deals with how the cloud service provider should act to ensure that the customer can still use the contracted services in the event of an outage or interruption of service. This normally involves the customer requiring certain visibility, as a contractual right, of the cloud service provider’s business continuity plan (BCP). The customer may also require that the provider’s BCP and any changes to it should be discussed with and approved by the customer to ensure that the customer’s own BCP requirements will be integrated as part of the cloud service provider’s BCP practice.

Governing law and applicable law

Cloud service providers and their customers are sometimes located in different jurisdictions, and the operation of the cloud service may also involve other jurisdictions. Therefore, governing law issues should be carefully considered taking into account, for example, whether the law of the relevant jurisdiction has a different set of rules for the handling of personal data and business data from the principles agreed by the parties in the agreement. For example, the data protection rules of the EU are generally stricter than those in China (for more information, see Practice  notes, Data privacy in China and Overview of EU General Data Protection Regulation).

The concept of applicable law is different from the governing law of the agreement, and knowing this is especially important for a customer entering into a cloud service contract. Depending on the jurisdictions where the cloud service provider operates, the laws and regulations of multiple jurisdictions may be applicable to the cloud service.

While it is generally still a good practice for the customer to require the cloud service provider to comply with all applicable laws, the customer should assess whether it will become subject to the laws of a specific jurisdiction because its data will be processed or stored there. If those laws would present challenges to the secrecy and security of its data, the customer may need to consider whether technical measures should be put in place by the cloud service provider to prevent, if possible, the data from being stored or processed in that jurisdiction to avoid the application of its laws.

The Ministry of Commerce launches pilot program on security management for cross border data transfer

On August 14, 2020, the Ministry of Commerce (“MOC”) issued the Master Plan for Comprehensively Deepening the Pilot Program on Innovative Development of Trade in Services (“Plan”), covering 28 provinces and municipalities directly under the Central Government (regions), including Beijing, Tianjin and Shanghai, and the period for the pilot program will be three years.

The Plan proposes to:

  • establish dedicated Internet data channel in pilot areas where feasible, and the Ministry of Industry and Information Technology(“MIIT”) shall formulate relevant policies;
  • explore the classification and supervision model of cross-border data flow and carry out the pilot program for cross-border data transfer security management. Office of the Central Cyberspace Affairs Commission shall formulate relevant policies, pilot program work for cross-border data transfer security management shall be implemented in pilot areas such as Beijing, Shanghai, Hainan, and Xiong’an New Area;
  • develop cross-border services such as big data collection, storage, processing, analysis, mining and trading based on industrial Internet in pilot areas;
  • explore the rules and standards of data service collection, masking, application, trading, supervision, etc.;
  • promote the commercialization and securitization of data assets, and explore the formation of new models for trading of big data;
  • carry out security assessment on cross-border data flow in pilot areas; and
  • establish data security management mechanisms on data protection capability certification, data circulation backup review, cross-border data flow and transaction risk assessment, etc.; encourage cooperation in international cooperation on digital rules in pilot areas and strengthen the protection of data.

For more information ,please refer to


China proposes to tighten controls on import and export of commercial cryptography products.

On August 20, 2020, the State Cryptography Administration released the Regulations for the Administration of Commercial Cryptography (Draft for Comment) (“Draft Regulations”) to solicit public opinions by September 19, 2020.

The Draft Regulations provide that, import of the commercial cryptography in the “Commercial Encryption Import License List” and export of the commercial cryptography in the “Commercial Encryption Export Control List” should be subject to the import and export license for dual-use items issued by the competent commercial department of the State Council.

According to the Draft Regulations, operators of networks and information systems such as unclassified critical information infrastructure, network of Grade III or above (under the network graded protection regime), and national government information system shall:

• use commercial cryptography for protection;

• formulate commercial cryptography application scheme;

• have necessary funds and professionals;

• plan, construct and operate the commercial cryptography safeguard system synchronously;

• carry out the security assessment on commercial cryptography application by itself or commercial cryptography testing institutions.

The above-mentioned network and information systems can be put into operation only after the security assessment on commercial cryptography application. After operation, the assessment shall be conducted at least once a year, and the assessment results shall be filed with the local municipal cryptography administrative department.

The Draft Regulations provide that operators of networks and information systems such as unclassified critical information infrastructure, network of Grade III or above, and national government information system should use commercial cryptography products and services that have been tested or certified, and use commercial cryptography technology listed in the Guidance Catalog of Commercial Cryptography Technology.

The Draft Regulations stipulate that if operators of critical information infrastructure purchase network products and services involving commercial cryptography, which may affect national security, they shall pass the national security examination organized by the state cyberspace department, the state cryptography department and other relevant departments according to the law.

For more information ,please refer to


China released the revised Catalogue of Technologies Prohibited and Restricted from Export

On August 28, 2020, the Ministry of Commerce and the Ministry of Science and Technology jointly released the revised Catalogue of Technologies Prohibited and Restricted from Export (“Catalogue”). The revisions of the Catalogue removed 4 items of technologies prohibited from export, removed 5 items of technologies restricted from export, added 23 items of technologies restricted from export, and revised technical parameters of 21 items of technologies.

It is worth noting that, in the export restriction section, the Catalogue adds “personalized information push service technology based on data analysis” and “technology of unmanned aerial vehicles”.

For more information ,please refer to


NISSTC seeks public opinions on the Information Security Technology – Cyber-data Process Security Specification

On August 31, 2020, the National Information Security Standardization Technical Committee (“NISSTC“) issued the Information Security Technology – Cyber-data Process Security Specification (Draft for Comment) (“Draft Specification”) for public comments by October 27, 2020.

Highlights of the Draft Specification include:

Provision of data to others: Before providing data to others, network operators should conduct security impact analysis and risk assessment. If national security, public security, economic security, and social stability will be endangered, they must not provide the data to others.

Responsible person for data security: When network operators carry out business and service activities and collect important data and personal sensitive information, they should clarify the person responsible for data security and provide them with necessary resources to ensure that they perform their duties independently. The person in charge of data security should have professional knowledge of data security and relevant management work experience, participate in important decisions related to data processing activities, and perform the following duties:

a) organizing and determining the data protection catalog, formulating a data security protection plan and supervising the implementation;

b) organizing and carrying out data security impact analysis and risk assessment, and supervising the rectification of security risks;

c) reporting data security protection and incident handling to the cyberspace administration and relevant departments as required; and

d) organizing to accept and handle data security complaints and reports.

Transmission and storage: Network operators should take security measures for data transmission and storage activities, including:

a) When transmitting important data and personal sensitive information, security measures such as encryption should be adopted;

b) When storing important data and personal sensitive information, security measures such as encryption, secure storage, access control, and security audits should be adopted; and

c) The storage of personal information should not exceed the storage period agreed with the personal information subject, unless otherwise provided by laws and regulations.

The Draft Specification also provides special rules for the protection of personal information in public health emergencies. For example, in the process of providing information services, when face recognition is used as the authentication method, other authentication methods should be provided for users to choose in principle. The original image that can extract the face recognition information shall not be retained in principle when using face recognition information for identity verification.

For more information ,please refer to


MIIT: No user’s consent, No commercial SMS or calls

On August 31, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Administrative Regulations on Short Messages and Voice Call Service (Draft for Comments) (“Draft Regulations”) to seek public comments by September 30, 2020.

According to the Draft Regulations, any organization or individual shall not send commercial short messages or make commercial telephone calls to the user without his/her consent or request, or if he/she has explicitly refused to receive such SMS/calls. If the user does not explicitly agree, it shall be deemed as refusal. If the user agrees previously and explicitly refuses to accept it later, sending commercial short messages or making commercial telephone calls shall be terminated. If a short message service provider sends port type commercial short messages, it shall ensure that the relevant user has agreed or requested to receive these messages and keep the user’s consent proof for at least five months. A voice call service provider shall not make platform commercial calls, or provide communication resources, platform facilities and other conditions for organizations and individuals who make commercial calls in violation of the Draft Regulations.

For more information ,please refer to


Ministry of Culture and Tourism: Big data analysis and other technical means must not be abused to violate tourists’ rights

On August 31, 2020, the Ministry of Culture and Tourism issued the Interim Provisions on Administration of Online Tourism Business and Services (“Provisions”), which will take effect on October 1, 2020.

According to the Provisions, online tourism operators should implement graded protection system of cyber security, take management and technical measures for cyber security, formulate contingency plans for cyber security and organize regular trainings according to the PRC Cybersecurity Law and other relevant laws to ensure the normal development of online tourism business and services.

Online tourism operators shall protect the tourists’ right of comment and shall not arbitrarily shield or delete tourists’ comments on their products and services, nor shall they mislead, induce, substitute or force tourists to make comments. Comments made by tourists shall be saved and made public.

Online tourism operators should protect the security of tourists’ personal information and other data, and clearly indicate the purpose, method and scope of the collection of tourists’ personal information in advance and obtain the consent of the tourists.

Online tourism operators must not abuse technical means such as big data analysis to set unfair trading conditions based on tourists’ consumption records, travel preferences, etc., and infringe on the legitimate rights and interests of tourists.

According to the Provisions, online tourism operators refer to natural persons, legal persons and unincorporated organizations engaged in online tourism business and services, including online travel platform operators, operators on the platform, and operators who provide travel services through self-built websites and other network services.

For more information ,please refer to


Six government agencies call for recommendation of national green data centers in 2020

On August 6, 2020, the Ministry of Industry and Information Technology (“MIIT”) and five other government agencies issued the Circular on Organizing and Implementing the Recommendation of National Green Data Centers (2020) (the “Circular”).

According to the Circular, all regions shall recommend a batch of well-managed and representative data centers featuring high energy efficiency and advanced technology in major application fields of data centers, such as manufacturing, telecommunications, Internet, public institutions, energy, finance, and e-commerce, in accordance with the Evaluation Indicator System for Green Data Centers.

The Circular provides four basic conditions that a recommended data center shall meet:

  1. The owner of the data center shall have independent legal person status. The data center shall have clear property rights and shall abide by relevant laws, regulations, policies and standards in the process of construction and operation. In the past 3 years (including less than 3 years of establishment), it has had no major safety incidents, environmental protection incidents or other incidents, and no other serious illegal or untrustworthy conducts decided by judicial or administrative agencies;
  2. The data center shall have a clear and complete physical boundary, independent power supply and distribution, and a cooling system that meet the requirements of theAction Plan for Green and Efficient Refrigeration and has been officially operating for one or more consecutive years as of the application date;
  3. The construction and layout shall meet the requirements of the Guiding Opinions on the Construction Layout of Data Centers, and meet the requirements of the local construction planning and other local laws and regulations; and
  4. It is not included in the list of Special Supervision and Rectification for the Energy Efficiency of the Industrial Energy Conservation Supervision Data Center in 2019.

For more information ,please refer to


China issues the Guide to the Building of National Standard Framework for New Generation Artificial Intelligence

On August 7, 2020, the Standardization Administration and other four government departments issued the Guide to the Building of National Standard Framework for New Generation Artificial Intelligence (“Guide”).

According to the Guide, the framework of standards for artificial intelligence includes eight aspects, namely basic generality, supporting technology and products, basic software and hardware platforms, key general technologies, technologies in key fields, products and service, industry application and safety/ethnics.

The Guide requires that, the top-level design of artificial intelligence standardization should be clarified by 2021, when more than 20 key standards in key general technologies, technologies in key fields, ethics, etc. have been preliminarily researched. By 2023, an artificial intelligence standard system should have been initially established, focusing on the development of key and urgently needed standards such as data, algorithms, system services, and taking the lead in manufacturing, transportation, finance, security, home furnishing, elderly care, environmental protection, education, healthcare, justice and other key industries and fields.

For more information ,please refer to

NISSTC seeks public opinions on its proposed national standards to identify the boundaries for Critical Information Infrastructure

On August 10, 2020, the National Information Security Standardization Technical Committee (“NISSTC”) released the Information Security Technology – Method of Boundary Identification for Critical Information Infrastructure (Draft for Comment) (“Draft Method”) to seek public opinions.

The Draft Method provides that, boundary identification for critical information infrastructure (“CII”) deals with further analysis and sorting after the competent authority’s identification of the critical business, which the CII operator will identify the network facilities and information systems that are indispensable for the continuous and stable operation of the critical business for the purpose of providing a basis for the protection, review, and emergency response.

