Many of our international clients recently approached Taylor Wessing enquiring about market rumors that the use of virtual private network (VPN) services in China will be further restricted. There are concerns whether or not this will result in use of VPN being deemed illegal, resulting in the blocking of related services which could be disastrous for international operations that rely on VPN services. In below we share a clearer picture from a legal perspective.
Generally tightened control
It is true that something is happening in this field. For a long time, VPN services have been popular in the market which allows Internet users within China to access blocked overseas websites bypassing the Great Chinese Firewall. Many international companies who are having their IT facilities deployed globally also use VPN in China to improve cross border data flow performance as well as creating a seamless and integrated corporate IT environment. Against the background that cyber security becomes a top priority concern of the country, the Chinese government has taken a series of actions to strengthen its control in the cyber world (Please refer to our recent article published on EuroBiz regarding another similar legislative move which also has complicated implications concerning this industry (see An overcast outlook: cloud services in China)). On legislation side, the most remarkable move is the enactment of the new Cyber Security Law in 2016 which will take effect on June 1, 2017. As industrial watchdog, the Ministry of Industry and Information Technology (MIIT) followed up with very specific moves which include its Circular on Clearing up and Regulating the Internet Access Service Market (Circular 32) issued on January 17, 2017 to its local branches and various telecommunication operators. According to this Circular 32, MIIT will clear up and regulate the internet access service market nationwide from the date of its issuance until March 31, 2018. In general, Circular 32 stresses that any telecom business shall be conducted on the strength of the respective license granted. Sub-leasing, transferring business licenses, qualifications or offering resources to others in disguised form of technical cooperation is prohibited.
Fate of existing VPN use
As far as VPN services are concerned, Circular 32 explicitly states that the below activities shall be cracked down:
- without approval, conducting cross-border business operations by setting up on its own or leasing private leased circuits (PLC) including VPN and other information channels.
- PLC can only be used by users to handle their internal official business exclusively and shall not be used to connect onshore and offshore data centers or business platforms to carry out telecom business operations.
The above wording might appear straight forward. But if read in the context of business realities, it will lead to many questions, e.g. does the above mean that generally an integrated corporate IT environment connecting China and the rest of the world via VPN now becomes illegal? Does it mean that companies using VPN will in future need to obtain a special approval from MIIT before they may continue using VPN services?
In our view, at least in the context of Circular 32, most companies using VPNs do not need to worry about the above two questions. First, our read of Circular 32 indicates that it is targeting those who are offering VPN services including related facilities but not those who are using VPN services. During a recent press conference on January 24, 2017 (see http://www.miit.gov.cn/n1146295/n1652858/n1653018/c5476695/content.html), MIIT spokesman further confirmed this point and clarified that use of VPN by international companies for its internal business purpose shall not be impacted by Circular 32.
By assuming most international companies’ core business is not to offer VPN services (i.e. telecom business), they will stay legally safe after issuance of Circular 32. However, potential business impact shall not be underestimated. The reason to alert this is because some existing VPN services used by international companies may still be impacted on supply side. As a matter of fact, foreign investment in the Chinese telecom sector is still subject to many restrictions. Many international companies’ IT solutions are managed from head office abroad which quite often is deployed via a Western service provider who might not necessarily hold all the required licenses for the Chinese market and have to cooperate with a local partner. Performance and quality of domestic telecom services may still fall behind western expectation is also another factor driving up demand for better services with involvement of a western service provider. All these increase the chance of “grey area” practice on the market, which has already become a public secret. Due to this reason, many western service providers will need to insist on a disclaimer clause carving out its liabilities associated with compliance risks on the Chinese market. Therefore, our specific advice to you will be:
- check your existing IT structuring, in particular those relating to VPN, to detect any supplier side risks
- review contractual arrangement for your IT solutions to ensure you are legally safe from any potential incompliance risks on supplier side and you will be indemnified if something goes wrong
- revisit your internal IT policy to mitigate any potential user side risks, e.g. misuse of the sensitive VPN services by employees for purposes not yet allowed by Chinese law.