Use the Lexology Getting the Deal Through tool to compare the answers in this article with those from other jurisdictions.

Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

Three models of cloud computing have been adopted in China. These are:

  • Public cloud model: this market has been growing quickly since 2015. According to data from the biannually published China Cloud Service Tracker of 2017 released by the International Data Corporation (IDC), the total market value of the public cloud services reached US$4 billion. In the public cloud market, the infrastructure-as-a-service (IaaS) accounts for the largest market share, with an increase of 72 per cent in 2017, with the users in the IaaS market mainly being start-up companies, internet companies and so on. Software-as-a-service (SaaS) is the second biggest segment of the market with an increase of 40.1 per cent, with their users mainly coming from traditional industries. The smallest segment of the market is the platform-as-a-service (PaaS) sector, which is mainly adopted by individual developers and small to medium-sized enterprises.
  • Private cloud model: the market volume of the private cloud model has reached 34.48 billion yuan in China, which is a 25.1 per cent increase than that of 2015, according to the China Private Cloud Development and Investigation Report issued by the China Academy of Information and Communications Technology (CAICT) in April 2017. It also mentioned that, among the interviewed enterprises by the CAICT, there was a 25.4 per cent increase of the enterprises that deployed cloud computing in 2016 and the deployment of private cloud thereof has increased 8.9 per cent. The private cloud is mostly applied in the IT system within the enterprise, including the management system, office system and communication system.
  • Hybrid cloud model: this combines the advantages of both the public cloud (least costly) and the private cloud (security). It is estimated that the hybrid cloud model will be most common in large and medium-sized enterprises.

It worth mentioning that, to increase the technology level of cloud computing transaction in China, China tried to innovate the transaction of cloud computing service by establishing its first cloud computing transaction platform - Xinjiang Central-Asian Commodity Trading Centre - in September 2014, with the strong support of local government. It carries out spot transitions, using ‘cloud computing’ as trading variety, and it can match seller and buyer of cloud computing on the transaction platform. For instance, a client can transfer its extra cloud computing to another client who needs it through this platform.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

According to the IDC’s China Public Cloud Service Tracker 2015, Amazon.com took sixth place and accounted for 4.3 per cent of IaaS market share in China in 2015, IBM took 11th place and accounted for 0.1 per cent of the market share. Although Oracle and VMware were also listed, no specific market shares were recorded. It is worth noting that global international cloud providers have to operate in the Chinese market by cooperating with domestic service providers or technology licensing and so on. For instance, Amazon.com cooperated with Beijing Sinnet Technology Co Ltd to conduct formal commercial application in China in 2016. Before that, it could only cooperate with clients, such as Xiaomi and TCl, with limited preview service. Similarly, upon cooperating with 21Vianet and CapitalOnline Date Service in terms of private cloud and public cloud services respectively, IBM announced in March 2017 that it will cooperate with an affiliate of the Wanda Group to provide IaaS and PaaS cloud computing services, and according to the IBM spokesperson, their cooperation will be in charge of the distribution, construction and operation of the IBM cloud platform in China. Microsoft Azure has also entered China by cooperating with 21Vianet, and it is said that it has more than 70,000 enterprises clients in China. Other global international cloud providers in China are Oracle, which announced its cooperation with Tencent Cloud in September 2016 in hope of promoting its cloud computing service in China; and Cisco, which entered the Chinese cloud market by investing UnitedStack, a Chinese open-source cloud computing enterprise at the end of 2015. In addition, Apple is also a cloud provider in China owing to its iCloud service, and it is reported that Apple started to store the iCloud data of its Chinese users in the China Telecom cloud service in 2014.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

According to the IDC report, Alicloud is the biggest cloud service provider in China and its major users are internet enterprises. Alicloud is an Iaas, and provides a virtual hardware platform for development, as well as services, such as elastic compute, storage, database, internet, domain name and website. It is reported that it accounted for 31 per cent of the IaaS market share in China in 2015, and its fast growth can be attributed to the fast growth of internet enterprises, development of mobile end, transition of traditional industry ecommerce, as well as the drive of game industry and oversea expansion. China Telecom and China Unicom are the second and third largest cloud service providers focused on services, such as cloud server, object-oriented storage, content delivery network and so on, and most of their users are government institutions and enterprises. In addition, 21Vianet, Kingsoft, ChinaCache, among others, are also the top cloud service providers in China.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

It was reported in an article titled: ‘Cloud Computing Market will Reach 57.064 billion in 2019, Internet Giants Set off Multi-dimensional Competition’ published by caijing.com.cn on 13 January 2017, that the cloud computing service market has been growing continuously in recent years, and it is estimated that the total market value will reach 279.7 billion yuan in 2016, an increase of 41.7 per cent year on year.

