Navigating the Chinese internet landscape poses significant challenges for foreign businesses. The country’s strict internet controls and complex cybersecurity regulations make it notoriously difficult. We look at how companies can develop an effective data security and compliance strategy for doing business in China.
China’s cyberspace environment is a notoriously difficult area for foreign businesses to navigate, due to the country’s strict internet controls and complex cybersecurity regulations.
Finding the right internet service provider (ISP), getting an internet content provider (ICP) license, setting up a website, and handling VPNs are all crucial to your operation's feasibility in the Chinese market. Understanding the relevant laws governing how devices, software, and networks are regulated is equally vital.
The Cyberspace Administration of China and other regulators sometimes take strict actions against entities that fail to comply with relevant regulations, so being conscious of your legal liabilities is essential for making sure daily operations run smoothly.
Regulations and policies
China’s cybersecurity law
The Cybersecurity Law of the People's Republic of China, commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People's Congress to increase data protection, data localization, and cybersecurity, evidently in the interest of national security. The law is part of a wider series of laws passed by the Chinese government to strengthen national security legislation.
This law requires network operators to store select data within China and allows Chinese authorities to conduct spot-checks on a company’s network operations.
The law has several key provisions:
- It created the principle of cyberspace sovereignty.
- It defined the security obligations of internet products and service providers.
- It detailed the security obligations of internet service providers.
- It further refined rules surrounding personal information protection.
- It established a security system for key information infrastructure.
- It instituted rules for the transnational transmission of data from critical information infrastructures.
The Cybersecurity Law applies to network operators and to businesses in critical sectors, and specifies two primary categories that businesses need to be aware of:
- The first is network operators, which the law defines to include entities that use the internet for business purposes, including those that own networks or provide network services and therefore bear the primary obligation to maintain security measures.
- The second type is critical information infrastructure operators (CII Operators) and owners and managers of networks. These users have more serious responsibilities, including stricter controls on data collection and storage. More tightly regulated cross-border data transfer and data localization rules are among the sensitive compliance issues for these entities.
To transfer data abroad, those subject to restrictions must undergo a security review, provide proof of commercial need for the data, and finally obtain clearance for the transfer. Without clearance, all data generated within China must remain within China.
Penalties for not complying with the Cybersecurity Law include:
- Warnings;
- Demands to make a correction;
- Fines;
- Public announcements of the misconduct;
- Negative national credit recordings;
- Civil liability;
- Closing of websites; and,
- Revocation of the business license, depending on the severity of the infraction.
Internet domain name management measures
The Ministry of Industry and Information Technology has established comprehensive measures to oversee and manage domain name services nationwide, aiming to ensure a secure, stable, and lawful internet domain name environment. The core responsibilities outlined include:
- The creation of domain name management rules and policies.
- The development of an internet domain name system.
- The oversight of domain name root server operators and domain name registration entities.
Additionally, these measures emphasize the importance of network and information security within the domain name system, protecting users' personal information and facilitating international coordination regarding domain names.
To establish a domain name root server or a root server operating body, applicants must adhere to the corresponding internet development plans and the requirements for the safe and stable operation of the domain name system.
Entities looking to manage domain name registrations must:
- Operate within legal and regulatory frameworks;
- Possess credible records;
- Have the necessary infrastructure;
- Have security measures in place; and,
- Have plans for long-term service and identity verification.
These requirements ensure that organizations are equipped to manage top-level domain names effectively and securely.
The application process for establishing domain name services involves submitting detailed documentation to the Ministry of Industry and Information Technology or local telecommunications management departments, depending on the type of service. These documents must outline:
- The applicant's operational capabilities;
- Security measures;
- Materials certifying the reputation of the applying work unit;
- Materials certifying the effective management of domain name services; and,
- A commitment to lawful and honest business practices.
Furthermore, the measures prohibit the unauthorized distortion of domain name resolution information and mandate compliance with national security and emergency directives, underscoring the critical role of telecommunications management bodies in maintaining the domain name system's integrity.
Finally, establishing credit record structures for domain name service entities facilitates monitoring compliance with these regulations, reinforcing the measures' overarching goal of creating a secure, stable, and law-abiding domain name ecosystem.
Chinese Internet Domain Name System
- Internet domain names in China are versatile and inclusive, accommodating a diverse range of characters and symbols.
- Domain names can include letters (A-Z, a-z), numbers (0-9), dashes (-), and Chinese characters, offering a wide spectrum for online representation.
- All domain levels use the dot (.) as a standard connector, while Chinese language domain names can use either dots or the Chinese period (。) for linguistic preferences.
- The system includes top-level domains like ".CN" and ".中国", along with English and Chinese language top-level domains such as ".政务" [.gov] and ".公益" [.org] for Party and Government entities and nonprofit institutions.
- This approach enhances organization and accessibility of online resources for government and nonprofit activities, with information available through designated URLs.
- Under ".CN," the domain name structure is divided into 'category domains' (nine types for specific sectors like government, nonprofits, education, and commerce) and 'administrative region domains' (34 types for provinces, autonomous regions, municipalities, and special administrative regions).
- This classification ensures a clear, organized digital presence for various sectors and a localized online identity for administrative divisions.
- Registering second-level domain names under ".CN" and ".中国" is straightforward, emphasizing China's commitment to a cohesive and accessible internet environment for a representative online community.
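The list above describes a name format: permitted characters, two interchangeable separators, and a small set of top-level domains. The following validator, added here as an illustration and not taken from the article or from any Chinese registry's software, encodes those stated rules. The character and separator rules and the four TLDs come from the text; the CJK Unicode range used for "Chinese characters", the rule that a label may not start or end with a hyphen, and the per-label length limit are standard DNS/IDNA conventions assumed here, not rules the article states.

```python
"""Validator for the .CN / .中国 domain name rules summarized above.

Example code added for illustration; it is not part of the original article.
Character, separator and TLD rules follow the article. The CJK Unicode range,
the hyphen-placement rule and the label-length limit are standard DNS/IDNA
conventions assumed here, not taken from the article.
"""
import re

# Separators: the ASCII dot at every level; Chinese-language names may also
# use the ideographic full stop (。), which is normalized to "." before checks.
SEPARATORS = re.compile("[.\u3002]")

# Top-level domains named in the article, with the article's description.
KNOWN_TLDS = {
    "cn": "country code TLD",
    "中国": "Chinese-language country TLD",
    "政务": "Party and government entities (.gov equivalent)",
    "公益": "nonprofit institutions (.org equivalent)",
}

# A label may contain ASCII letters, digits, hyphens and Chinese characters.
# Assumption: "Chinese characters" means CJK Unified Ideographs U+4E00-U+9FFF.
LABEL_CHARS = re.compile(r"^[A-Za-z0-9\-\u4e00-\u9fff]+$")


def normalize(name: str) -> str:
    """Trim, lower-case ASCII letters and map the Chinese period to a dot."""
    return SEPARATORS.sub(".", name.strip().lower())


def validate(name: str) -> tuple[bool, str]:
    """Return (ok, reason) for a domain name under the rules listed above."""
    labels = normalize(name).split(".")
    if len(labels) < 2:
        return False, "a registrable name needs at least two levels"
    for label in labels:
        if not label:
            return False, "empty label (doubled, leading or trailing separator)"
        if not LABEL_CHARS.match(label):
            return False, f"disallowed character in label {label!r}"
        # Assumption (standard DNS hostname rule, not from the article):
        # a hyphen may not begin or end a label.
        if label[0] == "-" or label[-1] == "-":
            return False, f"label {label!r} starts or ends with a hyphen"
        # The stdlib IDNA codec rejects labels whose encoded form exceeds the
        # standard 63-octet limit, so a failure here means the label is too long
        # or otherwise not encodable.
        try:
            label.encode("idna")
        except UnicodeError as exc:
            return False, f"label {label!r} is not IDNA-encodable: {exc}"
    tld = labels[-1]
    if tld not in KNOWN_TLDS:
        return False, f"top-level domain {tld!r} is not one listed in the article"
    return True, KNOWN_TLDS[tld]


def to_ascii(name: str) -> str:
    """Punycode (A-label) form of a valid name, using the stdlib IDNA codec."""
    ok, reason = validate(name)
    if not ok:
        raise ValueError(reason)
    return normalize(name).encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed sample names, mixing valid and invalid cases.
    for candidate in ["example.cn", "例子。中国", "bei-jing.gov.cn", "例子.政务",
                      "-bad.cn", "exa mple.cn", "example.com", "a..cn"]:
        ok, reason = validate(candidate)
        print(f"{candidate:16} {'OK ' if ok else 'REJ'} {reason}")
    print(to_ascii("例子。中国"))
```

The Chinese period is normalized before any other check so that "例子。中国" and "例子.中国" are treated as the same name, which is how a resolver or registrar would have to see them; `to_ascii` then shows the wire-format label that actually travels in DNS.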
Data security law
The Data Security Law of the People's Republic of China (PRC) offers a comprehensive framework to regulate data handling, ensure data security, and promote the digital economy. This law defines "data" broadly, covering any record of information regardless of its form, and addresses the full spectrum of data handling activities, including:
- Collection,
- Storage,
- Processing, and
- Transmission.
It emphasizes the importance of employing necessary measures to safeguard data and ensure its lawful use, reflecting a commitment to maintaining a robust state of data security. Key provisions of the law focus on:
- Protection of rights and interests focuses on safeguarding the rights and interests of individuals and organizations in data, promoting lawful and effective use, and ensuring the free and orderly flow of data.
- The state's role in data management highlights the state's responsibility to protect data rights, advance a big data strategy, and foster international cooperation on data security governance to leverage data in the digital economy.
- Standard-setting responsibilities mandate a collaborative approach involving government departments, enterprises, and research bodies for drafting and revising standards on data development, use, and security to foster innovation and address data security challenges.
- National core data management introduces stringent management systems for data critical to national security and public interest. It implements export controls on sensitive data to balance national security and international data flow.
- Data collection guidelines set clear guidelines for lawful data collection, prohibit illegal data acquisition methods and mandate compliance with laws and regulations.
- Data transaction intermediary services specify obligations for these services, including verifying data sources and the identities of transaction parties.
- International cooperation facilitates data exchange with foreign judicial or law enforcement agencies under specific conditions, aligning with PRC laws and international agreements.
- Regulation of state organs regulates state organs' data collection and use to protect personal privacy and confidential information, including strict approval procedures for outsourcing government affairs systems.
- Empowerment of regulatory bodies authorizes regulatory bodies to address security risks in data handling and holds state organs accountable for data security obligations.
- Civil liabilities establish that violations causing harm to others will result in civil liabilities, reinforcing accountability and the protection of stakeholders' interests in the digital ecosystem.
Personal information protection law
China's Personal Information Protection Law (PIPL) has significantly evolved, setting stringent guidelines for the handling and transfer of personal and sensitive information within and beyond its borders. This law aligns with international data protection standards like the GDPR, emphasizing consent, transparency, and security in data processing. It categorizes personal information broadly and introduces specific protections for sensitive data, including financial and biometric data, mandating explicit consent and robust security measures for handling such information. Organizations operating in China must navigate these regulations carefully, ensuring compliance to avoid severe penalties.
The legal landscape for cross-border data transfer (CBDT) remains dynamic, with the new regulations easing the requirements for data export by adjusting the thresholds that trigger security assessments or the need for standard contracts or PI protection certification. Notably, they raise the thresholds for security assessments, such as transferring non-sensitive personal information (PI) offshore from 100,000 to 1 million individuals' PI, and shorten the period for cumulative PI assessment. They also adjust the thresholds for standard contracts or PI protection certification, with requirements now based on the cumulative PI transferred since January 1 of the current year.
However, organizations must stay vigilant, adapting to ongoing regulatory changes and preparing for future compliance requirements. This includes:
- Understanding the CBDT activities;
- Engaging in security assessments when required; and,
- Fulfilling documentation and filing procedures stipulated by the Cyberspace Administration of China (CAC).
To remain compliant with PIPL, organizations must conduct Personal Information Protection Impact Assessments (PIPIAs), especially when dealing with sensitive information or engaging in activities that significantly affect individuals. They must also adhere to data localization requirements and navigate the complexities of transferring personal information across borders with due diligence.
Critical information infrastructure security protection regulations
The regulations define critical information infrastructure as essential network and information systems within key sectors like:
- Telecommunications;
- Energy;
- Transportation;
- Water resources;
- Finance;
- Public services;
- E-government; and,
- National defense.
These systems' loss, malfunction, or breach could significantly impact national security, the economy, and public well-being. Designated departments are tasked with securing and protecting this infrastructure, developing identification criteria that consider the system's importance, potential harm from compromises, and its influence on other sectors.
Infrastructure operators must report major cybersecurity incidents or threats to the State Council public security department. For particularly severe incidents or threats, the relevant department must escalate the report to the national cybersecurity and State Council public security departments, ensuring a coordinated response to protect national interests and public safety.
Internet providers and connection speeds
There are three telecom and Internet Service Providers (ISPs) in China: China Unicom, China Telecom, and China Mobile. They are all state-owned entities (SOEs), and each acts essentially as a monopoly within its respective market.
Connection speeds tend to vary according to location. China has three submarine optic fibre entry/exit points for all internet traffic. They are located in Qingdao, Shanghai, and Shantou.
Since there are only three entry/exit points for international internet access, this creates a bottleneck for all users within China connecting to foreign-hosted sites. To avoid low connection speeds, it is ideal to operate with the highest speed provider in your location.
Generally speaking, China Telecom is the most reliable ISP for international internet access in south China, China Unicom in the north, and China Mobile in central/eastern China.
Infrastructure setup options
Option 1: Hosting with an ICP-Licensed domain within China
Choosing to host your domain within China, under the aegis of the Chinese Ministry of Industry and Information Technology, caters specifically to businesses aiming to serve Chinese customers directly from within the country. This route offers distinct advantages:
- Flexibility: You have the option to mirror your existing site or create a new one specifically for your Chinese audience, tailoring your approach to fit your business model and service offerings.
- Optimized performance: Hosting in mainland China means your services are physically closer to your audience, ensuring faster load times and smoother user experiences. A local CDN can further enhance this, placing your content on equal footing with top-tier Chinese websites.
- Reduced censorship risks: A valid ICP license minimizes the chances of your content being blocked by the Great Firewall, provided you adhere to local content regulations.
However, this option is available only to companies able to navigate the complexities of obtaining an ICP license in China. It is highly recommended for businesses prioritizing minimal latency and peak performance that are willing to undertake the process of acquiring an ICP license.
Option 2: Enhancing your current hosting with a China CDN
For companies not keen on overhauling their infrastructure, integrating a China-based CDN with your existing hosting setup offers a way to enjoy many benefits of local hosting without the heavy lifting:
- Lowered blocking risks: Caching content within China reduces the likelihood of being blocked by the Great Firewall, though it's not a foolproof circumvention method.
- Improved performance: A CDN ensures quicker access and data transfer for users in China, handling traffic spikes and scaling as needed to maintain service quality.
Drawbacks include:
- Because your origin server remains physically distant from China, geography limits the achievable performance improvement.
- Setting up a CDN in China necessitates obtaining an ICP license, a potential stumbling block for ineligible companies.
This option suits organizations that qualify for an ICP license and prefer not to significantly modify their current infrastructure but wish to host content closer to China for better performance.
Option 3: Utilizing a mirror server near mainland China
Setting up a mirror server close to mainland China presents a viable alternative for those concerned about the distance to their origin server. This setup can significantly boost your service's uptime and speed without the need for an ICP license, especially when paired with a local CDN.
Advantages include:
- Being geographically closer to your audience means faster load times and a better overall user experience.
- You might not need an ICP license unless you choose to host some content on a CDN within mainland China.
Despite improvements in latency and uptime, the risk of GFW blocking remains if the mirror server is outside China. This setup is particularly appealing for companies looking to improve their service's performance and reliability for Chinese users without committing to full hosting within China.
Getting an ICP license in China
An ICP license is issued by the Ministry of Industry and Information Technology (MIIT). The license allows you to host your site from within China, which means network speeds will be faster and more reliable than for the equivalent site hosted abroad. You must have a physical presence in China to apply for this license.
Outsourcing this process to an experienced consultant is advisable, as the ICP license application procedure can be convoluted and time-consuming. Also, business operations conducted under the ICP license must accord with PRC laws – which strictly regulate cyberspace – and so thorough due diligence is highly recommended before even beginning the application process.
Setting up a website in China
For accessing websites and web services within China, domestically hosted sites tend to be more reliable than sites hosted outside of China.
This is partly due to the bottlenecks noted above. However, there are other factors that may cause slow speeds besides the quality of the provider, such as poorly optimized images, poorly written code, low-quality hosting (whether inside or outside of mainland China), or using services blocked in China (such as Google, Facebook, etc.), which can all contribute to a poor user experience.
To register a website in China, you will need the following registration documents:
- Business license for company/ID for individual;
- Internet content provider/ICP license; and
- Application for a ‘.cn’ domain (some names are blocked if deemed inappropriate).
The above three points are listed in the order in which they should be executed. If you do not intend to host your website from within China, the section above on getting an ICP license can be ignored.
What is ‘The Great Firewall’?
Many websites and online services in China are blocked by the internet censorship system popularly known as ‘The Great Firewall’.
These include Google, Gmail, Facebook, YouTube, Twitter, Instagram, WhatsApp, Reddit, and many foreign news websites, such as the New York Times, the Washington Post, Bloomberg, the Wall Street Journal, and the South China Morning Post. Some foreign services are not formally blocked but occasionally do not work properly because of the Great Firewall, especially if they are reliant on tools, plugins, and other services that are blocked.
Detailed lists of blocked sites and services are available through a quick Baidu search.
The concern here is to determine that none of your business’s core functions is predicated on any one of those services whose use is blocked in China. Even if a business operating in China does not have a website, many need to use cloud services for intra-company communications and social media services for marketing, which may be blocked in China.
New entrants to China are advised to undertake a comprehensive audit of their exposure to the Great Firewall in the early stages of their market entry studies.
Making use of VPNs (Virtual private networks)
Navigating issues related to the Great Firewall of China effectively requires the strategic use of Virtual Private Networks (VPNs), a common tool in the country's digital landscape which nonetheless exists within a complex legal framework. Despite the country's stringent restrictions on VPN services and the blocking of many VPN providers, it remains legal for consumers to use VPNs that are operational within China.
The Chinese government officially prohibits the use of any VPNs that have not received government approval. For a VPN to be approved, it must grant the government backdoor access, compromising the security of the service.
The enforcement of this regulation primarily targets companies and corporations, not individual users. While there have been instances where Chinese citizens have faced penalties ranging from fines to imprisonment for creating or distributing unauthorized VPNs, with sentences varying from three days to over five years, these measures are applied inconsistently.
The market is flooded with free VPN services; however, caution is advised. These free options often monetize by harvesting user data, posing significant privacy risks. It's crucial to understand that the absence of a monetary cost upfront does not guarantee security or privacy.
VPN connections in China are subject to fluctuations, particularly during politically sensitive periods or anniversaries, when authorities might tighten access to foreign internet resources. These disruptions can manifest as reduced connection speeds or complete service outages, affecting VPN reliability unpredictably.
Given this reality, businesses depending on VPNs for critical operations should develop robust contingency plans to mitigate potential disruptions. All VPN users in China need to anticipate and plan for possible productivity impacts due to service slowdowns or interruptions, ensuring continuity and efficiency in their digital communications and workflows.
ERP systems
ERP systems refer to software that collects and coordinates company data to automate business processes. If implemented properly, an ERP system complements the roles of the human staff by reducing the time spent on rote business processes where human error may occur, allowing them to undertake tasks better suited to analytical thinking and problem-solving.
Increasing efficiency is the main purpose of an ERP system. The provision of oversight and real-time analytics for senior management makes it possible to identify, and potentially prevent, productivity and capital leakages in existing business processes.
ERP systems customized for China offer further benefits. For accounting processes undertaken in China’s jurisdiction, China’s generally accepted accounting principles (GAAP) must be adhered to. Many Western ERP systems and tax software, however, do not offer functionalities for China’s tax and accounting system.
Moreover, ERP systems in China must comply with China’s data regulation framework since such systems often handle sensitive personal data. Chinese cloud-based ERP services, for example, would comply, whereas foreign cloud services would render you responsible for ensuring compliance.
How to create a China internet strategy
Before entering the Chinese market, foreign investors should undertake comprehensive studies of the IT-related issues they may encounter in the country. Because of the sensitivity of the internet in China – and therefore the intense scrutiny it is given by censors and regulators – a well-thought-out IT strategy can be the difference between success and failure for some companies.
These challenges are compounded for tech companies whose main product is an internet-based service. Many foreign apps that would not immediately appear politically sensitive, like Tinder and Pinterest, have found their services blocked in China.
For many modern businesses, IT infrastructure forms the backbone of the company. Foreign investors establishing a presence in China should accordingly view their IT strategy in the context of their global operations rather than as something isolated to the Chinese market.
Industrial internet
China's Industrial Internet stands out in the nation's strategy to spearhead technological advancements and elevate its manufacturing prowess, marking a significant chapter in the Industry 4.0 era. This initiative is enhancing productivity across various economic sectors and opening doors for foreign companies looking to tap into the vast opportunities presented by China's digital transformation. By integrating advanced computing, data analytics, and internet connectivity into industrial operations, China is setting the stage for a revolution in industrial processes.
The expanding scale of China's Industrial Internet is evidenced by its impressive growth and the establishment of 240 influential industrial internet platforms, 28 of which showcase cross-industry and cross-domain capabilities. These platforms serve as hubs for collaboration, data exchange, and innovation. Through policy support and the introduction of new standards, the government's commitment catalyzes the integration of digital technologies across diverse sectors. These efforts are bolstering China's industrial capacity and fostering innovation, promoting job creation, and enhancing operational efficiencies through digital networks.
However, the path forward is dotted with challenges, including the need for continuous technological adaptation and the nuances of navigating a regulatory environment that heavily emphasizes national security along with data protection and privacy. Amidst these challenges, China's openness to foreign investment and its measures to optimize the investment environment present a fertile ground for international companies. By aligning with China's ambitions for digitalization and adhering to local regulations, foreign enterprises have a unique opportunity to contribute to and benefit from the expansion of the Industrial Internet, marking a new era of industrial collaboration and innovation.