1. Introduction

It is difficult to give a sense of the extent to which the Internet has changed the lives of Chinese people across the nation since September 1987, when China first became connected to the Internet.  China's netizen population has skyrocketed to over 500 million (to put this in context, the entire population of the United States is approximately 314 million people in 2012) and further rapid growth is anticipated.  Increased internet access has transformed China's economic and media landscape.  More and more businesses are going online to tap into ecommerce as an alternative or even as their sole sales channel.  Meanwhile, new technological phenomena like microblogs, or Weibo, are making it easier for individuals to select, re-tweet and sometimes even create news of their own on their mobile devices, regardless of location.  Chinese citizens have latched onto microblogs because they are seen as pushing at the boundaries of what type of information can be disseminated on the Internet in China.

Against this backdrop, the Chinese authorities have been scrambling to catch up with the technological advances of the Internet era.  Things move so fast in this space that regulators may find that the technology has outrun the legislation before the ink has dried on it.  In yet another attempt to revamp and update its regulatory framework, the State Council (Internet) Information Office ("SCIO") and the telecoms and Internet industry regulator, the Ministry of Industry and Information Technology ("MIIT") released a circular on 7 June 2012 to solicit public opinions until July 6 2012 on the Internet Information Services Administrative Procedures (Revised Draft for Seeking Comments) ("Deliberation Draft").  The current regulations in this area, the Internet Information Services Administrative Procedures (the "2000 Internet Information Procedures") were originally promulgated by the State Council on, and effective as of, 25 September 2000.

Twelve years in the Internet space is like several lifetimes in other areas, not just in terms of how far the technology has moved on, but also in terms of the economic context and environment surrounding the Internet (one of the first modern social media websites "Friendster" was founded in 2002): the 2000 Internet Information Procedures were, in common with much of the legislation at the time, issued in something of a flurry to deal with the unstoppable tide of the 'dot.com' boom (which was followed by the inevitable bust). They now look very dated.

Clearly the whole regulatory framework in this area is in dire need of an overhaul: the Catalogue for the Classification of Telecommunications Services (the "Telecoms Catalogues") issued by MIIT's predecessor regulator, the Ministry of Information Industry, which remains the key reference for determining which telecoms services should be regulated as value added telecoms services ("VATS") and which should be regulated as basic services remains stuck in a time warp, doggedly unchanged since it took effect on 1 April 2003, whilst the technologies underlying such services have undergone a quantum leap and many new services which do not fit neatly into any of the descriptions in the Telecoms Catalogue have emerged.  

2.            Regulations are trying to catch up with the technological advancements of the internet (blogs, microblogs, etc.)

2.1     New Licensing Requirement

The latest Internet phenomenon grabbing the attention of the Chinese regulatory authorities is the microblogs, which enjoy a huge following in China, partly because they tend to publish (albeit often temporarily and before the censors can intervene) an unfiltered version of events as compared to the heavily State and propaganda department-controlled and standardised news stories appearing in traditional media.  Initially introduced to China in 2007, Chinese microblogs have developed hundreds of millions of active users to date.  As the leading microblogging service in China, Sina Weibo alone boasts more than 300 million registered users, half of them accessing their accounts via mobile devices.

As with the 'dot.com' phenomena in 2000, the government is now responding to the new technological phenomenon and zeitgeist by rolling out another layer of regulation.  Internet information services which allow Internet users to communicate information to the public(1) (e.g., Internet forums, blogs, and microblogs, collectively "Blogging Services" hereinafter) will, under the Deliberation Draft, also be subject to a licensing requirement in much the same way as Internet news providers have been hitherto regulated(2) (and the latter is notably an area off-limits to foreign investment).  A similar licensing requirement already applies to Internet information search services, such as Baidu, which have been historically regulated as Internet information service providers ("ICPs"), which is classified as a VATS under the Telecoms Catalogue. 

