To date, no laws or regulations that specifically regulate the metaverse have been enacted in the People’s Republic of China (PRC). However, metaverse platform providers and participants should pay attention to laws and regulations regarding the PRC telecoms regime, virtual property, personal information (PI) and other data, and intellectual property (IP), including the following:

• the PRC Telecommunications Regulations, the PRC Administrative Measures for the Licensing of Telecommunications Business and the PRC Classification Catalog of Telecommunication Services set out myriad restrictions and requirements on telecoms services in China;
• the PRC Copyright Law, the PRC Trademark Law and the PRC Anti-Unfair Competition Law (AUCL) are key pieces of legislation concerning IP rights in China;
• the PRC Civil Code came into effect on 1 January 2021 and covers a wide range of parties' private rights; Article 127 clearly imparts legal status to virtual property, just the same as any object of civil rights; and

• the various laws of the cybersecurity regime, beginning with the PRC Cybersecurity Law of 2017 and most recently including the PRC Data Security Law and the PRC Personal Information Protection Law (PIPL), set out numerous rules for the collection, transfer and other processing of various kinds of data.

Each of the above areas of law is further specified by national and local regulations and rules, although still not addressing the metaverse specifically.

The metaverse is specifically addressed, however, in development plans of several large cities, including Beijing, Shanghai and Chongqing, in order to attract investments from metaverse companies. Furthermore, in April 2022, an industry association – the Shenzhen Information Service Industry Blockchain Association – released two documents with specifications of terms and technical requirements for their respective areas: “Metaverse Identity Authentication System Based on Blockchain Technology” and “Metaverse Payment Clearing System Based on Blockchain Technology”.

PRC Telecoms Regime

Depending on the business model and the telecoms resources to be used for the metaverse, PRC telecoms regulatory requirements might be triggered. The internet and telecoms sectors in the PRC are subject to a comparatively rigid licensing regime, which might be applicable to companies offering services to PRC customers via an onshore model (with servers, data and other facilities/resources within China).

In particular, if an entity offering services via an onshore model would like to engage in activities that fall under the definition of “basic telecoms services” or “value-added telecoms services”, then it will first need to obtain the relevant licences according to the Catalog of Telecommunications Businesses, issued and regularly amended by the Ministry of Industry and Information Technology (MIIT). As examples, depending on the business model and product features to be implemented, engaging in metaverse activities may require an Internet Content Provider (ICP) licence or a Service Provider (SP) licence (if the services are provided through mobile networks), at least one of which is a prerequisite for metaverse platform operators to provide services falling into any one of the following sub-categories:

• Information Publishing Platform and Delivery Services, which usually refer to online services provided by a platform disseminating content in the form of text, video or applications;
• Information Community Platform Services, which usually refer to online services provided by platforms that allow users to exchange information;
• Information Search Services, which usually refer to online services provided by search engines such as Baidu and Bing;
• Information Instant Interaction Services, which usually refer to online services that allow users to exchange information instantly through a service provider’s product; and
• Information Protection and Process Services, which usually refer to online services relating to anti-virus functions and information protection services.

Some of the activities (eg, certain basic telecoms services) can only be provided by state-owned entities, while others need at least 50% or 51% local Chinese shareholding (eg, services falling under the requirement for an ICP licence), and some are completely open to any kind of investment – with more and more falling under this last category every year.

IP Protection

The metaverse has created an emerging environment that revolutionised the traditional application of the internet, and is creating a virtual society reflective of the physical world. User-generated content makes infringement of IP more common. Metaverse participants usually create scenes in the virtual world based on their preferences in the real world, transferring, copying and linking trade marks, signs, designs and other copyrights or works protected under IP law into the virtual world. These activities likely implicate IP protection laws, as the PRC Copyright Law and PRC Trademark Law are quite clear that the author and trade mark registrant enjoy the exclusive right of any given copyright or trade mark, and there are currently no exceptions or special provisions that would clearly apply to metaverse activities.

In late 2022, draft amendments to the AUCL were released and included the new concept of “commercial data”, which is defined as data that is lawfully collected by business operators, has commercial value and employs corresponding technical management measures. The draft amendments would impose additional requirements for business operators processing “commercial data” and prohibit certain related conduct, such as disrupting technical management measures of other business operators, breaching relevant contracts, agreements or protocols, acting contrary to the principle of good faith, etc.

Protection of Virtual Property

Although China does not have any laws or regulations that specifically address the protection of virtual property and assets, Article 127 of the PRC Civil Code has been widely understood and interpreted as providing that rights to virtual property and assets have been officially recognised as legal property rights and are thus subject to protection under the civil law regime, just like physical property rights. However, Article 127 further provides that the protection of virtual property and assets is still subject to further, more detailed regulations.

