What are the key regulatory changes that have impacted the tech legal industry in China in the past year?
- Potential signals for cross-border data flows: on 28 September 2023, China issued the regulations on standardising and promoting cross-border data flows (draft for solicitation of opinions). It raises the threshold for triggering data export security assessments and standard contract filings and grants the right for pilot free-trade zones to formulate negative lists independently.
- Increasing stringency in AIGC Regulation: both the interim measures for the management of generative artificial intelligence services and the measures for ethical review of science and technology (trial) came into effect in 2023. These regulations impose supervisory requirements on aspects such as content security, prohibition of discrimination, personal information, algorithm compliance, and technological ethics for AIGC technologies.
- Inclusion of data assets in accounting: in 2023, the ‘Interim Provisions on Accounting Treatment of Enterprise Data Resources and the Guiding Opinions on Enhancing the Management of Data Assets’ were published in China, providing both directional ideology and practical accounting guidelines for evaluating data resources and managing data assets.
What are the typical legal challenges faced by multinational tech companies when establishing and maintaining a presence in China?
- Regulatory and approval compliance: multinational tech companies are required to comply with laws and regulations such as the Foreign Investment Law to complete registration, establishment, or restructure organisation forms. Based on their business activities, they need to obtain relevant industry licences and operational qualifications, such as the value-added telecommunications business operation licence.
- Network and data security compliance: multinational tech companies must strictly adhere to Chinese laws and regulations related to network and data security, including the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. They should implement technical and managerial measures to ensure the security of cyber and data.
- Technology import and export control compliance: if the Chinese subsidiaries of multinational corporations provide technical services, such as tech research and development, to overseas companies, they will be subject to China’s export control laws and regulations. In certain scenarios, they need to undergo relevant reviews and approval processes to obtain the necessary permits.
- Other legal challenges: this includes challenges with intellectual property protection, antitrust regulations, regulations against unfair competition, operational compliance related to corporate governance, and other specific industry legal requirements. Examples include compliance in cross-border e commerce advertising and marketing, and algorithm record filing for artificial intelligence technology.
How do current Chinese laws and regulations impact tech companies, particularly in areas like data privacy, cybersecurity, and intellectual property?
- Data privacy: the PRC Data Security Law establishes a system for the classification and grading protection of data, requiring data processors to take necessary compliance measures. Enterprises in specific industries may need to pay attention to unique data protection requirements. For instance, important data processed by automotive data processors and medical big data are required to be stored locally.
- Cyber security: as network operators, tech companies need to implement measures to ensure cyber security. This includes completing MPLS, establishing internal security management systems and operating procedures, storing important data within the country and other obligations for fulfilling the responsibilities as the main body of network security.
- Intellectual property protection: multinational tech companies need to clarify the ownership of technological achievements. They should proactively conduct prior intellectual property protection through protecting trade secrets, filing patents, registering trademarks, and copyright registration. Additionally, companies should actively engage in post-event intellectual property rights protection.
What are the challenges for Chinese tech companies in complying with international technology laws and regulations, especially in markets like the EU and the US?
- Export control risk: some countries control investments in high-tech fields such as semiconductors and the internet through foreign investment reviews. Chinese companies need to fully understand the review mechanisms of each country and evaluate national security risks when going global.
- Intellectual property compliance risks: the United States has issued several export control laws and regulations restricting China’s access to relevant technologies. When Chinese tech companies use third-party technologies in overseas markets, they must ensure that they have obtained legal authorisation. Moreover, they should also actively register their intellectual property in accordance with local policy requirements overseas.
- Cyber and data security compliance risks: Chinese tech companies need to build internal compliance frameworks based on local data protection systems overseas, such as ‘customised’ authorisation and consent mechanisms, data principal rights response mechanisms, children’s personal information protection systems, etc. If there is a need for cross-border transmission of overseas users’ personal information, GDPR requires data controllers to take appropriate safeguard measures, such as signing the SCC.
- Other legal challenges: such as tariff barriers imposed by other countries on Chinese products or technologies, and other trade restrictions or sanctions that Chinese companies in specific fields may face.
What are the key considerations for foreign SaaS providers looking to enter the China tech market, and how can legal counsel assist them in this process?
The key consideration is obtaining necessary operational qualifications for providing SaaS services in China. If a foreign SaaS provider intends to conduct value-added telecommunications services via offering SaaS products in China, it is required to obtain the corresponding value-added telecommunications business operation licence based on the nature of its business. Meanwhile, regulations such as the administration measures for foreign-invested telecommunications enterprises and the special management measures for foreign investment access (negative list) in China impose restrictions on the foreign capital proportion for certain value-added telecommunications businesses. Foreign SaaS providers need to assess and choose suitable operational model for entering Chinese market based on actual commercial needs.
Legal advisors will consider the business type, shareholding structure, shareholder experience, personnel arrangements, and other factors for foreign SaaS providers to propose suitable operational models. Relevant options may include direct application by the overseas entity, application by an onshore entity controlled by the overseas entity through the VIE structure, or collaboration agreements between overseas entities and onshore entities that have obtained operational licences.
How effective is the enforcement of intellectual property rights in China, and what steps can tech companies take to protect their IP?