Pre-existing businesses already engaging in Blogging Services and Internet information search services will also be required to go through the licensing procedures.  However, the Deliberation Draft provides a grace period of 6 months for businesses that are unable to fully comply when the Deliberation Draft becomes effective.  Those still failing to comply within the extended timeframe may face forced closure by the SCIO.  In other words, the underlying theme here is to provide a legal basis for closing down any unlicensed participants in the market that are outside of SCIO's regulatory net.  In short, this could herald a clear-out and heavier regulation of the sector.  MIIT's existing approval or record filing requirement and procedures are re-emphasized under the Deliberation Draft, though this may not affect existing businesses which have already completed the approval or record filing procedures.  However, the Deliberation Draft does not specify whether the current system will be maintained or there will be new or additional SCIO licensing requirements, procedures, timelines or documentation requirements for Blogging Services and Internet information search services.  Rather, these will be left to separate regulations to be promulgated at a later stage.  

2.2          Real-name User Registration for Blogging Services

The Deliberation Draft does specify a requirement that Blogging Services must have its users use their true identities when registering.  This nationwide requirement comes in the wake of several local pilot programs requiring microbloggers to register using their real identities, which were launched recently in Beijing(3), Shanghai, Tianjin, Guangzhou and Shenzhen.  These raised concerns about data privacy and broader issues of bloggers being held accountable for politically objectionable content.  Under the Deliberation Draft, Internet access service providers ("ISPs") will also be required to record the true identity, website name, and Internet address information of those engaging in Blogging Services. Penalties will be imposed on providers of Blogging Services and ISPs if they fail to enforce the aforesaid requirements.  Blogging Services may incur liabilities ranging from an administrative warning, an order for rectification within a specified timeframe, to an order for suspension or termination of services and ultimately revocation of licences or registrations.  ISPs may also be subject to fines from RMB 100,000 (approximately USD 15,000) to one million (approximately USD 150,000).  The relative severity of the punishments suggests a quite significant concern on the part of the Chinese government, and underlines how important China's officials believe it is to regain and retain control over this burgeoning new area.   

2.3          Record Retention

Under the Deliberation Draft, the record retention obligations for Internet businesses will become increasingly burdensome. ICPs will be required to retain records of information communicated by themselves and their users for 6 months. ICPs and ISPs must archive logs for 12 months and provide technological support for information searches by China's public security and State security authorities in accordance with law. Under the currently effective 2000 Internet Information Procedures (Article 14), the retention period is merely 60 days for ICPs and ISPs. While helpful for the Chinese authorities to scrutinize the Internet, the new retention requirements will inevitably increase the compliance cost of Blogging Services in China, not to mention providing yet another legal basis for obliging providers to turn over information on dissidents to the State.

3.            Personal Data Protection

3.1    Personal Data Protection Obligations

Whilst requiring ICPs and ISPs to collect and retain personal information like identification and logs, the Deliberation Draft nonetheless requires service providers to observe certain data protection obligations.  Under the Deliberation Draft, ICPs and ISPs will be prohibited from selling, changing, intentionally divulging, or illegally utilising the personal information of their users. 

3.2         Potential Criminal Liability

This is in line with the Chinese government's recent efforts to combat abuse of personal data which led to the recent amendment to Article 253 of the People's Republic of China Criminal Law (effective 28 February 2009), which now provides for a new criminal offence whereby workers within State organs or privately-held financial, telecommunication (presumably including Internet), transportation, educational, medical and other such like units, in breach of provisions of the State, sell or unlawfully provide the personal information of citizens collected in the course of performing their duties or in the course of providing services to others.  It also criminalises any person obtaining such information by means of theft or other "unlawful" means.  Where the circumstances are serious, this newly-created criminal offence carries a custodial sentence or criminal detention of up to three years, and/or a fine. However, the lack of a statutory definition for "personal information" in such law and the lack of practical official guidance on the so-called "unlawful" acts makes it difficult to apply this law in practice.