In a court case in which two parties had reached a series of agreements regarding the purchase of Bitcoin mining services, the Beijing Third Intermediate People’s Court ruled that such agreements were void and hence unenforceable, as they mainly concerned Bitcoin mining, which is explicitly and strictly prohibited by PRC law. However, in another case (published as a “Typical Case”), the specialised Hangzhou Internet Court ruled that Bitcoin should generally be deemed a commodity, and therefore should be protected by the relevant laws and regulations regarding personal property. The conclusion was also supported by the Shanghai High People’s Court in its comments in another case with a similar factual background.

Regulation of Data and Personal Information

There are no PRC rules on data privacy that relate to the metaverse explicitly. However, an operator – and possibly a user – of the metaverse may be subject to various other PRC laws and regulations relating to data protection and privacy.

In particular, due to the massive volume of PI that they might possess or collect, metaverse platform providers are likely to be subject to numerous rules under the PIPL, including the requirement to obtain consent before processing PI from users (except in certain situations permitted by law) and disclosing the intended use, purpose, means, scope and rules of the processing. Special requirements apply to transferring PI outside the PRC, especially large volumes of PI.

Metaverse platform providers and participants such as PCCW Limited and ZTE who engage in multiple industries including “critical information infrastructure” could be deemed Critical Information Infrastructure Operators (CIIOs) and therefore subject to more strict obligations under the cybersecurity regime. For example, for some such operators of the metaverse, the offshore transfer of PI or other information constituting “Important Data” collected within mainland China may be subject to even more stringent requirements or even absolute prohibitions. The draft amendments to the AUCL would introduce another category of data, “commercial data”, with a range of attached rights and responsibilities.

The PRC Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data activities. It also introduces a data classification and hierarchical protection system based on the importance of data in terms of economic and social development, as well as the degree of harm that would be caused to national security, public interests or the legitimate rights and interests of individuals or organisations if such data were to be tampered with, destroyed, leaked or illegally acquired or used. Appropriate protective measures are required to be taken for each category of data. For example, a processor of “Important Data” must designate personnel and a management body responsible for data security, carry out risk assessments for its data processing activities, and file risk assessment reports with the Cyberspace Administration of China (CAC).

A particularly hot topic that has been gathering steam for a few years is facial recognition technology. Cases started cropping up around 2019, such as that of Guo Bing v Hangzhou Wildlife World Co., Ltd., in which the court ruled that the customer has the right to reject a service provider’s requirement to collect and use facial features.

Litigation over such matters has mushroomed recently, since the Supreme People’s Court released the Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Civil Cases involving the Processing of Personal Information Using Facial Recognition Technology in July 2021. In the case of Gucheng v Tianjin Branch of Lanzhou Chengguan Property Management Co., Ltd., a resident living in an apartment complex refused to provide facial information to the management company as the method of unlocking the complex’s entryway. In 2022, the First Intermediate People’s Court of Tianjin Municipality supported that the resident has the right to refuse to provide facial information, and the company must provide other methods to unlock the entryway.

Laws and Regulations

While digital economies can generally be said to be subject to a wide range of laws, the following are especially pertinent in the PRC:

• the PRC E-Commerce Law, which came into effect on 1 January 2019 and is the first law regulating processes relating specifically to digital commerce;
• the regulations of the PRC telecoms industry, as detailed in 1.1 Laws and Regulations;
• the PRC Electronic Signatures Law, which was revised and took effect on 23 April 2019, and is another key law governing electronic transactions;
• the AUCL, most recently revised in 2019, and the PRC Anti-Monopoly Law, most recently revised in 2022, are widely regarded as playing an essential role in the regulation of the digital economy – anti-monopoly authorities in particular are increasingly targeting technology giants that have huge market shares in e-commerce and the digital economy even more fundamentally; and
• the laws and regulations of the cybersecurity regime, as detailed in 1.1 Laws and Regulations, especially as they pertain to “Important Data” (eg, sensitive financial data) and CIIOs.

E-Commerce

The PRC E-Commerce Law defines an e-commerce operator as any natural person, legal person or unincorporated association that carries out business activities through information networks such as the internet to sell commodities or offer services, including operators of e-commerce platforms, business operators on e-commerce platforms, and other e-commerce operators that sell commodities or offer services on websites they develop themselves or through other network services. Importantly, this definition could extend to individuals who conduct business activities such as selling second-hand commodities or providing procurement services through Taobao.com or JD.com.

The PRC E-Commerce Law includes a large number of rules covering a wide range of conduct, even addressing customer comments, which the law prohibits operators from removing or modifying. For example, one of the largest platforms for individual customers buying and selling second-hand luxury goods in China, Secoo, was investigated by the Beijing Xicheng Branch of the State Administration for Market Regulation and fined RMB50,000 for deleting one negative review from its platform.

Discriminatory pricing using big data is also regulated by the PRC E-Commerce Law, which prohibits schemes that customise the display of search results of products and services based on consumers’ interests, preferences, habits and other personal characteristics.

