What is the regulatory regime for technology?
Technology, as a general matter, is subject to a wide range of laws and regulations in the PRC. Aside from general and widely applicable laws such as the PRC Civil Code (which was promulgated on 28 May 2020 and took effect on 1 January 2021) and the PRC Criminal Law, a collection of laws govern various more specific aspects of technology, including:
- Intellectual property laws, e.g., the PRC Patent Law, the PRC Copyright Law and the PRC Anti-Unfair Competition Law (which covers, inter alia, trade secrets);
- Import and export laws (e.g., the PRC Administrative Regulations on Technology Imports and Exports);
- Employment laws and regulations to the extent they govern matters such as work-for-hire and moral rights;
- National and local laws promoting certain aspects of technology (e.g., the PRC Law on Promoting the Transformation of Scientific and Technological Achievements);
- Various sector-specific laws and regulations, e.g., within the PRC telecoms and Internet sectors, the PRC Telecommunications Regulations (Telecoms Regulations) promulgated by the State Council, the Catalog of Telecommunications Businesses (Catalog) issued by the Ministry of Industry and Information Technology (MIIT) and the PRC Cybersecurity Law promulgated by the Standing Committee of the National People’s Congress, plus the more detailed laws and regulations flowing from it, as well as others; and
- Where a foreign party is involved, the PRC Foreign Investment Law and the ‘Negative Lists’ (the latest being the 2021 editions, which were promulgated on 27 December 2021 and have been in force since 1 January 2022).
Are communications networks or services regulated?
Yes. Under the Telecoms Regulations, all telecoms business activities are classified as either ‘basic telecoms services’ (BTS) or ‘value-added telecoms services’ (VATS). BTS generally consist in providing public network infrastructure, public data transmission and basic voice communications services, while VATS generally consist in telecoms and information services provided through public network infrastructure. The Catalog provides affirmative definitions and specific descriptions of listed categories of PRC telecoms services, which in turn determine which licenses and permits a service provider must obtain from the MIIT in order to provide such defined services.
If so, what activities are covered and what licences or authorisations are required?
A wide range of activities are covered, as listed and categorized in the Catalog. For example, the primary authorisations consist of the ‘Basic Telecommunications Service Operating Permit’ for BTS and ‘Value-Added Telecommunications Service Operating Permit’ for VATS, each of which further specifies the sub-categories of activities that may be undertaken in connection with such permits pursuant to the Catalog and the Telecoms Regulations.
Is there any specific regulator for the provisions of communications-related services?
The MIIT is the specific regulator for the provision of communications-related services, although some aspects of Internet/telecoms services may in addition be regulated by other authorities, e.g., the Cyberspace Administration of China (CAC) regulates the content of information disseminated over the Internet.
Are they independent of government control?
No. The MIIT, CAC and most other regulators are departments of the State Council, the principal administrative authority of the PRC government.
Are platform providers (social media, content sharing, information search engines) regulated?
Yes. The regulation of such services will depend primarily on where in the Catalog each specific service might fall. For example, information search engines fall under the banner of Internet information services (Category B25 under the Catalog) and are regulated primarily by the MIIT. Social media and content sharing services will likely fall under the same Catalog category but may also involve other regulators, e.g., the National Radio and Television Administration if such services include any audio/video functions.
If so, does the reach of the regulator extend outside your jurisdiction?
As an initial matter, regulation has generally remained domestic, even in the case of legislative actions and technologies deployed to block access to certain foreign websites from within the PRC. However, China appears to be extending its jurisdiction to certain data processing activities outside China under its most recent legislation, including the PRC Data Security Law and the PRC Personal Information Protection Law (PIPL). The PRC Data Security Law purports to apply to overseas data activities that impair the national security, public interest or people’s legitimate interests in China. The PIPL provides for two circumstances in which processing of personal information of natural persons within China done outside China will be subject to the PIPL (plus a catch-all “other circumstances provided for by [other] laws and administrative regulations”): (1) the processing is for the purpose of providing products or services to natural persons within China; (2) the processing is for analysing and evaluating the behaviour of natural persons within China.
