Draft legislation to affect China cloud services market access January 2017 Draft Legislation to Affect China Cloud Services Market Access January 2017 1 Introduction On 25 November 2016, the Ministry of Industry and Information Technology ("MIIT"), China's telecommunications and Internet regulator, issued a draft Circular on Regulating Business Activities in the Cloud Services Market for public comment ("Draft Circular"). The stated aims of the Draft Circular are to improve the cloud services market environment and further regulate business activities in this sector. In addition to introducing a number of minimum service requirements that cloud operators must observe, the Draft Circular is of particular interest to the industry due to the rules it sets out for market participation by foreign technology companies, including through cooperation with license holders in the People's Republic of China ("PRC" or "China"). The period for public comments on the draft ended on 24 December 2016. Background The cloud market is currently experiencing a period of explosive growth in China, with Chinese Internet titans Tencent, Alibaba, Baidu and others vying with Amazon, IBM, Google, Microsoft and other international cloud computing giants to develop and capture the public, private and hybrid markets. According to the 2016 Cloud Computing White Paper released by the China Academy of Information and Communications Technology in September 2016, the overall size of China's cloud computing market in 2015 was RMB 37.8 billion, with a growth rate of 31.7%, meaning China's share of the global market had risen from 3.7% in 2012 to 5%. However, as cloud computing grows and more data is being stored in the cloud, businesses, ultimate end users, and the public at large are becoming increasingly concerned with the risks associated with maintaining service levels, as well as loss of user data or violation of data privacy rights. Standardization has also become an issue, as for quite some time cloud computing has lacked any specific recognition in China's regulatory framework for telecoms services. Things have improved somewhat in recent times, with the introduction of the category of Internet resource collaboration ("IRC") services in the Classification of Telecommunications Services Catalogue (2015 Edition) effective 1 March 2016 ("2015 Catalogue"). Moreover, cloud storage, big data and cloud computing have all become major line items in government planning at the highest levels, including in China’s 13th Five Year Plan, which places significant emphasis on Internet Plus and information technology, and the State Council's Actively Promoting the "Internet Plus" Action Plan Guidance Opinions introduced on 4 July 2015, which specifies 65 development tasks in relation to information technology to be implemented from 2018 to 2025. These developments are further accelerated by the recent adoption of the PRC Cyber Security Law which comes into effect on 1 June 2017. The Draft Circular follows the trend in recent legislation by specifically regulating previously "grey" services. In particular, the Draft Circular proposes standards for the protection of personal information and network security, licensing requirements, and approved methods for domestic/foreign collaborations. Below we discuss in greater detail how, if the Draft Circular is passed in its current form, cloud services will be regulated in the PRC, with a particular focus on licensing requirements and the approved methods for domestic/foreign collaboration. Licensing Requirements for Providing Cloud Services The Draft Circular clearly states that cloud services do indeed refer to the IRC services subcategory under the category of Internet data centre ("IDC") services, a Category One ValueAdded Telecommunications Services ("VATS") under the 2015 Catalogue. Such statement finally directly links IRC services to cloud and IDC services, a view that had been widely held Draft legislation to affect China cloud services market access 2 Hogan Lovells since the IRC services category was introduced in the 2015 Catalogue, but up until now had lacked a specific legal basis. As IRC services, cloud services will be subject to separate licensing requirements and technical assessments. As stated in the Draft Circular, cloud service business operators within the PRC must strictly comply with the requirements with respect to funding, personnel, venues, facilities and so forth under the various laws applicable to VATS, and are subject to passing technical assessments and obtaining VATS licenses. The applicable laws in question specifically include the Telecommunications Services Operating Permit Administrative Measures (MIIT Decree No.5) and the Circular on Further Regulating Market Entry for Internet Data Centre Services and Internet Access Services (MIIT Telecom Administrative Letter No. 552 of 2012 ("Letter No 552")). When IRC services were originally introduced into the 2015 Catalogue, it was not clear whether they would give rise to licensing requirements above and beyond those applicable to IDC licensing, or whether the 2015 Catalogue allowed all IDC license holders to engage in cloud services. It was also not clear whether all non-licensed providers were meant to be excluded from offering cloud services. The Draft Circular clarifies these points: additional licensing is required; having a normal IDC license is not enough; and there must be no direct-to-customer offering of cloud services by unlicensed entities. This is consistent with, and would codify, recent developments in MIIT practice, where we are already seeing implementation of separate testing and application materials for IRC services as a distinct subset of IDC and specific licensing (with the first IRC services license having been issued this year). It also appears from the Draft Circular and MIIT's recent practice that MIIT intends to stop any cloud services from being offered as "unregulated" services, likely bringing an end to regulated/unregulated split-services collaboration models in the cloud space (but see discussion below for what collaboration models will be allowed). Draft Legislation to Affect China Cloud Services Market Access January 2017 3 VATS Licensing for Entities with Overseas Investment Article 3 of the Draft Circular emphasizes that overseas investors investing in and operating cloud services business within the PRC must apply to establish a foreign-invested telecommunications enterprise ("FITE") which has been issued (as part of its establishment process) a corresponding VATS operating permit in accordance with the Foreign Invested Telecommunications Enterprises Administrative Regulations, the Agreement on Trade in Services under the Mainland and Hong Kong/Macau Closer Economic Partnership Arrangement ("CEPA") and other such policies concerning the liberalization of IDC services. At present, FITEs in the VATS sector may only (with some exceptions e.g. call centres in