Although such practices are prohibited by the PRC E-Commerce Law, individual customers generally lack sufficient resources and capabilities to prove that any online platform adopts discriminatory pricing based on algorithms, which results in online platforms rarely being penalised for such conduct. As an example, in litigation where Ctrip (one of the largest online travel agencies in China) was allegedly collecting PI from a user and raised the accommodation price for the user based on analysis of her data, the court ruled that Ctrip infringed upon the user’s information rights but remained silent on whether and how Ctrip conducted price customisation based on data analysis. It is challenging under the current legal regime for customers to successfully persuade the court or administrative authorities that the price is different as a result of algorithms based on personal data collected from customers.

PRC Telecoms Requirement on E-commerce

Which telecoms licences and rules will apply to an e-commerce participant will depend on its business and model. Typical licences include those for Electronic Data Interchange (EDI) and ICP. The former is needed for platforms featuring third-party sellers (ie, individuals or entities running online stores on the platform), while the need for the latter depends on whether such platforms enable other services that might fall into sub-categories of information services under the question.

Interestingly, foreign investment in an ICP licence holder is capped at 50%, whereas there is no restriction on foreign shareholding for an EDI licence holder. That said, an e-commerce business featuring the sale of products manufactured or procured by the operator itself generally does not need an ICP (or EDI) licence (although a so-called “ICP filing” is generally required).

Other key rules generally applicable to parties using a website or other online platform to sell their own or third parties’ goods or services include requirements that e-commerce platform operators have adequate funds (RMB10 million minimum for national level and RMB1 million for provincial level), specialised personnel and a reputation for long-term service. Foreign and foreign-related telecoms enterprises (FITEs) in China are subject to the same registered capital requirements. In 2022, it was confirmed that FITEs are no longer required to have a “record of good performance and operating experience” prior to being established in China.

Unfair Competition

The current AUCL expressly restricts network-based anti-competitive conduct, but only based on high-level provisions. However, the AUCL is currently undergoing another revision process, with the public comment period having closed at the end of 2022. The draft amendments aim to improve anti-competition rules for the digital economy, with several newly added provisions, including Article 4 as a basic guideline and Articles 15, 17, 18 and 19 targeting anti-competitive conduct in the area of digital economy specifically.

In the version of the AUCL currently in effect, Article 12 prohibits acts impeding or disrupting the normal operation of network products or services, specifically including:

• inserting a link or forcing a URL redirection in a network product or service legally provided by another business operator without the consent of that business operator;
• misleading, deceiving or compelling users into modifying, closing or uninstalling a network product or service legally provided by another business operator; and
• implementing in bad faith an incompatibility with a network product or service legally provided by another business operator.

In the draft amendments of the AUCL, Article 4 would function as a fundamental cornerstone prohibiting business operators from using data and algorithms, technology, capital strength or platform rules to engage in unfair competition practices. More specific to the digital economy, unfair competition activities explicitly prohibited by the draft amendments include:

• disrupting the order of fair competition in the market by influencing user choices by using big data collected from users and algorithms to process it;
• violating industry practices or technical specifications to hinder access to other network products or services;
• acquiring commercial data of other operators in an improper way; and
• customising prices for different users based on analysis of their preferences and other characteristics by using algorithms.

Data and Privacy Protection

Subject to the specific data stored or processed during digital economy activities, service providers could be required to comply with various obligations under the PRC Cybersecurity Law, the PRC Data Security Law and/or the PRC Critical Information Infrastructure Regulations, such as local data hosting and offshore data transfer restrictions (see 1.1 Laws and Regulations). Ultimately, in some circumstances, CIIOs with offshore components (eg, servers hosted outside China, or networks between PRC subsidiaries and foreign parent companies) might have to restructure entities or operations to comply with these laws and regulations.

Under the PIPL and other regulations (such as the PRC Measures for Cybersecurity Review), an e-commerce platform that processes large volumes of PI or operates a certain type of business will be subject to enhanced requirements for PI protection, including:

• completing cybersecurity review if processing PI of one million or more individuals and applying to go public outside China;
• establishing an independent body mainly composed of external members to supervise protection of PI;
• ceasing the provision of any service to any product or service provider operating on the e-commerce platform who commits a serious violation of any law or administrative regulation in the processing of PI; and
• publishing a social responsibility report concerning PI protection on a regular basis and accepting supervision from the public.

The PRC Consumer Protection Law sets similar requirements for the collection of consumer information by business operators. Other high-level laws provide general privacy protections, such as the PRC Tort Law, the PRC Civil Code and the PRC Criminal Law. Draft amendments to the AUCL would introduce a new category of data, “commercial data”, with new attached rights and responsibilities (as set out in 1.1 Laws and Regulations).

