Trapped behind the firewall

Foreign VPN services disrupted in China: a change in law or a change in enforcement?

shutterstock_94472311 small size

In January 2015, a number of virtual private network (VPN) companies located outside of the People’s Republic of China (PRC or China) that serve customers within China reported major disruptions of service. These disruptions, reportedly the result of an upgrade to China’s censorship system stemming from safety concerns, have affected many companies and individuals in China who use VPNs to visit websites outside the country—including websites that are important for their businesses and investments in China—which are censored by the Great Chinese Firewall. Sherry Gong and Nolan Shaw of law firm Hogan Lovells explain how this troubling situation has arisen and caution that it could have implications on China’s future development.

Following the recent tightening of Internet control measures, a Ministry of Industry and Information Technology (MIIT) official explained in a public statement that only companies acting in accordance with Chinese law are protected under Chinese law, implying that the delivery of services by companies acting outside of the parameters of Chinese law, as many if not all foreign VPNs apparently do, remain vulnerable to disruption and interference.

China regulates the Internet, including commercial VPN services, through a telecoms licensing system which for the most part is closed to foreign investors, despite heavy interest and demand for foreign technology and services. This telecoms licensing system is set forth in the 2000 PRC Telecommunications Regulations and the 2003 Circular of the Ministry of Information Industry on Readjustment of the ‘Classified Catalogue of Telecommunications Services’.  Under this system, commercial VPN services are classified as a value-added telecoms (VATS) service, requiring a VATS licence.

According to the 2002 Provisions on the Administration of Foreign-Invested Telecom Enterprises (Amended), in theory foreign investors can obtain a VATS licence to provide commercial VPN services in China through the establishment of a Sino-foreign joint venture (JV) enterprise, with a maximum foreign equity ratio of 50 per cent.  In practice, however, this licence is generally not open to foreign investors at all.[1]

This licensing regime is generally limited to engagement in telecom activities or telecom-related activities within the PRC.  While a number of factors can be at play in deciding whether a VATS service is occurring within the PRC, a good rule of thumb seems to be the location of the servers involved. Generally speaking, servers located in China are within the MIIT’s regulatory reach, and those located outside of China are not.

So the physical location of the server is important from a jurisdictional perspective but, as we know, the World Wide Web is known for crossing geographical borders and it is on this cross-border basis that foreign companies have offered VPN services to customers within China. Yes, there are some practical difficulties to the cross-border model—for example, payments for services must usually be paid in foreign (i.e. non-Chinese) currency, which is inconvenient for some consumers within China—but over the past few years this model has generally worked.

That does not mean that the MIIT does not regulate cross-border Internet activity. In fact it does, or at least tries to, by regulating the international Internet infrastructure gateways that link the Chinese Internet with the rest of the world. Under the 2002 Measures for the Administration of International Communications Gateway Exchanges, international gateways in and out of China are heavily regulated and only state-approved, state-invested actors may operate the switches, which they must do in conformity with the MIIT’s laws and policies. Setup of virtual networks for the purpose of operating telecoms services via the international Internet gateways (this would include foreign VPN service providers operating on a cross-border basis) must be reported to the MIIT for approval.  And, on a related note, setup of VPNs for internal use via the international Internet gateways must be record-filed with the MIIT, although it is not clear whether the recording requirement for internal use of VPNs has been strictly enforced in practice.

Thus commercial VPN service providers are subject to MIIT licensing/approval whether they operate on a domestic basis or a cross-border basis and those that do not secure such licensing/approvals run a constant risk that the Chinese authorities will use their self-asserted rights of ‘cyber-security sovereignty’ to shut down their services. Recent shutdowns, therefore, are not due to a change in the law but rather result from a change in the level of enforcement, perhaps due to advances in the government’s technological capabilities in identifying and blocking VPN traffic.

There has been legislative activity in other aspects of cyber-security, however, including the publication of draft cyber-security review rules, which require foreign companies selling phones and tablets to build ‘back doors’ into their products and to provide source code to the government. Additionally there is the publication of a draft anti-terrorism law, which calls on companies to store all data related to Chinese users on servers in China.

From a security perspective these laws may be viewed by the government as being a benefit, or even necessary to some degree. But they may also have a further detrimental effect on the business environment and foreign investment in China, which has already been adversely impacted by existing Internet restrictions. Many businesses and individuals traditionally used VPNs as a work around but following the government clamp down at the beginning of 2015, the foreign-invested business community has reported increased difficulty in doing business. A recent European Chamber member survey[2] revealed that:

  • 86% of respondents reported a negative effect on their business as a result of certain websites and online tools being blocked, a 15% increase compared to June 2014;
  • 80% of respondents have recorded a worsening business impact as a result of the recent further tightening of Internet controls beginning in early 2015; and
  • 13% of respondents have recently deferred R&D investment or have become unwilling to set up R&D operations in China since Internet restrictions were tightened in early 2015.

Given China’s interest in sustaining economic growth and its recent indications elsewhere that it intends to improve its business environment for foreign investment, it will be interesting to observe how the PRC Government will balance its concerns for cyber-security against its continued economic development.

Hogan Lovells is a global legal practice with over 2,800 lawyers in more than 40 offices including three offices in Greater China, five offices in the rest of Asia, and 17 offices in Europe. The Beijing, Shanghai and Hong Kong offices provide a full range of services covering antitrust/competition law, banking and finance, corporate and contracts, dispute resolution, government and regulatory, intellectual property, media and technology, projects, engineering and construction, real estate, and restructuring and insolvency.

[1] An exception to this may be for Sino-foreign JVs established in the China (Shanghai) Pilot Free Trade Zone. The new policies there may make foreign participation in providing IP-VPN services in China a reality.

[2] Internet Restrictions Increasingly Harmful to Business, Say European Companies in China, European Union Chamber of Commerce in China, 12th February, 2015, http://www.europeanchamber.com.cn/en/press-releases/2235/internet_restrictions_increasingly_harmful_to_business_says_european_companies_in_china.