Information and Communication Technology (ICT) EU SME Topics

China’s laws and regulations in the field of cyberspace have apply to all entities and individuals operating from within mainland China. EU firms with legal presence in the country have to fulfil all the obligations mandated by China’s legal framework. At the same time, existing laws and regulations have an extraterritorial reach, which applies to overseas entities based abroad in case:

• Data processing activities outside the territory of China might be detrimental to the China’s national security, public interest or rights of its citizens and organisations (Data Security Law, Art. 2).
• Entities outside the territory of China yet processing the personal information of natural persons located within China with the aim of: providing products and services to natural persons located in China, analysing or assessing their conduct, or under any other circumstances as provided by any law regulation (PIPL, Art. 3.2).

Hence, EU SMEs falling under this scope will need to comply with Chinese laws and regulations even without a legal presence in China. A dedicated entity or representative must be appointed in China by overseas PI processors. China has established a robust framework for punishing or retaliating such cases, including the Anti-Espionage Law, the Foreign Trade Law, and Anti-Foreign Sanctions Law.

Despite this, in such cases, monitoring non-compliant cases and enforceability outside the territory of China will be challenging. But future operations within mainland China will certainly be affected.

All websites and mobile apps that want to legally operate and provide online services in mainland China, must obtain an ICP License (Internet Content Provider License). The ICP license ensures compliance with Chinese internet regulations and facilitates smoother operations for businesses targeting Chinese consumers or offering services in China; websites or apps operating without an ICP license may be blocked by Chinese internet service providers, making them inaccessible within mainland China.

There are two types of ICP licenses:

• ICP Filing (ICP备案): This is the most common one, required for non-commercial websites (e.g. company websites) and free apps. Completing this filing is relatively straightforward.
• ICP Commercial License (ICP许可证): This is required for websites and mobile apps offering commercial activities, such as e-commerce, value-added telecom services, or in-app purchases. Obtaining such licenses is extremely hard.

Both ICP filing and ICP commercial license require the company to be a legal entity in mainland China. Companies without legal representation in mainland China cannot host a website in mainland China, unless they partner with local partners. While being a joint venture or wholly foreign-owned enterprise (see FAQ “What types of companies can I establish in China?”) is generally sufficient for ICP filing, for the ICP commercial license it is generally required that the applicant is a Chinese domestic entity. In such cases, EU entities will need to work with a local partner.

At the same time, if a website is stored outside mainland China (e.g. Hong Kong or in the EU), companies may choose not to obtain the ICP license. However, such websites will face slower loading speeds and restricted access within mainland China, impacting user experience.

Over the past few years, China’s central government regulators have established a robust framework for cybersecurity, data security and personal information protection. These stipulate a number of requirements and obligations for any entity operating in China; as well as for foreign entities, even if without legal representation in China, but providing certain products or collecting data in China (see FAQ “Do I need to comply with China’s cybersecurity laws?”).

A central part of the framework relates to cross-border data transfers. The requirements and procedures are summarised as follows:

• Personal information (PI):
  • If the PI to be transferred abroad, in one calendar year, do not exceed 100k individuals, or do not exceed 10k sensitive PI, then it can be transferred freely
  • If the PI to be transferred abroad, in one calendar year, exceeds 100k individuals, but do not exceed 1 million individuals, data processors must sign with the offshore receiver, and submit to Chinese authorities, Standard Contract Clauses; if the data processor and the offshore receiver belong to the same business group, a certification might be obtained.
  • If the PI to be transferred abroad, in one calendar year, exceed 1 million individuals and/or 10k sensitive PI, a security assessment must be conducted with Chinese cybersecurity regulators prior to the cross-border transfer. The process is extremely long and complex

If the personal information is anonymised, without the possibility to restore it to its original state, then it is not subject to cross-border transfer restrictions (unless it is classified as “important data” – see below).

• Data:
  • Important data, namely data that, if tampered with, leaked, compromised, or illegally acquired or used, may cause harm to China’s national security or public interest. It can be transferred overseas only after a security assessment has been concluded with Chinese cybersecurity regulators. The process is extremely long and complex
  • Generic data, namely any data that is not important.

China has issued a number of standards for the identification of important data. These include general principles, as well as guidelines for specific sectors. Essentially, operators will be notified by relevant authorities in case the data processed by them is considered important data. Detailed “negative lists” are also being published by Chinese Free Trade Zones to regulate cross-border data transfers from their jurisdictions.

In practice, the impact on EU SMEs is, so far, more limited compared to large multinational corporations and research institutions. Exceptions can be found in case EU SMEs have active R&D operations within China, and operate in highly strategic sectors (e.g. semiconductors, mining, etc.) and/or sectors where massive amount of personal information is collected (e.g. life sciences, automotive)

Finally, it must be noted that remote access, from abroad, to a document hosted in China is also considered as cross-border data transfer, even if there is no transfer per se.

The EU SME Centre has developed a solid amount of materials and knowledge in the field. For more details, please reach out to us via the Ask the expert service.

Chinese laws and regulations require that, for certain IT/software products, several additional requirements and obligations may apply, including the obtainment of relevant certifications. These may include, for instance:

• Certification for critical network equipment and network security product, if the product is included in China’s Catalogue of Critical Network Equipment and Network Security Products (网络关键设备和网络安全专用产品目录). The Catalogue currently includes 4 critical network equipment and 34 network security products such as web application firewalls, intrusion prevention and detection systems, information exchange products, security database systems, etc.)
• Certification for information security products, for 13 types of information security products, largely matching those in for critical network equipment and network security products but with a stronger focus on security. In fact, in most cases the two certifications can be applied for and obtained at the same time.
• Mandatory cybersecurity review, if a software is to be used by critical information infrastructure operators (CIIOs), entities operating networks with higher level of security, as well as network platform operators with 1+ million users and/or planning to list on foreign markets. The review is conducted based on the provisions of the Cybersecurity Review Measures.
• Certification for commercial cryptography products, for products with encryption functions (even if encryption is not the core function of the product).