Cloud service providers’ key compliance issues

From both commercial and technological standpoints, cloud-based computing services (commonly referred to as cloud services) are often seen to be comprised of public cloud and private cloud services. Public cloud services can be further divided into three categories: Software-as-a-Service (SaaS); Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). As cloud service businesses continue to rapidly develop, related service providers are also growing. This article provides a brief analysis of compliance issues affecting cloud service providers.

OPERATING PERMITS

According to the Circular on Regulating the Market Operations of Cloud Services (Draft for Public Comment) issued by the Ministry of Industry and Information Technology (MIIT) in November 2016, “cloud service” refers to the internet resources collaboration services (IRCS) business, which falls under the scope of the Internet Data Centre (IDC) business.

In the 2015 Classification Catalogue of Telecommunications Services, the IRCS business refers to services that utilize equipment and resources dependent upon data centres to provide users with services such as data storage, internet application development environments, internet application deployment, and operation management.

Therefore, many IaaS/PaaS/SaaS services will be regarded as IRCS businesses once the circular on cloud services is officially promulgated. At that time, the providers of these services will not be able to legally provide cloud services until they obtain a value-added telecommunication service permit for IDC business, i.e., an IDC permit.

IDC BUSINESS THRESHOLD

Pursuant to the Circular on Further Standardizing the Market Access for Businesses Concerning Internet Data Centres and Internet Service Providers, and the Implementing Rules on Further Standardizing the Market Access for Businesses Concerning Internet Data Centres and Internet Service Providers (the IDC market access circular and rules) issued in 2012 by the MIIT, the application for, and legal possession of, an IDC permit is required to meet relevant requirements on funding, personnel (special personnel for network and information security, full-time network and information security management personnel, and emergency contacts), premises (self-owned or leased computer rooms), facilities (such as switching equipment and routing equipment), and other requirements.

Therefore, as the IDC business scope now extends to cloud services, the entry requirements for cloud service providers will also increase, which will have a great impact on the cloud computing service industry.

SECURITY SYSTEMS

Pursuant to the IDC market access circular and rules, IDC permit holders should build relevant network and information security management systems. Such systems should have technical capacities including basic data management, access log management, illegal websites and illegal information detection and disposal, and should also accept the supervision and inspection of competent departments regarding network security work.

In addition, provisions concerning network and information security (e.g., network data and user information protection) in the Decision of the NPC Standing Committee on Strengthening Network Information Protection, the Cyber Security Law, the National Security Law and other applicable laws and
regulations are also applicable to cloud service providers.

REGULATORY ROLE

Cloud service providers often possess internet access resources such as network infrastructure, IP addresses and bandwidth, while a large number of their customers are telecoms operators, such as internet information service providers. According to applicable law, these resources can only be provided to licensed units or individuals. Therefore, cloud service providers actually function to a certain extent as regulators for reviewing their customers’ qualifications before providing services and access resources. In this regard, the circular on cloud services specifies that cloud service providers should fulfil their management responsibilities for users who access their services, including by: going through filing procedures; monitoring whether the users carry out business by using the network facilities and resources as agreed with the providers; strengthening management of user publications; and coordinating security reviews as required by relevant regulators.

In practice, some cloud service providers fail to fulfil their regulatory role to review and supervise, allowing some of their customers who are not properly licensed to provide services to end users. This type of non-compliance poses significant legal risk to cloud service providers.

OTHER REQUIREMENTS

Cloud services providers are also facing other critical operational compliance requirements. For example, the circular on cloud services requires that when providing cloud services to domestic users, service facilities and network data should be placed or stored within the PRC. Likewise, all cross-border operations and maintenance, as well as data flow, must comply with applicable national regulations.

In summary, as the relevant laws and regulations surrounding this sector continue to take final form, cloud service providers will face a number of operational compliance requirements. The authors recommend that these providers consult with legal counsel in a timely manner to ensure that their business operations are fully compliant.

Ben Chai and Cloud Li are associates at DaHui Lawyers