Laws and Regulations

There are no laws, and only a few regulations, in the PRC specifically addressing cloud and edge computing, but cloud and edge computing service providers are subject to various general bodies of legislation and regulation, including:

• the PRC Telecommunications Regulations and related regulations, such as the PRC Administrative Measures for the Licensing of Telecommunications Business and the PRC Administrative Measures for Internet Information Services;
• the PRC Cybersecurity Law and related laws and regulations forming the framework for governing data security and privacy protection in China;
• the PRC Cryptography Law;
• the Measures for Security Evaluation for Cloud Computing Services; and
• the Circular on Regulating the Market Operations of Cloud Services (Draft for Comments).

The Standardisation Administration of China (SAC; also known as TC260) also publishes numerous non-binding, recommended standards relating to cloud and edge computing, covering topics ranging from security guidance to data centre requirements and file service application interfaces.

PRC Telecoms Regulations

Depending on the business model and features of cloud computing services, engaging in cloud services within China may trigger value-added telecoms licensing requirements. Cloud services might implicate the requirements for an “internet data centre” (IDC) or “internet resource collaborative” (IRC) licence. An IDC/IRC licence essentially allows a company to directly provide server hosting or cloud storage solutions, as well as other related business activities. Foreign shareholding in any holder of an IDC/IRC licence is completely prohibited (with the exception of qualified service providers under the Mainland and Hong Kong Closer Economic Partnership Arrangement Agreement on Services Trade, who can own up to 50%).

Circular on Regulating the Market Operations of Cloud Services (Draft)

On 24 November 2016, the MIIT released a draft of a new circular for regulating cloud services, with the following key points, which are at least to some extent already enforced in regulatory practice.

• In any co-operation between a local cloud service provider (who holds a relevant telecoms licence) and a foreign partner, the former is prohibited from:
1. transferring or lending (explicitly or “in disguised form”) any telecoms licence to the partner, or providing any resource, site, facility, etc, for the purpose of assisting any unlawful conduct of the partner;
2. allowing the partner to directly conclude a contract with a user;
3. providing users with services by using the trade mark and brand of the partner only; and
4. illegally providing a partner with network data or user PI.
• Cloud services providers may not independently establish a virtual private network (VPN) or other special connection to the internet, except as authorised by the MIIT.
• When providing services for domestic users, an operator of cloud services must locate service facilities and network data within China and abide by the relevant state provisions for cross-border operations, facility maintenance and data flows.

Special Regulatory Reviews for Cloud and Edge Computing

The PRC Measures for Cybersecurity Review provides that any CIIO seeking to procure any network product or service that affects or may affect national security needs to undergo a so-called “cybersecurity review”. Some cloud and edge computing products and services – such as high-performance computers or servers, mass storage equipment, large databases or applications, and network security equipment – are specifically included in the scope of network products that are subject to the PRC Measures for Cybersecurity Review. Therefore, any CIIO procuring such cloud and edge computing products or services, or others that may affect national security, will need to go through a process that may include an application for cybersecurity review being submitted to the Cybersecurity Review Office (CRO), an initial review by the CRO, and potentially a “special review” by the CRO if no agreement can be reached by CRO members after the initial review.

Non-CIIOs are unlikely to need to go through a cybersecurity review for procuring cloud or edge computing products or services, although there is a broad catch-all provision that may require any network operator or data handler whose processing activities might impact state security to undergo a cybersecurity review (and any party processing PI of one million or more individuals and applying to go public outside China will need to conduct a review, as detailed in 2.1 Key Challenges).

The Measures for Security Evaluation for Cloud Computing Services provide that cloud computing service providers supplying the Communist Party of China, government agencies or any CIIO may complete a security evaluation of each of their cloud computing platforms providing such services. The evaluation result can be used as a reference to support a supplier’s bid for procurement contracts. As of November 2022, 63 cloud computing service providers had passed this security evaluation, including cloud computing service providers for more than half of China’s provincial governments. The evaluation may cover the following:

• the credit and operation status of the cloud service supplier;
• the stability of the cloud service supplier's personnel;
• the security of the technologies, products and service supply chains of the cloud platforms;
• the security management capability of the cloud service supplier and the security protection of the cloud platforms;
• the feasibility and convenience of customer data migration; and
• the business continuity of the cloud service supplier.

Higher Scrutiny Over Cloud and Edge Computing Services Provided for Financial Entities

Cloud and edge computing services provided in financial areas are likely to constitute a “fintech product” and therefore be subject to additional requirements under the PRC Certification Rules for Fintech Products. Regulations promulgated by The People's Bank of China (PBOC) impose even more requirements on cloud and edge computing services providers, including the “Financial Application of Specification of Cloud Computing Technology-Technical Architectures, Security Technical Requirements, and Disaster Recovery”, which sets out a required standardisation for cloud computing services in the financial area and specifies requirements from the perspective of the establishment of basic structures, technical security, risk assessment and risk management.

