Long overdue changes? A look at China's proposed revision to its key Internet regulation

Written By

john shi module
John Shi

Partner
China

I am a partner in Bird & Bird's Corporate team and the chief representative of the Beijing office. I have extensive experience in transactional and commercial work across various sectors.

michelle chan module
Michelle Chan

Of Counsel
UK

I'm a technology, telecoms and media lawyer, providing strategic, corporate and commercial advice to major players in the Asia Pacific region. I am based in London and I am Of Counsel in our Corporate & Commercial team.

On 8th January 2021, the Cyberspace Administration of China ("CAC") published a revised draft of "Regulations on Internet Information Service" ("Draft Revised Regulation"). The regulation has only been lightly amended in 2011 ("Current Regulation"). In comparison, substantial changes are being proposed in the Draft Revised Regulation and the number of articles has increased significantly from 27 to 54!

In this Newsletter, we will have a look at some of the key changes proposed to be made in the Draft Revised Regulation.

1. Who will be regulated?

The Current Regulation mainly regulates providers of "internet information services". In the Revised Draft Regulation, new categories of service providers will be subject to regulations:

  • Internet information service providers (ICP)
Whilst internet information service providers will continue to be subject to the regulations, the definition of "internet information services" has been expanded to include certain online services which will unequivocally fall within the definition. These services include, for example, Internet news information services, search engines, instant messaging services, webcasting, online payment, online advertising, online storage, online shopping, online booking, app download. The catch-all phrase "or such other Internet services" included in the definition also leaves room to accommodate new forms of Internet information services as the online world continues to evolve.
  • Internet network/access services providers (INP)
The Draft Revised Regulation introduces this new category of service providers through Article 52. The proposed definition is broad: an entity that provides network access services to internet information service providers will be regarded as an ISP. The definition specifically includes an inexhaustive list of service providers that will be regarded as ISP. This includes IDCs, CDNs and the traditional ISPs.

  • Domain name registry, resolution and other service providers

Certain internet service providers that are neither ICPs or ISPs will also be regulated. These include domain name registration service providers.

  • Notable exemption

Article 53 specifically carves out the regulation of internet information services which are "dedicated for provision through television terminals". Such services will be regulated according to the laws and regulations of television and broadcasts.

2. Who are the key regulators?

Under the Current Regulation, the main regulator appears to be the Ministry of Industry and Information Technology. In practice, the Cyberspace Administration of China, the Ministry of Public Security and other authorities all have regulatory oversight on different aspects of online services in China. The Draft Revised Regulation proposes that there will be three main regulators with the following specific functions and responsibilities:

State internet information department overall planning and coordination of national cybersecurity efforts; oversight management and law enforcement on internet information content. Cyberspace Administration of China 
State council department in charge of telecommunication
management of the Internet industry, market access, market order, and implement supervision of network resources and network information security. Ministry of Industry and Information Technology
State Council departments for public security
internet security oversight to preserve public order and safety on the internet. Ministry of Public Security

In addition to the above three key authorities, the Draft Revised Regulation continues to recognise other authorities which will have power to regulate specific aspect of online services, for example, online game publishing which will also be regulated by the National Press and Publication Administration.

3. Extra-territorial application

For the first time, the Draft Revised Regulation specifically provides that it will apply to any organisation or individual in the PRC that uses domestic and foreign network resources to provide internet information services to domestic users in China. This change provides a much needed legal ground for the regulators to regulate, for example, onshore companies which host their services in servers located outside of China (but the services are for users in China) where the onshore companies hope to circumvent telecom regulatory and licensing controls in China.

4. Broadening scope of prohibited online content

The Draft Revised Regulations seek to include the following new categories of prohibited online content through Article 26:

  • Fabricated or false information that disrupts the financial market or economic order;
  • False information regarding dangers, epidemics or other information which may disrupt social order; and
  • Information that incites illegal assemblies or disrupts social stability and order.
To implement Article 26, Article 16 of the Draft Revised Regulation requires ICPs to establish systems for reviewing published information and to have security personnel in place. These requirements correspond with requirements under existing laws. As such, organizations that are already in compliance with existing law should also be able to fulfil the "new" requirements under Article 16.

