China's booming technology, media and communications (TMC) sector provides great market opportunities for cloud computing and related services. Its size, coupled with the fact that it is still fast growing, means that it simply cannot be ignored. However, as with many other aspects of this market, the regulatory environment in China is far from easy.

For some time, cloud services in general remained unregulated in China. In fact, it was not even possible to find the term explicitly addressed under the related telecommunications business classification catalogue (Telecoms Catalogue), formulated by the Ministry of Industry and Information Technology (MIIT). Cloud services can be equated to the service model of 'Infrastructure as a Service' (laaS), since they require an Internet Data Centre (IDC) licence, as they provide facilities tor data storage/computing and access management. However, under the Telecoms Catalogue for service models of 'Platform as a Service' (PaaS) and 'Software as a Service' (SaaS) it had been difficult to tell exactly which service licence(s) would be required. It is very important to note, though, that just because this was not explicitly addressed, does not necessarily mean there were no restrictions on providing cloud services in China. On the contrary, in China this usually means you do not have a sound legal basis for launching operations.

All this creates uncertainty and complexities for a service operator- in particular a foreign one trying to structure its cloud computing business. Some clarity was achieved in 2016, when the MIIT updated the Telecom Catalogue, introducing a new category, "internet resources collaboration services" as part of IDC services. This is a very general description supposed to cover all types of cloud-based services, however, there is still some ambiguity (and sometimes flexibility, based on past experience dealing with the MIIT) that can be applied when trying to determine whether a specific cloud service case falls into this scope.

On 24 November 2016, the MIIT presented to the public the draft Notice on Regulating the Operation Behaviours in the Cloud Service Market (Draft Circular) for consultation. Although its intention is to better regulate the market, unfortunately, it serves mainly to make the picture foggy again. Its stated purpose is to improve the market environment, regulate administration and promote the healthy development of the internet industry, but it aims to introduce many new regulatory requirements and constraints which will have a substantial impact on existing business models, in particular those of foreign players. Below are some key issues.

Market Access

The Draft Circular defines the term "cloud services" to be any internet resource collaboration service that is part of an IDC service under the Telecoms Catalogue. In other words, the use, via the internet or other networks, of equipment and resources constructed on data centres to provide customers with services that include: data storage; a development environment for internet applications; and the deployment of internet applications and operation management to users by way of easily accessible, use-on-demand, easily expanded and/or collaborative sharing. This definition could theoretically include all cloud-based business models (laaS, PaaS and SaaS), ranging from consumer applications to enterprise and Internet of Things applications. Since an IDC service is classified as a class one, value-added telecommunications service (VATS), which is still subject to a foreign investment access restriction (i.e. a foreign stake of not more than 50 per cent), full or majority foreign participation in the Chinese cloud service market is likely to become impossible due to the widened definition of "cloud services" if the Draft Circular is adopted in its current form.

In the past, outsourcing parts of the business to a qualified local partner holding the required VATS licence, was a practical way to circumvent licence requirements. Some foreign players used this approach to expand their global offering to the Chinese market. However, the Draft Circular will close the door on this model by explicitly prohibiting a qualified Chinese partner from, for example:

  • sub-licensing or assigning in a disguised form its VATS licence to its foreign partner, or providing resources, a location or facilities that enable such a partner's illegal operation;
  • enabling its foreign partner to conclude a service contract directly with cloud service customers;
  • delivering services to customers using only the trademark and brand name of the foreign partner; or
  • illegally providing users' personal information and network data to the foreign partner.

Obviously these cooperation models are viewed as 'too aggressive' by the MIIT. Since they have been practised in the past, the Draft Circular will now deliver a heavy blow to those international players that have already entered the Chinese market via these routes. They may have to switch to form a 50:50 joint venture (JV) with a local partner to apply for the required VATS licence and adopt a co-branding approach, which will certainly have negative implications on their business. Also to be noted is that the JV route currently remains a theoretical possibility - it does not necessarily guarantee the granting of a VATS licence for cloud businesses, not to mention the complicated procedural and implications.

Data Protection

With cyber security becoming a top priority of the Chinese Government, the Draft Circular also sets out the following obligations for cloud service operators:

  • their cloud service platforms must be constructed within the territory of China, and connection to overseas networks must go through MIIT-approved internet gateways. Connection to the outside via dedicated lines (in Chinese) or VPNs is not allowed (see our articles on data localisation and VPNs);
  • in addition to abiding by the general data protection rules (e.g. collection consent, data security, right to be forgotten), service facilities and data storage must remain within China for services that target Chinese users. Any cross-border data transmission and management must follow statutory requirements.

A version of this article first appeared in