With respect to financial personal data and information generated, transmitted and stored during the course of financial cloud and edge computing services, the PBOC and the China Financial Standardisation Technical Committee provide more requirements, primarily through the PRC Personal Financial Information Protection Technical Specification, which adopts a broad definition of personal financial information and specifies measures required during the life cycle of such information.

Data and Privacy Protection

Cloud and edge computing service providers must generally comply with the requirements of the cybersecurity regime in respect of the collection, use, transfer and other processing of PI and certain other kinds of data. Key requirements on parties, including cloud and edge computing service providers, include obtaining consent from data subjects for the collection and further uses of their PI, undergoing so-called “security assessment” procedures prior to overseas data transfers in certain circumstances, and such further general principles as “legitimacy, rightfulness and necessity” in the collection and use of PI (see also 1.1 Laws and Regulations and 2.1 Key Challenges).

Laws and Regulations

Artificial intelligence

There are no PRC laws specifically pertaining to the creation, development or use of artificial intelligence (AI), but there are some policies and a few regulations. To incentivise the AI industry, China has formulated a number of broad and aspirational plans, such as the New Generation Artificial Intelligence Development Plan in 2017. At the national level, China also promulgated some policies specifically to guide the regulation of AI.

The Ministry of Science and Technology (MOST) issued the Ethical Norms for New Generation Artificial Intelligence in September 2021, which provide ethical norms covering the protection of personal data, human responsibility and human control of the AI. The CAC issued the PRC Internet Information Service Algorithmic Recommendation Administration Provisions, which govern market entities that use algorithmic recommendation programs, and mandate them to notify users of such use and provide the users an opt-out.

At the local government level, for example, the Shenzhen government issued the Provisions on Promoting the Artificial Intelligence Industry in the Shenzhen Special Economic Zone (“Shenzhen AI Provisions”) in September 2022, which is the first city-level guideline aimed at facilitating the AI industry. Most of the content of the Shenzhen AI Provisions is simply declaratory (eg, the Shenzhen government will formulate a separate risk classification and management standards for AI-related business activities, and if such activities are categorised as low risk, then the market entities can conduct trials even under no specific local and national norms). The Shenzhen AI Provisions also call for the exploration of specialised insurance to be provided to AI products and services.

Also in September 2022, Shanghai passed provincial regulation regarding the AI industry: the Shanghai Provisions on Promoting the Development of the AI Industry (“Shanghai AI Provisions”), effective from 1 October 2022. The Shanghai AI Provisions call for management systems based on grading and “sandbox” supervision. Such management intends to leave space and flexibility for the AI industry to develop. In particular, the Shanghai AI Provisions stipulate that minor violations of laws during the development of the AI industry can be tolerated without administrative punishment, subject to specific lists of such minor violations formulated by provincial departments. However, the Shanghai AI Provisions also specify ethical norms for AI development as bottom lines.

As the operation of AI tends to be based on large data sets, service providers obtaining such data will be subject to the requirements of the cybersecurity and privacy protection frameworks. In addition to the rules and requirements detailed in 1.1 Laws and Regulations, 2.1 Key Challenges and 3.1 Highly Regulated Industries and Data Protection, AI may be more likely to trigger stricter ones due to the processing of so-called “sensitive personal information”. For example, biological characteristics (eg, fingerprints, faces, voices, gaits) are not allowed to be used as the sole method for personal ID verification; when they are used, the data processor is required to conduct a risk assessment on the necessity and safety of the use, and is prohibited from requesting the natural person to agree on facial information processing as a precondition to using products or services where the facial information is not necessary for their provision.

With respect to the ownership of IP rights, under Article 9 of the PRC Copyright Law, only natural persons, legal persons or organisations may obtain copyrights. As a result, AI may carry out activities such as editing photographs or even composing music or poetry, but it cannot obtain rights or thus protection as a copyright owner under current PRC law. Similarly, the PRC Patent Law stipulates that a patentee should be either an entity or a natural person. Thus, AI itself cannot be considered entitled to patent rights for its inventions.

In a case between Tencent and an online financial information provider, in which they disputed the copyrights of an AI-created article, the People’s Court of Nanshan District of Shenzhen confirmed that AI is not qualified for IP rights, but the IP rights of creations and inventions by AI are protected: such IP rights belong to the entity or natural person who developed the AI.

Big data

In addition to the requirements and other rules of the cybersecurity and privacy regimes, big data processing is subject to another special framework: foreign investment restrictions. Most notably, the operation of “Internet Data Centres” (IDCs) – including the businesses of providing major data storage and analyses services – is off limits to foreign and foreign-invested parties. As an example, even the Apple iCloud service in mainland China (which formerly operated via an offshore service provider) is currently operated by Guizhou-Cloud Big Data Industry Development Company, as the holder of an IDC permit.

A company engaging in business related to big data within certain industry sectors might be subject to additional regulatory requirements. For example:

• all health-related data must be stored on a secure and trusted server in China;
• hospital authorisation is a precondition to collecting and processing such data (even anonymised); and
• a security assessment is required before transferring such data offshore.

