Network connection and VPN - What MNCs need to learn for legally connecting headquarters, subsidiaries, branches and employees within or outside China?

By Sven-Michael Werner, Tiantian Ke

12-2020

A growing number of multi-national corporations ("MNCs") with multiple outlets or office locations across China encounter the common issue of how to find a fast, secure and reliable way to share information and resources over networks between subsidiaries and headquarters overseas. Moreover, traveling employees and those who work from home (in particular, in light of the recent COVID-19 outbreak, which resulted in lockdowns and office closures) demand a similarly secure and reliable solution to connect to their business's computer network from remote locations.

Nevertheless, the legal status of VPNs for network connection in China seems obscure, and comparatively pro-active enforcement actions have been taken against illegal VPNs for cross-border network connection. In particular, the Beijing Public Security Bureau ("PSB") has recently announced illegal VPN crackdowns as one of its 2020 special projects [1].

To help businesses navigate this dilemma, this paper introduces the legal framework and practice for legally achieving an MNC's network connections for internal business purposes i) between its foreign headquarters and its Chinese subsidiaries/branches and ii) within China, such as for domestic subsidiaries/branches network connection, and for employees' remote network connection.

The legal status of VPN for network connection

The VPN technology per se is not illegal under the current legal regime in China. Nevertheless, telecom services for commercial purposes, which are categorised as basic telecoms service ("BTS") or value-added telecoms service ("VATS"), if carried out on the basis of VPN, are required under Chinese Telecommunications Regulations and its implementing rules [2] to apply for relevant administrative permits, including:

• Category I BTS: International data telecommunications services;
• Category II BTS: Fixed-network domestic data communications services;
• Category I VATS: Domestic Internet protocol virtual private network services.

Requirements for applying for a specific license vary depending on the nature of the telecom service carried out, inter alia, whether it is for providing a cross-border or domestic connection.

On the other hand, an MNC is not required to apply for the above permits to achieve its network connection through telecom services provided by a licensed ISP if its envisaged activities satisfy the non-commercial test.

a. VPN for cross-border network connection

The VPN service for cross-border connection in China is a highly regulated telecommunication service for international internet channel access under Chinese Telecommunications Regulations, which requires special administrative permits (e.g. Category I BTS: International data telecommunications services) from the China Ministry of Industry and Information Technology ("MIIT"). Businesses are prohibited from self-establishing or leasing private circuits (including VPN) without obtaining approval from the telecommunications regulatory authorities [3].

In addition, the MIIT requires that VPN services over international private circuits be used by users exclusively for their internal official business, and not be used to connect with domestic and foreign data centres or business platforms for carrying out any public commercial telecom business operations [4].

Therefore, MNCs considering the use of cross-border private network connections should engage with BTS-licensed telecom operators [5] either to rent directly

i) within China, international private circuits (including VPNs) provided by the said licensed telecom operators, or
ii) from overseas international private circuits (including VPNs) provided by the said licensed telecom operators, or commission an overseas operator to do so.

When establishing internal office networks through such private circuits, MNCs can entrust qualified third parties (including enterprises with business licenses including domestic IP-VPN, fixed network domestic data transmission, etc.) to provide outsourcing services such as system integration, maintenance escrow, etc., but such third parties are prohibited from engaging in the rental or sale of international private circuit (including VPN) resources [6].

Businesses should maintain restrictive internal network access policies, and stay tuned and vigilant for relevant rules and enforcement action trends so as to avoid potential business disruptions to network access or connections in the future.

b. VPN for domestic network connection

Similarly to cross-border connections, VPN for domestic connection services, primarily including site-to-site VPN (for domestic subsidiaries/branches network connection) and remote-access VPN (for employees' remote network connection), are regulated under the Telecommunications Regulations.

Site-to-site VPNs are generally subject to the IP-VPN regulations in China. Under the Classified Catalogue of Telecommunications Services, "domestic Internet virtual private network service (IP-VPN)" refers to

"services provided by an operator by using its own or leased Internet network resources, through TCP/IP protocol, to customize the Internet closed user network for domestic users. Internet virtual private network is mainly established through IP tunnel and other TCP/IP-based technology, which provides a certain degree of security and confidentiality. Private network can achieve encrypted transparent packet transmission."