As estimated by the Ministry of Industry and Information Technology (MIIT) in its Three Year Action Plan for Development of Cloud Computing, China’s cloud computing industry will reach 430 billion yuan in 2019. Also, according to an interpretation of the MITT’s Action Plan, the cloud computing industrial structure continues to optimise, and the industry chain tends to complete. Key technologies such as large-scale concurrent processing, mass data storage and data centre energy-saving have achieved breakthroughs, and even reached the international advanced level. Backbone enterprises have been rapidly developing the strategic layout including efficiencies to improve their business categories. Large enterprises, government agencies and financial institutions continue to accelerate the pace of application of cloud computing, and the application areas of cloud computing continue to expand into manufacturing, government, finance, education, medicine and other fields.

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

There are some data and studies on the impact of cloud computing in China available publicly. For instance, a report called the ‘Cloud Computing Development White Book’ (2015) issued by China Center for Information Industry Development (CCID), a research institution affiliated to the MIIT, is available online; and the China Private Cloud Development and Investigation Report issued by CAICT (see question 1).

According to these reports, the traditional IT enterprises have been vigorously launching cloud computing businesses and have speeded up the expansion of the market share through mergers and acquisitions in order to meet the requirement of the market; and the application of cloud computing is involved in traditional IT outsourcing and other IT transactions. As of 2015, 52 government departments and more than 300 business applications of Jinan City use cloud services, which accounts for more than 80 per cent of the non-confidential e-government system (the White Book by CCID). According to another report, the ‘Cloud Computing Industry Research Report’ issued by the Soochow Securities, the ‘Golden Power’ platform of China Financial Computerization Corp, an enterprise directly under the People’s Bank of China, can provide disaster-based data centre services based on the heterogeneous IaaS platform, and provide cloud services such as disaster relief, training, takeover, recovery, switching and back-cutting services for small and medium-sized financial institutions. So far, it has provided disaster recovery services for the People’s Bank of China and more than 20 small and medium-sized financial institutions.

Although China’s cloud computing technology is not yet very mature, it has been extensively used in software engineering. The traditional software engineering development and relevant technology is bound to make significant changes accordingly.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

Yes, the Chinese government issued several policies concerning the development of cloud computing as follows:

  • Opinions of the State Council concerning the Promoting Innovation and Development of Cloud Computing and Cultivating New Format of Information Industry issued in January 2015, which is the most important policy as the guideline of cloud computing development in China. The Opinions indicate six main tasks to strengthen the growth of new format, industrial support and security, including:
  • enhancing the ability of cloud computing services, vigorously developing the public cloud computing services, and guiding enterprises to adopt safe and reliable cloud computing solutions;
  • enhancing the ability of independent innovation, and breaking the cloud computing and large data key core technology;
  • exploring the new model of e-government cloud computing development;
  • strengthening the development and utilisation of large data;
  • optimising the layout of cloud computing infrastructure, and accelerating the optimisation and upgrading of information network infrastructure; and
  • improving the security capabilities, researching and improving the cloud computing information security policies and regulations, and strengthening the assessment review and monitor.
  • Opinions concerning Enhancing Cloud Computing Service Network Safety Management of the Party and Government Department issued in May 2015, which focus on cloud computing security issues. According to the Opinions, the cloud computing service platforms and data centres that provide service for the party and government should be located in the territory of China, and sensitive information should not be transmitted, processed or stored outside China. A security or confidentiality agreement should be signed by the departments and the provider. Regarding businesses relating to state secrets or work secrets, social cloud computing services should not be applied though.
  • Guideline Opinion of the State Council concerning Actively Promoting ‘Internet +’ Actions issued in July 2015, which points out the direction of combining the cloud computing and traditional industries (eg, industry, financing, social services).
  • Action Outlines of Promoting Big Data Development issued by the State Council in August 2015. The State Council promises to promote the healthy development of the big data industry, by encouraging enterprises to increase the data key technology research and development, and improving the regulatory and standard system.