Recently, when releasing the Measures concerning the Security Assessment for Cross-Border Data Transfer (SA Measures), effective as of 1 September 2022, the CAC clarified in its press release that the following activities will be considered ‘cross-border’/‘offshore’ transfer of data and be subject to the security assessment requirement under the PRC Cybersecurity Law and the PIPL:
- Transferring or storing data that is initially collected or generated during operations carried out within mainland China to any entities or individuals located outside mainland China; and
- Accessing/viewing any data that is initially collected or generated and stored within mainland China by entities or individuals located outside of mainland China, even in cases where the data is otherwise not transferred or stored offshore.
Does a telecoms operator need to be domiciled in the country?
No law or regulation explicitly provides that telecoms operators need to be domiciled in the country. In practice, however, many foreign service providers without onshore entities (and thus not legally eligible to host content or services on onshore servers, which requires at least an ICP filing by an onshore entity) experience service accessibility and network transmission issues.
Are there any restrictions on foreign ownership of telecoms operators?
In general, the PRC has been gradually opening up more and more telecoms services to foreign investment. For example, since the Negative Lists revised in 2019, there are no longer any foreign investment restrictions applicable to call centre services in the PRC. However, there is still a complicated framework of foreign-ownership restrictions on telecoms operators (per the Catalog, the Negative Lists and other related regulations). For example, foreign stakes in BTS categories are statutorily restricted to 50% or less. The prohibitions and restrictions applicable to foreign participation in VATS sectors, in addition to being divided by categories and subcategories, are divided in terms of whether the foreign party seeking to participate in such activities is a qualified service provider established in Hong Kong or Macau, whether the investment is being made in a foreign trade zone of China or whether neither of the two preceding situations applies.
Are there any regulations covering interconnection between operators?
Yes. The Telecoms Regulations provide the general framework to regulate such interconnections, including that the interconnection of telecommunications networks must be effected on the basis of the principles of technical feasibility, economic sense, fairness, impartiality and mutual complementation. The PRC Administrative Provisions on the Interconnection between Public Telecoms Networks (Interconnection Provisions) provides further detailed provisions and procedures for interconnections between telecommunication networks. For example, the Interconnection Provisions prohibit a telecoms operator from rejecting any interconnection request from another telecoms operator and from restricting users from selecting any telecoms service of another telecoms operator.
If so, are these different for operators with market power?
Yes. Under the Interconnection Provisions, an operator will be deemed ‘dominant’ if it controls necessary telecoms infrastructure and operates a fixed local telephone business which accounts for 50% or more of the market share of the same type of business within the scope of local networks such that the operator would have substantial influence over other business operators’ access into the telecoms market. Certain rules apply only to such dominant telecoms operators, including requirements to provide non-dominant telecoms operators with information on network functions, equipment configuration as well as other aspects related to the interconnection; to provide accommodative coordination and allow the use of communication facilities by non-dominant service providers without any unreasonable additional terms; and to provide, at the request of a non-dominant operator, a telephone number inquiry service to consumers of the other party’s networks.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The PRC Cybersecurity Law and other data protection and privacy laws, the Telecoms Regulations, the PRC Law on the Protection of Consumer Rights and Interests (PRC Consumer Protection Law) and other related laws and regulations include consumer protection provisions. For example, the data protection and privacy laws provide for the protection of personal information as it is collected, processed, stored and transferred by telecoms operators. Among other things, they afford consumers the right to request operators to correct or delete such consumers’ personal information (see further below, Question 15). The Telecoms Regulations provide general protections to consumers, e.g., that telecoms operators must supply services on time and collect opinions from users. Further, the PRC Administrative Measures for the Licensing of Telecommunications Businesses require telecoms operators who discontinue their operations to notify their customers, to reach agreements with them regarding arrangements after discontinuance and to collect their opinions accordingly.
