Draft Rule Would Require Security Assessment for Internet-Based New Business in China

The Ministry of Industry and Information Technology of China (MIIT) released the draft of “Measures on Security Assessment for Internet-based New Business” for public comment in early June, and the deadline for submitting the comments is on July 9, 2017. The draft stipulates that “internet-based new business” operated by “telecommunication business operators” shall undergo a “security assessment” before launching new online business with new technologies. The draft Measures defines the “internet-based new business” as (i) the new offering of online telecommunication services based on previously obtained licenses for telecommunications services; or (ii) the experimental kind of new telecommunication services operated via internet with new technologies that are not listed in the official Catalogue of Telecommunication Services Classification (Catalogue).

Internet-related businesses in China have been regulated by MIIT for years. The Catalogue was initially promulgated in 2003 and has since been amended several times as new technologies have developed. The last version of the Catalogue was effective in March 2016 and it has classified “telecommunication services” into two major categories, “basic telecommunication services (Class A)” and “value-added telecommunication services (Class B),” with each of them encompassing around 20 sub-categories. An operating permit from MIIT is required to operate a business that falls within the scope of the Catalogue. Many typical internet services (such as email, search engine, instant message exchange, social network, blog, e-commerce, online payment, IDC, CDN, ISP, etc.) have been covered by Class B under the Catalogue. However, the regulators seem concerned that the Catalogue may not be able to keep up with the dynamic new development of internet technologies. As a result, the draft Measures have been issued to impose a security check in the “grey areas” of previously less regulated new technologies. 

The draft Measures indicated that the “security assessment” shall be conducted either by the telecommunication operators themselves or professional third parties. The details of the security assessment cover protection of personal information of the users, internet privacy and security safeguard, network information security and the management programs dedicated to these areas. Assessment reports shall be filed with MIIT within 45 days after the new business is launched. However, further operating details are lacking about how assessments will be performed, the impact of the assessment results, and how they will interact with the existing environment under which internet privacy and security is governed by the Cybersecurity Office of China. In addition, the first part of the definition regarding what is “internet-based new business” is unclear and confusing. It is expected that the final formal rule will clarify such issues.