By Sharon Shi, Senior Partner and William Shen, Counsel at AllBright Law Offices
More and more foreign-invested enterprises in China are using VPN (Virtual Private Network) technology to connect to corporate servers remotely and securely. However, in addition to its encrypted communication function, the more important reason for the widespread use of VPN’s in China is that cross-border networking can be achieved by VPN technology. In this article, “VPN” specifically refers to the VPN for cross-border networking.
China has strengthened its supervision on using VPN’s in recent years. In May 2019, a company was fined for using illegal “proxy software” to visit overseas websites, which triggered intense discussion on the Internet. We have noticed that many foreign-invested enterprises have practical needs, such as collaborating and exchanging data with offices across the world, but they know very little on how to use VPN’s in compliance with regulatory policies in China. It is quite common for foreign-invested enterprises to privately rent or build an illegal VPN. In this article we hope to provide some suggestions for foreign-invested enterprises on how to use VPN’s in compliance with the law.
General introduction to VPN technology
A Virtual Private Network, or VPN, is an encrypted connection from device to network through the Internet. Such an encrypted connection helps to ensure the safe transmission of sensitive data. VPN’s use the tunnel protocol to achieve sender authentication, message confidentiality and accuracy and other functions. It prevents unauthorsed people from eavesdropping on the traffic and allows the user to execute work remotely. Today, VPN technology is widely used in corporate business.
In January 2017, the Ministry of Industry and Information Technology (hereinafter referred to as ＂MIIT＂) issued the Notice of the Ministry of Industry and Information Technology on Cleaning up and Standardizing the Internet Network Access Service Market (Gong Xin Bu Xin Guan Han  No.32) (hereinafter referred to as the “Notice”). The Notice clarifies that, without the approval of the MIIT, no enterprise shall set up or rent dedicated lines or other channels (including a VPN) to operate cross-border business. When leasing international dedicated lines to users, authorised basic telecommunication enterprises are required to establish user profiles centrally and make it clear to users that such international dedicated lines are for their internal office work use only, and such lines shall not be used to connect to domestic or foreign data centres or business platforms to operate telecommunication business.
Officials of the MIIT also clarified that the regulatory attitude and principles are: when building cross-border network connection through dedicated lines for internal office work, international trading companies and multinational companies are allowed to rent such lines from authorised telecommunication business operators who have set up international communications gateway exchanges in accordance with the law.
VPN using compliance
For foreign-invested enterprises in China, the key to legally using VPN’s is to find and choose a legitimate authorised service provider who must be an operator qualified for international communication business or an authorised basic telecommunications business operator equipped with international communication gateway exchanges. Currently in China, only VPN services provided by authorised basic telecommunication business operators are legal, while those provided by other enterprises or overseas companies are not.
It should be noted that the VPN service provided by authorised basic telecommunication business operators can only be used within that enterprise. Some authorised basic telecommunication business operators require that the servers connected to a VPN shall not have public IP addresses or shall not be subleased or used for business operation purposes. In addition, in accordance with the relevant provisions of Administrative Measures for International Communication Gateway Exchanges, even for internal use, setting up a VPN through the international internet gateway shall be filed with the MIIT.
In summary, foreign-invested enterprises shall use VPN’s in compliance with regulatory policies, and verify the operational qualification of a VPN vendor before purchasing or renting it from a telecommunication business operator. A qualified authorised basic telecommunication business operator for international communications business should be also equipped with international communication gateway exchanges.
Foreign-invested enterprises shall establish a VPN using a compliance system or protocol. The use of VPN’s should be strictly restricted to internal systems, i.e. the VPN used shall be for internal use only and shall not be used to connect to domestic or foreign data centres or business platforms to operate a telecommunications business.
Foreign-invested enterprises shall establish corresponding IT access manuals, monitor the access logs regularly and impose severe punishment on illegal access behavior while using a VPN. Additionally, foreign-invested enterprises shall also carry out training on the VPN using compliance to enhance employees’ awareness of the risks of using VPN’s illegally and the serious consequences of doing so. For more complicated situations or specific questions, professional advice should be sought.
For further information please contact the authors:
Sharon Shi, Senior Partner
William Shen, Counsel