Recently, the CAC released the Provisions on the Administration of Internet User Account Information, effective as of 1 August 2022, which stipulate that providers of instant communication services and others are required to verify any false or misleading account names to avoid information scamming. The CAC also amended the 2016 Provisions on the Administration of Mobile Internet Applications Information Services, emphasizing the responsibilities of the operators of mobile apps in terms of cybersecurity, personal information protection, etc., to bring them in line with many other, more modern laws and regulations.
What legal protections are offered in relation to the creators of computer software?
The PRC Copyright Law and associated regulations (e.g., the PRC Regulations on Computer Software Protection) grant copyrights over computer software to its author/creator (unless otherwise agreed), along with the rights of publication, authorship, modification, distribution and communication. The PRC Anti-Unfair Competition Law also includes protective provisions for trade secrets, which cover know-how and source code. For example, businesses are prohibited from disclosing, using or allowing others to use trade secrets in violation of confidentiality and from obtaining others’ trade secrets by theft, bribery, intimidation, electronic intrusion or other improper means.
Do you recognise specific intellectual property rights in respect of data/databases?
No. However, the PRC Copyright Law may provide the same rights as referred to above (Question 13) to selective collections of data (or datasets) and database software. Moreover, databases and relevant data therein may be deemed trade secrets and protected under the PRC Anti-Unfair Competition Law (see Question 13 above).
What key protections exist for personal data?
Personal information, defined as information that may alone or in combination with other data identify a person, is protected primarily by the PRC Cybersecurity Law and PIPL (supplemented by a number of regulations and national standards, including the Information Security Technology – Personal Information Security Specification and the Information Security Technology – Guideline for Personal Information Protection within Information Systems for Public and Commercial Services). Key protections include the requirement to obtain consent from data subjects for the collection as well as further uses of the personal information, the requirement on some operators to undergo security assessment procedures prior to an overseas transfer (see below, Question 16) and such further general principles as ‘legitimacy, rightfulness and necessity’ in the collection and use of personal information. The PRC Data Security Law provides an overarching legislative framework for data security in the PRC, broadly defined, and will run in parallel with the PRC Cybersecurity Law and the PIPL. The PRC Consumer Protection Law sets similar requirements on the collection of consumer information by business operators. Other high-level laws, e.g., the PRC Tort Law, the PRC Civil Code and the PRC Criminal Law, provide general privacy protections.
Are there restrictions on the transfer of personal data overseas?
Under the PRC Cybersecurity Law, aside from the requirement applicable to all operators to obtain consent from data subjects, a ‘critical information infrastructure operator’ (CIIO, i.e., in essence, an entity involved in important industries or undertakings with the potential to seriously impair national security, the national economy, people’s livelihoods or other public interests) is also subject to certain ‘security assessment’ procedures before transferring data with personal information (or other important data) overseas.
Furthermore, the PIPL provides that transferring personal information outside China due to business needs must meet one of the following requirements: (a) pass a ‘security assessment’ organized by CAC when personal information transferors are CIIOs or the personal information volume to be processed by the processors reaches a threshold specified by CAC; (b) obtain a personal information protection certification from a specialized body designated by CAC; or (c) have an agreement with the overseas party covering both sides’ rights and obligations (to satisfy the rights and obligations provided by the PIPL) and supervise the overseas party’s PI processing to ensure it complies with the PIPL.
The SA Measures set forth the detailed criteria, procedures and timeline for the security assessment, and a number of service providers have begun undergoing the security assessment procedures, e.g., in order to satisfy certain listing requirements for overseas IPOs.
What is the maximum fine that can be applied for breach of data protection laws?
Under the PIPL, ‘serious’ illegal processing of personal information can result in a fine of up to RMB 50 million or five percent of the previous year’s annual business volume (as well as suspension of relevant operations, suspension of business for ‘correction’ and revocation of relevant business permits or licenses), plus fines of RMB 100,000 to 1 million on directly responsible persons. Under the PRC Data Security Law, the administrative fine is now up to RMB 2 million for failing to notify competent authorities in the event of a data breach, and up to RMB 10 million for illegal export of important data.