Finally, a big data service provider may be deemed a CIIO and therefore subject to stricter compliance frameworks (see 3.1 Highly Regulated Industries and Data Protection).

PRC legislators have taken a relatively broad view of the “Internet of things” (IoT) concept. The State Council’s 2013 Guiding Opinions on Promoting the Orderly and Healthy Development of Internet of Things (“IoT Opinions”) describe IoT as technology “based on the intensive integration and comprehensive application of a new generation of information technology”, and designate IoT as an important strategic emerging industry of the country. The IoT Opinion further emphasises the co-ordinated overall development of IoT applications, technologies, industries and standards. In September 2021, the MIIT issued the Guidelines for the Construction of a Fundamental Security Standard system for IoT, aiming to outline the framework for the development and implementation of standards for IoT, including software security, access authentication and data security.

Although China has yet to promulgate any comprehensive legislation on the security and regulation of IoT, recent legislation and regulation on data-related issues – such as the PRC Data Security Law, the PIPL, the Measures for Security Evaluation for Cloud Computing Services and the Measures for Cybersecurity Reviews (see 1.1 Laws and Regulations, 2.1 Key Challenges, 3.1 Highly Regulated Industries and Data Protection and 4.1 Liability, Data Protection, IP and Fundamental Rights) – are all applicable to IoT. For example, the PIPL provides that IoT companies that collect PI must obtain prior consent from the individual, and companies cannot refuse to provide services to individuals that refuse to provide PI, unless the processing of such PI is necessary for providing the product or service.

A number of government departments and regulatory bodies have clearly assumed certain responsibilities over IoT activities. Such government bodies include the MIIT (the key regulator for the telecoms sector and approximately 20 other industries), the CAC (which acts as the main watchdog for information security and content administration), the National Development and Reform Commission, the MOST and the SAC.

There is no single, unified regulatory regime for all components of the audio-visual media industry as a whole in China. Instead, industry sub-sectors are regulated separately through a variety of laws and regulations, with key areas being cable broadcasting, online audio-visual services (including online video-sharing platforms) and over-the-top (OTT) services. In general, the broadcasting or online transmission of audio-visual content is highly regulated, and is off limits to not only foreign but also most domestic investment, in many cases.

Cable Broadcasting

Cable broadcasting is highly regulated in the PRC and is not open to foreign participation or even new domestic market entrants. Currently, a broadcasting television station may only be set up by central or government branches, such as the National Radio and Television Administration or the Ministry of Education. The station’s establishment will also be subject to the central PRC government’s national market plans.

The most central piece of legislation relating to cable broadcasting – ie, offering traditional cable television channels – is the PRC Administrative Regulations for Radio and Television. All cable broadcasters are required to obtain the following two key permits, among others:

• the “Radio and Television Broadcasting Institution Permit”; and
• the “Radio or Television Programme Production Permit”.

PRC law requires applicants for these permits to meet certain requirements, including regarding their location, equipment, technology and personnel, and to complete an application process with the applicable authorities. No application fees are required. As mentioned, however, it is difficult if not impossible in practice for new entities – whether purely domestic or foreign-invested – to obtain either of these permits in China.

Online Audio-Visual Services

Online audio-visual services are primarily regulated through the following:

• the PRC Interim Administrative Provisions on Internet Culture, which is central to the so-called “Internet Culture” sector, regulating online cultural activities;
• the PRC Provisions on the Administration of Private Network and Targeted Communication Audio-visual Program Services; and
• the PRC Administrative Regulations on Internet Audio-Visual Program Services.

To operate an online streaming platform – eg, to provide video on demand services, such as Youku (the Chinese YouTube) – the most important operating permits are the “Internet Culture Business Permit” and the “Internet Audio-Video Broadcasting Permit” (“IAVB Permit”). The IAVB Permit requires an application process to be completed with local and central government authorities, while the application for the Internet Culture Business Permit involves only provincial level government authorities. No application fees are required. An applicant for an IAVB Permit must be controlled or wholly owned by one of China’s state-owned enterprises (SOEs). Neither the Internet Culture Business Permit nor the IAVB Permit may be obtained by an applicant that has any direct or indirect (on a see-through basis) foreign investor, although indirect control structures featuring variable-interest-entity structures established before the requirement that the IAVB Permit must be controlled or wholly owned by SOEs are widely used in this sector.

OTT Services

The most important operating permit for providers of OTT services is the OTT licence. To apply for an OTT licence, a qualified applicant must meet certain requirements, including being controlled by an SOE, along with equipment and personnel requirements. Here too, both local and central government approval are needed. There are no application fees. To date, only 16 OTT licences have been issued, and the regulators have effectively suspended the granting of this licence, with the date of resumption unknown.