3.3         Corporate Crimes

It is notable that this newly-created crime can be committed by legal persons such as companies, which can then be subject to fines, and the directly responsible persons in charge and other directly responsible persons can be punished as if they had personally committed the crime. 

3.4         Similar Personal Data Protection Rules for ICPs

These provisions on personal data protection are broadly consistent with those were already introduced on 29 December 2011 when MIIT promulgated the Regulating the Internet Information Service Market Order Several Provisions (the "Internet Information Service Provisions").(4)  The Internet Information Service Provisions define "users' personal information" as "any information associated with a user, which, either independently or when combined with other information, is able to identify such user".  Without the prior consent of the user, ICPs are prohibited from collecting or disclosing users' personal information, except where otherwise provided by the laws and regulations.  ICPs must clearly inform users of the method, content and purpose of collecting users' personal information.  Additionally, ICPs are prohibited from collecting users' personal information other than as is necessary or utilising it for purposes other than in connection with the product or service provided.  Non-compliance may result in administrative penalties ranging from a warning, an order for rectification, and a fine between RMB 10,000 (approximately USD 1,500) and 30,000 (approximately USD 4,500).  Despite these rather light penalties (it is interesting to compare and contrast these with the much heavier penalties for ISP operators and Blogging Services operators who fail to enforce the real names rules and keep proper records of their users referred to in paragraph 2.2 above), MIIT has the power to 'name and shame' those who have been hit with an administrative sanction, which may prove to be the bigger deterrent in practice. 

3.5          Other Privacy Laws and Regulations on the Horizon

At present, China does not currently have a stand-alone law which deals specifically and comprehensively with privacy or protection of personal data.  Proposals have been made to enact more comprehensive laws and regulations addressing personal data privacy.  However, to date no such laws or regulations have been enacted, due to reported disagreements between interested parties on where to draw the line on personal data protection versus freedom of commerce.  Some commentators openly question whether at its current stage of development China is 'ready' for a full-blown personal data protection law.

The most recent proposals in this regard are the draft Personal Information Protection Law ("Draft Privacy Law") and the draft Information Security Technology -- Guide of Personal Information Protection (the "Draft Guidelines", issued jointly by the General Administration of Quality Supervision Inspection and Quarantine and the Standardisation Administration of the PRC on 30 January 2011).  While the Draft Privacy Law has been tabled for several years, there seems to be no prospect of it becoming law in the foreseeable future. The Draft Guidelines on the other hand, reflect a recent, less ambitious attempt by regulatory agencies to put in place a set of rules to further clarify the responsibilities of data processors.  For instance, data processors would be required to clearly identify, inter alia, the purpose of personal information collection, the scope of use, the length of the retention period and safety measures. The Draft Guidelines also prohibit PRC data processers from transferring personal data to processors registered outside of China, unless otherwise stipulated by the Chinese law or the authorities in charge of the specific industry in question (e.g., transfer of electronic banking data to its offshore parent by foreign invested financial institutions for necessary and permitted business or management purposes) or with consent of the data subject. The Draft Guidelines are intended to prohibit the collection processing and transfer of personal information without the informed consent of the data subject.  The Draft Guidelines will, however, be administered as a recommended technical standard, rather than a mandatory legal requirement.  Furthermore, the Draft Guidelines give a definition for personal information that is similar to the definition found under the aforesaid Internet Information Service Provisions.

4.            Market Entry - Thorny Issues that Remain Unresolved  

4.1     Licensing Requirements

The Deliberation Draft continues the current regulatory approval regime based on the distinction between commercial/operational/profit-making ("经营性") ("Commercial ICPs") and non-commercial/operational/non-profit making ("非经营性") ICPs ("Non-Commercial ICPs").  Commercial ICPs will continue to be subject to a licensing requirement, whereas Non-Commercial ICPs will be only subject to simpler record filing procedures. 