While a literal reading of the regulations regarding respective licensing requirements is generally understood to apply merely to telecom activities as a service (i.e. for commercial purposes), the Chinese telecoms regulator's attitude tends to be more conservative. Previous background consultations with the MIIT suggest that a business could be required to obtain the IP-VPN approval for its own establishment of a domestic network connection between different offices, depending on a case-by-case determination by the regulator on how the network is deployed and connected, and whether it is only for non-commercial purposes.

Namely, MNCs can engage with VATS-licensed ISPs to achieve their China-based domestic network connection. If an MNC intends to establish a domestic site-to-site network connection solution through IP-VPN for its subsidiaries within China for its internal business use, the MIIT, if the non-commercial purpose test is seen as failed, may require the MNC to apply for a Category I VATS license (B13) for providing "domestic Internet protocol virtual private network services". However, if the MNC only provides solutions for remote network access by travelling employees or those working from home, the MIIT recognises that this could be deemed a purely internal business purpose (i.e. a non-commercial purpose), and thus the VATS licensing requirements will not apply in that case.

In practice, however, less enforcement has been observed against VPNs operated without approval for internal business and non-commercial use, as opposed to the comparatively aggressive clean-up and shut-down enforcement against unauthorised VPN services for cross-border connections.

Further obligations to note for network connections in China

The design of VPN for domestic network connections may involve operating some kind of on-premises services accessible from the internet. If this is the case, the company may be subject to further obligations, including for instance:

• ICP registration to open ports 80, 8080 and 443.

An internet content provider ("ICP") recordal (for non-commercial purpose) or license (for commercial purpose) will be required for those on-premises web servers hosted in China. Upon the recordal with or license from the MIIT, such servers should be further filed with the local PSB. If such servers and the opening of these ports are not filed, websites operating on ports 80, 8080 and 443 will be blocked by the local telecom operators under relevant telecoms and international rules [7].

• Compliance with cyber security and personal information protection requirements under China's Cyber Security Law ("CSL") and its implementing rules and regulations.

A business which operates a VPN for network connection could be deemed a network operator [8] under the CSL, and therefore may be subject to legal requirements to, for example:

° implement security protection measures in accordance with the network classification as defined under the multi-level protection scheme ("MLPS");
° assign personnel to be responsible for network security;
° establish and implement security policies and technical security measures;
° have operational guidelines and procedures in place for physical security and cybersecurity management;
° identify user identity, and take attack prevention measures; and
° monitor cybersecurity status and implement cybersecurity incident management, and retain relevant network logs for no less than 6 months, etc.

Observations

In assessing the feasibility of cross-border and domestic network connections for internal business purposes, MNCs should comply with their respective obligations under applicable telecommunications regulations, taking into consideration wider cyber security requirements. As this is a fast-evolving area in China, MNCs should keep monitoring regulatory developments.

[1] Beijing police launched a campaign to clean up the Internet in 2020, May 2020, http://legal.people.com.cn/n1/2020/0525/c42510-31721665.html.

[2] Circular of the Ministry of Industry and Information Technology on issuing the “Classified Catalogue of Telecommunications Services”, MIIT, 2015; Measures for the Administration of Telecommunication Business Operation Licence, MIIT, 2017, etc.

[3] Interim Administrative Regulations of China on International Networking of Computer Information Networks, State Council, 1996; Measures on the Administration of International Communication Accesses, MIIT, 2002.

[4] Notice on Cleaning Up and Regulating the Internet Access Service Market, MIIT, 2017.

[5] Currently, China Telecom, China Unicom and China Mobile are the only three telecom operators in China who have been granted the required basic telecommunications business licenses to provide the said VPN service for international network connection.

[6] Cross-border Data Communications Services Policy Briefing Session, CAICT, etc., 2018; China's Cross-border Data Telecommunications Industry Self-Regulations, China Data Telecommunications Industry Association, 2018, http://www.caict.ac.cn/xwdt/ynxw/201809/P020180904537920716900.pdf

[7] E.g. see the notice of China Telecom issued in Nov. 2017, http://www.189.cn/sh/sy_ycgg/96550.html.