the Shanghai Free Trade Zone) be established as a joint venture between a foreign investor and a domestic enterprise, with the foreign investor's maximum capital contribution capped at 50%. In practice, however, this goes back to MIIT's interpretation of its World Trade Organisation ("WTO") commitments: essentially the consistently-held view has been that if a service is not included in the WTO list of liberalised VATS (neither IDC nor IRC were) it is not open to foreign investment unless MIIT decides otherwise. Only the CEPA route has really been open to qualifying Hong Kong entities and even then it has proven difficult to obtain approval for FITE JVs in IDC services. What is not clear from the Draft Circular is whether foreign investors will be required to obtain an IDC permit in order to operate non-infrastructure type cloud services, such as Software-as-aService ("SaaS") as opposed to Infrastructureas-a-Service or Platform-as-a-Service, as there is no need for a SaaS operator to have its own infrastructure and the significant costs associated with this. Article 6 of the Draft Circular suggests not ("Operators of cloud services must use network infrastructure, IP addresses, bandwidth and other such access resources provided by a telecommunications provider having the appropriate permits and qualifications"), but the reference to Letter No 552 and the fact that IRC is a sub-category under IDC services tend to suggest the contrary. Because of these historical market access issues, many foreign technology companies have focused their efforts on participating in the Chinese market via some form of non-equity holding technical services collaboration with a domestic Chinese partner ("Cooperative Model"). This form of collaboration is also addressed under the Draft Circular. Collaboration between Cloud Service Providers and Other Partners In practice, Cooperative Models have taken various forms, with various structures being utilized by different industry participants with respect to contracting, client interfacing, service arrangements, billing, and issuance of tax invoices. The Draft Circular proposes to unify this, setting strict rules in these areas, and bringing the structuring of Cooperative Models officially under direct government regulatory scrutiny, as set forth in Article 4 of the Draft Circular, which provides that cloud services operators engaging in technical collaborations with relevant organizations have an affirmative duty to report the details of their cloud services collaboration in writing to the telecommunications administrative authority. By way of comparison, only in the media industry do you have a similar level of regulatory scrutiny where cross-border collaborations are subject to approval. Further, the following activities are not permitted during the course of collaboration: (1) the leasing, lending or transfer of a telecommunications services operating permit to a partner in a disguised manner by any means, or providing to any partner the resources, venues, facilities or other conditions for unlawful operations; 4 Hogan Lovells (2) a partner entering into contracts directly with users; (3) using only the trademark and brand of a partner to provide services to users; (4) unlawfully providing to any partner user personal information and network data; and (5) other activities which violate laws and regulations. Pursuant to the above provisions, the nonlicensed party in a Cooperative Model is not permitted to enter into contracts with users directly or provide services to users by using their trademark and brand only. In other words, such unlicensed party must serve in a subordinate capacity without a direct relationship with the cloud customer, thus undermining the value proposition for many overseas providers. The 'sweep up' in (5) could be a veiled reference to Variable Interest Entity ("VIE") structures, which have, in recent arbitration decisions at least, been found to violate mandatory provisions of PRC laws by circumventing the obligation on the foreign 'operator' to obtain a VATS permit in China. It also specifically bans circumventing the great firewall of China by an operator linking [its servers] to an international network by using leased lines, virtual private networks or selfbuilt international channels. Some foreign technology providers operating under a Cooperative Model may already have operating structures that are aligned with the rules in the Draft Circular. Others, however, will need to review their current or contemplated collaboration arrangements with domestic cloud service providers in light of the implication of the Draft Circular, should it come into effect as currently written. Conclusion It was inevitable that cloud services were going to be regulated. However the key issue raised by the Draft Circular for foreign investors is whether they were going to be partially or wholly shut out of this lucrative and fastgrowing market. By aligning the category with IRC and IDC, which has traditionally been closed to all but the CEPA qualified Hong Kong investors, the Draft Circular suggests that this may well be the case – depending on whether the reference to CEPA should be read as excluding all those who do not fit within the CEPA tests and thereby potentially depriving China of the skills and technologies of some of the most advanced operating models and operators in the world. Cross-border collaboration remains possible, with some restructuring needed for existing models that do not conform, but at the end of the day, the real question is whether in practice MIIT will create a true level playing field and will allow foreign investors to set up FITEs in this area without imposing an unnecessary financial burden on them to invest in infrastructure (for SaaS). Contacts Andrew McGinty Partner, Shanghai firstname.lastname@example.org Liang Xu Partner, Beijing email@example.com Philip Cheng Partner, Shanghai firstname.lastname@example.org Nolan Shaw Associate, Beijing email@example.com Alicante Amsterdam Baltimore Beijing Brussels Budapest Caracas Colorado Springs Denver Dubai Dusseldorf Frankfurt Hamburg Hanoi Ho Chi Minh City Hong Kong Houston Jakarta Johannesburg London Los Angeles Louisville Luxembourg Madrid Mexico City Miami Milan Minneapolis Monterrey Moscow Munich New York Northern Virginia Paris Perth Philadelphia Rio de Janeiro Rome San Francisco São Paulo Shanghai Shanghai FTZ Silicon Valley Singapore Sydney Tokyo Ulaanbaatar Warsaw Washington, D.C. Zagreb Our offices Associated offices www.hoganlovells.com "Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses. The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members. For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com. Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney advertising. Images of people may feature current or former lawyers and employees at Hogan Lovells or models not connected with the firm. ©Hogan Lovells 2017. All rights reserved.