One interesting development in the Deliberation Draft is that all definitions of Commercial ICPs and Non-Commercial ICPs which often appeared in other rules in this area have been removed.  It has long been a source of contention for some ICPs, particularly for those with innovative or new business models as to whether they are Commercial ICPs or Non-Commercial ICPs.  The existing regulations distinguish between the two types of ICPs based on whether the users of the information provided are charged or not.  After realising this somewhat unsophisticated and rigid test to fails address a myriad of Internet business models (such as ones based on advertising fees rather than charging information users), MIIT's predecessor tried to clarify this in 2002.  In a reply to its local counterpart in Liaoning Province(5), Commercial ICP services were initially characterised as commercial activities for profit-making purposes and interpreted by the MIIT to include providing users with chargeable content, Internet advertisements, webpage design or other online applications.  Business websites advertising their own products or businesses, however, were classified as Non-Commercial ICPs. 

However, the MIIT seems to have changed track in a subsequent circular(6) issued the same year to its local counterparts nationwide by providing that only ICPs providing chargeable content or webpage-making services to users are deemed to be Commercial ICPs, while all those not involving the aforesaid paid-for services are Non-Commercial ICPs.  In other words, ICPs (in its simplest form, a company website) which do not charge users for accessing content and which do not provide paid-for webpage design services and which are driven by, say, advertising revenues are not treated as Commercial ICPs.  On the other hand, websites such as Taobao where sellers pay fees, or online gaming websites where users pay a fee to access online content ('pay-to-play websites') would be firmly within the 'Commercial ICP' camp.

Several years later, in 2010, the local MIIT authorities in Beijing indicated(7) that Commercial ICPs should be those deriving income through Internet advertisements, webpage design, leasing of server space, server hosting, (online) provision of chargeable content, ecommerce, and other online application services.  This illustrative approach is helpful, but is significantly different from the MIIT's 2002 interpretation and subsequent circular, inevitably leading to some confusion as to the current position.  

Therefore, the distinction remains unclear to many website owners or operators, particularly when the Internet service is being provided as a non-critical element of, or as an ancillary offering for a commercial product, solution or process rather than a separate, independently-priced service. We have seen examples where clients have understandably been confused by receiving inconsistent opinions even between MIIT officials in different locations when asked the question in relation to the same business model on the same day.  While it remains to be seen whether the Deliberation Draft will address this rather thorny technical issue in its finalised version (we doubt this), the vague distinction can hardly be papered over by a simple removal of the existing definitions, vague and unsatisfactory as they may be.  Until there is a more useful and practical test for this, foreign investors and domestic investors alike will still need to closely consult with MIIT and its local counterparts whenever there is ambiguity over whether a given service will be treated as a Commercial ICP.  The distinction is important as such a finding would mean that a VATS licence would be necessary.    

4.2          Offshore Listing and Foreign Investment

Another unaddressed issue is foreign investment in Commercial ICPs.  In order to engage in VATS in China, foreign investors must set up a foreign-invested telecoms enterprise ("FITE") which must be in the form of a Sino-foreign equity joint venture, where the aggregate foreign investment does not exceed 50% and obtain a licence from MIIT as per the Foreign Invested Telecommunications Enterprises Administrative Regulations issued by the State Council with effect from 1 January 2002 (the "FITE Regulations") which were intended to implement China's Word Trade Organisation ("WTO") commitments in this regard.  However the FITE Regulations mask a much more complex picture, as a cursory reading of the FITE Regulations would suggest that all VATS are open to foreign investment subject to the 50% foreign investment cap.  The reality is very different.

China's WTO commitments are phrased as opening up VATS "including … […]" and then list out some mainly insignificant services from a commercial perspective (with the exception of online database search and retrieval (i.e. ICP)).  The list notably leaves out many key VATS from the business perspective, such as call centres, ISPs, Internet Data Centres (IDC) and so forth.  Whilst those on the other side of the WTO table may have thought that this formulation was the proverbial lawyer's "including, but not limited to", MIIT interpreted "including" more restrictively to mean "namely".  This meant that as far as MIIT was concerned, China made no commitment to open up ISPs, IDCs and call centres to foreign investment at all.