The Draft Method provides six factors that should be considered in identifying the boundaries of CII: critical business, network facilities, information system, critical business information, critical business information flow, and basic operation environment.

  • Critical business is the core element and the basis for boundary identification of CII;
  • Critical business information is an indispensable information resource for the normal operation of critical business, and also a bridge and link for network facilities and information system to support the informatization for critical business;
  • Network facilities and information system design, collect, integrate, process, present, apply, store and destroy critical business information according to business operation logic and functions to support the automated, intelligent and efficient operation of critical business;
  • Critical business information flow is the flow process in the whole life cycle of critical business information. By sorting out the critical business information flow, network facilities and information systems supporting informatization for critical business can be obtained;
  • Basic operation environment refers to the safety equipment, safety measures, rules and regulations, machinery, plant, water, electricity, etc. supporting basic operation for critical business.

For more information ,please refer to


NISSTC seeks public opinions on the Method for Evaluating Security Protection Capabilities of Critical Information Infrastructure

On August 10, 2020, the National Information Security Standardization Technical Committee (“NISSTC”) issued the Information Security Technology – Method for Evaluating the Security Protection Capabilities of Critical Information Infrastructure (Draft for Comment) (“Draft Method”) for public comments by October 9, 2020.

The Draft Method provides that the evaluation of security protection capabilities of critical information infrastructure (“CII”) includes three parts: capability domain level evaluation, graded protection evaluation, and cryptography evaluation. Before the evaluation of the security protection capability of CII, the CII should first pass the corresponding graded protection evaluation and related cryptography evaluation. Then, the organization should carry out the evaluation according to the evaluation content and evaluation operation method, give the judgment result and grade of each evaluation index, get each capability domain level, and finally obtain the security protection capability level of critical information infrastructure based on the evaluation results of capability domain level and graded protection.

For more information ,please refer to


MIIT seeks public opinions on Guidelines on the Construction of Data Security Standard System in Telecom and Internet Industries

On August 11, 2020,the Ministry of Industry and Information Technology (“MIIT”) issued the Guidelines on the Construction of Data Security Standard System in Telecom and Internet Industries (“Draft Guidelines”) to seek public opinions.

According to the Draft Guidelines, the data security standard system of telecom and Internet industries includes four categories of standards, namely the standards for basic generality, critical technologies, security management and critical fields:

  • the standards for basic generality include definitions of terms, data security framework, and data category and classification;
  • the standards for critical technologies deal with data security technology from the dimensions of the entire life cycle, including data collection, transmission, storage, processing, exchange, and destruction;
  • the standards for security management include data security specifications, data security assessment, monitoring and early warning and handling, emergency response and disaster backup, and security capability certification; and
  • the standards for critical fields mainly include 5G, mobile Internet, connected-car, Internet of Things, Internet of Industry, cloud computing, big data, artificial intelligence, blockchain and other critical fields.

For more information, please refer to


The Ministry of Justice: To strengthen protection of trade secrets and confidential business information in administrative licensing

On August 14, 2020, the Ministry of Justice (“MOJ”) issued the Guiding Opinions on Strengthening the Protection of Trade Secrets and Confidential Business Information in Administrative Licensing (Draft for Comment) (the “Draft Opinions”) for public comments by September 30, 2020.

The Draft Opinions provide that applicants for administrative licenses shall expressly indicate their trade secrets pursuant to the Anti-Fair Competition Law or other laws or regulations, as well as their business information that are needed to be kept confidential when making an administrative license application to an administrative authority, and correctly identify the scope of confidentiality.

When applicants submit the application materials to the administrative authorities, they must clearly indicate the key points of confidentiality, and not generally regard all materials as trade secrets and confidential business information. Such information should be clearly marked on the first page of the paper-based or electronic materials submitted and the key points of confidentiality.

For more information, please refer to


Shandong Province releases classification management rules on health care big data

On August 25, 2020, the People’s Government of Shandong Province issued the Measures for the Management of Health Care Big Data in Shandong Province (the “Measures”), which will take effect on October 1, 2020.

According to the Measures, health care big data falls into three categories:

  • health care data involving trade secrets, personal privacy or other types of data which are not allowed to be accessed according to laws and regulations shall be categorized as inaccessible data;
  • health care data with higher requirements for data security, processing capacity, and timeliness or that needs to be acquired continuously shall be categorized as conditional accessible data; and
  • health care data other than the above two categories shall be categorized as unconditional accessible data.

The Measures also stipulate that:

  • for unconditional accessible data, citizens, legal persons and other organizations can access it through the health care big data platform.
  • for conditional accessible data, health care big data management institutions and data using organizations should sign data using agreements to access the data. The agreement shall specify the scope, conditions, data products, confidentiality responsibilities and security measures, etc. of the data.
  • for inaccessible data, it can be accessed after the consent of the relevant obligees or after the desensitization and declassification, unless otherwise provided by laws and regulations.

For more information, please refer to


If you would like to receive our legal update via email, please contact


For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369


Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.

Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.

Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.

Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.

 Author:Hannibal El-Mohtar   Agnes Wang


(Attribution: Ravi Kant)

I. How can Hong Kong and foreign insurers currently sell insurance to MainlandChina?

Despite the COVID-19 pandemic, many Mainland residents find foreign insurance policies more attractive than those found in the mainland and continue to cross borders to get their hands on them.

Take Hong Kong for example. The Provisional Statistics of Hong Kong Insurance Industry in the First Quarter of 2020 released by the HK Insurance Authority shows that new office premiums in respect of policies issued to Mainland visitors amounted to $5.4 billion in the first quarter of 2020.

Despite their popularity, when mainlanders purchase HK insurance products, there is a unique set of risks associated with the agreement for all parties concerned. In 2016, the China Insurance Regulatory Commission (“CIRC” the predecessor of the China Banking and Insurance Regulatory Commission, “CBIRC”) issued a risk reminder for Mainland citizens regarding purchasing insurance products in Hong Kong. Specifically, it warned Mainland citizens that:

  • Policies issuedby Hong Kong insurers are not protected by PRC legislation;
  • Risks of changes to PRC or other laws applicable to foreign exchange should not be ignored;
  • There is uncertainty with regard to investment-kind policy yields.

Moreover, CIRC’s warning included a notice for mainland insurance intermediaries. A special 2016 campaign was launched to crack down on the illegal promotion of Hong Kong policies in Mainland China. At least one Mainland insurance intermediary has been sanctioned for illegally promoting or selling foreign insurance products in the Mainland, see Shanghai Banking Insurance Regulatory Insurance Punishment Juezi [2019] No. 36.

Hong Kong insurers, for their part, face risks in navigating restrictions on the PRC’s insurance market access. They are for the most part eager to provide their services to prospective Mainland clients in the PRC’s thriving insurance market. However, like other foreign insurers, they cannot directly sell insurance products unless they have successfully established a joint venture or wholly foreign-owned enterprise (“WFOE”) insurance company in Mainland China.

II. Why is the Insurance Connect Significant for HK and Foreign Insurers?

Through the Greater Bay Area Insurance Connect (the “GBA IC”) Shenzhen will become a unique foothold for Hong Kong insurers serving Mainland clients. The GBA IC allows them to provide post-sale services to Mainland policyholders thanks to unique insurance market access permissions granted specifically to Shenzhen. So far, what is known is that under the GBA IC , two service centers (the “Service Centers”) will be established in Shenzhen — plus one other city, to be determined — featuring “counters for Hong Kong insurers” (the “Service Counters”). The Hong Kong Federation of Insurers, the industry body in Hong Kong, will take the lead in renting office space in each of these two cities. HK-based insurers will then be allowed to set up Service Counters in these Service Centers to serve policy holders living in the Greater Bay Area (the “GBA”). This will allow GBA policyholders to pay premiums for their policies, and modify their personal details under their policies without entering Hong Kong.

Why is this significant? Shenzhen is increasingly sharing Hong Kong’s role as a GBA financial hub. To understand how significant this step is, let’s place this development in context.

Shenzhen already had more financial autonomy than other Chinese cities since it became China’s first special economic zone (“SEZ”) in 1980 (see 1980 Guangdong Special Economic Zone Regulations 广东省经济特区条例).

Shanghai’s dominant status as China’s financial hub has not lessened Shenzhen’s own ambitions as a financial services center. A month after Shanghai’s stock exchange (the “SSE”) reopened, Shenzhen established its own in December 1990 (the “SZSE”). To this day the SZSE remains the only exchange in Mainland China besides the SSE. Note that since 2014, both have been connected with each other and Hong Kong through the Shenzhen/Shanghai-Hong Kong Stock Connect (the “Stock Connect). More recently, in 2017, an announcement making Shenzhen into the “first pilot city for the development and innovation of insurance” (Shenzhen Insurance Regulatory Commission (2017) No. 14, the SIRC Announcement) was promulgated.

In 2019, Shenzhen received additional consideration as a financial center after being designated China’s “Model City” through the Opinions of the Central Committee of the Communist Party of China on Supporting Shenzhen’s Pioneering Zone for Building Socialism with Chinese Characteristics (2019 Shenzhen Opinions, 中共中央 国务院关于支持深圳建设中国特色社会主义先行示范区的意见). Under para 5 of the Shenzhen Opinions, the Central Committee encouraged the city to promote interconnection and mutual recognition of financial products with Hong Kong and Macao’s financial markets.

In line with the city’s plans for financial reforms, an announcement from this year announcements shows Shenzhen is now set to become a “pilot city” for the development and innovation of the insurance sector in China. On April 24, 2020, the People’s Bank of China, CBIRC, the China Securities and Regulatory Commission, and the State Administration of Foreign Exchange (“SAFE”) released the Opinions on Financial Support to the Construction of Guangdong-Hong Kong-Macao Greater Bay Area [Yin Fa 2020, N. 95] (the “Financial Support Opinions”).

According to the Fiancial Support Opinions, Hong Kong and Macau insurers will be invited to conduct pilot operations in GBA cities, paving the way for the further opening up of China’s insurance market. In addition, it will facilitate the GBA insurance business for HK/Macau insurers and facilitate GBA financial consumers’ access to HK/Macau insurance products.

Actioning these earlier goals, the GBA IC therefore represents a concrete step towards greater market access for Hong Kong insurers. It builds on the Financial Support Opinions, the Shenzhen Opinions, and the SIRC Announcement on becoming a “pilot” city for insurance innovation and development. It is also a feather in Shenzhen’s cap; putting these previous goals into practice is an important confirmation of the city’s direction and its promise as an insurance hub.

Note that as stated, the new GBA insurance regime will not make market access much easier than before for HK capital. At present, it only refers to post-sale transactions. Nevertheless the GBA IC and its integration with, among others, the policies mentioned in the Financial Support Opinions, will certainly make the GBA a more attractive place for foreign capital.

(Attribution: Aline Nadai)

III. How does Shenzhen now compare with Beijing and Shanghai for establishing an Insurance WFOE?

Market Access

When compared to Beijing and Shanghai, Shenzhen’s market access reforms are leading and offer the greatest potential for preferential treatment for foreign insurers. This section examines Beijing and Shanghai’s market access reforms, and then compares them with Shenzhen’s new foreign investment regime.


Recent measures build on Beijing’s role as a China’s financial management center and make the city a more favorable site for investing foreign capital in the financial services and insurance sectors. For one, Beijing is the only city in the comprehensive pilot project for the extensive opening-up of the professional services industry. In 2015, the State Council issued the Reply on Approving the Overall Plan for a Comprehensive Pilot Project in Further Opening-up of the Service Industry in Beijing Municipality (国务院关于北京市服务业扩大开放综合试点总体方案的批复, the “2015 Beijing Reply”), which allows Beijing to test a wide range of innovative opening-up policies. This Reply laid out the plans for the further opening-up of Beijing’s service industry, whereby the establishment of foreign-funded professional health and medical insurance institutions would be supported. Since then, the State Council has issued two replies in 2017 and 2019 (the “2019 Beijing Reply”), with the latter putting forward a three-year plan for reform and encouraging professionals in finance to work in the city. These Replies indicate the national government’s past and continued support for expanding Beijing’s role as a financial services center.