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

Yes, according to MITT’s Three-Year Action Plan for Development of Cloud Computing, the government will provide fiscal and other support for cloud computing enterprises, including but not limited to:

  • optimising the financing environment for such enterprises, simplifying the financing process, promoting policy banks, industrial investment institutions and security agencies to increase the support of cloud computing enterprises, and increasing credit support;
  • supporting cloud computing enterprises to finance from capital market, conduct acquisition and expand the market;
  • encouraging cooperation between the enterprises and universities for talent training;
  • enhancing brand-making in the industry;
  • supporting key enterprises in the industries’ overseas development; and
  • speeding up the establishment and improvement of cloud computing in the field of international cooperation and exchange platforms by setting up professional, market-oriented overseas market service systems in order to support the overseas layout of the backbone cloud computing enterprises.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

Yes, the importance of cloud computing, big data and such like have been recognised by more and more industries, even in the legal system. For instance, there are more online legal databases providing judgment and case studies, such as the China Judgments Online, which is a platform of the people’s courts in China to publish their judgments, as well as some commercial legal database. The public, especially the parties concerned in a case, may also find important judicial information or data, such as dishonest persons subject to enforcement or other lawsuit information. In addition, at the Computing Conference 2016 held in Hangzhou, a legal robot that could realise AI case analysis and lawyer selection based on legal big data was launched.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The cloud computing or data service should comply with the provisions concerning cyber operation and information security stated in the PRC Cyber Security Law and the PRC Counterterrorism Law. There are also other regulations that govern the data security as well as data transfer in certain fields. For instance, the Opinions concerning Enhancing Cloud Computing Service Network Safety Management of the Party and Government Department mentioned above, specifically provide that a cloud computing service platform and data centre for the party and government departments must be established within China. Also, certain kinds of information or data, such as personal credit information, personal financial information, health information, map data, government information, enterprises’ accounting information and human inheritance resource information and the like, are prohibited or restricted from being transferred overseas.

In addition, there is a national standard named ‘Information Security Technology - Security Capability Requirements of Cloud Computing Services’ concerning the issue.

Also, in order to conduct IDC and internet service provider (ISP) services that cover the cloud computing services in China, such service providers, whether they are domestic or foreign providers, must obtain the relevant IDC/ISP licence from the MITT. However, such licences are only open to foreign investment from Hong Kong and Macao in accordance with the Closer Economic Partnership Arrangement signed between the Chinese central government and the governments of the Hong Kong Special Administrative Region and the Macao Special Administrative Region respectively. In other words, for foreign cloud service providers (excluding those from Hong Kong or Macao) that want to conduct cloud computing service in China, they cannot directly conduct such operation in China unless they cooperate with qualified domestic service providers as mentioned in question 2. If such cooperation is in the form of creating a joint venture to run a cloud service operation in China, the ratio of the foreign investment in the joint venture should be further subjected to the restrictions (no more than 50 per cent for a value-added telecoms service and no more than 49 per cent for a basic telecoms service) provided in the Catalogue for the Guidance of Foreign Investment Industries (amended in 2015).

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Legislation or regulations that involve information protection (eg, data privacy) may indirectly prohibit, restrict or otherwise govern cloud computing in China: General Provisions of the Civil Law, Criminal Law, Tort Law, Public Security Administration Punishments Law, Law on the Protection of Consumer Rights and Interests, Provisions on Protecting the Personal Information of Telecommunications and Internet Users, Regulation on Internet Information Service of the People’s Republic of China, Provisions on the Administration of Communications Short Message Services, Administrative Measures for Online Trading, among others.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

A breach of the laws and regulations mentioned above will result in the breaching party facing administrative, civil or criminal liabilities depending on the circumstances. Taking the breach of the PRC Cyber Security Law as an example, where an internet operator violates the obligations concerning internet operation and information security, the operator will face administrative penalty from the government authorities, including, but not limited to, a warning, an order for rectification, suspension, cancellation of permission or business licence, confiscation of illegal gains or an administrative fine. The person in charge of the operator that violates the obligation may also face an administrative fine, administrative detention and a ban from re-entering the key position of the cyber-security management and internet operation. Apart from the administrative liabilities above, if the violation is so severe that it may constitute a crime, the operator will face criminal liability as well. Also, where the violation causes damage to an individual, such operation will come under civil liability in accordance with the General Principle of the Civil Law, the Tort Law and others.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