This may explain why, after sifting through information publically disclosed by MIIT, we have found no more than 30 foreign-invested VATS providers licensed by MIIT, including Commercial ICPs as well as other VATS providers such as call centres (there are a large number of non-commercial ICPs). Commercial ICPs and ISPs are classified as VATS in China under the Telecoms Catalogue, although there remains a question of which ICPs are subject to Chinese regulatory jurisdiction at all: the Chinese authorities usually cannot and do not, for practical reasons, assert jurisdiction over those which use servers based outside of China and which do not maintain a business presence in, or send over staff to, China.  China's post-WTO opening of telecoms services remains one of the most problematic and disappointing industry sector stories, and compares poorly to areas such as trading or banking where real substantive progress on opening up to foreign investment has been achieved.  The approval procedures under the FITE Regulations involving dual MIIT and MOFCOM approval processes read like an 'obstacle course' for foreign investors that reflect MIIT's very conservative stance on foreign investment in this highly-sensitive sector.

Compared with the current version, the Deliberation Draft no longer retains the language regarding MIIT's prior approval for onshore/offshore listing of ICPs or FITEs.  That does not mean that such approval is no longer required.  It may simply be because this issue is already covered (with respect to FITEs at least) in Article 23 of the FITE Regulations, so the reference is partially redundant, however the 2000 Internet Information Procedures, in common with the new regulations likely to emanate from the Deliberation Draft, relate to all ICPs, including domestic capital ICPs, so this does leave a gap for new legislation to fill.  This then raises the question of whether there are pending changes in this area following the resurgence of the VIE issue. It has been widely reported that a proposal drafted by an official within the China Securities Regulatory Commission ("CSRC") to encourage ICPs to turn away from offshore markets to list on China's domestic stock markets has been submitted to the State Council.  This used the spectre of the threat to national information security to call on the MOFCOM as well as MIIT to regulate ICPs and other Internet plays using the VIE structure and make them subject to government approvals.  However its fate since that point is not known, and the issue of whether retrospective measures could be imposed on existing offshore listed or otherwise ICPs has been left hanging, even if the report suggests grandfathering existing offshore listed ICPs.

Most offshore-listed ICPs from China use the so-called Variable Interest Entity structure ("VIE")(8) to circumvent China's restrictions on foreign investment in this sector as well as other potential regulatory approval procedures by MOFCOM, MIIT or CSRC. 

The VIE structure has also been widely adopted in many venture capital-type private foreign investments in China's VATS sector, although no one seems to have a clear picture of the total sums involved. Furthermore nobody seems to know exactly how many VIEs there are in place, but it seems entirely possible that they would number in the thousands and many of them will be outside restricted sectors like telecoms services. Therefore, international investors have been keeping a close eye on the position of the Chinese authorities in this regard.  Many international investors are betting that the VIE structures are so prevalent and involve so much money that the edifice created is too big to fail. They like to point out there are too many Chinese interests tied up in such companies (many of which are listed outside China) which would also suffer (not to mention other investors) if the Chinese authorities were to embark on a heavy-handed crackdown. Certainly the impact on China's emerging companies sector would be enormous, as the local venture capital market in China remains immature and foreign funds play a key role.  

The Chinese authorities, on the other hand, have been very discreet and - with a few exceptions - have refrained from commenting publicly on this sensitive issue.  Those with long memories, however, will remember the forced exit by foreign investors who had invested in mobile telecoms ventures with China Unicom under the predecessor of the VIE structure, the Chinese-Chinese-Foreign structure, in the late 1990s. 