Beijing has also been proactive in implementing more permissive rules on foreign ownership in the finance and insurance sectors. In June 2020, the Beijing Municipal Commerce Bureau published the Beijing Action Plan for New Opening-Up Measures (北京市实施新开放举措行动方案,the “Beijing Action Plan”), taking “further opening-up of the financial sector” as a “key task”. Regarding how to further open up the financial sector, the document clearly states that life insurance companies, together with securities companies, fund management companies and futures companies can be fully owned by foreign capital, and foreign insurance institutions can establish health insurance and pension companies in Beijing. Note however that this latter item, permitting full foreign ownership of insurance companies and their provision of pension and life insurance policies, is the implementation of China’s new foreign investment policy as of April 1, 2020 (see our China and the GATS article). It is not a Beijing-specific policy pilot; rather this is expected to eventually be applied by all sub-national jurisdictions in China.

Beijing’s airport districts are also set to become pilot areas for certain financial reform programs. Use of airports to this end is mentioned explicitly in the 2019 Beijing Reply. For Daxing Airport Free Trade District (Beijing), a list for institutional innovations is now available. The list contains 81 measures which involve nearly all governmental institutions responsible for the reform of the District. There are several innovation measures marked as “strong implementability” in the list, among them encouraging foreign investment in the financial sector.


Historically, Shanghai has been a pilot zone for testing market access liberalization for financial services. For a time, Shanghai was the only city where foreign insurers could operate (see China’s first Schedule of Commitments to the GATS, 1994, and our analysis of China and its GATS insurance commitments).

The past decade has been no exception. When the Shanghai FTZ was founded in 2013, one of the opening up measures included providing special market access for foreign-invested specialized health and medical insurance institutions (as a testament to this pilot’s success, such market access has now been extended to cover most of China). Shortly thereafter in 2014, the CIRC issued 2 notices on supporting the development of the Shanghai FTA, which included 11 measures in the insurance sector.[1] A notable development, Shanghai was also the site for the WFOE insurance holding company in China, Allianz insurance, four years earlier than initially planned. As recently as August 2020, Tesla registered with AMR for its own insurance brokerage in Shanghai to support insurance policies for Tesla owners.

Within Shanghai, the city’s Lingang area will be the site for important policies to encourage insurance investment going forward. Under the Lingang Measures, Shanghai will support foreign funds to set up holding or wholly owned life insurance companies (in addition to securities, fund management, and futures companies), as well as form joint ventures. In 2020, new policies regarding Lingang New Area (Several Measures for Comprehensively Promoting the Financial Opening and Innovative Development of Lingang Special Area of China (Shanghai) Pilot Free Trade Zone/全面推进中国(上海)自由贸易试验区临港新片区金融开放与创新发展的若干措施) take this development a step further. Paragraph 4, specifically, indicates additional support for market access for foreign insurers, with the government “[s]upporting the establishment of foreign-controlled or wholly foreign-owned personal insurance companies.” Moreover, a February 2020 circular encourages insurance asset management companies to set up specialized asset management subsidiaries in Shanghai (para 10), and opens the door to pilot the permitting of insurance funds to invest in gold, oil and other commodities on a trial basis in Shanghai. It also encourages, generally, insurance institutions to invest in science and innovation investment funds in the Lingang area (para 1) (Yinfa [2020] No. 46).

Most recently, Shanghai has announced ambitious development plans for its Hongkou district, intending to replicate “China’s Wall Street” along the North Bund waterfront to drive economic growth in the aftermath of COVID-19 (the “Hongkou Plan”). The development includes plans to attract 100 major companies, particularly in the finance sector, to the North Bund’s Hongkou area. This follows an earlier March announcement that Shanghai authorities would strive to bring 40 new regional headquarters for multinationals into the city and further open up controlled sectors, including insurance, as a part of its post-COVID recovery plans.

Comparison with Shenzhen

Despite Beijing and Shanghai’s support for reforming and opening up their financial services and insurance sectors, neither of these cities’s commitments match the level of detail available in Shenzhen commitments. Nor do they appear to share the same promise as the GBA, and particularly Shenzhen, for insurers’ current and future market access.

Many of the most promising elements in Shanghai’s Lingang Measures and the Hongkou Plan remain non-specific. The provisions of Yinfa [2020] No. 46 are encouraging, especially for insurance institutions planning on investing in commodities or science and innovation. However they have not yet been put into action and more details are needed to properly weigh the effects of measure. The same can be said for the other measures within the Hongkou Plan, which are even more general.

For its part, Beijing has similarly sent encouraging signals that it intends to pilot market access schemes that are beneficial to foreign insurers, but concrete policies have yet to be put into place. The role given to airport districts for financial reform, in particular, is one to watch.

Comparing the three cities, we can now see that while each has sent strong signals in favor of piloting greater market access benefits for foreign insurers, Shenzhen leads the pack and may go the furthest distance in implementation. Through the GBA IC, the Shenzhen and GBA authorities are already implementing the Financial Support Opinions, Shenzhen Opinions, and SIRC Announcement policies to bring greater market access to foreign insurers, especially for insurers based in Hong Kong. Although Shanghai’s expected Lingang pilots encouraging commodity, science, and innovation investments by insurers may end up being more preferable to insurance institutions with a strong interest in these sectors, Shenzhen still offers the most insurance-specific measures. Thus while the GBA IC is currently limited to post-sales services, placed in its proper context, it becomes clear that this is a greater priority for Shenzhen than for other cities and will be the first of many market access pilots to come.

Foreign Exchange

Among the three cities, Shenzhen’s foreign exchange measures are the most encouraging. This section examines and compares the foreign exchange policies of Shenzhen, Shanghai, and Beijing in turn.


Currency traders within the city limits of Shenzhen enjoy special foreign exchange privileges. Under the supervision of the People’s Bank of China and SAFE, Shenzhen is the first mainland city to progressively liberalize the conversion of foreign capital into the Yuan. Expanded from the city’s initial Qianhai district Free Trade Zone Yuan Convertibility Pilot to now extend across all of Shenzhen, this program moves the city away from the mainland’s approval-based system. This allows settlement of exchanges within minutes, rather than hours. This is in line with  the above-described Financial Support Opinions. The above-described 2019 Shenzhen Opinions also encourage Shenzhen’s role in internationalizing the Yuan.

According to the Financial Support Opinions, there are other plans beneficial to the introduction of foreign capital generally. This includes facilitating cross-border capital pooling and the establishment of a bank account system integrating the Yuan and foreign currencies.

Most recently, in June 2020, SAFE further approved a reform to allow eligible banking institutions in Shenzhen to support mobile foreign exchange transactions for cross-border currency conversions (facilitating payments both for Chinese workers abroad and foreigners in China).


Shanghai will also begin experimenting with pooling foreign capital.  Under the Several Measures for Comprehensively Promoting the Financial Opening and Innovative Development of Lin-gang Special Area of China (Shanghai) Pilot Free Trade Zone (the “Lingang Measures“, 全面推进中国(上海)自由贸易试验区临港新片区金融开放与创新发展的若干措施), unveiled on May 8th, 2020, the Lingang New Area of the Free Trade Zone will pilot a cross-border capital pool.

Shanghai will also support foreign funds seeking to invest in pension management and wealth management firms in Lingang. Note that one of the five basic objectives of the Shanghai FTZ, when it was founded in 2013, was “[to] deepen opening up and innovation of the financial sector.” Lingang will also host an integrated account system for local and foreign currencies. Previously, multinational companies operating in China needed to open separate Yuan (managed by the People’s Bank of China) and foreign exchange accounts (under the management of SAFE). This was a burden on capital collection and payment.


Daxing Airport Free Trade District is one of the many recent examples of Beijing’s foreign-exchange initiatives, and indicates that Beijing intends to compete seriously to become a favorable destination for foreign capital. In April, the Beijing Department of SAFE released the Implementing Rules on Foreign Exchange Reform of Daxing Airport Free Trade District (Beijing)( 中国(河北)自由贸易试验区大兴机场片区(北京区域)外汇管理改革试点实施细则). About 9 new measures in the foreign exchange sector are planned to be implemented in the Daxing Airport Free Trade District (Beijing), including allowing the implementation of facilitating services for the payment of foreign exchange income from capital account; relaxation of the requirements that the contract currency, withdrawal currency, and repayment currency for cross-border financing must be consistent; and simplification of the registration, modification and cancellation procedures relating to direct investment.


After examining each city’s regime, we can now see why Shenzhen’s foreign exchange reforms are the most encouraging. While each city offers promises of preferential forex pilots going forward, Shanghai and Beijing’s remain in the planning stages whereas some important foreign-exchange policies have already been successfully implemented in Shenzhen. Specifically, the completed Yuan convertibility pilot and SAFE’s approval of mobile forex support in Shenzhen both remove significant burdens for transactions requiring foreign exchange within the city limits.

However, Shanghai’s programs are not far behind. Its Lingang integrated local/foreign currency account system is a pilot to watch for, as is the expected Lingang capital pool.


Shenzhen’s tax environment appears to be the most favourable for foreign insurers considering entering establishing a headquarters in mainland China.

As a GBA city, Shenzhen benefits from Guangdong’s preferential income tax policy for foreigners. The Ministry of Finance (MOF) and the State Administration of Taxation (SAT) issued Caishui [2019] No. 31 on March 14, 2019 (the “2019 GBA Circular”). The 2019 GBA Circular allows foreign talents working in GBA cities like Shenzhen to benefit from a tax rebate covering taxes in excess of 15% of their Individual Income Tax (“IIT”). The 2019 GBA Circular ends on December 31, 2023.

[Source: Department of Commerce of Guangdong Province, 2020 Invest Guangdong]

Measures for the other two cities are positive but non-specific. In Shanghai, there have been some generally favourable announcements applicable within the Lingang area, but they remain general in nature. Specifically, under No.6 (9) of the Lingang Measures, overseas high-end and urgently-needed talents working in Lingang will be allowed to benefit from certain IIT subsidies. A similar claim is made in the 2020 Shanghai Foreign Investment Guide (p. 59), which specifies that financial professionals are eligible for this subsidy, but otherwise does not provide particulars. Beijing, for its part, does not appear to have implemented or announced preferential IIT tax measures of this nature.

Shenzhen also benefits from Guangdong province’s preferential foreign investment awards. On August 21, 2020, Guangdong issued the revised version of the Policies and Measures of Guangdong Province on Further Expanding Opening-up and Actively Attracting Foreign Direct Investment (Ten Policies and Measures for Foreign Investment). One enumerated incentive is an award (one-time) of 30% of a foreign investor’s financial contribution made when establishing a regional or national headquarters within Guangdong. Beijing and Shanghai do not offer such an award.


 The financial costs for WFOE formation will be similar across Shenzhen, Beijing, and Shanghai, although local requirements and processing standards may lead to slightly faster service depending on the city.

Across Beijing, Shenzhen, and Shanghai, some interactions with SAMR are moving online. In each of these cities, the Application Form for Foreign Funded Enterprises in China (在中国设立外资企业申请表) is being replaced by SAMR-administered online forms. For example, the Shanghai form (the “one window, one form”, exclusively in Chinese) is available on the Shanghai government’s website.[2] Similarly, Shenzhen has its own online portal, [3]as does Beijing.  This “one window, one form” policy is in line with a broader push by the Chinese government to improve the country’s business environment and lessen bureaucratic red tape. [4]

Once the greatest hurdle is cleared, namely of getting approval from CBIRC, each city provides relatively similar processing times:


Statutory time limit

(Working day)

Promised time limit

(Working day)

Shanghai 15 1
Shenzhen 7 1
Beijing 15 3


Note that when establishing a WFOE, an applicant must already have possession of an office address within the desired city at the time of application. Planning ahead on how to satisfy this administrative requirement will help avoid costly delays in company formation.

(Attribution: Matheus Natan)


For data management and control, an important consideration for insurers entering China, the applicable laws are national. The Guidelines on the Information System Security Management of Insurance Companies(2011)/ 保险公司信息系统安全管理指引, together with the Cyber Security Law, apply with equal force in Beijing, Shanghai and Shenzhen.

As such data management rules should not be a factor in how a foreign insurer evaluates individual cities for its market-entry analysis.


For decades now, Beijing, Shanghai, and Shenzhen have attracted significant foreign investment in the financial and insurance sectors.

However, in light of Shenzhen’s recent pilots and reforms, in particular the GBA IC, it is now the most favourable destination for foreign insurers seeking to establish a WFOE in mainland China. In terms of market access, foreign exchange controls, and tax policies, the city has shown the greatest level of initiative and implemented the greatest number of preferential policies that benefit foreign insurance institutions.

