CBL’s Introduction
China treats IT intrusions and unlicensed VPN-style international line services as crimes that escalate to felonies once certain thresholds are crossed. Managers and directly responsible staff face personal liability when offenses are committed in a company’s name, and facilitators that provide hosting, connectivity, or payments are charged as joint offenders. The rules, translated by CBL into American English using the User Centered Translation approach, map the offense elements and numbers to plain English so businesses can measure risk and prevent potential arrests and fines.

Contents

• License Oversight, Resource Compliance, and Administrative Requirements (¶ 2)
• Policy Support, Compliance Reviews, and Enforcement (¶ 3)
• Governance, Work Plans, and Reporting (¶ 4)

Improving and Regulating the Internet Services Market

China MIIT Telecoms Regulatory Circular No. 32 (2017)

1. Purpose and Mandate

Investigate and take action against unlawful business practices in the Chinese Internet data center (IDC), Internet Service Provider (ISP), and Content Distribution Network (CDN) markets, including unlicensed operations, activities outside authorized services or service regions, and unauthorized resource transfers, ensure each business entity fulfills its obligations, improve operating license administration and access to resources, and enhance network and information security oversight to ensure a fair and orderly market and stable industry growth.

2. Focus

(a) Improving license administration and investigations of unlawful practices

1. Each telecommunications administrative agency shall oversee entities providing IDC, ISP, and CDN services within its jurisdiction and address the following unlawful practices:

(1) Operating without a license. A local business providing IDC, ISP, CDN, or other services without the required telecommunications operating license.

(2) Operating beyond authorized areas. A licensed business sets up IDC server rooms, installs servers, or operates ISP services outside the areas designated in its telecommunications operating license.

(3) Operating beyond the permitted business activities. A licensed business provides IDC, ISP, CDN, or other services beyond the extent of activities permitted in its telecommunications operating license.

(4) Unauthorized transfer or lease of operating license. A licensed business leases, transfers or otherwise provides its operating license or associated resources to an unlicensed entity that engages in unlawful telecommunications operations, including in the form of technical collaborations or otherwise.

2. Any entity that held an IDC operating license before the implementation of the China Telecommunications Service Classification Catalog (2015 Edition) and provided network services or CDN services shall provide a written commitment to fulfill the operating license requirements by the end of 2017 and obtain the telecommunication operating license from the original issuing office before the end of 2017.

Effective April 1, 2017, any entity that fails to submit the required commitment by the deadline must operate strictly within the permitted activities authorized under its business license, and shall not provide any unauthorized telecommunications services.

Beginning January 1, 2018, any entity that has not obtained the appropriate telecommunications operating license by the deadline shall not be permitted to operate.

(b) Strict resource administration to prevent unlawful use

Each telecommunications company and network service provider must conduct a comprehensive internal compliance review of network infrastructure and network access resource use, including IP addresses and bandwidth, to effectively correct the following issues:

1. Ineffective management of network access resources. A telecommunications company shall improve network resource management by reviewing lessee eligibility and usage, and deny service to any entity or individual lacking the required telecommunications operating license for network infrastructure or access resources, including IP addresses and bandwidth, for IDC, ISP, or CDN operations.

2. Unauthorized construction or use of unauthorized resources. IDC, ISP, and CDN providers must not construct telecommunications facilities without authorization or use network infrastructure or network access resources, including IP addresses and bandwidth, provided by any entity or individual lacking the required telecommunications operating license.

3. Repeated subleasing. IDC and ISP companies in China must not sublease IP addresses, bandwidth, or other acquired network access resources to any other entity for use in IDC and ISP operations.

4. Unauthorized international operations. Entities are prohibited from constructing or leasing dedicated lines, including virtual private networks (VPNs), for international business without prior authorization from the appropriate telecommunications regulator. Telecommunications companies shall maintain user records for all international dedicated lines leased to users and must clearly inform users that such lines are for exclusive internal use only. Users must not use these lines to connect to domestic or international data centers or business platforms for telecommunications operations.

(c) Implementing requirements and consolidation of basic administration

Improve the administration of funding, staffing, locations, facilities, technical policies, and information security management, and enhance oversight before, during and after implementation pursuant to Standardizing Market Access for Internet Data Centers (IDC) and Internet Service Providers (ISP), China MIIT Telecoms Regulatory Circular No. 552 (2012) (the “Circular”).

1. Any entity that obtained an IDC or ISP license before December 1, 2012, shall comply with Circular requirements for funding, staffing, location, facilities, technical policies, and information security management, establish appropriate systems, complete the required review, and complete system integration.

Any entity that fails to meet the requirements by March 31, 2017, shall submit a written commitment to the original issuing office to fulfill the requirements, complete the required review, and complete system integration by the end of 2017. The telecommunications regulator shall mandate corrective action for any entity that fails to submit a commitment by the deadline or that fails to comply with its commitment and complete the required system integration and review.