What additional protections have been implemented, over and above the GDPR requirements?
China is reinforcing its data protection regime by developing more and more legislation in this area. The PRC Cybersecurity Law, promulgated in 2017, is comprised mostly of general or high-level provisions, while most implementing regulations have until relatively recently not included very specific provisions or are non-mandatory or still in draft form. Nevertheless, even they have indicated some additional protections, which have been reinforced with the latest round of major laws and regulations, particularly the PRC Data Security Law and PIPL, both promulgated after the middle of 2021. A major requirement is that certain data collected or generated in China be stored in China (i.e., on servers physically located onshore). The PRC Data Security Law imposes cross-border transfer restrictions on ‘important data’. The PIPL intends to set different requirements for CIIOs and non-CIIO operators, i.e., security assessment for CIIOs and similarly important operators versus contract protections for less important operators. As an example of a more subtle difference, while the GDPR contains some requirements on proper storage of biometric data, a non-mandatory national standard under PRC law specifies that for personal biometric information, technical measures should be used to process the data before storage, e.g., storing only a digest of the data.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
Cloud-based services are specifically listed in the Catalog within the category of Internet resource collaborative (IRC) services, itself a sub-category of Internet data centre (IDC) VATS activities. Cloud-based service providers should obtain the corresponding license from the MIIT pursuant to the Telecoms Regulations. Another set of major obligations applicable to cloud-based service providers consists of rules concerning the collection and use of personal information (see above, Questions 15 and 16), and it is likely that at least some major cloud-based service providers could be deemed CIIOs under the PRC Cybersecurity Law and thus be subject to additional obligations.
Are there specific requirements for the validity of an electronic signature?
An electronic signature is defined under the PRC Law on Electronic Signatures (Electronic Signatures Law) as the data that is incorporated in or attached to a data message in electronic form and is used to identify a signatory’s identity and to indicate the signatory’s acknowledgement of the contents contained therein. A ‘reliable’ electronic signature (including an electronic seal) has the same legal effect as a written signature (or physical seal). The Electronic Signatures Law further provides that electronic signatures meeting the following requirements will be deemed ‘reliable’:
- at the time that the data was used to make the electronic signature, it was owned exclusively by the electronic signatory;
- at the time of signing, the data used for the electronic signature was controlled exclusively by the electronic signatory;
- any alteration to the electronic signature after signing can be determined; and
- any alteration to the content and form of the data message after signing can be determined.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
There is no PRC law or regulation providing for the automatic transfer of employees, assets or third-party contracts in the event of an outsourcing of IT services.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
As an initial matter, taking two common scenarios involving commercial use of software, the party that sells/distributes the software program to end users or provides the software program as a service would normally be liable for any malfunction of the software, though contract provisions may result in the software developer (to the extent it is not the seller/distributor or service provider) or another party bearing liability.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; and (b) the criminality of hacking/DDOS attacks?
(a) The PRC Cybersecurity Law provides a general principle that operators should take measures to secure the safety of networks and that individuals and organizations may neither engage in activities endangering cybersecurity, including illegally invading or interfering with others’ networks (see further below, b), nor provide programs or tools specifically used for activities endangering cybersecurity. Further, under PRC law, cybersecurity includes network operation security and network information security. The PRC Data Security Law has refined many of these principles into somewhat more specific rules.
For network operation security, all network operators must, among other things:
- formulate internal security management systems and operating instructions, determine the persons responsible for cybersecurity and implement cybersecurity protection measures;
- take technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity; and
- take technological measures to monitor and record the network operation status and cybersecurity incidents, preserving relevant web logs for no less than six months.
CIIOs have additional obligations, including to:
- set up independent security management institutions, designate persons responsible for security management and review their and other key personnel’s security backgrounds;
- periodically conduct cybersecurity education, technical training and skill assessments;
- formulate contingency plans for cybersecurity incidents and periodically carry out drills; and
- make disaster recovery backups of important systems and databases.