Nevertheless, this does not mean that insurers already based in Beijing and Shanghai should relocate to Shenzhen. Both Beijing and Shanghai have clearly demonstrated that they intend on piloting their own reforms in these areas. Additionally, as China’s “Model City”, many pilots that succeed in Shenzhen are, eventually, well-received in other cities. Thus the above-described competitive advantages in Shenzhen may, relative to cities like Shanghai and Beijing, be temporary. That said, developing a dynamic and robust insurance sector is clearly a priority for Shenzhen, and its special support from both the state and provincial levels, combined with its proximity to well-established players in Hong Kong’s own insurance sector, allow it to act on that priority in exceptionally promising ways.


[1]Please refer to:

1)Notice of the CIRC on Supporting the Development of the China (Shanghai) Pilot Free Trade Zone/保监会支持中国(上海)自由贸易试验区建设的通知

2) Notice of the General Office of the CIRC on Further Simplifying Administrative Examination and Approval to Support the Development of the China (Shanghai) Pilot Free Trade Zone/中国保监会办公厅关于进一步简化行政审批支持中国(上海)自由贸易试验区发展的通知

3) Administrative Measures of the China (Shanghai) Pilot Free Trade Zone for the Record-Filing of Insurance Institutions and Senior Management Personnel/中国(上海)自由贸易试验区保险机构和高级管理人员备案管理办法

[2]Shanghai Municipal Government, “上海市开办企业 ‘以窗通‘网上服务”. Due to the presence of its free trade zone, Shanghai was able to pioneer online registration for companies doing business in areas not on the negative list before any other administrative area.

[3]Shenzhen Municipal Government, “深圳市开办企业 ‘一窗通‘网上服务”, online: <>.

[4]Dezan Shira & Associates, “Shanghai Business Registration: Online Platform for Foreign Invested Enterprises Launched” China Briefing, August 22, 2018, online: <>


Have questions about accessing China’s insurance market? Anjie is a Chambers ranked, Band 1 law firm for PRC Insurance law, and has the largest insurance practice in mainland China  

Feel free to send consultation requests to An Na ( or An Chencheng (

Authors: Zhan Hao, Song Ying, Yang Zhan

In June 2020, the Anti-Monopoly Bureau of the State Administration for Market Regulation (“SAMR”) published a new book, the 2019 Compilation of Antitrust Regulations and Guidelines, which contains four previously unpublished guidelines covering the automotive sector, intellectual property rights, leniency policy, and commitments by undertakings. The Guidelines on Leniency for Horizontal Monopoly Agreements (the “Leniency Guidelines”) detail SAMR’s leniency policies towards horizontal monopoly agreements (cartels) under China’s antitrust law system.

Monopoly agreements by competitors are generally highly secretive, and with the exception of extreme scenarios, the parties to such agreements lack an incentive to whistle-blow to the competition authorities. SAMR’s leniency policy is formulated to encourage such parties to voluntarily self-report and hand over substantive evidence, by granting them exemptions or fine reductions.

In China, Article 46 of the Anti-Monopoly Law (the “AML”) provides that, where an operator who is engaged in a monopoly agreement voluntarily reports said monopoly agreement and provides material evidence thereof to the authorities, that party could be eligible for a reduction or exemption from punishment. Inter alia, Articles 33 and 34 of the Interim Provisions on Prohibiting Monopoly Agreements (the “Interim Provisions”) promulgated by SAMR further clarify how reductions or exemptions from penalties apply, define “material evidence”, and set out factors used to “mark” an applicant for consideration by the authorities.

Preparations for the Leniency Guidelines by anti-monopoly authorities go back as far as 2015. In June 2015, the Office of the Anti-Monopoly Commission of the State Council (the “Office”) organized the three former antitrust enforcement agencies, i.e. the Ministry of Commerce, the National Development and Reform Commission (“NDRC”) and the previous State Administration for Industry and Commerce to Draft the Leniency Guidelines. In February 2016, the National Development and Reform Commission released the Draft Leniency Guidelines to solicit public comments. In February 2017, the Office revised the Draft Leniency Guidelines based on the opinions of the members and experts of the Anti-Monopoly Commission under the State Council. Due to the administrative re-structuring of the State Council, in August 2018, certain provisions of the Draft Leniency Guidelines were further amended. Upon approval of the Anti-Monopoly Commission under the State Council, the Leniency Guidelines were officially issued on January 4, 2019, and then published along with the other three guidelines in the above-mentioned book.

The current Leniency Guidelines provided relatively specific guidance to SAMR and market players regarding how SAMR’s leniency policy should be implemented. Specifically, it establishes a “marker” system with different fine reduction “levels”. It clarifies the requirements for obtaining leniency, reporting procedures, and practices for the submission of material evidence. It also provides guidance to enforcement agencies on leniency application reviews. Compared to the previous draft version, there are several changes in the application and review procedures, and specific requirements to which the operators should pay more attention if applying for leniency in an antitrust investigation. This article elaborates on the main highlights and implications of the Leniency Guidelines below. 

I. Application scope of the leniency policy

The leniency policy applies only to horizontal monopoly agreements concluded between competitors as defined under Article 13(1) of the AML. Vertical monopoly agreements and abuse of market dominance are not applicable. It also should be noted that not all the applicants under the leniency policy will be fully exempted from penalties. The Leniency Guidelines provides that if an operator organizes or forces other operators to participate in reaching or implementing monopoly agreements, or impedes other operators from terminating their illegal conduct, the authority will not grant an exemption but can instead allow a limited penalty reduction. Penalty reduction or exemption is generally applied against fines imposed on the parties to a monopoly agreement, but will not allow such parties to keep ill-gotten gains under their agreement.

II. When are operators entitled to apply for leniency?

The time limit for operators to apply for leniency is not very strict. Operators are entitled to apply for leniency (i) before the enforcement agency initiates a case or launches an investigation procedure under the AML, or (ii) after the enforcement agency initiates a case or launches an investigation procedure but before issuance of a prior notice on administrative penalty by the authorities.

III. Application report and “key evidence” required for the leniency application

When a party applies for a leniency, the following documents are required: the application report and “key evidence”. If the authority decides not to grant the leniency, it will not determine the illegal acts based on the relevant materials filed by parties for the purpose of leniency application.

  1. Application report

For the first applicant, the application report must include:

  • Basic information of the parties to the monopoly agreement, including but not limited to name, address, contact details, and representative.
  • Description and main content of the monopoly agreement, including but not limited to time and place that the agreement is reached or implemented, main content, specific participants, and what stage the operators reached in agreeing to and implementing the agreement.
  • Geographical scopeand market scale affected the agreement.
  • Duration of the agreement’s implementation.
  • Explanation of the evidence.
  • Whether the party has applied for a leniency in other jurisdictions.

For subsequent applicants, the application report shall cover participants of the monopoly agreement, products or service involved, time and place that the agreement is reached or implemented.

  1. Key evidence

The Leniency Guidelines clarify that, for the first applicant, key evidence refers to the materials that the enforcement agencies have not collected yet and would be sufficient to trigger initiation of an investigation, or (if they have already initiated the case or launched the investigation procedure) sufficient for agencies to find a monopoly agreement.

For subsequent applicants, key evidence refer to materials that the enforcement agencies have not collected and would be of significant or probative value in detecting a monopoly agreement. Most importantly, this includes how the agreement was reached and implemented, its main content, the timeline involved in reaching and implementating it, the products or services involved, and the relevant participants.

IV. Other requirements for leniency

In addition to the above requirements, the Leniency Guidelines also request the applicant to: (i) immediately terminate the illegal conduct (except for the cases where the authority requires applicants to continue the illegal conduct), (ii) cooperate with the authorities in a prompt, consistent, full, and reliably manner in the investigation, (iii) properly preserve and provide evidence and information, and to not conceal, destroy or transfer evidence or provide false material or information, (iv) not to disclose applications for leniency without the consent of the authorities, and (v) not to have any conduct that may affect the investigation.

V. Who can ask for a marker?

A marker system is applied in many jurisdictions worldwide. In the EU, the marker system “is designed to preserve and protect the applicant’s place in a leniency queue for a definite period of time.”[1]  The Leniency Guidelines establish a marker system in China as well and provide an exemption for the first applicant that meets its requirements; for each subsequent successful applicant, it provides a reduction in fines. Note that only the first immunity applicant can hold their marker’s priority without delivering all of the required evidence: if an operator initially submits a monopoly agreement information report the authorities and then provides related key evidence, the authority can decide to mark the time of the initial submission as that of applying for leniency, and request the applicant to supplement all related materials generally within 30 days, or 60 days for special cases. If the first applicant cannot supplement the related materials within the required period, it will lose its priority under the marker system; if so, the next successful applicant for a reduction in penalties can automatically become the first-in-time immunity applicant.

VI. How are applicants classed?

The Leniency Guidelines clarify the range of fine reductions available to undertakings for the first, second, or third place applicants: exemption from penalty or of reduction of fines by no less than 80% for the first, a 30%–50% reduction for the second applicant, 20%~30% for the third applicant, and no more than 20% for subsequent applicants. In general, the enforcement agency may grant leniency to up to three operators in an investigation. If a high-profile case is relatively complicated and involves more than three parties to agreements applying for leniency, the enforcement agency has the discretion to grant reductions in penalties to more than three applicants. Similarly, the confiscation of illegal gains may also be referred to exemption or reduction of fines on parties of monopoly agreements, subject to the authority’s discretion.

VII. Decision and publication of leniency

Subject to the Leniency Guidelines, the authorities are obliged to publish the leniency decision if they agree to grant an exemption or reduction of fines to the applicants. Without the consent of relevant parties, the application report and all other related materials submitted for leniency application shall not be published, and none of any other third parties are entitled to review. This provision may to some extent relieve companies’ practical concerns that the materials submitted for a leniency application may be used as evidence against them in future civil actions by other parties.

The leniency policy provides a very valuable and practical approach to help global antitrust enforcement agencies in the detection and termination of infringing monopoly agreements. The Leniency Guidelines propose a relatively reliable leniency system under the AML, which is of great significance for improving the effectiveness of antitrust enforcement, while providing a valuable source of guidance for Chinese market players to follow up on.

The automobile industry has been under the radar of China’s antitrust enforcement for a number of years. Since 2014, the agency had successively issued fines against many players in the automobile supply chain, including auto parts manufacturers, and motor vehicle suppliers and distributors. By November of 2019, the aggregate antitrust fine in the car sector reached up to RMB 2.5 billion. Excepting those cartel-related penalties against 12 Japanese auto parts manufacturers in 2014, all of other penalties related to the violation of vertical restraints.

China’s antitrust agency’s greatest competition concerns in the automobile sector relate to vertical restraints. Possibly underscoring this concern, the newly published Antitrust Guidelines on Automobile Industry (the “Automobile Antitrust Guidelines”) placed its main focus on clarifying issues arising from vertical restraints. Therefore, it is critical to take stock of this publication in order to better understand the enforcer’ attitude towards vertical restraints for companies in the automobile sector.

To help companies in the automobile industry better make their own assessments on antitrust compliance in China, this article explains the antitrust rules related to vertical restraints provided in these guidelines and analyzes their implications.

I. The Assessment Framework for Vertical Restraints

On whether a given vertical restraint constitutes a vertical monopoly agreement banned by the AML, the Automobile Antitrust Guidelines clarify a three-step assessment framework that China’s antitrust agency will usually employ. First, the agency determines whether a given agreement falls into the scope of vertical monopoly agreements prohibited by the AML. Second, it assesses whether the “assumed exemption”, which is similar to the block exemption in the EU and will be further explained later, could be applied. Third, if the assumed exemption is not applicable, the agency will assess whether an individual exemption could instead be granted.

II. Conditions forAssumed and Individual Exemptions

One valuable development in the Automobile Antitrust Guidelines is how they clarify the conditions under which the assumed exemption applies. Note that although at present the assumed exemption mechanism only applies to the automobile sector, theoretically it can also be of reference value to other industries.

According to these guidelines companies that lack appreciable market power could, when imposing vertical restraints on territories or customers, usually be exempted from being considered as imposing a vertical monopoly agreement. These guidelines further clarify that a company usually does not have market power if its market share in the relevant market is below 30%, though this is a rebuttable presumption.

