VPN compliance in China
Author: Sharon Shi & William Shen 2021-03-23More and more foreign-invested enterprises in China are using VPN (virtual private network) technology to connect to corporate servers remotely and securely. However, in addition to its encrypted communication function, the more important reason for the widespread use of VPNs in China is that cross-border networking can be achieved by VPN technology. In this article, “VPN” specifically refers to the VPN for cross-border networking.
China has strengthened its supervision on using VPNs in recent years. In May 2019, a company was fined for using illegal “proxy software” to visit overseas websites, which triggered intense discussion on the internet. The authors have noticed that many foreign-invested enterprises have practical needs, such as collaborating and exchanging data with offices across the world, but they know very little about how to use VPNs in compliance with regulatory policies in China.
It is quite common for foreign-invested enterprises to privately rent or build an illegal VPN. In this article, we provide some suggestions for foreign-invested enterprises on how to use VPNs in compliance with the law.
A VPN is an encrypted connection, from device to network, through the internet. Such an encrypted connection helps to ensure the safe transmission of sensitive data. VPNs use the tunnel protocol to achieve sender authentication, message confidentiality and accuracy, and other functions. They prevent unauthorised people from eavesdropping on the traffic, and allow the user to execute work remotely. Today, VPN technology is widely used in corporate business.
Regulatory environment In January 2017, the Ministry of Industry and Information Technology (MIIT) issued the Notice of the Ministry of Industry and Information Technology on Cleaning up and Standardising the Internet Network Access Service Market. The notice clarifies that, without the approval of the MIIT, no enterprise shall set up or rent dedicated lines or other channels (including a VPN) to operate cross-border business. When leasing international dedicated lines to users, basic telecommunications enterprises are required to establish user profiles centrally, and make it clear to users that such international dedicated lines are for their internal office work use only. Such lines shall not be used to connect to domestic or foreign data centres or business platforms to operate telecommunications business. Officials of the MIIT have also clarified that the government’s attitude and principles for VPN regulation are: When building a cross-border network connection through dedicated lines for internal office work, international trading companies and multinational companies are allowed to rent such lines from authorised telecommunication business operators who have set up international communications gateway exchanges in accordance with the law. VPN compliance For foreign-invested enterprises in China, the key to legally using a VPN is to find and choose a legitimate authorised service provider, which must be an operator qualified for international communication business, or an authorised basic telecommunications business operator equipped with international communication gateway exchanges. Currently in China, only VPN services provided by authorised basic telecommunications business operators are legal, while those provided by other enterprises or overseas companies are not. It should be noted that the VPN service provided by authorised basic telecommunications business operators can only be used within that enterprise. Some authorised operators require that the servers connected to a VPN shall not have public IP addresses, or shall not be subleased or used for business operation purposes. In addition, in accordance with the relevant provisions of the Administrative Measures for International Communication Gateway Exchanges, even for internal use, setting up a VPN through the international internet gateway shall be filed with the MIIT. Compliance tips In summary, foreign-invested enterprises shall use VPNs in compliance with regulatory policies, and verify the operational qualification of a VPN vendor before purchasing or renting it from a telecommunications business operator. A qualified authorised basic telecommunications business operator for an international communications business should also obtain a permit for setting up international communication gateway exchanges. Foreign-invested enterprises shall establish a VPN using a compliance system or protocol. The use of VPNs should be strictly restricted to internal use only, and shall not be used to connect to domestic or foreign data centres, or business platforms to operate a telecommunications business. Close attention should be paid to the regulatory trends of various regulatory authorities, and to arranging preventive measures in advance. For example, foreign-invested enterprises shall set up internal blocking gateways to automatically block illegal and sensitive websites, or provide access to essential websites only, taking into account their own cybersecurity needs. Foreign-invested enterprises shall keep network logs according to the requirements of the Cybersecurity Law, establish corresponding IT access manuals, monitor the access logs regularly, and impose severe punishment on illegal access behaviour while using a VPN. Additionally, carrying out training to raise employees’ awareness on the risks of illegal use of a VPN, and serious consequences, is also a good practice. For more complicated situations or specific questions, professional advice should be sought.
