In the past decade, physical servers and computer hardware have struggled to keep up with the astronomical amount of data that companies and individuals have created. Cloud computing has been introduced as a solution to harness large amounts of information for public and private access through flexible online "cloud" services.
The Chinese government has also taken note of the impact cloud computing is set to have on the world and plans to invest approximately RMB ¥1.1 trillion in cloud initiatives in the future. Despite the promise cloud computing technology has shown in the Chinese market, foreign investment restrictions, censorship, privacy protection, and jurisdictional issues – legal issues central to the successful delivery of cloud services – remain ambiguous.
This memo seeks to delineate China's current regulatory structure and address the potential impact that these legal issues may have on the growth of cloud computing operations.
What is Cloud Computing?
Cloud computing is the delivery of on-demand computing resources (e.g. networks, servers, and storage) to a large group of end-users. Unlike the traditional use of localized general-purpose hardware and servers to save and process data, cloud computing utilizes web-based infrastructure to store information and offer extra computing capabilities, eliminating the need to build massive server farms and purchase expensive storage systems. Cloud-based services enable greater flexibility by making information freely available through the internet, and information technology giants such as Google, Apple, and Microsoft have all launched cloud services in the past several years.
Cloud computing can be implemented in various forms, including:
- Software as a Service ("SaaS"): SaaS providers offer a range of online software applications that users can access through their web browser. Examples of SaaS include Hotmail and Microsoft's online word processing service, Office Web Apps.
- Infrastructure as a Service ("IaaS"): IaaS providers give consumers access to additional computing resources, including expanded storage capacity and webservers. A notable example is Amazon's Elastic Compute Cloud, which helped the New York Times to prepare its digitized hardcopy archive (spanning 1851-1980) for public availability within 24 hours by providing the Times flexible cloud infrastructure to host their content.
- Platform as a Service ("PaaS"): PaaS providers offer a platform for software development and hosting, allowing users to create distributed web-based applications. A well-known example of this kind of service is Google's App Engine.
With technology growing at a rapid rate in China, cloud computing is proving to be an ideal solution to the expansion of internet usage and the continuing commercialization of data. However, current Chinese laws and regulations may pose some problems for foreign companies seeking to operate cloud-based services within China.
Limits on Foreign Investment in China's Cloud Computing Market
Internet information services remain a heavily regulated sector in China. The main regulatory framework for the Chinese telecommunications industry is the Telecommunications Regulations of the People's Republic of China (2000) ("Regulations")1. The Regulations categorize services as either "Basic Telecommunications Services" or "Value-added Telecommunications Services" ("VAS") in the Catalogue of Telecommunications Services annexed to the Regulations. Within this categorization framework, cloud computing is theoretically classifiable as a VAS. This is because cloud computing may fall under one of two broadly defined categories: "Internet Access Services," or "Information Services," both of which are subsumed within the category of VAS. Therefore, foreign investors interested in providing cloud computing services in China are subject to all regulations governing foreign investment in VAS, which include the Guidance Catalogue of Industries for Foreign Investment (2011) ("Foreign Investment Catalogue")2 and the Provisions on the Administration of Foreign-Invested Telecommunications Enterprises (2002) ("Foreign-invested Provisions").3
The Foreign Investment Catalogue establishes VAS as a restricted industry and limits foreign investors to holding less than 50% of the shareholding interest in a telecommunications joint venture ("JV") formed with a Chinese partner, and the Foreign-invested Provisions also contain a similar shareholding limitation. China's Ministry of Commerce ("MOFCOM") has delegated the authority to approve foreign investments of no more than US $50,000,000 in restricted industries to local commerce departments at the provincial level, but foreign investment in restricted industries like VAS is still subject to central MOFCOM approval if the investment exceeds US $50,000,000.4 In addition, the Foreign-invested Provisions further provide that telecommunications JVs offering cross-border services must obtain the approval of the State Council department responsible for the information industry, and conduct their services through an international communications gateway provided by one of the three state-owned telecommunications operators.5 JV cloud service providers are generally subject to these approval and gateway requirements because they often store data on servers located outside China. The VAS JV structure, therefore, has the disadvantage of being subject to the undesirable 50% shareholding restriction, as well as being subject to time-consuming and complex approval requirements.
