China (PRC)
Sharon Shi

Sharon Shi

By Sharon Shi, Senior Partner and William Shen, Counsel at AllBright Law Offices

More and more foreign-invested enterprises in China are using VPN (Virtual Private Network) technology to connect to corporate servers remotely and securely. However, in addition to its encrypted communication function, the more important reason for the widespread use of VPN’s in China is that cross-border networking can be achieved by VPN technology. In this article, “VPN” specifically refers to the VPN for cross-border networking.

China has strengthened its supervision on using VPN’s in recent years. In May 2019, a company was fined for using illegal “proxy software” to visit overseas websites, which triggered intense discussion on the Internet. We have noticed that many foreign-invested enterprises have practical needs, such as collaborating and exchanging data with offices across the world, but they know very little on how to use VPN’s in compliance with regulatory policies in China. It is quite common for foreign-invested enterprises to privately rent or build an illegal VPN. In this article we hope to provide some suggestions for foreign-invested enterprises on how to use VPN’s in compliance with the law.

 

William Shen

William Shen

General introduction to VPN technology

A Virtual Private Network, or VPN, is an encrypted connection from device to network through the Internet. Such an encrypted connection helps to ensure the safe transmission of sensitive data. VPN’s use the tunnel protocol to achieve sender authentication, message confidentiality and accuracy and other functions. It prevents unauthorsed people from eavesdropping on the traffic and allows the user to execute work remotely. Today, VPN technology is widely used in corporate business.

 

Regulatory status

In January 2017, the Ministry of Industry and Information Technology (hereinafter referred to as "MIIT") issued the Notice of the Ministry of Industry and Information Technology on Cleaning up and Standardizing the Internet Network Access Service Market (Gong Xin Bu Xin Guan Han [2017] No.32) (hereinafter referred to as the “Notice”). The Notice clarifies that, without the approval of the MIIT, no enterprise shall set up or rent dedicated lines or other channels (including a VPN) to operate cross-border business. When leasing international dedicated lines to users, authorised basic telecommunication enterprises are required to establish user profiles centrally and make it clear to users that such international dedicated lines are for their internal office work use only, and such lines shall not be used to connect to domestic or foreign data centres or business platforms to operate telecommunication business.

Officials of the MIIT also clarified that the regulatory attitude and principles are: when building cross-border network connection through dedicated lines for internal office work, international trading companies and multinational companies are allowed to rent such lines from authorised telecommunication business operators who have set up international communications gateway exchanges in accordance with the law.

 

VPN using compliance

For foreign-invested enterprises in China, the key to legally using VPN’s is to find and choose a legitimate authorised service provider who must be an operator qualified for international communication business or an authorised basic telecommunications business operator equipped with international communication gateway exchanges. Currently in China, only VPN services provided by authorised basic telecommunication business operators are legal, while those provided by other enterprises or overseas companies are not.

It should be noted that the VPN service provided by authorised basic telecommunication business operators can only be used within that enterprise. Some authorised basic telecommunication business operators require that the servers connected to a VPN shall not have public IP addresses or shall not be subleased or used for business operation purposes. In addition, in accordance with the relevant provisions of Administrative Measures for International Communication Gateway Exchanges, even for internal use, setting up a VPN through the international internet gateway shall be filed with the MIIT.

 

Compliance suggestions

In summary, foreign-invested enterprises shall use VPN’s in compliance with regulatory policies, and verify the operational qualification of a VPN vendor before purchasing or renting it from a telecommunication business operator.  A qualified authorised basic telecommunication business operator for international communications business should be also equipped with international communication gateway exchanges.

Foreign-invested enterprises shall establish a VPN using a compliance system or protocol. The use of VPN’s should be strictly restricted to internal systems, i.e. the VPN used shall be for internal use only and shall not be used to connect to domestic or foreign data centres or business platforms to operate a telecommunications business.

Foreign-invested enterprises shall establish corresponding IT access manuals, monitor the access logs regularly and impose severe punishment on illegal access behavior while using a VPN.  Additionally, foreign-invested enterprises shall also carry out training on the VPN using compliance to enhance employees’ awareness of the risks of using VPN’s illegally and the serious consequences of doing so. For more complicated situations or specific questions, professional advice should be sought.

