In order to analyse whether or not it is permitted for overseas investors to provide cloud computing services inside the People's Republic of China ("PRC" or "China") or on a cross-border basis, it is necessary to examine China's WTO commitments.
Determining the classification of cloud computing under China's WTO commitments helps understanding the legal treatment to which cloud computing related services are entitled in China in terms of international law. In this respect, our view is that the classification of cloud computing related service under China's commitments may range from "no available category" to a classification under "Computer and Related Services" and "Value-Added Telecommunications Services", but in fact without fitting comfortably or fully into any of these "boxes".
One of the difficulties in classifying cloud computing for WTO purposes is that "cloud computing" covers a whole set of diverse services and delivery models. Furthermore, some
computer services which are supplied on-line have become nearly impossible to distinguish from value-added telecommunication services ("VATS"). However, in a background note published on 10 June 2009, the WTO Secretariat proposed a solution based on the distinction between "use" and "supply" for categorising services which appear to be caught under both computer services and telecommunications services. If, for example, a supplier actually provides computer services and merely uses telecommunications as a means of delivery for such computer services (our emphasis), the service provided would only fall under the category of computer services. On the other hand, if the supplier owns or operates its own telecommunications network, the supplier would be supplying both telecommunications and computer services. It seems unlikely at present that any cross-border provider would own the underlying telecommunications infrastructure in China, given the very limited foreign investment in basic operators to date.
For "Computer and Related Services", China made clear WTO commitments to impose no restrictions in terms of market access and national treatment on cross-border supply. However the commitment made by China under "Telecommunication Services" is not entirely clear. China limits foreign investment in telecoms services providers in China to joint ventures with a cap of 50% for VATS and 49% for basic telecoms services. In practice other restrictions apply on VATS in particular, deriving from the industry regulator's highly restrictive interpretation of China's WTO commitments in this regard.
Specific provisions of PRC law on cloud computing
There is currently no targeted legislation directly addressing cloud computing and its related services in China, so its legality is something of a grey area. China regulates telecoms and Internet services very heavily, but does not seem to have focused as yet on regulating application service provider-type services provided on a cross-border basis. It seems only a matter of time before it turns its heavy regulatory hand to this area.
However, we note that under PRC law, unlike under the law of certain other jurisdictions, the absence of an express prohibition on a certain commercial activity does not necessarily imply that such activity is permitted. As in other cases where the position at law is not clear, the tried and trusted method is to make no-names telephone enquiries with the relevant governmental authorities to seek their unofficial views. Whilst non-binding, these provide some level of guidance on how the authorities administer their functions and powers, especially where there is legislative ambiguity or (as here) a gap.
The authority in charge of all matters related to Internet services, information technology and telecommunications in China is the Ministry of Industry and Information Technology (the "MIIT"). Using a specific theoretical cross-border business model in relation to cloud computing, we made several no-names enquiries with the central MIIT in Beijing, as well as with its local branches located in various first-tier cities. None of the MIIT officials to whom we spoke was able to provide a definite or clear answer to the question of whether the theoretical model would be permitted under PRC law. In short, it seems Chinese officials are still trying to come to grips with the legal implications of this area.
China's policy environment
We note further that the cloud computing business apparently currently benefits from a favourable policy environment in China. The central and local PRC authorities have recently issued a series of policy statements encouraging research and development on cloud computing and related services in China and encouraging service outsourcing to China, where China is a long way behind India in that area. For example, at the national level, the central MIIT issued the Circular on the Main Points for the Standardisation Work of the MIIT for the Year 2010 (工业和信息化部关于印发《工业和信息化部2010年标准化工作要点》的通知) on 11 April 2010. Shortly after this, on 12 May 2010, the National Development and Reform Commission (the "NDRC"), the main agency under the State Council in charge of formulating and implementing macro-economic policies, issued the Circular on Promoting Work Relevant to the Development of High- Technology Services (关于当前推进高技术服务业发展有关工作的通知).
Whilst these circulars are merely policy documents aimed at encouraging the domestic development of cloud computing rather than normative documents creating legal rights and obligations for cross-border market participants, they nevertheless show, to a certain extent, the positive attitude of the central government towards cloud computing and related services. This makes it all the more puzzling as to the silence on the regulatory front. Perhaps China sees this as a lesser priority given the majority of the providers are currently overseas companies but will sharpen its focus as more domestic providers emerge.