Previously, an alternative to the VAS JV could be found in the form of a Variable Interest Entity (also known as a "Sina Structure").6 By using a VIE structure, a foreign investor could ensure effective control over a business located in China without going through the lengthy VAS JV approvals. The VIE Structure was initially designed to allow foreign investors to hold a controlling interest in an otherwise restricted area, such as telecommunications. This was accomplished by one or more foreign investors, who together with one or more PRC natural or legal persons formed an offshore entity, which in turn was owned or controlled an onshore Wholly Foreign-owned Enterprise ("WFOE"). This foreign-controlled WFOE would then execute control contracts which allowed the WFOE to have power over the ownership and management of a domestic-Chinese company that held the necessary licenses to operate within the VAS arena. While this arrangement served to relieve the restrictions placed on the allowed percentage of foreign investment by ensuring that the company seeking licensing was not legally "foreign" in nature, the recent downfall of the VIE due to its inherent flaws has made this option undesirable.7 Alternative corporate structures have been developed to fill the hole left by the failure of the VIE model, including that of the Multi-Jurisdictional Captive Company (MJCC).
Censorship and the "Great Firewall"
Censorship in China has always been a major problem for foreign-based companies, especially for those operating within the internet services industry. This has been especially true in cases when a foreign company has been unwilling to submit its services to the control exercised by the Chinese government. Additionally, the Great Firewall has hindered the availability of foreign cloud services such as Google Apps, which is often completely inaccessible to Chinese users.
Because cloud-based services are completely dependent on reliable internet availability, companies may find it difficult to satisfy their clients while facing restraints imposed by the Chinese authorities. Although cloud services have been praised for their convenience, users in China may prefer physical servers and hard drives over cloud computing because such physical resources are subject to fewer external service interruptions and encounter less latency overall. Both VAT JVs and companies utilizing alternate corporate structures such as VIEs and MJCCs may mitigate the impact of the censorship apparatus by locating key elements of the service outside of the reach of Chinese governmental authorities, but censorship and political sensitivity can still disrupt the smooth delivery of cloud computing services.
Since the Chinese government is fiercely protective of state secrets, cloud computing firms need to be aware of the fact that operating these services in China may be seen to compromise state secrecy. Due to the nature of sharing and collecting information on an online platform, cloud computing may pose a greater threat to state secrets than other technology services, and therefore may be subject to strict scrutiny. This is especially important as the Chinese government has the discretion to classify any information as dangerous, whether outwardly compromising or not, and may consequently censor the offending data. Companies acting in violation of the censorship regulations run the risk of suffering heavy penalties and having their services suspended or even terminated.
In the case of service termination, companies will need to have a procedure in place to allow users to retrieve their information from the online services, or alternatively to create a method of transferring the data to somewhere else. Companies are advised to establish practical exit plans and backup services to avoid data loss to their clients.
Because Chinese laws have not traditionally enforced stand-alone privacy rights, companies offering cloud-based services need to be cautious when they are operating within the Chinese market. Although increased pressure from technological advances has led to the continuing development of new piecemeal laws and regulations, China still lacks an overarching "data privacy" law to regulate the protection of information, and recent efforts to establish such a law have stalled. The current draft of the law includes restrictions on the transfer and sharing of information, but has yet to be implemented.
However, China has recently made a significant effort to address the privacy rights issue by amending the Criminal Law.8 Under the amendment, government and private sector employees who sell or unlawfully provide information obtained through their work duties to third parties are considered to have committed a criminal offense. Additionally, unlawfully obtaining such confidential information is also defined as an offense. Though the amendment is a crucial step in recognizing the need for privacy protection, it is still necessary to enact a stand-alone law to fully address the issue and achieve greater clarity.
The new Tort Law of the People's Republic of China ("Tort Law") also acts to supplement the criminal law with regard to privacy rights. The Tort Law specifically addresses the liability of a website operator with regard to infringing content that is posted within its database, and allows individuals to seek civil damages.9 Despite it being an important complement to the Criminal Law's amendment, the Tort Liability Law still lacks the enforceability of a stand-alone law.
The forthcoming Information Security Technology Guidelines for Personal Information Protection (the "Guidelines") represent another effort by the government to address the growing need for privacy protection. The Guidelines contain a set of principles governing the collection, processing, use, transfer, and maintenance of personal data on computer networks, which is expected to become the national standard for relevant companies. Internet giants such as Baidu and Sina have offered input towards the current draft of the Guidelines, which is still in the early stages of its development. However, even if the Guidelines do become an official standard they will lack the enforceability of a law, as a "recommended" standard is difficult to put into effect and relies on a company's willingness to abide by it.