Recently, we have seen an exception to the authorities' widespread "radio silence" about VIE structures.  On 14 August 2012, MOFCOM published its decision clearing Wal-Mart's acquisition of a stake in a company controlling Yihaodian, a popular e-commerce website in China, subject to conditions.(9) The decision was adopted under the People's Republic of China Anti-Monopoly Law, but the conditions imposed seem entirely unrelated to antitrust.  The Yihaodian website serves both as a platform for Yihaodian's own online supermarket as well as a platform for third parties to sell their products online.  Providing an online sales platform to third parties is considered to constitute VATS under Chinese law. Two of the three conditions imposed by MOFCOM in its decision under the Anti-Monopoly Law mirror the existing legal requirements, namely that the holding company, in which Wal-Mart will hold an indirect majority stake following the transaction, can use the website as its own sales platform (i.e. a Non-Commercial ICP) but must obtain a license from MIIT to offer the platform to third-party suppliers (i.e. as a Commercial ICP).  As a third condition, MOFCOM explicitly required Wal-Mart not to use a VIE structure to provide VATS through the Yihaodian business.  That fact that the word "VIE" – in English! – appeared in an official antitrust decision indicates the sensitivities that the concept still triggers among Chinese government officials.

The decision raises more questions than it answers. It is not entirely clear from the decision whether Yihaodian is already set up as a VIE controlled by the wholly foreign-owned enterprise at the end of the chain of companies Wal-Mart bought into, but that seems inconsistent with the third condition discussed above, but on the other hand, under China's WTO commitments, by definition a WFOE cannot operate a commercial ICP business and/or hold a VATS permit, as this would mean 100% foreign ownership (whereas the limit for foreign investment in VATS is 50%).

Thus it will be interesting to observe whether MIIT was attempting to send some kind of message with the aforesaid language change in the Deliberation Draft.

5.         Conclusion

Overall, we have not detected any clear signals that the Chinese government is going to change direction from its previous path of heavily regulating the virtual world.  Despite its political desire to do so, the Chinese government will inevitably find itself lacking resources to effectively monitor the ever-increasing public participation in China's economic and political life through the Internet.  As such, the government is trying to enlist (some would say 'conscript') the support and assistance of ICPs and ISPs.  It goes without saying that it is much easier to oversee a smaller number of businesses which are clustered around locations like Beijing and Shanghai than keeping tabs on the millions of netizens scattered across China. 

On the political front, ISPs are required to monitor their users all the way from initial registration, ongoing monitoring, to subsequent support in tracking down 'infringing' users and retaining records and logs.  Know your client-type requirements are now being imposed on ISPs to check the qualification/licences of ICPs that use their services, and for ICPs to check that its commercial users who engage in ecommerce activities have the required licences. 

On the commercial front, existing approval requirements have not been relaxed for ICPs, particularly those with foreign investment, and this remains a 'problem' area for foreign investment, so much so that in our experience most non-industry investors prefer to go the VIE route despite the possible challenges to it to avoid investing time and money in a joint venture in China and the labyrinthine approval process for a FITE.  Some overseas VATS operators opt against a FITE because they would prefer not to have to share their crown jewels technology with a Chinese joint venture partner, thereby depriving the Chinese consumer of access to some cutting-edge services developed overseas. 

The Chinese government, on the other hands, has been greeting emerging new Internet phenomena (such as microblogs) with censorship (particularly at sensitive times), additional controls and regulation.  

These monitoring 'pyramids' may help the Chinese government to establish an effective peer-to-peer, business-to-customer, proxy government oversight organisation for activities on the Internet.  However, stifling Internet activity comes at a price. China is at a crossroads in its development and faces a challenge in terms of the economic road ahead.  China needs to revisit its business model and develop its domestic markets and service industries as its share of the export-driven pie diminishes. To that end, on the one hand China wants and needs its citizens to act and think creatively in a business sense, which means having unfettered access to information and debate that can stimulate new business ideas, but is opposed to any loosening of controls over the virtual world because of the consequences of allowing political debate or criticism to go unchecked on line.  This is admittedly a difficult balancing act, but it would be an unfortunate and no doubt undesirable result if on the one hand politically-led heavy-handed regulation were to lead to stifling of creativity and new business ventures and on the other foreign investors  were to decide not to export their most valuable and innovative intellectual property rights and services to China because of a challenging regulatory environment.