Major China regulatory issues
Although, as noted above, China has no specific legislation on cloud computing and related services, certain features and elements of a cloud computing business may be caught by existing PRC laws. In this context, we set out below a list of the main China regulatory issues which may be applicable to the provision of cloud computing related services.
China regulates and requires a telecoms operating permit ("Telecoms Permit") for services such as pay-to-play websites such as eBay or online gaming (as Internet Information Providers), ISPs, Internet Data Centres (all VATS). It is still unclear whether an overseas service provider who provides cloud computing related services to China users from within China needs to obtain a telecom license. For overseas providers, the key issue is whether the service amounts to provision of a telecoms service within the PRC, in which case a Telecoms Permit would be needed.
Registration of imported software
China has specific legislation on registration and filing of software (include imported software and domestic software). While the registration (again with MIIT) is often seen more as a condition to obtaining certain preferential treatment for the domestic software industry than as a hard legal requirement (as there is no explicit penalty for non registration), we have received conflicting views from MIIT officials on the consequences of non-registration.
Registration of imported technology
China has a specific technology import/export regime which covers registration/approval of technology import and export contracts. The import of "restricted" category technologies has to be approved by the Chinese Ministry of Commerce ("MOFCOM"), whilst imports of "unrestricted" technologies only have to be registered with MOFCOM. Failure to obtain the registration or approval would make it difficult for the Chinese user (in particular a corporate user) to convert RMB and make foreign exchange payments to the overseas service provider, and in the case of restricted technologies only, would invalidate the underlying contract.
Complex encrytion issues
Encryption technology, particularly foreign encryption technology, is a sensitive political issue as far as the Chinese government is concerned, because the use of encryption can potentially prevent it from reading intercepted communications traffic. The importation of foreign encryption technology and equipment applied in cloud computing related business for transmitting client data, in particular, if cross-border, is subject to heavy regulation by the PRC government, although foreigners and foreign invested enterprises (and possibly others) in China may be able to obtain one-off import permits for self-use foreign encryption technology and equipment.
Content controls in China
China has widely drafted regulations which govern the content that can be sent over a telecoms or Internet communications network. The rules prohibit any internet information service provider (i.e. ICP) from creating, reproducing, publishing or disseminating, and any organisation or individual from using telecommunications networks to create, reproduce, publish or disseminate information containing prohibited content. The forbidden categories are sufficiently broad to allow wide scope for interpretation.
Rules on State secrets
When a foreign service provider is providing cloud computing services to a China user, it may also have to consider an issue relating to the PRC rules on "State secrets". The PRC government has broad discretion to determine which information falls within the category of State secrets, for example, by law the trade secrets of certain State-owned enterprises may be deemed be constitute "State secrets". Breach of the laws governing State secrets (including supplying them to overseas persons) is a criminal offence in China, with potentially very serious consequences.
We are aware that under the laws of certain jurisdictions, one of the main challenges for organisations looking to move to web-based software and data storage is the local data protection rules. For example, in certain jurisdictions, organisations may be prohibited from transferring personal information of their employees to foreign jurisdictions that do not offer an adequate level of protection with respect to personal information or subjected to other onerous requirements as a condition to being permitted to make such a transfer. A purchaser of cloud computing services and/or the service provider may be violating the laws of such jurisdictions if the data flows to overseas servers in prohibited jurisdictions.
In China, the legal framework relating to individual privacy and personal data protection is extremely fragmented and incomplete, with only a few relevant provisions dispersed in piecemeal fashion throughout various laws and regulations in China. A data protection law has been circulating in draft form since 2005 but is still not law. Whilst there are currently no express restrictions on cross-border transfers of data per se (but see "content controls" above), we believe that China will impose restrictions on this type of activity in the foreseeable future.
The legal status of cloud computing under Chinese law remains unclear and a work-in-progress. However, that does not mean that cloud computing-related activities are unregulated in China. As noted above, many of the activities around cloud computing will be caught by other areas of existing legislation, and hence these will need to be considered before putting together any proposed service offering inside China or on a cross-border basis. The lack of a legal framework can be seen either as a challenge or as an opportunity: what is clear is that when this area does become specifically regulated, given China's patchy track record of opening up other information industry services markets to foreign investment since China's WTO accession, it may become much more challenging for foreign players to enter the market.