For individual exemptions, the Automobile Antitrust Guidelines do not provide rules for the automobile sector besides those already described in Article 15 of the AML. However, with a view to clarifying its applicability for companies, these guidelines do illustrate circumstances under which assumed exemptions or individual exemptions usually apply. They are explained further in the below sections.

III. Enforcement Attitudes Toward RPM in Automobile Sector

It should be noted that in practice, China’s antitrust enforcement agency typically finds fixing resale or minimum resale prices (“RPM”) to be per se illegal, although judicial practice shows a different attitude towards RPM by Chinese courts. The Automobile Antitrust Guidelines implicitly confirm that the assumed exemption will not apply to RPM. However, the guidelines do not exclude the possibility of granting an individual exemption to companies fixing RPM, subject to specific circumstances, even though the chance of doing so is relatively low. To provide more guidance, these guidelines further provide four scenarios where individual exemptions are more likely to be granted.

First, fixing RPM in the short term for new energy automobiles may be individually exempted. This is in light of their benefits for energy conservation, environmental protection, avoidance of service free riding. The aforesaid “short-term” is further clarified in these guidelines as constituting nine months from the day when the automobile supplier issues its first wholesale invoice. This term is subject to potential adjustment in the future.

Second, where the distributor only serves the function of a middleman, fixing RPM may also be individually exempted. This scenario mainly refers to when the automobile suppliers directly negotiate the sales price with specific third parties or ending consumers, while the distributor just provides ancillary sales functions such as delivery, collection of payment, issuance of invoice and other services.

Third, fixing RPM in the course of government procurement may be individually exempted. This is because in practice automobile suppliers and distributors usually are required to collectively bid after agreeing on the quotation in government procurement projects. If the distributor in a government procurement scenario only plays a role in assisting completion of transaction, like a middleman, then they may also be exempted.

Fourth, the RPM imposed by automobile suppliers in e-commerce may be also individually exempted. This exemption should be narrowly interpreted, as when automobile suppliers directly sell to ending users through e-commerce platforms, and the distributor only plays a role fulfilling the sale, such as delivering the automobile, collecting payment and issuing the invoice for such transactions concluded through e-commerce platforms.

IV. Enforcement Attitudes Toward Territorial and Customer Restraints in the Automobile Sector

As mentioned above, restrictions on territory and customers imposed by suppliers with a market share below 30%, with justifiable reasons, can be assumed to be exempted. To provide further guidance, these guidelines illustrate the circumstances where the assumed exemption is usually applied. These are elaborated below.

First, the distributors are required to only engage in distribution activities within their own business premises, but are not restricted from passive sales and cross-supply with other authorized distributors. Second, the suppliers restrict distributors from actively selling to the exclusive territories or customers which said suppliers reserve for another distributor. Third, the suppliers restrict wholesalers from directly selling to end users. Fourth, to avoid the spare parts being used by customers to produce the same products as the suppliers, the suppliers restrict distributors from selling spare parts to such customers.

In the meantime, to provide further clarification, these guidelines also provide circumstances where the assumed exemption usually is inapplicable. This includes restricting passive sales and cross-supply between distributors, and restricting distributors and service providers from supplying spare parts for repair and maintenance purposes to ending users.

However, it should be noted that, even if the assumed exemption cannot be applied to specific territorial or customer restrictions, companies theoretically could continue to assess whether they may instead be eligible for an individual exemption.

V. Indirect Vertical Restraints on Aftersales Service and Distribution of Spare Parts

Concerns over insufficient competition in the automobile aftersales market for repair and maintenance services have been articulated for a long time. These concerns are also reflected in the Automobile Antitrust Guidelines, which specifically stress that, if automobile suppliers impose unreasonable restrictions on the aftersales services and distribution of spare parts through warranty terms, they may raise competition issues. Such circumstances include but are not limited to, first, the automobile suppliers requiring that all maintenance work not covered by their warranty be completed by service providers within an authorized maintenance network, and denying said warranty when the supplier uses service providers outside that network. Second, for parts not covered by the warranty, the automobile suppliers conditioning performance of said warranty on that distributors and service providers’ exclusive use of original parts. A third instance is when automobile suppliers restrict their maintenance network from providing aftersales service to parallel imported vehicles.

VI. Other Vertical Restraints Related to Sales and Service Capacity

In addition, the Automobile Antitrust Guidelines also enumerate other typical circumstances where a vertical monopoly agreement may be found, to remind companies of the potential antitrust risks.

First, the automobile suppliers obligate distributors and service providers to purchase automobiles, aftersales spare parts, consumables, repair tools, and testing instruments that distributors and service providers did not order. Second, the suppliers force distributors or repairers to accept unreasonable sales targets, inventory variety, automobile quantities, or aftersales parts orders. Third, the suppliers force distributors to bear the costs of advertising and promotion in the name of suppliers or restrict the specific ways and media that the distributors use to carry out promotions, at their own expense. Fourth, the suppliers force distributors or service providers to use only the services of specific design or construction companies, or require them to use only specific brands, suppliers and supply channels for building materials, general equipment, information management systems, or office facilities. Fifth, the suppliers restrict distributors from dealing with other suppliers’ goods. Lastly, the suppliers refuse supply or terminate the distribution agreement ahead of time due to the distributors or service providers engaging in activities that promote competition.


The Automobile Antitrust Guidelines does not only clarify the rules for market players in the automobile sector, but also provide valuable reference for companies in other sectors which heavily rely on external distributors, on how to structure internal controls and limit antitrust risks. Specifically, in China, a large portion of manufacturers rely on external forces to distribute their products, and vertical restraints on distributors are oftentimes indispensable for them in the commercial world. Clarifications provided in the Automobile Antitrust Guidelines are undoubtably beneficial for in-house counsels to conduct their own internal assessments. However, it should be recognized as well that the real commercial world is diverse, and these guidelines cannot cover all commercial situations that may occur. When facing more complicated situations, seeking specialized legal advice from external counsel is recommended.

State Council to formulate the CII security protection regulations

On July 8, 2020, the General Office of the State Council issued the 2020 Legislative Plan, including several laws in the cyber security sector, such as the Regulations on Network Protection of Minors and the Regulations on the Security Protection of Critical Information Infrastructure.

Supreme People’s Court and the National Development and Reform Commission: To strengthen the protection of data rights and personal information security.

On July 20, 2020, the Supreme People’s Court and the National Development and Reform Commission issued the Opinions on Providing Judicial Services and Supports to Accelerate Improvement of the Socialist Market Economy System in the New Era (“Opinions”).

The Opinions emphasize that the state should strengthen the protection of data rights and personal information security. The state should also respect the law of the socialist market economy and the development practice of data-related industries, protect data collection, use, trading and the intellectual achievements according to the law, improve the legal system for data protection, properly handle various data-related dispute cases, promote the deep integration of big data and other new technologies, new fields, and new business forms, and serve the innovative development of the data element market. The state should also implement the provisions of the Personality Rights Part of the Civil Code on the protection of personality interests, improve the judicial protection mechanism for personal information rights and interests such as biological and social data of natural persons, grasp the boundary between the development of information technology and personal information protection and balance the relationship between personal information and public interests.


Shenzhen proposes local data protection regulations to protect “Data Right”

On July 15, 2020, the Justice Bureau of Shenzhen Municipality issued the Data Regulations of Shenzhen Special Economic Zone (“Draft Regulations”) to solicit public opinions by August 14, 2020.

The Draft Regulations propose the concept of “data right” for the first time, defining it as “data is the description and induction of objects (such as facts, events, things, processes, or thoughts), and is the material that can be processed or reinterpreted through automation and other means. Natural persons, legal persons, and unincorporated organizations enjoy data right in accordance with laws, regulations and these Regulations and no organization or individual may infringe upon such right. Data right is the right of the right holder to make independent decisions, control, process, gain, and claim compensation for specific data in accordance with the law.”

The Draft Regulations stipulate the ownership of personal data and public data. According to the Draft Regulations, natural persons have, and no organization or individual may infringe upon data rights to their personal data in accordance with the law. Public data is a new type of state-owned assets, and its data rights belong to the state. The Shenzhen Municipal Government shall exercise the data rights of public data on behalf of the state and authorize the municipal data coordination department to formulate public data asset management measures and organize their implementation.

The Draft Regulations provide that personal data includes personal information data and private data. Personal information data refers to data recorded through automation and other means that can identify the personal identity of a natural person alone or in combination with other data; private data refers to data and its derived data that are closely related to the private life of a natural person and the private space, private activities, and private information that are unwilling to be known to others.


MIIT to crack down unlawful behaviors in information and communications industry as exposed in the “3·15” program by CCTV

On July 16, 2020, CCTV’s 3.15 program exposed the chaos of third-party SDK plug-ins of mobile phone in collecting and using users’ personal information. It was reported that, technicians have found that the SDK plug-ins from two companies, i.e. Credit X and Zhaocai Dog, embedded in more than 50 Apps collect user’s information without prior notice to the user.

In response to the unlawful collection and use of personal information made by the SDK plug-ins, the Ministry of Industry and Information Technology (“MIIT”) immediately organized relevant entities to conduct thorough inspections, and strictly investigated and dealt with the enterprises involved in accordance with laws and regulations. The MIIT requires,

  1. the Beijing Communications Bureau and Shanghai Communications Bureau to inspect the two companies involved;
  2. third-party testing institutions to conduct technical testing on 50+ Apps that use the above SDKs;
  3. major domestic application stores such as Alibaba, Tencent, Baidu, Huawei, Xiaomi, OPPO, vivo, 360, etc., to conduct thorough investigations on similar problems as soon as possible; Apps found of problems should be removed as soon as possible; application stores are also required to promptly notify the App operation developer to conduct self-examination and self-correction to promptly discover and process the SDK that unlawfully collects and uses user’s personal information.

In the next step, the MIIT will adopt normalized regulatory measures to strengthen the comprehensive management of Apps. MIIT is about to increase the handling and exposure of various unlawful activities, such as collection and use of user’s personal information without consent, to effectively protect the legitimate rights and interests of users.


MIIT exposes the second and third batches of Apps infringing upon user’s rights and interests

Recently, the Ministry of Industry and Information Technology (“MIIT”) organized third-party testing agencies to conduct inspection on mobile applications (“Apps”) and issued the Second and Third Batches of Apps that Infringe Upon User’s Rights and Interests, requiring operators of these Apps to make rectification. As of now a number of Apps still have not completed rectification and the MIIT requires them to complete rectification before designated timelines, failing which the MIIT may impose punishment on these Apps.

The above Apps are found of the following problems:

  • asking for permission frequently or excessively;
  • rejecting providing services if no permission is given;
  • collecting personal information without consent or beyond the agreed scope;
  • sharing personal information with third parties without consent;
  • forcing users to use target pushing functions; and
  • difficult to de-register the account.


2020 Governance Work campaign on illegal collection and use of personal information by Apps officially launched

On July 22, 2020, the Central Cyberspace Administration, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation held a meeting in Beijing and started the 2020 governance work on illegal collection and use of personal information by Apps in 2020.

The governance work in 2020 will continue to focus on the following aspects:

(1) Formulate and release the key points of personal information security assessment for SDKs and mobile phone operating systems, and conduct in-depth assessments of Apps, SDKs, and mini programs that have a large scale of users and attract large volume of complaints;

(2) In response to the typical problems reflected by the public, such as illegal collection and use of biometric information (e.g. facial features), self-activation, associated activation of Apps, upload of personal information without asking for user’s permission by Apps, and the abuse of sensitive permissions such as recording and photographing, special research and in-depth inspections are to be carried out;

(3) Intensify the detection, exposure, and punishment of illegal collection and use of personal information. According to the severity of the circumstances and the consequences, punishments such as interviews, warnings, removals, and fines will be imposed in accordance with laws and regulations;

(4) Formulate and release guidelines for App stores to review and manage the collection and use of personal information by Apps, and guide and urge App stores to carry out security reviews properly before Apps go online;

(5) Release free technical tools to guide small and medium-sized enterprises to conduct self-assessment on collection and use of personal information to improve the legal compliance of personal information collection and use activities by small and medium-sized enterprises;

(6) Promote security certification for the protection of personal information by Apps; and

(7) Strengthen personal information security assessment trainings and promote the standardization of personal information security assessment.