China strengthened the protection of IP rights to facilitate innovation-driven development, with harsher punishments for IP infringements. Data showed that courts throughout China concluded more than 2.19 million IP cases between 2018 and 2022, up 221.1% compared with the previous five-year period. Innovators in China have been given stronger protection over the past five years. To protect their IP in China, tech companies can take several proactive steps:
- Registering IP: companies should register their patents, trademarks, and copyrights in China. Proper documentation can strengthen legal claims in case of infringement.
- Contractual protections: companies should sign robust IP protection clauses in contracts with partners, suppliers, and employees. Non-disclosure agreements (NDAs) and confidentiality clauses can help safeguard trade secrets.
- Due diligence: companies should conduct thorough due diligence when entering into partnerships with partners in China and understand the IP landscape and the potential risks associated with local partners.
- Enforcement actions: companies should be prepared to take legal action if infringement occurs including preparing the legal continence plan and working closely with legal professionals in China who specialise in intellectual property.
What are the legal risks that multinational companies need to focus on when they cooperate with Chinese companies and introduce technology from Chinese companies?
- Intellectual property protection: concerns about the potential counterfeit, theft or infringement of intellectual property, including patents, copyrights, and trade secrets, are significant. Proper contractual safeguards and due diligence are crucial to mitigate these risks.
- Licensing and compliance: multinational companies should ensure that the technology being introduced is properly licenced, and comply with licencing terms and conditions. Failure to adhere to licencing agreements may result in legal disputes and potential termination of the licencing arrangement.
- Export controls and sanctions: multinational companies should thoroughly verify whether the technology is subject to China’s export controls and whether there are any prospective restrictions on exporting the technology to concerned countries or entities. Multinational companies need to comply with China’s technology import and export laws and regulations, such as the Foreign Trade Law, the regulations on the administration of technology import and export and the measures for the administration of registration of the contracts for import or export of technologies, etc.
Can you provide an overview of the current AI law landscape in China, highlighting any recent legislative changes or notable court cases?
China has been actively developing its legal framework for AI. The current AI law landscape in China is predominantly governed by the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the interim measures for the management of generative artificial intelligence services, the trial measures for ethical review of science and technology (trial), the administrative provisions on deep synthesis in internet-based information services, the administrative provisions on recommendation algorithms in internet-based information services, the Copyright Law and relevant laws and regulations.
Recent legislative change is the effectiveness of the interim measures for the management of generative artificial intelligence services, which is the first specialised legislation targeting AIGC in the world. This regulation applies to any use of generative AI technology to provide generative AI services to the public within the territory of China and sets out compliance obligations for providers of AIGC.
The most notable case recently in China is the first case involving the copyright of AIGC. The Beijing Internet Court held that when people use AI models to generate pictures, they have the copyright of the pictures. However, the court also emphasised that based on the principle of good faith and the need to protect the public’s right to know, the users should prominently mark the AI technology or model it uses.
How is Chinese law adapting to emerging technologies such as AI, blockchain, and IoT, and what should tech companies do to stay ahead in compliance?
China has issued relevant regulations for emerging technologies, and the internet of things, such as the interim measures for the management of generative artificial intelligence services and the regulations on the management of blockchain information services.
To stay ahead in compliance, tech companies should consider the following:
- Monitor regulatory developments: China has been actively issuing policies and guidelines to regulate these technologies. It is crucial for tech companies to keep abreast of updates in relevant regulations and guidelines to ensure full compliance.
- Data protection and cross-border compliance: tech companies should actively build an internal management system for cyber security and data protection, take necessary measures, and fulfil compliance obligations regulated by cybersecurity and data protection laws of China, especially when dealing with data generated by AI, blockchain, and IoT applications.
- AI compliance: tech companies that provide AI services with public opinion attributes or social mobilisation capabilities should conduct security assessments and complete filing procedures. Tech companies should pay attention to the trial measures for ethical review of science and technology (trial) to ensure that scientific and technological activities using personal information data comply with ethical principles and norms.
- Blockchain and IoT regulations: tech companies should understand the regulatory framework for blockchain technologies and IoT. Meanwhile, tech companies engaged in blockchain services and IoT-related businesses also need to fulfil corresponding filing obligations or obtain business licences as proof of business qualifications.
How can generative AI be used within an organisation to improve employee productivity while complying with Chinese regulations?
Here are ways to use generative AI responsibly and effectively and improve employee efficiency: automated search and retrieval of basic information, language translation and communication, implementing AI-based generative chatbots to handle routine customer queries, and use generative AI to automate data analysis and report generation.
To ensure compliance with Chinese regulations while implementing generative AI within an organisation, consider the following:
- Strengthen supplier qualification review and ensure the procurement of legal and compliant AIGC products, services or interfaces.
- Strictly for internal use only and not to be used to provide services directly to the public, including avoiding subletting or lending purchased AIGC services, interfaces and accounts to others.
- Strengthen manual review of content to ensure that the input content and generated content do not contain illegal and inappropriate content.
- Ensure network access methods are lawfully allowed when using VPN or other network access methods to access AIGC products or interfaces of overseas suppliers.