Contractual Partnerships/Licensing

Directly operating an online video channel in the PRC is highly regulated and requires the procurement of operating licences/permits (ie, an Internet Culture Business Permit and an IAVB Permit/OTT licence) that are generally only available to companies with SOEs as (controlling) shareholders. As such, it is more common for content owners outside China to simply license content to domestic entities that hold all required permits – eg, the licensing arrangement between iQiyi and Netflix. Such domestic entities will also ensure that licensed content complies with PRC content/censorship requirements and will potentially self-censor any content as needed.

The PRC Telecommunications Regulations apply to all types of “telecommunications” services. “Telecommunications” is defined broadly as any “act of using wired or wireless electromagnetic or optoelectronic systems to transmit or receive voice, text, data, images, or any other form of information.”

The PRC Telecommunications Regulations categorise telecommunications services as either “basic telecommunications services” (BTS) or “value-added telecommunications services” (VATS), and different operating permits are required to engage in each. BTS include communications services, public data transmission and public network infrastructure, while VATS consist of call centre services, IDC services, CDN services, VPN services and others. A complete list of BTS and VATS can be found in the PRC Catalog of Telecommunications Businesses, as first formulated by the MIIT in 2000 and last updated in 2019.

Therefore, depending on the type of telecommunications services being provided, the telecommunications operator will need to obtain either a “Basic Telecommunications Service Operating Permit” or a “Value-Added Telecommunications Services Operating Permit” prior to bringing a service to market. Setting aside the fact that numerous BTS and several VATS are off limits to foreign and foreign-invested parties, each permit requires a telecommunications services operator to meet different requirements, as follows.

• Basic Telecommunications Service Operating Permit:
1. the operator must be a legally established company that specialises in BTS and in which the state has no less than 51% ownership;
2. a feasibility study and technical plan for the formation of the network must be completed;
3. the operator must have access to funds and specialised personnel commensurate with the business activities to be engaged in;
4. there must be a site and corresponding resources to carry out envisioned business activities;
5. the operator must have the reputation or the capability to provide long-term service to its subscribers;
6. the minimum registered capital for operators engaging in business within a single province is RMB100 million, while the minimum registered capital for operators engaging in business across provinces (including nationwide) is RMB1 billion; and
7. the operator must comply with other conditions specified by the state.
• Value Added Telecommunications Services Operating Permit:

1. the operator must be a legally established company with a minimum domestic shareholding of no less than 50% for most VATS, unless otherwise specified by the state (except for those fully opened up to foreign investment, such as domestic multi-party communications services, call centres and e-commerce services);
2. the operator must have access to funds and specialised personnel commensurate with the proposed business activities;
3. the operator must have the reputation or the capability to provide long-term service to its subscribers;
4. the minimum registered capital for operators engaging in business within a single province is RMB1 million, while the minimum registered capital for operators engaging in business across provinces (including nationwide) is RMB10 million; and
5. the operator must comply with other conditions specified by the state.

The procedure for obtaining the relevant approvals/permits can be complicated and time-consuming, but is increasingly being simplified, especially for foreign and foreign-invested businesses. For example, on 15 October 2020, the MIIT released the Notice on Strengthening Interim and Ex-Post Supervision of Foreign-Invested Telecommunications Enterprises, which confirmed that a separate process for MIIT approval would no longer be required for the establishment of FITEs. Then, on 1 May 2022, the key legal regime governing FITEs – the PRC Administrative Provisions on Foreign-Invested Telecommunications Enterprises – was further amended to remove one of the market entry requirements imposed on FITEs looking to obtain the telecommunication operating permits.

The fundamental legal regime in the PRC governing technology agreements is the “Technology Contracts” chapter of the Civil Code (which entered into effect on 1 January 2021), which sets forth certain requirements for technology contracts, as well as the rights and obligations of the contracting parties. Because trade secrets are usually involved in technology agreements, technology agreements are also often subject to the PRC AUCL and the Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Civil Cases of Trade Secret Infringement. Aside from the general laws and regulations above, technology agreements of computer software are subject to the PRC Copyright Law and the PRC Regulations on Computer Software Protection.

Technology Improvements and Ownership

Provisions dealing with technology improvements and ownership are commonly negotiated in China’s technology agreements. As indicated in Articles 850 and 864 of the Civil Code, a technology transfer agreement or technology licensing agreement may not restrict competition or development of the technology, nor illegally monopolise it. Provisions that restrict improvements to the technology received may be held invalid and unenforceable by a PRC court. However, the risk tends to be deal-specific.

With respect to the ownership of the subsequent improvements using the technology received, Article 875 of the Civil Code mandates that, unless the ownership is explicitly specified, the party who develops such improvements shall be the owner of the improvements, and the improvements may not be shared by other parties. That said, the subsequent improvements will not be automatically granted back to the technology provider. Therefore, a technology provider should carefully draft the relevant clauses to explicitly specify the ownership of any subsequent improvements.

