Weathering China’s Cloud Computing Regulations
By Dezan Shira & Associates
Editors: Jake Liddle and Alexander Chipman Koty
Last summer, Chinese tech giants Tencent and Alibaba announced investments into cloud computing services worth US$1.57 billion and US$1 billion, respectively. In 2014, cloud computing sales accounted for only five percent of China’s total IT market compared to 11 percent globally, but Bains predicts this number to swell to 20 percent by 2020, reaching US$20 billion in value and representing an annual growth rate of over 40 percent.
Despite the positive outlook for cloud computing, China’s complex and restrictive regulations governing data and internet services make entering the rapidly expanding market a complicated process.
Telecommunications services and business requirements
After entering the World Trade Organization (WTO) in 2001, the Chinese government pledged to gradually open the country’s borders to seven value-added telecommunications services, including foreign email and voicemail services. Content-related commitments to these services are outlined in China’s “Telecommunications Directory 2015 Edition” as follows:
Foreign-invested companies are permitted to establish Sino-foreign joint ventures and apply to acquire relevant professional certification. However, foreign investment in internet data centers (IDCs) and internet service providers (ISPs) remains prohibited. Notably, the Shanghai Free Trade Zone’s negative list expressly forbids foreign investment into IDCs, but the Free Trade Zone negative list released at the national level does not contain this restriction. The Closer Economic Partnership Agreement (CEPA) previously opened up the IDC sector to investment originating from Hong Kong and Macau, explaining why the State Council’s negative list does not include IDCs. Therefore, this should not be seen as a sign that IDCs are open to foreign investment from outside of Hong Kong and Macau.
Foreign investment ratio requirements for telecoms
In accordance with the above-mentioned restrictions, foreign investment into telecommunications services in China must be in the form of a joint venture with a commercial presence. The following foreign investment proportion stipulations require special attention:
（1）According to the 2015 edition of the Guiding Catalogue of Foreign Investment, the proportion of foreign investment permitted in value-added telecom services may not exceed 50 percent, with the exception of e-commerce, which can be 100 percent. Those involved in basic telecoms may not exceed 49 percent.
（2）Foreign ownership restrictions for value-added telecommunications services in the Shanghai Free Trade Area have been further liberalized. For example, businesses engaging in information services are allowed 50 percent foreign ownership, and up to 100 percent for mobile apps. The proportion of foreign investment in internet access services may exceed 50 percent.
The impact of cloud computing data supervision on foreign-invested companies
China’s policies for data supervision can be summarized as follows:
Data must not be removed from the territory of the People’s Republic of China
In recent years, China’s laws and policies directed at data security and user identity have been gradually implemented and strengthened. Data removal measures are evident in many laws and regulations. Below is a summary of the main points.
（1）Personal credit information: Sorting, storage, and processing of information collected by credit institutions in China should be carried out in China.
（2）Personal financial information: Storage, management, and analysis of personal financial information collected in China must be carried out within China. Banking and financial organizations must not provide countries outside of China with personal financial information, unless otherwise stated by rules and regulations or rules made by the People’s Bank of China.
（3）Population health information should not be stored, entrusted to, or leased to overseas servers.
（4）Map data should be stored in servers within the People’s Republic of China.
（5）Governmental information: Data centers and cloud services that serve governmental organizations must be located in China.
（6）Accounting information: Accounting system information server deployment must comply with relevant state provisions. Data centers outside of China must keep a backup of accounting data, and must be backed up every month. For accounting information involving state secrets, information related to national economic security, without the approval of the competent authorities, must not be taken, transported, or transferred overseas.
（7）Human genetic resource information: Unless otherwise stated by laws and regulations, under special situations where it is imperative that genetic information is temporarily required to be supplied to an outside entity, it is required to fill out and complete a human genetic resources information export declaration form and other required documents for the examination department. Once authorization and approval is obtained by the China human genetic resource department of the local authority or State Council, an export certificate will be issued.
（8）A series of documents on standardization have proposed that cloud service providers must ensure that their server centers are located in China and fulfil the technology requirements of Chinese law.
In addition, in June 2015 the Network Security Act (draft) was made public. The act clearly states that key information infrastructure operators should store the personal information of Chinese citizens within the country. Those who do need to store information overseas will be evaluated in accordance with safety regulations. This legislation also reflects the policy that personal data cannot leave the country.
Maintain a data interface
Apart from the above-mentioned policy, the ‘anti-terrorism act’, which was passed this January, clearly states that telecommunications operators and internet service providers must provide a technical interface and other decryption support by which public security organs and state security agencies may investigate terrorist activities. Mandatory national standards also require that internet service providers provide safety organizations with a compliant technical interface and ensure the timely and effective delivery of relevant evidence. Maintaining a data interface does not necessarily mean that relevant authorities are permitted to freely access data without any procedure. However, these regulations may increase worries for foreign investors.
Foreign-invested cloud computing businesses operating in China need to be aware of the various restrictions over data governance, and other related issues. Even if they are clearly in a joint venture with a domestic enterprise, foreign investors also need to consider the legal compliance of their cooperation agreement, including qualification compliance, data storage restrictions, and other regulatory policies, in addition to business management cooperation framework management, access to income and transfer, customer services, and other management issues.
Investing in internet and information-related businesses in China is a complicated exercise owing to the government’s stringent security measures and active supervision. Regulatory compliance is particularly important in this sector, as foreign investors face heightened scrutiny and risk drawing the ire of the government. The potential of the market makes navigating these issues worthwhile, however, as Chinese businesses and consumers are increasingly willing to invest in internet services that improve convenience and optimize performance.
Asia Briefing Ltd. is a subsidiary of Dezan Shira & Associates. Dezan Shira is a specialist foreign direct investment practice, providing corporate establishment, business advisory, tax advisory and compliance, accounting, payroll, due diligence and financial review services to multinationals investing in China, Hong Kong, India, Vietnam, Singapore and the rest of ASEAN. For further information, please email firstname.lastname@example.org or visit www.dezshira.com.
Stay up to date with the latest business and investment trends in Asia by subscribing to our complimentary update service featuring news, commentary and regulatory insight.
Internet Challenges & Solutions When Doing Business in China
In this special edition of China Briefing magazine, we highlight how and why foreign companies will be negatively affected by China’s internet, and provide methods to help solve these problems. We discuss ISP selection, internet connection types, CDNs and VPNs, and internal control systems. Finally, we examine the importance of network security in China and how it can help augment a company’s internet connection.
How IT is Changing Payroll Processing and HR Admin in China
In this edition of China Briefing magazine, we examine how foreign multinationals can take better advantage of IT in the gathering, storing, and analyzing of HR information in China. We look at how IT can help foreign companies navigate China’s nuanced payroll processing regulations, explain how software platforms are becoming essential for HR, and finally answer questions on the efficacy of outsourcing payroll and HR in China.
China Investment Roadmap: the e-Commerce Industry
In this edition of China Briefing magazine, we present a roadmap for investing in China’s e-commerce industry. We provide a consumer analysis of the Chinese market, take a look at the main industry players, and examine the various investment models that are available to foreign companies. Finally, we discuss one of the most crucial due diligence issues that underpins e-commerce in China: ensuring brand protection.