Many of our international clients are concerned about market rumours that the use of virtual private network (VPN) services in China will be further restricted. The main issue is whether the use of VPNs will become illegal, resulting in the blocking of related services.
Generally tightened control
It is true that something is happening in this field. VPN services have proved popular in China, not least because they allow internet users within China to access blocked overseas websites, bypassing the 'Great Chinese Firewall'. Many international companies which have globally deployed IT facilities also use VPNs in China to facilitate cross-border data flows and create a seamless and integrated corporate IT environment.
As the Chinese government increasingly prioritises cybersecurity, it has taken a series of actions to strengthen its control in the virtual world (see our article). On the legislative side, the most notable development is the enactment of the new Cyber Security Law in 2016, which came into effect on 1 June 2017.
The industrial watchdog, the Ministry of Industry and Information Technology (MIIT), followed up with a number of initiatives, including its Circular on Clearing up and Regulating the Internet Access Service Market (Circular 32), issued on 17 January 2017 to its local branches and various telecommunication operators. According to Circular 32, MIIT will engage in a project to clean up and regulate the internet access service market nationwide by 31 March 2018. In general, Circular 32 stresses that any telecoms business must be conducted in accordance with its licence terms. Sub-licensing, transferring business licences, or offering resources to others under the guise of technical cooperation are prohibited.
Existing VPN users
As far as VPN services are concerned, Circular 32 explicitly states that:
- Prior approval will be required for cross-border business operations intending to set up their own, or to lease, private leased circuits (PLCs), including VPNs and other information channels.
- Even if the PLCs are approved, they can only be used to handle internal official business and shall not be used to connect onshore and offshore data centres or business platforms to carry out telecom business operations.
The wording of Circular 32 might appear straightforward, but considered in the context of business realities it poses a number of questions. Does it mean that an integrated corporate IT environment connecting China and the rest of the world via VPN now generally becomes illegal? And does it mean that companies using VPNs will need to obtain approval from MIIT before continuing to use them?
In our view, at least in the context of Circular 32, most companies using VPNs do not need to be overly concerned by either of these issues. First, our reading of Circular 32 indicates that it is targeting those who are offering VPN services including related facilities but not those who are using VPN services. This was confirmed at a press conference on 24 January 2017, by an MIIT spokesman who said specifically that use of VPNs by international companies for their internal business purpose will not be impacted by Circular 32.
For the majority of international companies (which do not offer VPN services), Circular 32 will not affect the lawfulness of their business operations. However, the potential business impact should not be underestimated, given that the supply of some existing VPN services used by international companies may still be affected. Foreign investment in the Chinese telecoms sector is still subject to many restrictions. Many international companies’ IT solutions are managed from head office outside China using a non-Chinese service provider who might not necessarily hold all the required licences for the Chinese market and has to operate in conjunction with a local partner. Performance and quality of domestic telecoms services may still fall below expectations, which is another factor driving up demand for better services with the involvement of a non-Chinese service provider. These factors increase the 'grey area' in the market, which has already become an open secret.
Non-Chinese telecoms service providers will need to insist on a disclaimer clause carving out potential liability associated with compliance risks in the Chinese market. You should:
- check your existing IT structure, in particular the parts relating to VPNs, for any supplier-side risks;
- review the contractual arrangements for your IT solutions to ensure you are legally safe from any potential non-compliance on the supplier side and ensure you have appropriate indemnities if something goes wrong; and
- revisit your internal IT policy to mitigate any potential user-side risks, e.g. misuse of the sensitive VPN services by employees for purposes not yet allowed by Chinese law.