MIIT launches a special campaign to promote governance on Apps that infringe upon user’s rights and interests.

In order to effectively strengthen the protection of users’ personal information, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on Carrying out the Special Campaign to Promote Governance on Apps that Infringe upon User’s Rights and Interests (“Notice”) on July 24, 2020, requiring that a national App technology testing platform management system should be launched before the end of August 2020, which is expected to complete testing for 400,000 mainstream Apps before December 10, 2020.

This campaign focuses on the following illegal behaviors by service providers of Apps and SDK, as well as application distribution platforms:

  1. illegal behaviors of Apps and SDKs, including illegal collection of personal information, collection of personal information beyond the scope, illegal use of personal information and forcing users to use target pushing functions;
  2. setting up barriers and frequently harassing users, such as forcing users to give permission, frequently asking for permission or excessively asking for permission made by Apps, and frequent self-activation and associated activation of Apps;
  3. deceiving and misleading users, including deceiving or misleading users to download Apps or providing personal information; and
  4. failure to perform obligations by application distribution platforms, including not clearly stating the information about Apps distributed by them, and not implementing the management responsibility.

According to the Notice, MIIT will organize third-party testing agencies to conduct technical testing of Apps and SDKs and supervise and inspect the implementation of the main responsibilities of the application distribution platform. For companies that are found to have problems during the first inspection, they will be ordered to complete rectification within 5 working days. If there are still problems after rectification, they may face punishments including public exposure, removals, administrative penalties and listing as bad business operations or untrustworthy telecommunications businesses. Companies that have repeated problems in different versions of the Apps will be exposed to the public, and face follow-up disposal measures.


NISSIT seeks public opinions on Security Requirements for Supply Chain of Information Technology Products

On July 27, 2020, the National Information Security Standardization Technical Committee (“NISSIT”) released the Information Security Technology — Security Requirements for Supply Chain of Information Technology Products (Draft for Comment) (“Draft Requirements”) to seek public opinions by September 26, 2020.

The Draft Requirements, as a recommended national standard, will apply to the security management activities of the information technology product supply chain of government information systems and critical information infrastructure and can also provide a reference for the supply chain security management activities of other information systems.

According to the Draft Requirements, the supplier of information technology products should meet the following requirements:

  • carrying out supply chain security risk assessment;
  • developing the traceability strategy of purchased information technology products and components, recording and retaining information such as the origin and original supplier of information technology products and components;
  • establishing and implementing the safety development process of information technology products, clarifying development management requirements, safety control measures and personnel codes of conduct, etc.

The customer of information technology products should meet the requirements such as:

  • establishing and maintaining a catalog of qualified suppliers;
  • regularly assessing the risks of interruption of information technology product supply, suspension of authorization, refusal to provide product upgrades or technical support services;


NISSIT issues Self-Assessment Guidelines for Apps to Collect and Use Personal Information

On July 25, 2020, the Secretariat of National Information Security Standardization Technical Committee (“NISSIT”) released the Practical Guide to Cyber Security Standards – Self-Assessment Guidelines for Apps to Collect and Use Personal Information (“Guidelines”) to guide App operators to carry out self-assessment.

The Guidelines provide 28 self-assessment items in total, covering the following six aspects:

  1. whether the rules on collection and use of personal information are made public;
  2. whether the purpose, method and scope of collection and use of personal information are clearly stated;
  3. whether the collection and use of personal information is subject to the user’s consent;
  4. whether the principle of necessity is complied with, under which only personal information in relation to the services being provided is collected;
  5. whether the provision of personal information to others is subject to the user’s consent; and
  6. whether functions of deleting or correcting personal information are provided, or methods for complaint are made public.

The Guidelines are formed on the basis of the Method for Identifying the Illegal Collection and Use of Personal Information by Apps jointly issued by the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security and State Administration for Market Regulation and the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps issued by the App Governance Panel.

NISSIT issues the draft Guidelines for Application and Use of System Permissions by Apps

On July 29, 2020, the Secretariat of National Information Security Standardization Technical Committee (“NISSIT”) released the Practical Guide to Cyber Security Standards— Guidelines for Application and Use of System Permissions by Mobile Internet Applications (App) (Draft for Comment) (“draft Guidelines”) to seek public opinions by August 12, 2020.

The Guidelines provide the basic principles and general requirements for Apps to apply for and use system permissions, as well as the application and use requirements for ten types of Android system permissions including such as call log, SMS, location.

The Guidelines also list the common sensitive system permissions, typical issues in applying for and using system permissions, and the system permissions that are not recommended to apply for by common business functions.


Tianjin: personal privacy data cannot be traded

On July 30, 2020, Tianjin Cyberspace Administration released the Interim Measures for Data Transaction Management in Tianjin (Draft for Comment) (“Draft Measures”).

The draft Measures classify data into tradable data and data that are prohibited to be traded. Tradable data refers to all kinds of data obtained according to law, which cannot identify specific data providers and cannot be recovered.

Data prohibited to be traded include:

  • data related to national security, public security and personal privacy;
  • data involving trade secrets without authorization and consent of the legal obligee;
  • data involving personal information without the explicit consent of the subject of personal information; data involving personal information of minors above the age of 14 without express consent of the minors or their guardians; data involving personal information of minors under the age of 14 without express consent of guardians;
  • data obtained by means of fraud, deception and misleading, or from illegal and undue channels;
  • data that is clearly prohibited by other laws and regulations or legal agreements.

The Measures require that data providers should conduct security risk assessment on the data to be traded and issue security risk assessment reports. The data trading service agency shall review the security risk assessment report to ensure that the data to be traded do not contain data prohibited to be traded.

Anhui Province proposes regulations to boost development and application of big data 

On July 6, 2020, the Government of Anhui Province issued the Regulations on the Development and Application of Big Data in Anhui Province (“Draft Regulations”) to seek public opinions.

The Draft Regulations encourage enterprises, universities, scientific research institutions and other organizations and individuals to engage in research and development of big data technology and develop software and hardware products; to use big data to develop new industries, new formats and new models, develop online economy, and give full play to the economic value and social benefits of data resources.

The Draft Regulations further encourage and guide data trading parties to conduct data transactions in big data trading service institutions established according to law. It also clarifies that data resource transaction shall follow the principles of voluntariness, fairness, honesty and credibility, that data resource transaction shall abide by laws and regulations, and respect social morality; and that data resource transaction shall not disclose, sell or illegally provide personal information, privacy and business secrets to others, and shall not damage the interests of the state, the public and the legitimate rights and interests of others.


MoT solicits opinions on Guidelines for Constructing National Connected Car Industry Standard System (Intelligent Transport Related) 

The Ministry of Transport (“MoT”) released the Guidelines for Constructing National Connected Car Industry Standard System (Intelligent Transport Related) (“Draft Guidelines”) on July 31, 2020 to seek opinions from relevant competent authorities and associations by August 14, 2020.

The Draft Guidelines set out the key fields where standards should be developed:

  • standards of basic generality, including the terms and descriptions, classification codes and symbols, and data management;
  • road facilities, including general requirements, traffic perception, traffic control and guidance, intelligent roadside, roadside communication, and map and positioning;
  • vehicle-road interaction, including information interaction, vehicle and portable terminal, and vehicle assistance and safe driving;
  • management and service, including travel service, transportation organization, and management platform; and
  • information security, including certificate keys, and network security protection.

According to the Draft Guidelines, a standard system supporting the application and industrial development of connected car should be initially established by the end of 2022, when more than 20 standards related to intelligent transport in areas such as intelligent transport infrastructure and assisted driving will have been developed and revised. By 2025 it is expected more than 40 standards will have been developed and revised.


If you would like to receive our legal update via email, please contact

For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369


Author: Samuel Yang, Nicholas Blackmore

China’s legislature, the National People’s Congress, recently enacted a Civil Code which will come into force on 1 January 2021. The Civil Code is a major landmark in Chinese legal history – it is the first comprehensive codification of the civil laws of the People’s Republic of China, which has been a goal of Chinese governments since the Qing Dynasty.

The Civil Code covers the full scope of Chinese civil law, including property rights, contracts, tort and family law – and also includes sections on privacy and the protection of personal information. Samuel Yang (Partner from Anjie Law Firm) and Nicholas Blackmore (Special Counsel from Kennedys) outline the impact of the new Civil Code on Chinese data privacy law.

Most of the provisions of the Civil Code regarding privacy and personal information are not new. Much of the Civil Code is a restatement and consolidation of the existing privacy laws contained in the Decision of the Standing Committee of the National People’s Congress on Strengthening the Network Information Protection, the Cybersecurity Law, and the Law on the Protection of Consumer Rights and Interests. However, the Civil Code does extend these laws in some respects, most significantly in providing a clearer basis for individuals to take legal action in relation to breaches of their privacy rights.

Like existing PRC privacy laws, the provisions of the Civil Code regarding privacy and personal information are not as detailed or prescriptive as Hong Kong’s Personal Data (Privacy) Ordinance or Europe’s General Data Protection Regulation. Rather, they are a set of general principles which leave considerable room for interpretation. However, the National People’s Congress have flagged the introduction of a personal information protection law and a data security law as the next step in the development of Chinese data privacy law, and it is likely that these laws will be more prescriptive.

The provisions of Part IV of the Civil Code dealing with privacy and personal information are in several sections:

  • articles 990 to 1000 contains general provisions regarding “personality rights”, which include an individual’s right to privacy;
  • articles 1032 and 1033 more specifically prohibit activities which infringe on an individual’s right to privacy, such as spying, eavesdropping, photographing or filming private body parts or spaces, or sending uninvited messages; and
  • articles 1034 to 1039 deal specifically with the processing of personal information.

The legislators have apparently noted the overlap between “privacy” and “personal information”, which is an academic and practical question debated by legal professionals for a long time. The Civil Code provides a principle to deal with such overlap by providing that those provisions on privacy (articles 1032 and 1033) shall apply to the “private information” in personal information; in the absence of such provisions, the provisions on the protection of personal information (articles 1032 and 1033) shall apply.

Individuals may take legal action to prevent or obtain compensation for an infringement of their personality rights. While the Civil Code does not expressly state when personality rights will be infringed, the structure of Part IV strongly suggests that this will include the activities prohibited under articles 1032 and 1033 and the processing of personal information in breach of articles 1034 to 1039. There is an exception for the conduct of news reporting carried out in the public interest, but only to the extent that the use of the individual’s name and other personal information is reasonable.

“Personal information” is defined as information recorded electronically or otherwise that is capable of identifying a specific natural person, alone or in combination with other information, including the person’s name, date of birth, ID number, biometric information, address, phone number, email address, health information, and location information. The key provisions concerning the processing of personal information include:

  • processing of personal information must be lawful, justified, necessary and not excessive;
  • processing of personal information is only permitted with the express consent of the individual or as required by law – although article 1036 states that reasonable processing of personal information is also permitted if: (a) the individual voluntarily disclosed their personal information and did not explicitly refuse to allow processing; or (b) the processing is carried out to protect the public interest or the individual’s legitimate rights or interests;
  • individuals have the right to obtain access to personal information a processor holds about them and to correct that information if it is inaccurate;
  • individuals have the right to require a processor to delete their information if the processing is in breach of the law or an agreement between the parties;
  • processors should take technical and other necessary measures to ensure the security of the personal information they hold; and
  • in the event of a data breach, the processor should take remedial measures in a timely manner and notify the breach to the affected individuals and the relevant competent authority.

Most of these provisions will be familiar to global businesses who already comply with the General Data Protection Regulation or other privacy laws. In some respects, however, they are more strict. In particular, it appears that there is less scope under the Civil Code than under many other privacy laws for personal information to be processed without the consent of the individual.

Most of the above provisions strongly resemble those already in the Decision on Strengthening the Network Information Protection, the Cybersecurity Law and the Law on the Protection of Consumer Rights and Interests. However, being in the Civil Code, they will apply more broadly. For example:

  • the Decision on Strengthening the Network Information Protection is limited to the protection of personal information in electronic form, whereas the Civil Code applies to all forms of personal information;
  • the Cybersecurity Law applies only to network operators, whereas the Civil Code applies to all businesses handling personal information, regardless of whether they also operate a computer network; and
  • the Law on the Protection of Consumer Rights and Interests only protects the rights of consumers of goods and services, whereas the Civil Code applies to all natural persons.