Just like clouds that constantly move from one place to another, cloud computing services constantly move data from one data center to another to maximize efficiency. However, certain jurisdictional issues will inevitably arise when data migrates across national borders, creating legal uncertainty for cloud computing providers. For example, the fluid location of data can become a problem when the governing law as specified in the contract between the user and the provider is in conflict with the law of the jurisdiction where the data resides. This conflict of laws is most acute in issues concerning confidentiality and privacy. Different jurisdictions afford varying levels of privacy protection, and information that is deemed private in one jurisdiction may be subject to unwarranted searches in another.
The general cultural and political differences between Western countries and China may also pose a major challenge to Western cloud computing providers who want to do business in China. When the Chinese authorities imprisoned reporter Shi Tao in 2005, Yahoo! China was accused of providing his personal information to the Chinese police without asking what the information was for. Yahoo!'s conduct led to an international outcry, a public-relation crisis, a U.S. congressional investigation, and a settlement for an unspecified amount with Mr. Shi. Although most conflict of laws issues are less dramatic than the case of Shi Tao, foreign cloud computing providers must be careful to take the difference between Chinese and Western legal systems into consideration.
Companies that wish to operate cloud-based services in China currently face a number of challenges. These include a complex regulatory environment, limitations on foreign investment, as well as censorship, privacy, and jurisdictional issues. Cloud computing companies who wish to operate in China need to carefully balance efficient service delivery with risk control mechanisms, and ensure that they are structured to maximize their potential while minimizing the risk of undue governmental interference. This is especially important in sensitive areas, as the Chinese government takes censorship seriously and foreign businesses seeking to break into the internet services industry will continue to face closer scrutiny. Violations of local regulations could lead to data loss for both the company and its clients, as well as service interruptions, ultimately resulting in client dissatisfaction. A balance must be struck to ensure that such services can flourish in this new market.
1. Dianxin Tiaoli (电信条例) [Telecommunications Regulations] (promulgated by St. Council, Sept. 25, 2000, effective Sept. 25, 2000) (Westlaw).
2. Waishang Touzi Chanye Zhidao Mulu (外商投资产业指导目录) [Guidance Catalogue of Industries for Foreign Investment] (promulgated by Nat'l Dev. & Reform Comm'n and Ministry of Commerce, Dec. 24, 2011, effective Jan. 30, 2012) (Westlaw) (China).
3. Waishang Touzi Dianxin Qiye Guanli Guiding (外商投资电信企业管理规定) [Provisions on the Administration of Foreign-Invested Telecommunications Enterprises] (promulgated by the St. Council, Dec. 11, 2011, effective Jan. 01, 2002) (Westlaw) (China) [hereinafter Foreign-invested Provisions].
4. Shangwubu Guanyu Xiafang Waishang Touzi Shenpi Quanxian Youguan Wenti De Tongzhi (商务部关于下放外商投资审批权限有关问题的通知) [Notice of the Ministry of Commerce on Decentralizing the Examination and Approval Power for Foreign Investment] (promulgated by Ministry of Commerce, June 10, 2010, effective June 10, 2010) (Westlaw) (China).
5. Foreign-invested Provisions, art. 17.
6. For more information on the VIE structure and potential complications, please refer to CWT Clients & Friends Memorandum, "Understanding the VIE Structure: NecessaryElements for Success and the Legal Risks Involved" (Aug. 10, 2011) (available at http://www.cadwalader.com/assets/client_friend/081011UnderstandingtheVIEStructure.pdf); as well as CWT Clients & Friends Alert, "UPDATE – MOFCOM's New Security Review Measures (Announcement No. 53): Increased Scrutiny of VIE Structures Operating in Areas of PRC National Concern" (Sept. 2, 2011) (available at http://www.cadwalader.com/assets/client_friend/090211MOFCOMNewSecurityReview.pdf).
7. This downfall was the result of a confluence of factors, including increased regulation against VIEs within China, a lack of remedy for foreign investors in case of breach, and a lack of enforceability under Chinese law. For a more detailed account, please inquire about Cadwalader's forthcoming Clients &Friends Memo entitled "The End of the Variable Interest Entity: A Crisis of Confidence in a Flawed Structure."
8. See Xingfa Xiuzheng An (Qi) (刑法修正案(七)) [Amendment VII to the Criminal Law] (promulgated by Standing Comm. Nat'l People's Cong., Feb. 28, 2009, effective Feb. 28, 2009) (Westlaw) (China).
9. Ginquan Zeren Fa (侵权责任法) [Tort Law] (promulgated by Standing Comm. Nat'l People's Cong., Dec. 26, 2009, effective July 1, 2010) art. 36, (Westlaw) (China).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.