There is no law or regulation that specially or directly regulates the protection of consumers in terms of cloud computing yet. However, the Law on the Protection of Consumer Rights and Interests provides rights entitled by the consumers and obligations of the operators in general that naturally covers the field of cloud computing; and in articles 14, 29, 50 and 56 thereof, it especially states the rights, obligations and liability concerning personal information protection. Also, in the Administrative Measures for Online Trading, it specifies various measures to protect consumers’ right that also could apply to cloud computing, including, but not limited to, providing customers with detailed trading information (eg, information concerning goods or services, payment, returning policy, warning, after-sales), providing receipts or invoices in paper or electronic form to consumers, seven-day returning policy without reasons (excluding certain goods), privacy protection, application of standard clauses, dispute resolution channels and so on.

In addition, an operator of cloud computing may be subject to a tort liability when its wrongdoing infringes consumers’ civil rights or interests, including the right to name, reputation, privacy and IP right in accordance with articles 2 and 6 of the Tort Law. Also, a well-designed cloud computing contract for consumers can be a consumer protection measure under the Contract Law.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

In accordance with the Cyber Security Law, operators of key information infrastructure should store personal information and important data collected and generated during its operation within the territory of China. Key information infrastructure includes public telecommunications and message services, energy, transportation, water conservation, financing, public service, e-government, as well as those that may severely threaten national security, people’s livelihoods and public interest once such key information infrastructure is damaged, malfunctions or suffers data loss.

Also, as mentioned in question 9, information and data are prohibited from being transferred overseas. Those sectors include, but are not limited to, credit investigation, banking and financing, health information, map data, government information, enterprises’ accounting information and human inheritance resource information and so on.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

There is no specific insolvency law or regulation concerning the cloud computing field in China. In cases where a cloud computing supplier that possesses data or information owned by a customer goes bankrupt, the customer who is the rightful owner or legal holder of the data or information may claim the right to its data or information as a creditor in accordance with article 38 of the PRC Bankruptcy Law, which provides that ‘if, after the people’s court accepts the bankruptcy petition, the debtor is in possession of property not belonging to it, the holder of the rights in such property may recover the same through the administrator, unless otherwise specified in this Law’.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

The principal data protection or privacy legislation applicable to cloud computing in China includes, but is not limited to, the PRC Cyber Security Law, General Provisions of the Civil Law, Criminal Law, Tort Law, Public Security Administration Punishments Law, the Law on the Protection of Consumer Rights and Interests, Provisions on Protecting the Personal Information of Telecommunications and Internet Users, Regulation on Internet Information Service of the People’s Republic of China, Provisions on the Administration of Communications Short Message Services, Administrative Measures for Online Trading, Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks, Regulation on the Administration of Credit Investigation Industry, Notice of the People’s Bank of China on Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information and Measures for the Administration of Population Health Information (for Trial Implementation).

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

Cloud computing contracts in China are usually in written form (electronic form available) and most of the clauses therein are standard clauses prepared by the cloud computing service provider.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

In China, the formation, validity, implementation and interpretation of a cloud computing contract is governed and construed in accordance with the Contract Law and other relevant laws and regulations of China, and any dispute arising out of the contract can be resolved by negotiation, or be submitted to a Chinese people’s court with jurisdiction (eg, the people’s court where the cloud computing service provider is located) or an arbitration institution in rare circumstances.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

In China, a typical cloud computing contract usually includes the following clauses: service content, parties’ rights and obligations (especially focused on the users’ obligations), intellectual property, cap of liability and so on. Among them, in the users’ rights and obligations part, it usually specifies the compliance obligations that must be observed by the users. For instance, users should not use the cloud service to conduct or provide convenience to non-compliance or even illegal actions (eg, gambling, sending unsolicited emails, damaging or disturbing the operation of the cloud service). As to price and payment clause, this may not be included in the main service contract on the grounds that it may be contained in a separate order, and the price and payment clauses are quite different owing to the versatile services provided by different providers in order to meet the users’ varied needs .

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

In China, the typical terms of a cloud computing contract include a term concerning confidentiality, which normally provides that one party will keep the other party’s personal information (eg, technologies, trade secret, proprietary information) confidential unless it is required to by law, regulations or competent authorities. Typical terms of a cloud computing contract concerning confidentiality may include content as follows:

  • confidential information normally refers to technical and business information that is unknown to the public, but can bring economic benefits, be practical and have taken confidential measures, information related to business activities or operating methods such as customer information and marketing programmes and so on, technical information, statistical data, methods and results for technical improvements and their forms and carriers;
  • forms of confidential information generally include computer data forms - written, graphic, symbol and other written form or picture form; media forms - recording sound and images; and oral communication forms;
  • confidentiality period; and
  • responsibility for leakage.