Each applicable entity shall complete the development, review, and integration of its cybersecurity management system pursuant to the requirements and deadlines provided in the Effectively Developing and Integrating Cybersecurity Management Systems Circular, the Reporting Cybersecurity Management System Integration for Value-added IDC/ISP Services in China Circular, and the Cybersecurity Management System Use and Operation Administrative Procedures (Trial) (China MIIT Cybersecurity Circular No. 135 (2016)).

Any business entity that fails to meet the requirements by the specified deadline shall fail its annual telecommunications operating license review for 2017.

2. A business entity applying for a new IDC (Internet Data Center) operating license shall set up a process for filing ICP/IP addresses and domain names, resource management platforms, and information security management systems. The business entity shall also comply with IDC server facility and network information security requirements and pass the required assessment.

3. A business entity applying for a new CDN operating license shall set up a process for filing ICP/IP addresses and domain names, resource management platforms, and information security management systems. The business entity must also comply with network information security requirements and pass the required assessment.

4. A licensed IDC entity seeking to expand into new areas or add new server facilities or service locations within its authorized service region shall comply with the IDC server facility operation and network information security requirements specified in this Circular for the new region and shall pass the required assessment.

5. A licensed ISP (including hosting providers), seeking to expand into new regions shall comply with the network information security management requirements specified in this Circular for the new area and shall pass the required assessment.

6. A licensed CDN business seeking to expand into new regions or add bandwidth or service locations within its authorized service regions shall comply with network information security management requirements specified in this Circular the new region and shall pass the required assessment.

3. Protections

(a) Policy guidance and guidance services

Each local telecommunications regulatory department shall publish and explain policies through multiple channels, provide telephone hotlines for reports and inquiries from businesses, and offer guidance to ensure lawful operations. The China Academy of Information and Communications Technology shall provide support during assessments and assist the Ministry and telecommunications regulator in publishing policies and responding to reports and inquiries from businesses.

(b) Comprehensive internal reviews and autonomous compliance

Each network service provider shall conduct a comprehensive internal review of its affiliates, establish standard operating procedures and compliance requirements, and improve regulatory controls over contract enforcement, usage reviews, and liability for violations to prevent unlawful use of resources. Providers shall promptly take corrective action against any violations and hold responsible persons liable.

Each IDC, ISP, and CDN entity shall fulfill their obligations, perform a comprehensive internal review pursuant to this Circular, promptly correct any violations to ensure their licensed operations and use of network facilities and resources are in compliance, improve the development of management systems, and pass the required assessment.

(c) Improving oversight, inspection, and investigation of compliance violations

Each local telecommunications regulatory department shall enhance oversight and inspections of business entity compliance with applicable regulations. The department shall order entities to correct any violations and conduct a legal review of any entity that refuses to comply. An entity found to have committed major violations shall fail the annual license review, have the violation recorded in its credit record, and be denied renewal of its operating license upon expiration. Network service providers shall consider an entity’s compliance record when entering into partnerships or providing services. The Ministry shall conduct oversight and random inspections as necessary in response to petitions, reports and public concerns.

(d) Improving the entity exit system and continuing obligations to users

A business entity that fails to comply with licensing requirements or has violations recorded in its credit record may not accept new customers. The issuing agency shall order the entity to continue performing its obligations to existing users during this period pursuant to the Telecommunications Operating License Administrative Procedures. The issuing agency shall cancel an entity’s IDC or ISP operating license pursuant to Chinese law upon the entity’s request.

(e) Improving credit management and enhancing employee training

Third party organizations are encouraged to analyze and develop a credit assessment system for IDC/ISP/CDN entities and to conduct consolidated assessments of infrastructure, service quality, and network and information security capabilities to guide entities in improving credit records, improving management systems, and standardizing operations. Each local telecommunications regulatory department shall improve skills training for telecommunications employees to continuously enhance professional skills and competencies.

4. Implementation Requirements

(a) Raising awareness and improving organizational stewardship

Standardizing and regulating internet access services are key to improving overall internet industry oversight and administration and play an important role in improving regulation and supporting stable industry growth. All appropriate agencies should exhibit exemplary leadership to effectively provide assurance and implement regulations.

Each telecommunications regulator and network service provider shall perform their obligations, develop work plans in compliance with the requirements of this Circular, define accountability, establish progress milestones and responsibilities, and refine duties to ensure prompt completion of all standardization and remediation work.

(c) Improving communication through regular activity summaries and reports

Each telecommunications regulatory department and network service provider shall improve communication and coordination, provide regularly activity summaries, submit quarterly reports to the Ministry (China Telecommunications Administration), and promptly report any major issues to the Ministry. The Ministry (China Telecommunications Administration) shall establish a reporting system for regular public disclosure of standardization and remediation work.

Ministry of Industry and Information Technology
January 17, 2017
******************
This Circular was translated to American English from the following government publication:
“工业和信息化部关于清理规范互联网网络接入服务市场的通知”
https://www.cac.gov.cn/2017-01/23/c_1120366809.htm