Furthermore, the PRC Measures for Cybersecurity Review provides that a CIIO will need to conduct its own assessment to determine whether any applicable network product or service to be purchased would, once in use, affect or even potentially affect ‘state security’.
For network information security, all operators must follow the principles of ‘legitimacy, rightfulness and necessity’, disclose their rules of data collection and use, clearly express the purposes, means and scope of collecting and using the information and obtain data subjects’ consent, including to provide the personal information to others. Operators must adopt technical and any other necessary measures to ensure the security of the personal information they have collected and to prevent such information from being divulged, damaged or lost.
(b) Illegally invading others’ networks, interfering with the normal functions of others’ networks and stealing cyber data or providing tools for such actions is prohibited. The PRC Criminal Law includes provisions specifically aimed at activities such as hacking. For example, the following acts in relation to hacking/DDOS attacks are subject to criminal liability:
- invading computer information systems in the fields of state affairs, national defence construction or sophisticated science and technology;
- invading any other computer information system to obtain data stored, processed or transmitted in the system or to exercise illegal control over it;
- deleting, altering, adding or jamming the functions of any computer information system, making the system impossible to operate normally and causing serious consequences;
- deleting, altering or adding the data stored in or handled or transmitted by the system, causing serious consequences; and
- intentionally creating or disseminating destructive programs, such as computer viruses, thus affecting the normal operation of a computer system and causing serious consequences.
What technology development will create the most legal change in your jurisdiction?
The various technological developments in artificial intelligence, cross-border e-commerce, blockchain, cloud computing and the Internet of Things are likely to create the most legal change in the PRC in coming years. The topics of the Metaverse and NFTs are also gaining popularity, but their impact on legislation is yet to be observed.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
The restrictions and qualification requirements for foreign parties to engage or invest in many commercial sectors, particularly in TMT, are of paramount concern. However, the relatively new PRC Foreign Investment Law, which is based on the principle of equal national treatment, as well as the latest Negative Lists, are both generally welcome developments in the direction of reducing restrictions and qualification requirements for foreign parties. As a very recent development, the State Council issued a decision on 7 April 2022 to amend the Administrative Provisions on Foreign-Invested Telecommunications Enterprises (FITEs) and eased the market entry requirements applicable to foreign-invested enterprises seeking to obtain PRC telecoms operating licenses. The most important change is the removal of the previous requirement placed on foreign-invested companies seeking to obtain telecoms operating licenses (and thus become FITEs) to demonstrate that their principal shareholders/parent companies have a “good track record in the telecoms business”. As a result, telecom companies may now more often seek direct investments in the Chinese telecom market as opposed to using variable-interest entity (VIE) structures and other solutions.
Do you believe your legal system specifically encourages or hinders digital services?
As reflected by their unparalleled development in China over the past decade, the PRC legal system encourages digital services. Even cutting-edge additions to digital services (such as blockchain) have already been adopted widely in China’s e-commerce landscape. Giants such as JD and Alibaba regularly extend their offerings, e.g., applying blockchain technology to their logistics services so suppliers and consumers can better trace products through production, transportation and storage. As another example, Shenzhen recently issued the first local regulation in China allowing for the commercial operation of fully autonomous vehicles.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
There are currently no PRC laws or regulations specifically regarding the creation, development or use of artificial intelligence (AI). However, that does not mean AI has been wholly unregulated (or wholly prohibited). An example, aside from the recently issued autonomous vehicle regulation in Shenzhen, is cybersecurity. Given that the operation of AI generally calls for large data sets, those developing and implementing AI services will be subject to the requirements of the PRC Cybersecurity Law, PRC Data Security Law and associated regulations. While China’s cybersecurity regime is in a relatively early phase of development, China thereby also has advantages such as flexibility in further developing the regulatory framework applicable to AI in tandem with the development of the technology itself. At the same time, China will have to update other, older laws, such as the PRC Copyright Law, which currently does not appear to protect work and content created via AI.
China: TMT
This country-specific Q&A provides an overview of TMT laws and regulations applicable in China.