The term of such confidentiality clause will continue after the termination of the cloud computing contract.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

In China, the typical terms of a cloud computing contract concerning liability or warranties may include the following content: the cloud computing service provider will not warrant that its service will meet all the users’ requirements, nor that its service will be timely, safe, reliable without interruptions or errors. The service provider will not be liable for service interruption owing to reasons such as force majeure (eg, natural disaster, act of government), fault of infrastructure operator, internet security incident and other circumstances that the service provider could not foresee or avoid even if it has foreseen such circumstances. Also, any indirect losses arising from the contract are usually excluded from the liability of the service provider.

A customer is obliged to ensure that all the information provided by it:

  • is true and effective;
  • conforms to Administrative Measures for Internet Information Services and other relevant law and regulations;
  • does not contain any information that poses a threat to national security, promotes violence and crime, war, terrorism, militarism, Nazism and national hatred, or involve obscene content;
  • does not harm the health of children; and
  • does not infringe others’ IP rights or privacy or violate public morality or public order.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

In China, the typical terms of a cloud computing contract concerning IPR may include content as follows: the intellectual property rights (eg trademark right, copyright) entitled by each party are exclusively owned by each party, and one party will not use the other party’s intellectual property rights without the other party’s prior permission. One party will warrant that software, material and the like obtained or used by such party does not infringe any third party’s legal right. The IPR term will continue after the termination of the contract.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

In China, a cloud computing contract may be terminated due to various reasons including mutual agreement, the term of service depending on the user’s payment made to the service provider or violation of the obligations by users. Upon termination, the user may be given a certain period (eg, seven days), which varies depending on the service provider, to transfer all the data. The fee incurred from such period will also be borne by the user. After the said period expires, the service provider will delete the user’s data.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There is no labour and employment law or regulation that applies specifically to cloud computing in China. The cloud computing enterprises have to comply with labour-related laws and regulations, such as the PRC Labour Law and the PRC Labour Contract Law among others, as other enterprises do.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

In accordance with the Opinions of the State Council concerning Promoting Innovation and Development of Cloud Computing and Cultivating New Format of Information Industry, the cloud computing companies could be incorporated into the definition of software enterprises, state planning key software enterprises, high and new tech enterprises and advanced technology service enterprises, and be entitled to relevant preferential tax policy, assuming that the cloud computing companies meet the requirements of those enterprises. Once the cloud computing companies are recognised as one of those enterprise types mentioned above, they may enjoy various preferential tax policies, such as a rate of 10 per cent of incorporate income tax for state planning key software enterprises, 15 per cent for high and new tech enterprises and so on. (The standard rate of incorporated income tax is 25 per cent.)

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

For provision of computing services in China, the cloud computing service provider is subjected to the same major taxes as other enterprises face, including, but not limited to, income tax, VAT, tariffs and so on. As to importing cloud computing services from outside, the relevant tax policy is to be specified.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

In a second instance judgment issued by the Beijing Intellectual Property Court in April 2016, it maintained the first instance decision that the Cloud Cell Phone Assistant operated by Aliyun, a cloud computing service platform under the Alibaba Group, infringed certain works’ information online broadcasting rights that were owned by ChineseAll.com (the plaintiff). The plaintiff claimed that it owned the exclusive right for the online broadcasting of 12 books, as authorised by the author. In January 2015, the plaintiff found that the Cloud Cell Phone Assistant of Aliyun incorporated an application that contained the unauthorised 12 books mentioned above for downloading by users. Although a warning letter was sent to Aliyun, no response was received by the plaintiff and the infringed works could still be downloaded thereafter. During the trial, Aliyun argued that, according to its Application Service Cooperation Agreement, it only provided a displaying and promoting service for a third party’s application and software. For instance, a third party could transfer its product to Aliyun by email, FTP, URL, among others, and start an information service through the Aliyun platform; and Aliyun would introduce such party’s product to its application centre for users’ downloading. The court considered that Aliyun constituted providing works based on cooperation and division of labour with an outside party, other than merely providing storage room or linking service. Even if it was only considered as providing the storage room or linking service, it must take immediate measures and delete infringing content upon the receipt of infringement notice from the rightful owner. According to the first instance judgment, Aliyun was ordered to compensate the plaintiff for financial loss amounting to 120,000 yuan.

