Privacy & Information Security Law Blog

Recently, the Ministry of Industry and Information Technology of the People’s Republic of China published a draft of the new Notice on Regulating Business Behaviors in the Cloud Service Market (Draft for Public Comments) (the “Draft”) for public comment. The Draft is open for comment until December 24, 2016.

Under the Draft, foreign investors investing in and operating cloud services within China must establish a foreign-invested telecommunications enterprise and obtain a value-added telecommunications business license. In addition, the Draft provides that when establishing technical cooperation with other entities, a cloud service operator must not lease out or transfer its telecommunication business license by any method to its partners, or provide resources, premises or facilities to its partners to facilitate illegal operations. The Draft also prohibits cloud service operators from using dedicated lines or VPNs to connect to an international network.

In addition, the Draft applies certain requirements to cloud service providers which were already applicable to Internet service providers, including that cloud service providers must establish and publish rules regarding their collection and use of personal information, and adopt security safeguards for network data and users’ personal information. In addition, upon a user’s termination of services, cloud service operators are required to cease their collection and use of the user’s personal information. Also, when establishing technical cooperation with other entities, a cloud service operator may not provide users’ personal information or network data to its partners in violation of law.

The Draft also provides that when providing services to residents of China, cloud service operators must host their service facilities and retain network data within the territory of China, and cross-border data transfers must proceed in compliance with relevant regulations. In the event of an information leakage, cloud service operators must promptly inform the users of the leakage, adopt effective remedial measures and report the incident to the administrative authority for the telecommunications sector.

The Draft is not yet in final form and there remains a possibility that the final version may differ substantially from the Draft. No time frame has been announced for the adoption of a final version.