Most importantly, the Civil Code will make it easier for individuals to take civil action in relation to privacy breaches. The existing laws do not expressly provide any right for individuals to take such action; they only provide for the authorities to impose administrative fines and penalties. Consequently, it has been difficult for individuals to obtain compensation for breaches. In one widely- reported case, 42 individuals unsuccessfully sought to sue Amazon in relation to an incident in which their personal information was obtained by scammers.

The Civil Code makes clear that an individual will have the right to seek a court order to prevent a breach of their privacy rights which is continuing or is about to occur, and compensation for damage (including emotional damage) which is caused by a breach of their privacy rights. The court may also order that an apology or other public announcement be published. If the individual is deceased, their family may take such legal action in their place.

The official Chinese text of the Civil Code is available here; no English translation is available at this time.

While the new Civil Code largely restates the existing Chinese laws on privacy and personal information protection, it does apply these laws more broadly and make it easier for individuals to take civil action in relation to breaches. As such, we are likely to see privacy and personal information protection laws enforced more often and more broadly in China from next year onwards. Companies who process personal information in China should double-check that their existing privacy practices comply with the new Civil Code from 1 January 2021.


Hannibal El-Mohtar


(Photo attribution: Karolina Grabowska)


Despite the tortuous path ahead for the US 2020 election campaigns, and the trials and tribulations of this year, the US-China Phase 1 Trade Deal (the “P1 Deal) remains in place.[1]

Although commitments under the P1 Deal are only between China and the US, international trade law limits the extent to which benefits under such agreements can be strictly bilateral.

In particular, Most Favoured Nation (“MFN”) requires World Trade Organization (“WTO”) members (like China and the USA) to give all WTO members the same benefits they give to a preferential trading partner.

This might leave some non-US entities with business in China wondering: is the P1 Deal beneficial only for US entities, or do other foreign entities also benefit?

Foreign Insurance Institutions (“FIIs”) especially may wonder: as China begins to further open its financial market, do non-US FIIs have any chance of benefitting from China’s treatment of US insurers, specifically under the insurance heading of the P1 Deal’s financial services chapter (Article 4.6)? If only US insurers benefit, would that be a Global Agreement on Trade in Services (“GATS”) violation, or would it be GATS compliant?

These are thorny legal questions, and answering them begins with a look at China’s commitments under GATS, the P1 Deal’s Article 4.6 insurance heading, and MFN under GATS.

As we will see, China has already voluntarily passed GATS compliant legislation extending one bilateral commitment in Article 4.6 to all foreign investors. It is certainly possible that China will follow a similar course of action with its other bilateral insurance commitments to the US. However, as is often the case with international trade law, whether it decides to do so will depend on both legal and diplomatic concerns rather than solely on legal considerations.


I. China’s P1 Deal Insurance Commitments Fall in Line with Prior Plans


(Attribution: Adrianna Calvo)

Modernizing and improving China’s insurance sector has been a strategic state goal since as early as 2014, with the passing of the Several Opinions of the State Council on Accelerating the Development of the Modern Insurance Service Industry (2014, the “Opinions”). Among the goals contained within the Opinions is that by 2020, insurance will become an essential means of risk and financial management for government, enterprises, and residents, with specific targets for greater insurance penetration (5%) and density (RMB 3,500 Yuan per person). [2]

In line with these objectives, at the start of the 2020 two sessions (两会, the “2020 Lianghui”) Premier Li Keqiang announced “higher government subsidies for basic medical insurance for rural and non-working urban residents” (third session of the 13th National People’s Congress). After the end of the 2020 Lianghui, the State Council also encouraged insurers to increase coverage for Chinese exporters and small to medium enterprises impacted by COVID-19 in its Guidelines about Further Strengthening Financial Services for SMEs and Micro Enterprises (Yin Fa 2020 No.120).

Like these more recent measures, many Chinese commitments to US insurers in the P1 Deal also dovetail with earlier Chinese reform plans. The text of Article 4.6 reads as follows:

Article 4.6: Insurance Services

  1. No later than April 1, 2020, China shall remove the foreign equity cap in the life, pension, and health insurance sectors and allow wholly U.S.-owned insurance companies to participate in these sectors. China affirms that there are no restrictions on the ability of U.S.-owned insurance companies established in China to wholly own insurance asset management companies in China. 
  1. No later than April 1, 2020, China shall remove any business scope limitations, discriminatory regulatory processes and requirements, and overly burdensome licensing and operating requirements for all insurance sectors (including insurance intermediation), and shall thereafter review and approve expeditiously any application by U.S. financial services suppliers for licenses to supply insurance services. In accordance with this commitment, China affirms that it has eliminated the requirement of thirty-years of insurance business operations for establishment of new foreign insurance companies. 
  1. The United States acknowledges current pending requests by Chinese institutions, including by China Reinsurance Group, and affirms that such requests will be considered expeditiously.


Observers will note that prior to the conclusion of the P1 Deal, the concession outlined in 4.6.1. was already scheduled to be passed. To this end, on December 06, the China Banking and Insurance Regulatory Commission had issued both the Detailed Rules for Implementing the Regulations Administering Foreign-Invested Insurance Companies in the PRC together with the Notice Clarifying the Timeline to Cancel Foreign Equity Ratio Restrictions in Joint Venture Life Insurance Companies. Most importantly, the concession in 4.6.1 was granted not solely to US enterprises (which would be a GATS violation, as we will discuss below), but rather to all foreign investors in China.

The US acknowledging “pending requests by Chinese institutions” in 4.6.3. relates to applications from Citic Group, China Re, and China International Capital Corp (CICC) for licensing in the US.

The only possible friction between China’s insurance sector P1 Deal and GATS commitments would be 4.6.2., where China singles out US firms for what appears to be preferential treatment: “review and approve expeditiously any application by US financial services suppliers for licenses to supply insurance services.”


II. The Road to Accession: China Included Insurance in its GATS Schedules of Commitments in 1994 and 2002


(Attribution: Manual Joseph)

Would this friction result in a possible GATS violation? Let us first examine China’s GATS commitments. For brevity, the particulars of these commitments are not listed in this article.

China’s first GATS commitments were published in 1994, prior to its accession to the World Trade Organization (“WTO”). A fundamental concept in understanding GATS commitments is the difference between “positive” and “negative” lists. WTO Members use a “positive” list to indicate their specific commitments to provide market access and national treatment in a schedule of commitments (“SOC”). On the other hand, a blanket MFN commitment applies to all areas of GATS, unless there is a “negative” reservation in the form of an exemption (discussed later, together with other exceptions). Whether or not a positive commitment is listed in the SOC, a WTO Member must not discriminate among its trading partners in terms of market access or national treatment.

At the time China made this SOC, foreign insurers had a minimal presence in China. The only FII in China in 1994 was AIA (a subsidiary of AIG), which had established a branch in Shanghai in 1992 (becoming the first foreign-invested insurance entity in the PRC). Later, in 1996, Manulife (a Canadian insurer) set up the PRC’s first life insurance joint venture with Sinochem.

Later, in 2001 China acceded to the WTO and a year later in 2002, China issued another SOC under GATS, leading to further liberalization. The ensuing relaxation of market entry rules ushered in a series of new insurance players in the PRC market. To better understand what this liberalization entailed, by way of overview, we can look at China’s commitments for its four “modes of supply” that took place. These “modes” refer to the four means for supplying services listed in GATS (see GATS I:2). Mode [2] (consumption abroad) became open for all but brokerages (meaning that China still reserves the right to restrict consumption of insurance services from brokerages based abroad). Most significantly, [3] dealing with commercial presence, was opened (but still subject to a number of restrictions). Modes of supply [4] (presence of natural persons) and [1] (cross-border trade) remained “unbounded” (meaning China had made no commitment to liberalize them), but with some exceptions for mode [1].


III. GATS MFN Applies to the P1 Deal, and no Exemptions or Exceptions Apply

Under GATS, there are two general, unconditional (with certain exceptions) obligations. The first is MFN, the second is the obligation of transparency. Only the first, MFN, is relevant to this analysis. The operative MFN provision for GATS is:

GATS Article II.1 (Most Favoured Nation)

With respect to any measure covered by this Agreement, each Member shall accord immediately and unconditionally to services and service suppliers of any other Member treatment no less favourable than that it accords to like services and service suppliers of any other country.

The effect of MFN is to forbid discrimination among a Member’s trading partners. For example, if China gives special market access to a US bank, it cannot deny that same access to a Canadian bank (except with some exceptions, discussed below).

Under GATS Article II, the test to determine whether a measure violates China’s MFN obligations is to ask whether it modifies “the conditions of competition to the detriment of like services or service suppliers of any other Member” (Appellate Body Report, Argentina – Financial Services, paras. 6.114-6.115.). Such an analysis must begin “with careful scrutiny of the measure, including consideration of the design, structure, and expected operation of the measure at issue” (Appellate Body Report, Argentina – Financial Services, para. 6.127).

As a result, any favourable treatment afforded solely to the US under the P1 Deal is discriminatory and must also extend to other foreign investors under MFN. For any measure covered by the GATS (in other words falling under the definitions in GATS Article I), a WTO member cannot give favourable treatment to services and service suppliers of any country without immediately and unconditionally giving no less favourable treatment to all WTO members (GATS Article II). This applies irrespective of whether that measure is the subject of a specific commitment in the SOC.


IV. Depending on How They Are Implemented, China’s Commitments to the US May Engage GATS and Extend to Other WTO Members


(Attribution: Mihai Vlasceanu)

China has already voluntarily extended many of its P1 Deal concessions to all foreigners. Recall that China already granted the concessions in Article 4.6.1 to all foreign insurers, making it GATS-compliant. As of January 1, 2020, all foreign insurers (and not just US insurers) are allowed full ownership of Chinese life insurance companies. Beginning April 1, 2020, this commitment also extends to the pension and health insurance markets. As mentioned in another article, under China’s new Foreign Investment Law, all FIIs will also now be governed by the Company Law of the People’s Republic of China rather than ad-hoc foreign investment laws.

However it remains to be seen whether China’s above commitments under Article 4.6.2 of the P1 Deal will violate GATS. Article 4.6.2, which can be split into two parts, appears to signal an intent to give US firms special treatment. The first part commits China to remove “any business scope limitations, discriminatory regulatory processes and requirements, and overly burdensome licensing and operating requirements for all insurance sectors (including insurance intermediation).” This part complies with GATS. The second, however, requires China to “thereafter review and approve expeditiously any application by U.S. financial services suppliers for licenses to supply insurance services.” This second part strongly indicates an intent to grant preferential, discriminatory treatment for the benefit of US firms.

The question is, will China:

  • Extend 4.6.2. commitments to all FIIs willingly, as it did with 4.6.1. commitments
  • Overtly discriminate in favour of US insurers (“De Jure Discrimination”) or
  • Covertly discriminate in favour of US insurers (“De Facto Discrimination”)?

In the case of [1], there is no MFN violation. This may happen and it is entirely possible for China to formulate regulations in its implementing measures which meet this P1 Deal term while affording equal treatment to other WTO Members.

In the case of [2], De Jure Discrimination, the MFN violation is straightforward and other WTO Members may initiate dispute settlement proceedings under the auspices of the Dispute Resolution Body (“DSB”), and most likely obtain a favorable decision. Chinese authorities are well aware of this and as a result [2] is unlikely.

In the case of [3], De Facto Discrimination, the issue becomes much more complicated and guiding WTO caselaw becomes necessary. In EC — Bananas III, the European Communities argued that MFN under GATS does not extend to De Jure discrimination, only De Facto discrimination. This was rejected (Appellate Body Report, EC – Bananas III, paras. 231-234). Applying the above analysis from Argentina Financial Services, any treatment which modifies the “conditions of competition” against one Member in favour of another falls afoul of MFN. In the Appellate Body (the “AB”)’s reasons in EC — Bananas for ruling against the EC, the AB expressly applied this standard to De Facto licensing discrimination: “various aspects of the EC licensing procedures at issue created less favourable conditions of competition for service suppliers of the complainants’” (Appellate Body Report, EC – Bananas III, see paras. 240-248).