5. Real-name verification

The Draft Revised Regulation proposes to put significant statutory obligation on certain internet service providers to carry out "real-name verification". Article 18 provides that such service providers must ensure that the service recipients are the same persons as identified through their identity information and relevant record. Failing to comply with the real-name verification obligation can lead to administrative fine and other sanctions.

6. Record retention

While the Current Regulation imposes a 60-day record retention obligation on all INPs and on certain categories of ICPs, the Draft Revised Regulation extends the record retention requirement to (i) all internet service providers and (ii) for a longer period. Specifically:
  • all identity information must be retained during the term of the service and for at least 2 years after the term ends;
  • ICPs must retain all published information and must keep it for no less than 6 months; and
  • ICPs and INPs must record and retain network log information for at least 6 months (this requirement can also be found in the PRC Cybersecurity Law).

7. Certain online practices prohibited

To tackle certain undesirable online practices, Article 25 of Draft Revised Regulation provides that the following practices are prohibited if they are for profit purpose or to obtain illegal gains:
  • Publishing, or accepting consideration to publish, information known to be false;
  • Providing services to delete, block, replace, or bury information for consideration;
  • Mass resale, registration and provision of online accounts that are used for committing crimes; and
  • Participating in activities such as false clicks, votes, reviews, or transactions.
One thing to be noted is that while the Drafted Revised Regulation does not seek to punish activities that are not for profit purposes or not to obtain legal gains even if they fall within the above listed categories, such activities do not get a free pass as they are still subject to other laws and regulations, such as PRC Civil Code.

8. Safety assessment

The Draft Revised Regulation provides that ICPs must establish a system for security assessments, and when a new internet operation is established, must conduct a security assessment and report the findings to relevant authorities. This "security assessment" requirement is not new: the MIIT released the "Measures for the Administration of Security Assessment of New Internet Services (Draft for Consultation)" back in 2017. The details of security assessment is expected to be elaborated on separate implementation rules.

9. Licensing or filing?

The Current Regulation divides internet information services into two categories: (i) commercial services and (ii) non-commercial services, with the former subject to a licensing regime and the latter subject to a filing/recordal requirement. Whether a specific internet service is of a commercial or non-commercial nature depends on whether consideration is received for the service.

The Draft Revised Regulation no longer uses the term "commercial" and "non-commercial". Instead, whether ICP service is subject to the licensing or recordal requirements will depend on whether the service is a telecom operation. Such distinction no longer hinges on whether the service is "compensatory”, which is in line with spirit of Telecommunication Regulation.

10. Penalties

Chapter V of the Draft Revised Regulation sets out the legal responsibilities of those that are being regulated. Notable points include:
  • Blacklist and prohibition to act for certain period: A blacklist system of ISPs (not INPs) will be established. Organisations and individuals whose licences/recordals have been revoked/cancelled cannot apply for the same licences/recordal for the next 3 years.
  • Personal liability: Unlike the Current Regulation which is generally silent on imposing legal liabilities on directly responsible persons of service providers, the Draft Revised Regulation specifically provides in multiple articles that potential legal liabilities can be imposed on persons directly responsible for the ICPs or INPs. This is consistent with the legislative trend to "pierce the corporate veil" and hold the individuals "behind the scene" responsible.

Our observations

Although the Draft Revised Regulation comes across as a significant overhaul of the current regulatory regime, many of the changes proposed to be introduced by the Revised Draft Regulation simply reflect current practices or changes which relevant authorities have been advocating in the last few years. Nevertheless, the Draft Revised Regulation will likely increase compliance costs and legal risks of non-compliance.

 

Latest insights

More Insights
flower

NEWSFLASH - The UK’s New Consultation on AI and Copyright: Purr-suing Balance?

Dec 19 2024

Read More
laptop phone

EU/UK sanctions regarding Russia and Belarus (16-12-2024)

Dec 19 2024

Read More
Curiosity line blue background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More