 

For further information please contact the authors:

Sharon Shi, Senior Partner
E: sharonshi@allbrightlaw.com

William Shen, Counsel
E: william.shen@allbrightlaw.com

W: https://www.allbrightlaw.com

Related Articles by Firm
Foreign Banks Allowed to Operate in Myanmar
After more than 50 years of banning, the Central Bank of Myanmar has issued the first final licenses allowing four foreign banks to operate in Myanmar.
Tanzanian Draft National Energy Policy of 2015
Highlights on the ongoing and upcoming industry developments with focus on the transition of the energy sector since the introduction of the Big Results Now! campaign
Mineral Rights Available in Tanzania
Overview of the mineral rights available in Tanzania, with specific focus on the various categories of mineral rights
The Legal Framework of the Aviation Sector in Tanzania
As attention turns to Tanzania’s trade and energy opportunities, the spotlight has fallen upon the nation’s infrastructure. This update focuses on the capabilities and issues of the Tanzanian aviation sector.
Oil price volatility - Offshore oil storage
Are there any legal concerns with tankers being used for floating storage?
Oil price volatility - risks and opportunities in 2015
While many companies can weather the oil price slide and volatility, some industry players face a real risk of insolvency.
India: Union Budget 2015
A bullet-point overview of changes in Direct Tax, Indirect Tax and Goods and Service Tax in India in light of Finance Minister Arun Jaitley’s first full-year Budget…
Prohibition against transfer of personal data outside Hong Kong
Section 33 of the Personal Data (Privacy) Ordinance (PDPO) prohibits the transfer of personal data to places outside Hong Kong, except in circumstances specified in the PDPO.
Security of payment under FIDIC contracts: more secure, for now
The High Court of Singapore recently handed down an important judgment in relation to the enforceability of Dispute Adjudication Board (DAB) decisions under the FIDIC forms of contract.
Insurance Laws (Amendment) Bill passed as Ordinance in India
The long-awaited Insurance Laws (Amendment) Bill has become a provisional law in India. The Bill amends the Insurance Act (1938), the General Insurance Business (Naturalisation) Act (1972), and the Insurance Regulatory and Development Act (1999).
SICC: now open for business
On Monday 5 January 2015, the Singapore International Commercial Court ("SICC") was officially opened...
Myanmar insurance update
Clyde & Co partner Michael Horn recently visited Myanmar's commercial capital Yangon and reports on the current state of the insurance market...
Launch of the online mining cadastre transactional portal
Plus, a summary of the key mineral rights available in Tanzania; and, a look at the manner in which mineral rights can be transferred.
Restrictions imposed on holders of mineral rights
This briefing looks at some of the restrictions imposed on holders of mineral rights in Tanzania by the Mining Act 2010
Draft local content policy for the oil & gas industry in Tanzania
The first draft of the long-awaited local content policy for the oil & gas industry in Tanzania has now been published by the Ministry of Energy and Minerals ...
Tanzania: Revocation of mining licences
The Tanzanian government recently announced the cancellation of a total of 174 mining licences. This mining update examines the key continuing obligations imposed by the Mining Act upon mining licence holders.
Mining Development Agreements
In this month’s mining briefing we look at Mining Development Agreements (MDAs) and the role that they play in the mining sector in Tanzania.
The Tanzanian railway system: current legal framework
The railway system of mainland Tanzania has a total track length of 3,676 kilometers (km) with two separate networks, run by two separate organisations ...
Related Articles
Data Privacy in Malaysia
DFDL’s William Greenlee sets out the data protection regulatory framework in Malaysia and its recent developments ...
Cross-border transfer of personal financial information in China
Jingtian & Gongcheng partners Yuan Lizhi, Hu Ke and associate Wang Beining take us through the details of the regulatory framework ...
Amendments to three data privacy laws in Korea and the implications
By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee of Yoon & Yang ...
Related Articles by Jurisdiction
IP & TMT Special Report
ASIAN-MENA COUNSEL's latest IP & TMT Special Report, (Vol 11 Issue 6) features a presentation by Lee International IP & Law Group, co-hosted by ASIAN-MENA COUNSEL, on Brand Protection Strategies for Korea. In a concurrent open discussion with special In-House Community guests, ...
The thing about … Jeanette Chan
Recently, Asian-mena Counsel’s Patrick Dransfield photographed Jeanette Chan, managing partner of the China practice and head of the Asia communications and technology practice at Paul, Weiss, and asked her a series of questions on behalf of the In-House Community ...
IP & TMT
Our IP & TMT Report includes Anjie Law Firm's article 'China makes detailed liability rules available for social media' and the 'WWE v. Reshma' case study, courtesy of Anand & Anand. We also get insights from ...
Latest Articles
Data Privacy in Malaysia
DFDL’s William Greenlee sets out the data protection regulatory framework in Malaysia and its recent developments ...
Cross-border transfer of personal financial information in China
Jingtian & Gongcheng partners Yuan Lizhi, Hu Ke and associate Wang Beining take us through the details of the regulatory framework ...
Amendments to three data privacy laws in Korea and the implications
By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee of Yoon & Yang ...