China’s VPN laws made international headlines in 2023: “Chinese programmer ordered to pay 1m yuan for using virtual private network” (The Guardian). Our translation of the police Regulatory Penalty Letter says that a programmer named Ma “used an unapproved international connection to provide internet consulting services to [redacted] Company for 1,058,000 CNY in unlawful income.” The letter assessed “a 200 CNY fine and confiscation of the 1,058,000 CNY in unlawful income”, so the headline figure was confiscated income rather than the fine itself. It also mentioned an “individual independent contractor” agreement, an arrangement that is non-compliant under Chinese rules on international business and points to tax evasion. From CBL’s perspective, the businesses involved showed a costly ignorance of Chinese law that could easily have been avoided.
International business VPNs in China have been increasingly regulated in recent years, but viable compliance options exist for most use cases. In this article we analyze whether and why VPN use in China may be illegal, and then explain how to use VPNs in China in full legal compliance.
Contents
VPNs Can Be Criminal in China If You Disregard the Law
VPNs if Used for Unlawful Business
Cybersecurity Regulation Risks
How to Achieve Regulatory Compliance
VPNs Can Be Criminal in China If You Disregard the Law
Whether using VPN software in China constitutes a crime has been a live question ever since news broke of arrests for VPN use. Some Chinese lawyers consider it an offense; corporate law firms generally do not. A major point of difference is how Chinese criminal law is worded compared with United States statutes: China criminalizes “intrusion” into computer systems, whereas the United States criminalizes “unauthorized access.” Understanding the statute is essential to mitigating compliance risk.
VPN use is best analyzed as a fact pattern against specific criminal statutes rather than as a single act that is either legal or illegal. Depending on the use case, VPN use in China could fall under one of three overlapping offenses: (a) providing programs or tools used to achieve intrusion into or unlawful control of a computer system; (b) criminal non-compliance with Internet security regulations; or (c) aiding and abetting Internet crimes.
VPNs are mainly used in China to circumvent blocks on websites and software services hosted outside the country. Chinese internet users cannot, for instance, reach the services of Meta (Facebook) or Google without one. Many users nonetheless need international sites, which has made circumvention tools essential; common use cases include scientists doing research and retailers buying online advertising. Currently popular tools include Shadowsocks, Trojan, Tor, and IPFS. Strictly speaking, Shadowsocks and Trojan are encrypted proxy protocols rather than VPNs, and Tor is an anonymity overlay network; this article uses “VPN” loosely for all cross-border tunneling and proxying tools, since the legal analysis is the same for each.
This environment raises the concern that VPN use could implicate criminal law. A common misconception is that, because no provision of Chinese criminal law addresses VPNs by name, VPN use can amount to a regulatory violation at most. In fact, VPN use could fall under one of the general computer-crime provisions, such as intrusion into a computer system or criminal non-compliance with cybersecurity regulations.
There is a genuine issue as to whether providing a VPN could constitute materially facilitating intrusion into or unlawful control of a computer system, and there have been reported court judgments holding that providing VPN tunneling software does constitute that offense.
Section 285 of China’s Criminal Law Act provides that a person commits an offense if they intentionally or knowingly provide programs or tools used to achieve intrusion into or unlawful control of a computer system.
Whether a given tool achieves intrusion or unlawful control turns on specialized technical facts that a judge typically cannot evaluate alone, so the judgment in a VPN case will generally follow the conclusions of an expert witness. Judges nonetheless recognize that “intrusion” and “unlawful control” are legal terms of art in the statute. The situation resembles patent litigation, where both technical and legal training are necessary: a correct judgment in a VPN case requires an understanding of the technical domain together with a thorough understanding of the statute and its legislative intent.
Providing programs or tools for someone else to intrude into or take unlawful control of a computer system is a facilitation offense, that is, helping someone else commit a cybercrime. From the law’s perspective, therefore, the question of whether the VPN tunneling software itself is a tool for gaining unauthorized access to or unlawful control of a computer is dispositive.
Section 2 of the Supreme Court interpretation on Computer Crimes defines the programs and tools covered by the offense as:
- Programs or tools that bypass or penetrate a computer system’s security measures, without authorization or exceeding authorization, to gain access to its data or functionality;
- Programs or tools that bypass or penetrate a computer system’s security measures, without authorization or exceeding authorization, to control its data or functionality;
- Any other programs or tools specially designed to achieve intrusion into or unlawful control of a computer system, or to unlawfully obtain data from a computer system.
The judicial interpretation thus makes clear that the terms of art “intrusion” and “unlawful control” refer to obtaining data from a computer system without authorization or taking control of it without authorization. Taking unlawful control in this sense involves actions such as injection, spoofing, scrambling, hijacking, or bypassing the system’s protections; intrusion involves obtaining the system’s data without authorization.
The National People’s Congress also stated that its intention under the statute was to cover tools that bypass login or authentication controls to obtain data, such as those used to facilitate SIM-swap scams.
On these definitions and this legislative intent, typical tunneling or proxy software (such as the Clash client) cannot by itself achieve intrusion into or unlawful control of a computer system. Such software uses encryption and tunneling to get traffic past China’s national firewall, which filters traffic and actively probes suspected proxy servers. The tunnel does not bypass or penetrate the security of a government computer system in order to intrude into or control it, and it does not obtain data from that system; nor, on this view, is any computer system outside China a target system within the meaning of the statute. Despite ample legislative opportunity, there is remarkably little regulation addressing the Great Firewall itself.
Thus, most technology lawyers in China currently take the view that VPNs are not a means of intrusion or unlawful control and therefore do not fall under the hacking provisions of the China Criminal Law Act.
Providing VPN Tunneling Software Could Constitute a Criminal Business Operation
The China Criminal Law Act at Section 225 provides, “An unlawful business operation is a significant act that violates a law and disrupts market order in one of the following four ways: […] (iv) Other actions that significantly disrupt market order.”
Provision (iv) raises an issue as to whether VPN tunneling software is a business activity that seriously disrupts market order.
Most practitioners agree, however, that VPN tunneling software does not constitute an unlawful business operation that disrupts market order. The Supreme Court interpretation on Telecommunications Cases (2000) provides that providing an international private or leased line in a way that severely disrupts the telecommunications market constitutes the offense of unlawful business operations.
Under this interpretation, the question is whether operating a VPN amounts to carrying on an unlawful telecommunications business by providing an international private or leased line. However, Section 2 of the interpretation limits its scope to incoming and outgoing calls, targeting businesses that resold voice services at a margin.
Moreover, numerous lawyers in China have pointed out that the interpretation was issued in 2000, long before VPN tunneling was commonplace in China, so as a matter of legislative intent it could not have impliedly contemplated banning VPNs.
A close reading of Section 225(iv) of the Criminal Law Act together with the telecommunications regulations should therefore lead to the conclusion that VPN use is not criminalized in itself.
If a VPN is used to commit illegal activities and is provided in order to assist them, then providing it can constitute aiding and abetting a crime. A good case study is Binance, the cryptocurrency exchange founded in Shanghai, which United States authorities found to have facilitated money laundering, in part by encouraging users to use VPNs to circumvent the company’s own geolocation-based compliance controls.
The company was forced to leave China and was eventually fined billions of dollars in the United States, where the VPN guidance was introduced as criminal evidence under United States law. As in legal regimes around the world, a business that knowingly provides VPN access to someone using it to commit fraud can be liable as well. Note that in the publicized case of the programmer, the VPN was apparently being used in furtherance of an unlawful business operation.
Providing VPN Tunneling Software Could Be Considered Criminal Non-Compliance with Cybersecurity Regulations
Section 286 of the China Criminal Law provides that continuing a violation after a warning from the police or cybersecurity regulators about non-compliance with cybersecurity requirements constitutes a criminal offense. Importantly, the statute imposes no service-of-process requirement for the warning; Chinese regulators often give notice by a single text message or phone call.
An important feature of China’s legal regime is that politically incorrect speech can itself be a crime, and service providers bear duties in relation to it. This differs sharply from the United States, where there is currently some controversy over whether the First Amendment protects even speech urging political violence that results in specific harm. In its structure, the duty placed on service providers is not unlike the obligations the Digital Millennium Copyright Act imposes on internet service providers.
Beyond criminal liability, non-compliant VPN providers can be subject to active blocking. This may be one reason why many users of ExpressVPN and NordVPN in China can rarely get a connection, whereas services from far less technically sophisticated Chinese providers are reliable and fast.
Major international firms Mintz and Bain were raided in 2023 over security concerns (BBC), so the possibility that a cybersecurity compliance failure triggers a major incident is a realistic one.
These rules imply that a business operating in China should not accept local employees’ assurance that ignoring compliance requirements is “normal” and that “everyone is doing it.” Moreover, the view of many lawyers that VPN use is “merely” a regulatory matter has proven false: the criminal law provides penalties, as shown above, and police have proven willing to charge aggressive non-compliers. A business with basic regulatory compliance knowledge is, however, well placed to avoid unexpected legal problems.
What Could the “Criminal” Programmer Have Done?
At the start of this article we cited a news headline about a Chinese programmer penalized 1 million CNY for using a VPN to work remotely for a foreign company. As the criminal law analysis above should make clear, the real reason for the penalty was that the VPN was the essential accessory to several business offenses, including criminal tax evasion and unlicensed business operations. The participants probably had not read CBL’s translations of China’s foreign investment law and were unaware that an individual programmer in China can be structured as a foreign business and thereby qualify for legal VPN use. This method, involving special purpose vehicles, is a corporate law topic described in CBL’s law summary here.
As a jurisdiction, China places heavy emphasis on registration: unlike in the United States, everyone is expected to register their business, payments, and foreign involvement, and every payment to an individual is itemized in detail in the government’s individual income tax app. Chinese regulators have canceled entire foreign brands in the past, as described in our article on trademark trolls here. By registering nothing and, as the police letter indicates, paying no tax, the programmer was in violation of numerous laws against unlawful business operations.
The programmer and client could have avoided these problems by adopting an effective legal compliance strategy.
Regulatory Compliance Analysis
China’s regulatory regime around VPNs has been built up only in the past five years. In practice, most international companies in China use VPNs to collaborate and share data, yet even their leadership and legal counsel are largely unaware of VPN compliance requirements. According to lawyers and regulators in this field, the widespread use of VPNs as “shadow IT” means it is extremely common for international companies to use VPNs illegally. Shadow IT here means software used by employees without the enterprise’s knowledge or approval, which usually creates security risk and, in this case, legal exposure as well. In this section we look at what this new field of law requires and how businesses can achieve VPN compliance.
VPN law in China has evolved considerably in recent years. In 2017, the Ministry of Industry and Information Technology (MIIT) issued its Circular on Internet Service Market Regulation, which explicitly prohibited establishing or leasing an international private line (including a VPN) without regulatory approval. Licensed network service providers (NSPs) may now provide international private lines to customers, but employees are restricted to using the service for company work.
Achieving compliance with China’s VPN laws is relatively straightforward: the easiest route is to select a licensed service, either an entity holding permits to provide international telecommunications or a network service provider authorized to provide cross-border telecommunication services. Currently, VPN services may only be used legally when obtained from such providers; services from other companies remain illegal. China is, however, planning major internet service liberalization reforms, which you can read about here, so more providers may become available in the future.
Secondly, a VPN service purchased from a network service provider should be used only for business purposes. Some provider contracts reportedly prohibit using public IP addresses over the line or subletting the connection to others; nonetheless, a number of private VPN services in China reportedly run on sublet carrier capacity. Cross-border telecommunications regulations additionally require a declaration of cross-border VPN usage to be filed with the Ministry of Industry and Information Technology.
Corporate VPN compliance requires getting IT staff and users to follow rules in a field where local staff and managers alike routinely normalize non-compliance. You should therefore have a compliance policy reviewed with legal memoranda in Chinese, with English versions prepared by professional translators rather than by freelancers or in-house staff. Make sure both local and international collaborators can clearly understand the requirements; if the language sounds awkward, it is probably misleading. Since the police raid on Bain over data non-compliance, many companies have also opted for third-party auditors who are not under the control of local office management.
What should a compliance program involve? The first step for a foreign company is to find a service provider and verify that it holds the permits required to provide a VPN service legally. Network service providers authorized to provide a private line will also need approval from the telecommunications import/export bureau.
After obtaining a legal VPN service, the company should set up a compliant system and network policy. VPN usage should be tightly controlled so that it serves only the company’s business purposes; allowing employees to use the line to watch politically sensitive news broadcasts, for example, could result in a violation being assessed. Secondly, the line should not be used to connect to a data center or platform that itself provides telecommunications services.
Definitions of “telecommunications” in China are extremely broad and can cover both IaaS and SaaS applications (especially no-code/low-code applications used internally). For example, routing a VPN line to an AI internet browsing service falls under these rules and has been subject to enforcement.
Compared with the United States, regulators in China are proactive about releasing new regulations with detailed explanations; for example, we have an article about liberalized rules planned for a pilot project in 2025. In the meantime, a conservative approach to enterprise network access is advisable: inventory what information and services employees actually need to reach over the line, and block at the network level any external site that may pose a compliance risk. Allowlisting only the documented business destinations, rather than blocking known problem sites one by one, is the safer default because an unreviewed destination is then a finding rather than a silent pass.
Chinese cybersecurity law requires keeping reasonable network access logs and taking action against staff who use the business network for unlawful purposes. As described in the criminal law section above, knowingly providing a person with VPN access to carry on illegal activities is itself a crime. Compliance training that makes staff aware of the risks illegal VPN use poses to the company, and of the possibility of disciplinary action or termination, adds a further layer of protection.
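The access-control and log-review steps in the two paragraphs above, as an added example that is not code from the article or from CBL: a small Python script that checks an egress proxy’s access log for a licensed business line against a default-deny allowlist of documented business destinations and an explicit denylist of forbidden ones (non-business media, onward telecommunications services), and produces findings per user for compliance follow-up. The log format, hostnames, users, and pattern lists are all constructed for illustration; a real deployment would take them from the company’s own compliance memo and proxy.

```python
"""Egress log review for a licensed cross-border business line.

Added example, not code from the original article. It assumes a constructed
space-separated proxy log format (timestamp, user, destination host, port,
bytes) and illustrative allowlist/denylist patterns.
"""
from __future__ import annotations

import fnmatch
from collections import Counter
from dataclasses import dataclass

# Constructed allowlist: destinations with a documented business purpose.
# Exact hosts are listed before wildcards so the most specific reason is reported.
APPROVED_DESTINATIONS: dict[str, str] = {
    "git.example-corp.com": "source control",
    "mail.example-corp.com": "corporate mail",
    "*.example-corp.com": "corporate SaaS (HQ)",
}

# Constructed denylist: patterns the compliance memo explicitly forbids on the
# business line (non-business media; onward telecom services, i.e. subletting).
BLOCKED_DESTINATIONS: dict[str, str] = {
    "news-streaming.example": "non-business media",
    "*.public-proxy.example": "onward telecommunications service (subletting)",
}

# Constructed sample log; each line is "<timestamp> <user> <host> <port> <bytes>".
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice git.example-corp.com 443 18234
2024-03-04T09:13:44Z bob mail.example-corp.com 443 5120
2024-03-04T12:30:09Z carol news-streaming.example 443 904221
2024-03-04T13:02:55Z dave relay.public-proxy.example 8443 32000
2024-03-04T13:05:10Z carol unknown-site.example 443 2048
"""


@dataclass(frozen=True)
class Entry:
    ts: str
    user: str
    host: str
    port: int
    nbytes: int


def parse_line(line: str) -> Entry:
    """Parse one log line; hostnames are normalized to lower case, no trailing dot."""
    ts, user, host, port, nbytes = line.split()
    return Entry(ts, user, host.lower().rstrip("."), int(port), int(nbytes))


def _first_match(host: str, patterns: dict[str, str]) -> str | None:
    for pattern in patterns:
        if fnmatch.fnmatchcase(host, pattern):
            return pattern
    return None


def classify(host: str) -> tuple[str, str]:
    """Return (verdict, reason). Explicit deny beats allow; anything not on the
    allowlist is 'unapproved' because the line is default-deny, not default-allow."""
    host = host.lower().rstrip(".")
    pat = _first_match(host, BLOCKED_DESTINATIONS)
    if pat is not None:
        return "blocked", BLOCKED_DESTINATIONS[pat]
    pat = _first_match(host, APPROVED_DESTINATIONS)
    if pat is not None:
        return "approved", APPROVED_DESTINATIONS[pat]
    return "unapproved", "no documented business purpose (default deny)"


def review_log(text: str) -> list[dict]:
    """Return one finding per non-approved connection, in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        verdict, reason = classify(e.host)
        if verdict != "approved":
            findings.append({"ts": e.ts, "user": e.user, "host": e.host,
                             "port": e.port, "verdict": verdict, "reason": reason})
    return findings


def findings_per_user(findings: list[dict]) -> dict[str, int]:
    """Count findings by user so repeat non-business use can be escalated."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['user']:<6} {f['host']:<28} {f['verdict']:<10} {f['reason']}")
    print("findings per user:", findings_per_user(results))
```

The denylist is consulted before the allowlist so that a forbidden host under an otherwise approved domain still produces a finding, and an unknown host is reported as “unapproved” rather than silently allowed; both behaviors follow from the default-deny posture recommended above. The findings list is the record the access-log requirement calls for, and the per-user counts are what a compliance officer would use to decide on training, warnings, or disciplinary action.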
FURTHER READING
Get authoritative insights about Chinese foreign investment law from official government guidance in translation:
For a general overview of this topic, see also CBL’s Foreign Investment FAQ.