What are the main concerns about Chinese data protection Regulations for foreign ISPs

Having one of the largest and most lucrative internet user bases globally, internet service providers (ISPs) always seek to enter the Chinese market despite their stringent and protective regulations that prioritize their national security and public interest. In this article, we will outline all the key issues that a foreign ISP must consider when aiming to enter the Chinese market. 

Provide internet service in China 

For a foreign ISP to operate in China, it must partner with a Chinese entity to form a joint venture because, following China’s commitments on trade in service, telecommunication service suppliers are only permitted to establish joint ventures in which the foreign investment is capped at 50%. Afterward, the joint venture needs to obtain its business license and register it with the State Administration for Industry and Commerce to certify its eligibility to operate within mainland China. 

After forming the joint venture with the local partner, the ISP needs to obtain a telecommunication license to provide its services. Telecommunication in China is divided into two categories: basic telecommunication businesses and value-added telecommunication businesses: 

• The first category means businesses that provide public network infrastructure, services for public data transmission, and basic voice telephony services.
• The second category is businesses providing telecommunications and information services using public network infrastructure.

Besides the telecommunication service license, if the company wants to host a website for posting information and doing business online in China, it will need to obtain an Internet Content Provider (ICP) license. There are two types of ICP licenses: 

• The ICP Filing is required for non-commercial sites that are purely informational and not involved in selling goods or services.
• The Commercial ICP license is required for commercial sites which generate revenues. 

Conditions for obtaining these licenses are often challenging for foreign companies, especially when they are unfamiliar with strict Chinese regulations that often leave plenty of room for the competent authorities’ discretion. That’s why the most common practice for foreign companies when they want to enter the Chinese market is to partner with a Chinese telecommunication company that already satisfies all these requirements, such as China Telecom, China Unicom, or China Mobile so that they can provide their service effortlessly. 

Personal data and cyber security requirements

China is known for its proactive approach to preventing external influences in cyberspace and stringent protection over its data privacy. It imposes strong regulations on data privacy and cyber security to prohibit content or incidents that could be detrimental to national security or public interest. 

Following the Cybersecurity Law in 2017, ISPs are required to obtain users’ accurate identity information when signing an agreement or providing a service. ISPs shall not provide relevant services if the users do not provide their real identities. According to the Chinese authority, the real name registration rule ensures a safer Internet and protects public interests and social orders from fake news, fraud, or hysterical rumors that could undermine the stability of the state management system. However, this rule creates complex obligations and huge compliance costs for ISPs since they must implement a system to verify the identification information provided by the users when they use their services/networks. 

In addition to the real name registration rule, the Chinese government takes its security level even further by deploying a set of legal and technological measures known as the Great Firewall. This censorship system blocks all online foreign information sources and platforms that the government considers to contain content that is detrimental to its national security or inappropriate for its population. These websites include Google, Facebook, Instagram, WhatsApp, and many news websites such as the New York Times, the Washington Post, BBC, Le Monde, etc. Therefore, ISPs must be aware of and update the detailed list of blocked sites and services to prevent basing on any of such sites and services.

As the Chinese authority exercises extensive power and control over public data and personal information at a comprehensive, centralized level, it is reasonable that the Chinese authority enforces strict data privacy laws. Regarding China's personal information protection law, Chinese authorities also establish rigid principles, unlike the common trend in personal data protection law in the world. It is compulsory for ISPs who process personal data that reaches the number prescribed by Chinese data protection laws to retain such data within the territory of China. Following China’s data protection laws, ISPs need to verify whether they fall within the conditions required to store their processed data within Chinese territory. Here is a simple chart that summarizes different scenarios: 

‍

‍

Diagram definitions:

CII: Critical Information Infrastructure 

Data volume threshold: Cumulative personal data of over 100,000 individuals or sensitive data of 10,000 individuals. 

Although China’s personal information protection law allows cross-border data transfer, it is quite difficult for ISPs to carry out a cross-border transfer. While other regulations recognize the equivalent level of protection that allows ISPs to transfer data seamlessly, China’s personal information protection laws provide limited transfer mechanisms. If ISPs do not fall within the exemptions, they can only choose among three mechanisms: 

• Pass the security assessment by the Chinese authority; 
• Get certified by a competent organization; 
• Use the standard contractual clauses stipulated by the Chinese authority. 

For more information about the Chinese regulations on cross-border data transfer, feel free to consult my first article on China data privacy law regulation update. 

Complying with all the requirements under Chinese cybersecurity law is also necessary. ISPs need to implement a robust security system to protect their networks from unauthorized access, hacking, or other threats and ensure data availability and confidentiality through backup and data encryption. 

Before approaching the Chinese market, ISPs should conduct comprehensive studies of all the relevant issues that they may encounter. This article summarizes the important issues in the simple chart below: 

‍

Conclusion:

With strict and complex regulations, entering the Chinese market is always a challenge for foreign ISPs. Many relevant issues need to be considered. Specifically, many are left with room for the authorities to interpret themselves, making it even harder for companies to follow. For more information on local compliance, companies can fill in this form to receive a more detailed report. 

‍

Reference links: 

1. Cybersecurity law of China: Link
2. Personal Information Protection Law of China: Link 
3. Internet in China: Top concerns for foreign businesses: Link
4. Navigating the Internet in China: Top Concerns for Foreign Businesses: Link
5. The complete guide to the Great Firewall of China: Link
6. Regulations on Promoting and Regulating the Cross-border Data Flow: Link
7. China's new cross-border data transfer regulations: What you need to know and do: Link
8. Complete Guide on Data Residency and Cross-Border Transfers in China: Link 
9. China’s State Council Passes Key Data Security Regulations: Link
10. Overview of China’s Cybersecurity Law: Link
11. Real-Name Registration Rules and the Fading Digital Anonymity in China: Link
12. Global Data Privacy and Cybersecurity Handbook: Link     

‍