Update and trends

Update and trends

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

The main challenges facing cloud computing within, from or to China stem from the information security aspect, which involves issues such as data cross-border transfer, personal information protection, data processing and mining among others.

Taking the data cross-border transferring as an example, in accordance with the Cyber Security Law, operators of critical information infrastructure should store personal information and important data collected and generated during its operation within the territory of China in China. Critical information infrastructure includes public telecommunication and message services, energy, transportation, water conservation services, financing, public services, e-government, as well as those services that may severely threaten national security, people’s livelihoods and public interest, if damage to those infrastructure services takes place. If a business is involved in the provision of critical information infrastructure services in China, it could find that complying with the Cyber Security Law is onerous.

As to personal information protection, although there are no unified measures for regulating the cross-border transfer of personal information in general, personal information in relation to credit information, financial information, health information and the like, are subject to restrictions. It is worth of noting that, ‘personal information’ has been defined as referring to ‘various information that can identify a certain natural person or reflect certain natural person’s activity, whether individually or combining with other information, in electronic or other format, according to the Information Security Technology’ - Personal Information Security Specification (GB/T35273-2017 (the Specification)), which came into effect on 1 May 2018. More specifically, it is now known that personal information may include the following:

  • personal basic information (eg, name, birthday, sex, etc);
  • personal identity information (eg, ID card, passport, driving licence, etc.);
  • personal biological identifying information (eg, genetic details, finger print, vocal print, etc);
  • online identity information (eg, system account, IP address, etc);
  • personal health physical information (eg, relevant record generated from medical treatment, etc);
  • personal education and work information (eg, personal occupation, title, etc);
  • personal property information (eg, bank account, etc);
  • personal communication information (eg, communication record and content, etc);
  • contact information (eg, contact record, friend list, etc);
  • personal internet surfing record (eg, user’s operation record stored by log file, etc);
  • personal often used equipment information;
  • personal location information; and
  • other information.

The Specification also sets out the definition of ‘personal sensitive information’, which means personal information that may endanger personal and property security, resulting in damage to personal reputation, physical and mental impairment or discriminatory treatment and so on, once it is disclosed, illegally provided or abused. The scope of personal sensitive information is similar to that of personal information.

Furthermore, in the latest draft of the Measures of Security Assessment of Personal Information and Important Data Exported Abroad issued in 2017, personal information and data being transferred abroad may be subject to evaluation by the industry administrative or supervision departments under certain circumstances, such as containing, or cumulatively containing, the personal information of more than 500,000 individuals; amount of data more than 1000GB; data in the fields of nuclear facility, chemical biology, national defence, demographic health, among others.

On 13 April 2018, the China Financial Standardization Technical Committee (CFSTC) issued a notice concerning solicitation of public opinions for three financial industry standards relating to cloud computing. The three drafted standards are ‘Financial application specification of cloud computing technology - Technical architecture’; ‘Financial application specification of cloud computing technology - Security technical requirement’; and ‘Financial application specification of cloud computing technology - Disaster recovery’.

According to CFSTC’s drafting statement, the purpose of such drafts is to encourage and regulate information technology to be applied in the financial industry, effectively prevent financial risk, enhance finance’s ability to serve the real economy, and fully bring the cloud computing into the play of financial information establishment. Those standards can be applied to various service models, such as IaaS, Paas and SaaS, and different deployment models, such as private cloud, community cloud or hybrid cloud.

The drafts include three parts, which are technology framework, security technology requirements and disaster recovery. In terms of technical architecture, it divides the financial industry cloud computing technology framework into different levels from bottom to top, including basic hardware resource level, resource abstract control level, cloud service level, as well as operation management level; and brings up relevant requirements.

In terms of security technical requirements, it brings up requirements from various aspects, including basic hardware, resource abstract and control, optional components, application, data and management, in order to establish a cloud computing security defensive line from the bottom level to the application top level.

In terms of disaster recovery, it divides the disaster recovery ability of the cloud computing platform into different levels based on the affected scope and the level of impact the suspension of the business will have, and brings up the key index to be reached at each level and the specific technical requirements to be fulfilled.