Reverse Engineering

Another challenge routinely encountered when entering a technology agreement with a local organisation is reverse engineering, which is defined by PRC law as the acquisition of technical information on a product obtained from any public channel through disassembly, mapping, analysis and other technical means.

The provisions restricting reverse engineering are widely used in China as a seller protection scheme, and there is no law expressly prohibiting the inclusion of “anti-reverse engineering provisions” in a technology agreement. However, as explained just above, the provisions against reverse engineering cannot explicitly restrict competition or development of the technology, nor promote its illegal monopolisation. Therefore, anti-reverse engineering provisions bear some risk of being deemed invalid or unenforceable by a PRC court, and any provisions relevant to anti-reverse engineering should be carefully drafted to mitigate such risk.

Technology Import/Export

Many technology agreements also implicate import/export issues. For cross-border technology transfers, parties should look into the PRC Catalogue of Technologies Prohibited or Restricted from Export and the Catalogue of Technologies Prohibited or Restricted from Import to determine if the technology involved is prohibited or requires pre-approval. Even for technology that is not prohibited or does not require pre-approval, the technology contracts need to be filed with the PRC Ministry of Commerce and relevant authorities.

On the other hand, this is another area that China is gradually opening up. In 2020, several clauses implicating forced transfer of technology were removed from the PRC Regulations on the Administration of Import and Export of Technologies. Moreover, the Foreign Investment Law enacted in 2020 made forced technology transfers and unauthorised disclosure of trade secrets by government officials illegal.

Resale Price Maintenance

Furthermore, technology agreements should be carefully drafted to avoid violating provisions in the PRC Anti-Monopoly Law. For example, the Anti-Monopoly Law strictly prohibits fixing the resale price of a product or service. This restriction can be interpreted to include the scenario of fixing the price of sub-licensing in a technology agreement. Therefore, contracting parties must take care to avoid drafting the technology agreements in such a way that might be deemed to create resale price maintenance, although the most recent amendments to the Anti-Monopoly Law (in 2022) did add a safe harbour.

Laws and Regulations

Trust services and electronic signatures are widely used in China, especially in online commerce. The PRC Law on Electronic Signatures (Electronic Signatures Law) was the first PRC law that systematically set forth the requirements on trust services and electronic signatures. China also issued two other regulations concerning trust services providers:

• the PRC Measures for the Administration of Cipher Codes for Electronic Certification Services; and
• the PRC Measures for the Administration of Electronic Certification Services.

Furthermore, trust services providers must utilise commercial cryptography when providing the relevant services, and therefore are subject to the PRC Cryptography Law. However, China still has no law specifically governing digital identity.

Trust Services

Trust services are highly regulated in China. To become a qualified trust services provider (ie, to provide electronic certification services in China), two permits are required:

• “Permit for Use of Cipher Codes for Electronic Certification Services” (“Cipher Code Permit”); and
• “Permit for Electronic Certification Services” (“Certification Permit”).

The Cipher Code Permit is a prerequisite for the Certification Permit and should be applied for with the competent Cryptography Administration, while the application for the Certification Permit should be completed with the MIIT. In addition, applicants must satisfy several requirements under PRC law, including concerning corporate capacity, technology equipment, technical personnel and registered capital.

Electronic Signatures

The provision of electronic signatures services is a core part of trust services/electronic certification services in China. An “electronic signature” is defined by the PRC Electronic Signatures Law as data in electronic form identifying the signatory and verifying the signatory’s acknowledgement of the content being signed. For an electronic signature to have the same legal effect as a seal or written signature, the following conditions must be met:

• the data generated by the electronic signature is exclusively used and owned by the signatory;
• the data generated by the electronic signature is exclusively controlled by the signatory at the time of signing;
• any alteration to the electronic signature can be discovered after signing; and
• any alteration to the content and form of the electronic data can be discovered after signing.

The PRC Electronic Signatures Law also specifies certain documents that cannot be legally accepted in electronic format and cannot be signed electronically, such as documents concerning personal relations (eg, marriage, adoption and succession), and documents concerning transfers of real estate rights and interests.

Digital Identity Schemes

Digital identity refers to a set of data stored online that can be used to identify a specific individual. Such data ranges from a personal name to an ID card number. Digital identity (which is also called “E-ID card”) is widely used in China. For example, the Chinese government has been promoting digital identity cards since 2018. Under the digital identity card system, each individual’s identity information is stored online and can be used to access various social services, such as healthcare and public transportation, with a smart device.

While China has yet to promulgate any law specifically governing digital identity, the rules of the cybersecurity regime are generally applicable to the digital identity schemes – particularly the rules regarding the confidentiality and safekeeping of individuals’ PI and the protection of privacy (see 1.1 Laws and Regulations, 2.1 Key Challenges and 3.1 Highly Regulated Industries and Data Protection).