The standard for breaching MFN in this context is low, and there is no separate enquiry into the regulatory objective or concerns behind a measure’s impact on the conditions of competition (Appellate Body Report, Argentina – Financial Services, paras. 6.105-6.106):

This legal standard does not contemplate a separate and additional inquiry into the regulatory objective of, or the regulatory concerns underlying, the contested measure. Indeed, in prior disputes, the fact that a measure modified the conditions of competition to the detriment of services or service suppliers of any other Member was, in itself, sufficient for a finding of less favourable treatment under Articles II:1 and XVII of the GATS.

As a result, if China visibly moves the needle in favour of licensing US insurers, it breaches GATS, but if it does so inconspicuously, it would be insufficient to mount a GATS challenge. If China wishes to grant favourable licensing terms US insurers in a way that does not lead to losing a GATS challenge, it must do so in a manner that is almost imperceptible and at the least, non-provable. For example, any kind of quid pro quo that leads to a US firm being licensed in China shortly after the US licenses a Chinese firm (like China Re, Citic Group, or CICC) would appear transactional, arouse suspicion, and could be challenged as a MFN violation. In challenging any discriminatory treatment, the fact that in the text of the P1 Deal, China’s 4.6.2 commitment (to approve US insurers) immediately precedes the US’ 4.6.3 commitment (to acknowledge the “pending requests” of Chinese insurers) may be used as a smoking gun to show discriminatory intent.



Legally under GATS, Chinese concessions to the US must be legislated in ways that do not discriminate between WTO Members. If these concessions instead extend only to the US, or if it is discovered that a government measure in fact discriminates against other WTO Members, then those Members may initiate consultations. Failing consultations, those Members may pursue dispute settlement under the auspices of the DSB.

So far all of China’s measures implementing the Phase 1 Deal appear to have been GATS compliant and have not led to a challenge from another Member.

However, what might possibly occur, and raise questions about compliance with GATS, is a quid pro quo between the Chinese and US administrations. For example, licensing a US insurer in exchange for the US licensing a Chinese insurer. This would be a MFN violation. However, as a form of De Jure Discrimination, such violations are notoriously difficult to prove.

This means that, from an evidentiary standpoint, there is room — however narrow — for China to license US insurers on a preferential basis without demonstrably affecting the conditions of competition in the Chinese insurance market. Nevertheless WTO precedent on the matter is clear and if such De Jure Discrimination were to be proven, it would not be difficult to show that such treatment adversely affects the conditions of competition in violation of MFN. [4]

Although preferential licensing of US insurers is an option available to China, diplomatic considerations will be taken into account on whether or not to pursue it. China voluntarily extended the commitment in Article 4.6.1 to all FIIs, and has been carefully planning this phase in its insurance reform since before the release of the 2014 Policy. It may find that the economic benefits of greater competition and variety in the PRC insurance market are more valuable to its long-term reform plans than the diplomatic points it would gain through a licensing quid pro quo with the current US administration. If that is the case, it would be logical to then also voluntarily extend the commitment in Article 4.6.2 to all FIIs.


[1]In fact, damaging floods and spiking corn prices have pushed Chinese importers to buy record volumes of U.S. corn, which could help the government fulfil a pledge under the P1 Deal. See Hallie Gu, Dominique Patton, “Exclusive: China plans wheat, rice sales to tame surging corn prices – sources”, Reuters, July 21, 2020, online: <>

[2]Zhen Jing, Chinese Insurance Contracts: Law and Practice, (Abingdon, Routledge 2017) at 23.

[3]There are a few exceptions to the MFN requirement in Article II, none of which apply to the P1 Deal. For one, if the P1 Deal were an Economic Integration Agreement (“EIA”), China could give the US preferential access under GATS Article V. However, in order for an agreement to qualify as an EIA it must, among other requirements, have “substantial sector coverage” under services, GATS Article V. The P1 Deal cannot be characterized as having “substantial sector coverage”, because among other reasons, the P1 Deal does not liberalize all four GATS modes of supply (a key requirement for substantial sector coverage). It also cannot be characterized as a regional trade agreement, which like an EIA could spare China from Article II MFN commitments, because the US and China do not share a border (Article II.3). If either were the case, China could have claimed the right to liberalize its market solely for the benefit of US insurers under the P1 Deal, and not extend that same treatment to all other WTO Members.

A couple of other exceptions are worth reviewing briefly, but they do not apply either. The first is exemptions. A WTO Member may enter reservations to its MFN obligations through MFN “exemptions” in its Annex to the GATS. However, China’s insurance commitments were not exempted in its annex. The only exempted industries are those relating to transportation (maritime, international, and freight and passengers). In other words, under GATS, the Chinese insurance sector (including life, pension, and health insurance) is not exempt from MFN treatment. Second is government procurement: direct purchases of insurance services by the Chinese government are not subject to MFN. It is unclear, however, whether or not MFN would apply to purchases by state owned enterprises (“SOEs”).


[4]In 2020, should China continue to go through the motions of showing GATS compliance, though? The WTO does not have any teeth, and cannot enforce any of its decisions. The WTO’s dispute resolution platform also continues to face a crisis due to the US blocking the appointment of AB panelists.

The answer is most likely yes. Unfavourable rulings do carry consequences. They sometimes lead to countermeasures from trading partners and continue to carry weight in international diplomacy. Members prefer to avoid unnecessary pressure from other Members, and it is unlikely China will overtly ignore GATS rules.


Have questions about accessing China’s insurance market? Anjie is a Chambers ranked, Band 1 law firm for PRC Insurance law, and has the largest insurance practice in mainland China

Feel free to send consultation requests to An Na ( or An Chencheng (

Authors: Wan Jia, Liu Sichen

I. The Background Information of the Raised Question

The rapid spread of the COVID-19 pandemic has left a huge impact on business operations worldwide. For many companies, a business interruption (“BI”) that could result from this impact is a hazard which features among their greatest operational risks this year.

Although many companies are insured against BI, their coverage under their insurance policies may not extend as far as they believe. In legal practice, the question of whether BI caused by the infectious diseases is covered by a BI insurance policy provided has given rise to great controversy.

The mainstream view holds that BI insurance is generally an additional insurance to “all risk” or other types of property insurance, therefore only those losses consequent on property damage are covered by BI. However, if there are BI extension clauses such as the infectious disease clause expanding the scope of the covered losses, the BI losses caused by the infectious disease can be compensated based on the relevant applicable extension clause, even if the insured has not suffered from property damage.

Why is compensation under a BI policy be on the condition that “damage to property” has occurred? There are a number of historical and contextual factors behind this rule, and this article sheds some light on them.

II. The reason why the insurer’s BI loss must result directly from “damage to property”

BI in China is considered to be a foreign transplanted product. Most of the mainstream insurance companies in China adopt the terms similar to those in the insurance markets of the UK or the USA.

Taking the BI clause of a large property insurance company in China on record with China Banking Insurance Regulatory Commission for example, article 3 of the clause states that,

“[D]uring the insurance period, where the insured suffered losses on the property used for its business operations due to the risks covered by the main property loss insurance clause (hereinafter referred to as the “property insurance loss”), resulting in the interference or interruption of the insured’s business operations, the loss of gross profit thereof occurring during such indemnity period shall be compensated by the insurer in accordance with this insurance policy. The indemnity period mentioned in this insurance contract refers to the period from the date of the occurrence of the insured property loss, to the insured’s business continuously affected by the insured property loss, but the maximum period shall not exceed the maximum indemnity period agreed in this insurance contract [emphasis added].”

For its part, the London Business Interruption Association (“LBIA”) issued a BI guide which indicates that BI insurance compensates for the indirect losses resulting from direct property damage. In summarizing business interruption insurance liability practice in the UK, the LBIA guide provides that, “the insurer will pay the amount of the Consequential Loss resulting from interruption of or interference with the Business carried on by the insured at the Premises consequence upon DAMAGE to Property used by the Insured at the Premises in accordance with the undernoted definition.”  [1]

  1. BI is Established to Cover the Indirect Losses Caused by the Property Losses Which Would Not Be Covered by the Traditional Property Insurance

Traditional property insurance only compensates for the direct property losses of the insured subject matter against the risks within the scope of insurance liability, and the insurer is not responsible for indirect property losses of the insured arising from suspension of production, reduction of production, or business interruption, etc.

At the end of the 18th century and the beginning of the 19th century, after experiencing a significant increase in productivity owing to the Industrial Revolution, business risks increased. Traditional property insurance like all risks insurance, could not cover the indirect losses of profits due to the accidents. The time had come for a compensation policy based on recovery of daily losses. This became the prototype for modern BI insurance.[2]

Another earlier name for BI, Use and Occupancy Insurance, can better reflect its direct relationship with property losses. [3] Under this type of policy, the insurance company shall pay, according to the calculation method agreed in the insurance clauses, for the losses resulted from interruption of the insured’s normal use and occupancy of the insured property because of the insured property risk. Different disputes might arise in different cases because of the specific wording of the insurance clauses, but the general principle is that BI covers losses consequent upon damage to the insured property.

  1. The Losses Covered by BI Need to Be Calculated Based on the State of the Insured’s Damaged Property

As discussed, the idea behind BI insurance is to cover the indirect profit losses that result when an insured peril arises. The period of business interruption is the period required to repair or replace the damaged property, namely from the time when the insured must interrupt their business due to the occurrence of the insured accident to the time when the insured resumes business. BI will thereby ensure that the insured can still operate with the same business revenue it would have generated had the accident not occurred. That is, however, the limit of what BI insures: not a penny less, not a penny more. Therefore, the insurable interest of BI is the business profits brought by the insured property.

The above mentioned LBIA BI Guide summarizes the two mainstream calculation standards for UK BI losses as Gross Profit Basis (“GPB”) and Gross Revenue Basis (“GRB”). GBP calculates the losses by including the reduction of turnover and the increase in maintenance costs, and the latter, GRB, calculates the losses by referring to the amount which shall fall short of the Standard Gross Revenue. [4]

In China, the domestic underwriters will generally calculate the insured business interruption losses by referring to the losses during the indemnity period in terms of gross profit. The calculation involves three aspects: the loss of gross profit due to a decrease in operating income, the loss of gross profit due to an increase in operating expenses, and the saved costs because of the insured accident. The sum of the first two minus the amount from the third equals, generally, the gross profit losses that need to be indemnified.

  1. Even If there are BI Extension Clauses, the Establishment of Insurance Liability is Still Premised on the Incurred Risk of Losses of Damage to Property

The above calculation of BI losses is based on the premise that the insured property suffered from damage, and that damage led to BI losses. Based on different needs of the insureds from different industries, BI policies often have their respective BI extension clauses to extend the concepts such as the Insureds, Business types, Business Premise, etc., thus covering some circumstances intended to cover by the parties.

Common extensions of BI include Communicable or Infectious Diseases, Denial of Access, and Civil Authority Orders, among others. However, even if the extension clauses are applied to expand the scope of insurable losses, the premise for the establishment of BI liability of the insurer is still that it incurred insured risk of damage to the insured property.

It needs to be added that, in China, most BI insurance clauses provided by domestic insurance companies are as additional insurance  thus making the limit of the indemnity foreseeable. However, BI does not by itself need to be a form of additional insurance by considering its original purpose. If the underwriting risk and the scope of property can be clearly defined in the BI policy, there is no major threshold for the insured to apply for a separate and independent BI policy.

In practice, disputes arising out of BI will also concern the subsequent identification of insured risks, whether BI extension clauses including infectious diseases clause have been triggered, whether the claimed losses are caused by the damage to property, and the specific losses calculation method, etc. However, the premise that needs to be clarified is that BI does not cover all losses due to business interruption, but those losses caused by business interruption due to the losses arising out of the damage to insured property. Otherwise, all unforeseen circumstances that may affect the business of the company will be the cause of possible claims, deviating from the spirit of BI and its coverage of insurance liability.


[1]See Guide to business interruption insurance and claims, p5,Insured%20DAMAGE%207%20Indemnity%20period%207%20Turnover%208

[2] Tao Cunwen, Geng Yuting, “Overseas Business Interruption Insurance System and Its Enlightenment”, published in Insurance Research, No. 4 of 2008.

[3]Pamela Levin & Thomas H. Nienow, Business Interruption Coverage – Demystifying the Causation Analysis, 24 Brief 30 (1994).

[4]See supra 1, page 13, “Standard Gross RevenueThe Gross Revenue during that period in the twelve months immediately before the date of the occurrence of the incident which corresponds with the Maximum Indemnity Period”