A growing number of multinational corporations (“MNCs”) with multiple outlets or offices across China will face the common problem of how to find a fast, secure, and reliable way to share information and resources between subsidiaries and overseas head office via networks. Additionally, employees on the go or those working from home (especially given the recent COVID-19 outbreak which has resulted in lockdown and office closure situations) require an equally secure and reliable solution to connect to their company’s computer network from remote locations.
Nonetheless, the legal status of VPN for network connection in China appears to be murky, accompanied by relatively proactive enforcement actions taken against illegal VPNs for cross-border network connection. In particular, the Beijing Public Security Bureau (“PSB”) recently announced the crackdown on illegal VPNs as one of its 2020 special projects.
To help businesses through this dilemma, this document will outline the legal framework and practice on how to legally realize MNC’s network connections for internal business purposes i) between its overseas head office and its Chinese subsidiaries/branches and ii) in China, such as domestic subsidiary/branch network connection and employee remote network connection.
The legal status of VPN for network connection
VPN technology itself is not illegal under the current legal regime in China. Nevertheless, telecommunications services for business purposes, which are classified as basic telecommunications service (“BTS”) or value-added telecommunications service (“VATS”), if provided on the basis of a VPN, are bound by China’s telecommunications regulations and its rule enforcement provisions, and require the relevant administrative authorizations, including:
• Category I BTS: International Data Telecommunications Services;
• Category II BTS: national fixed network data communication services;
• Category I VATS: Domestic Internet Protocol Virtual Private Network Services.
The conditions to be met to apply for a specific license vary according to the nature of the telecommunications service provided, in particular whether it is a matter of providing a cross-border or national connection.
On the other hand, a multinational is not required to apply for the above authorizations to make its connection to the network through telecommunications services provided by a licensed ISP if its intended activities meet the non-commercial criterion.
a. VPN for cross-border network connection
VPN service for cross-border connection in China is a highly regulated telecommunication service for accessing international Internet channels under China’s telecommunications regulations, which requires special administrative permissions (e.g. Category I BTS: International Data Telecommunications Services) from the Chinese Ministry of Industry and Information Technology (“MIIT”). Companies are prohibited from setting up or leasing private circuits (including VPN) without obtaining approval from telecommunications regulators.
In addition, MIIT requires that VPN service with respect to international private circuits be used by users exclusively for internal official business and not be used to connect to domestic and foreign data centers or commercial platforms for the performance of any public commercial telecommunications operations.
Therefore, multinationals planning to use cross-border private network connections should engage with BTS-licensed telecom operators, either to rent directly
i) in China, international private circuits (including VPNs) provided by such licensed telecommunications operators, or
ii) from overseas, international private circuits (including VPNs) provided by such licensed telecommunications operators, or mandate a foreign operator to do so.
When establishing internal office networks through such private circuits, multinational corporations may entrust qualified third parties (including companies with commercial licenses, including domestic IP-VPN, domestic data transmission over the fixed network, etc.) with the provision of outsourcing services such as system integration, maintenance escrow, etc., but such third parties are prohibited from engaging in the business of leasing or selling international private circuit resources (including VPN).
Organizations should maintain restrictive internal network access policies and stay tuned and vigilant to relevant rules and enforcement action trends to avoid potential disruptions to network access or connections in the future.
b. VPN for domestic network connection
As with cross-border connections, VPNs for domestic connection services, mainly including site-to-site VPNs (for connecting to the network of domestic subsidiaries/branches) and dial-up VPNs (for employee network connection), are regulated by the Telecommunications Regulations.
Site-to-site VPNs are generally subject to IP-VPN regulations in China. In the Classified Catalog of Telecommunications Services, “Domestic Internet Virtual Private Network (IP-VPN) Service” means
“services provided by an operator using its own Internet network resources or leased resources, through the TCP/IP protocol, to customize the closed network of Internet users for domestic users. The Internet virtual private network is mainly established through an IP tunnel and other TCP/IP network technology, which provides a certain degree of security and privacy. The private network can achieve encrypted transparent packet transmission.”
While the literal reading of the regulations regarding the respective licensing requirements is generally understood to apply only to telecommunications-as-a-service (i.e. for commercial purposes) activities, the attitude of the Chinese telecommunications regulator tends to be more conservative. Previous substantive consultations with MIIT suggest that a company may be required to obtain IP-VPN approval for its own establishment of a domestic network connection between different offices, depending on a case-by-case decision by the regulator on how the network is deployed and connected, and whether it is solely for non-commercial purposes.
Namely, multinationals can engage with VATS-licensed ISPs to establish their China-based domestic network connection. If a multinational company intends to establish a domestic site-to-site network connection solution via IP-VPN for its subsidiaries in China for its internal business use, MIIT may, if the non-commercial purpose test is considered failed, require the multinational to apply for a Category I (B13) VATS license for the provision of “domestic internet protocol virtual private network services”. However, if remote network access solutions are provided to traveling employees or those who only work from home, MIIT recognizes that this could be considered a purely internal business purpose (i.e. for non-commercial purposes), so the VATS license requirements will not apply in this case.
In practice, however, less enforcement has been seen against unapproved VPNs for internal and non-commercial use, as opposed to relatively aggressive cleanup and shutdown enforcement against rogue VPN services for cross-border connections.
Other requirements to note for network connections in China
Designing a VPN for domestic network connections may involve operating some sort of on-premises services that can be accessed from the Internet. If this is the case, the company may be subject to other obligations, in particular:
• ICP registration to open ports 80, 8080 and 443.
An Internet Content Provider (“ICP”) registration (for non-commercial purposes) or license (for commercial purposes) will be required for on-premises web servers hosted in China. Upon registration or licensing with MIIT, these servers must then be filed with the local PSB. If these servers are not filed and these ports are not opened, the website which operates on ports 80, 8080 and 443 will be blocked by the local telecom operators under the applicable telecom and international rules.
• Compliance with cybersecurity and personal information protection requirements under the China Cybersecurity Law (“CSL”) and its implementing rules and regulations.
A company that operates a VPN for network connection could be considered a network operator under the CSL, and therefore may be subject to legal requirements, for example:
° implement security protection measures in accordance with the network classification as defined under the Multi-Level Protection Scheme (“MLPS”);
° appoint personnel responsible for network security;
° establish and implement security policies and technical security measures;
° have operational guidelines and procedures for the management of physical security and cybersecurity;
° monitor cybersecurity status and implement cybersecurity incident management, and retain relevant network logs for at least 6 months, etc.
When assessing the feasibility of cross-border and domestic network connections for internal business purposes, multinationals should comply with their respective obligations under applicable telecommunications regulations, taking into account broader cybersecurity requirements. As this is a rapidly evolving area in China, multinationals should continue to monitor any regulatory developments.