The China Cyber Security Law and the new China eCommerce Law both have great impact on international companies already active or looking to start in China eCommerce. Especially for China eCommerce cloud hosting solutions, data storage and protection, it will be challenging for companies to ensure legal compliance.
Violators could receive fines up to 2 million RMB and even have their business license revoked. Therefore, international brands and companies already look for localized China eCommerce cloud hosting solutions.
This is especially necessary since many international brands use internationally oriented cloud eCommerce hosting providers. Global eCommerce hosting solutions such as Salesforce Commerce Cloud, Shopify Plus or Adobe Commerce Cloud (formerly known as Magento Cloud) host overseas. Under the new laws, there might be legal implications if international companies use these platforms in China.
China eCommerce Cloud Hosting: Who Needs to Read this Article
To help you prepare, we provide an overview of challenges and solutions you will face. These tips and info apply to companies who:
1. Already have a website adapted to the Chinese market in terms of language, international payment methods etc. but are hosted overseas
2. Already developed and launched a Chinese localized eCommerce website, which is hosted in China, but need to transfer data to the overseas headquarters for global management
3. Want to set up and launch a Chinese localized eCommerce website and host in Mainland China
If you are starting in China eCommerce, it is important to carefully choose a hosting solution. If you already are active on the market as in situation 1 but you turn out not to be fully compliant, your website could be blocked for Chinese access.
Thus, if you are in situation 1 or 3, you might face the following challenges.
Compliance Challenge 1: Applying for an ICP Bei’an
All sites hosted on a Mainland China server must have an ICP Bei’an by law. However, for setting up a store on Tmall or JD.com, you do not need an ICP Bei’an.
ICP Bei’an is the process of obtaining a business Internet Content Provider registration number that allows you to host your website on a Mainland Chinese server. When applying for an ICP Bei’an, besides a Chinese domain and local hosting, you also need a business license.
Besides legal compliance, you need an ICP Bei’an for Baidu Pay-Per-Click campaigns and other marketing tools, like WeChat and Alipay integration.
If your website does not have an ICP Bei’an, your hosting provider will not allow your website to be accessible. Furthermore, if your website is live without an ICP Bei’an, you may get blocked, face harsh fines or even a permanent online blackout in China.
Be aware that according to the new China eCommerce Law, it is mandatory for any eCommerce brand website to have the ICP Bei’an and other relevant certifications clearly shown on the website. Authorities can fine up to 500.000 RMB for any violations.
*Relevant clauses of the new China eCommerce Law: 15, 76, 81
Compliance Challenge 2: Before the ICP Bei’an – Domain Registration and Website Hosting
To obtain the ICP Bei’an, you first need to register a Chinese domain and ensure that your website is hosted in Mainland China.
Only after setting up these things can you practically and legally move on to the development stage. Even more importantly, you need both to apply for an ICP Bei’an. For this reason, it is also crucial that the domain registration applicant’s name is the same as the one filing for the ICP Bei’an. Forgetting to do this will complicate the process and result in serious delays.
Compliance Challenge 3: Overseas User Data Storage
Many international companies host overseas, so it would seem natural to store personal user data abroad. However, if the website and cloud are not hosted in Mainland China, such transfer of information could constitute a cross-border data transfer. Furthermore, authorities will likely see transfer of personal information to a cloud as a ‘use’ of personal information which requires explicit consent.
The Cyber Security Law requires local storage for all data collected in China. If there are specific reasons that make it necessary to have overseas data storage, you need to pass a safety assessment by the Cyberspace Administration of China (CAC). For any violations, the penalty could be as high as 500.000 RMB and in serious cases your business license might be revoked.
Companies still have until December 31, 2018 to ensure compliance with the cross-border data flow requirements as stated above.
*Relevant clauses of the China Cyber Security Law (in Chinese): 37, 66
Compliance Challenge 4: 3-year Transaction Data Storage
The new China eCommerce law requires that eCommerce operators record and store the platform’s product, service and transaction data. They also need to ensure its completeness, security and usability. All data should be traceable for at least 3 years. Under serious circumstances, authorities may impose a fine of 500.000 RMB.
This of course increases the burden on enterprises’ IT technology and data storage. So companies might have to improve key aspects such as server deployment, software security and IT manpower.
Additionally, in recent years companies have increasingly been using the cloud to host and store data. Outsourcing data storage to third parties can lower the burden on one’s own operations. Moreover, companies can more easily comply with the law and avoid legal risks through these professional data security and cloud hosting services.
*Relevant clauses of the China eCommerce Law (in Chinese): 31, 80
Compliance Challenge 5: User Privacy And Information Security
Under the new China eCommerce law, whenever a company collects data and uses this information it should clearly state its purpose, method and scope. Additionally, it must obtain consent of the user. Other website policies such as cookies and privacy policies require the same.
Of course, companies cannot disclose, falsify or damage any of the personal data they collect. Companies also need to guarantee user data security. Individuals also have the right to request changes or deletion of their data.
Violation of this rule will result in confiscation of any illegally obtained gains. Furthermore, authorities may impose a fine of between 2 and 10 times the amount of the illegal gains. Should there be no illegal gains, the highest fine could be 1 million RMB. If authorities find the circumstances serious enough, they can revoke the business license.
*Relevant clauses of the China Cyber Security Law (in Chinese): 41, 42, 43, 44, 64
Compliance Challenge 6: Other Relevant Clauses from the China Cyber Security Law
Article 38 of the China Cyber Security Law requires enterprises to conduct annual assessments of their network safety and risks. Companies can choose whether to do this internally or to hire a cybersecurity agency. Furthermore, it is the company’s responsibility to send the assessments and any possible improvements to relevant government departments.
Article 34 states that companies need to appoint special security and safety management supervisors (and conduct security background checks on them). Furthermore, there should be a system in place for recovery and backup of important directories and databases.
Article 21 stipulates technical measures that companies should implement to monitor and record their network operations and security incidents. Additionally, regulations stipulate that relevant network logs should be saved for at least six months. Lastly, data needs to be classified and encrypted wherever necessary.
For any violations of the above, you may face a fine ranging from 10.000 to 1 million RMB.
Naturally, companies can hire an experienced and professional third party for the security assessment, server operation and maintenance, disaster recovery systems and backups. Not only does this reduce the number of IT staff required, which saves a lot of labor costs, it also allows the existing staff to focus on other IT tasks.
*Relevant clauses of the China Cyber Security Law (in Chinese): 21, 34, 38, 59
China eCommerce Cloud Hosting: The Best Solution
The Chinese legal framework is quite strict, so connecting with an experienced and professional third party China hosting provider will further guarantee legal compliance.
Are you launching an eCommerce website and looking for a reliable China eCommerce cloud hosting solution? On our service platform, we include a decade of hosting experience to assure your application runs fast, stable and secure.
By controlling the process of software development and hosting architecture, we guarantee a smooth and seamless user experience for your target group; globally or in China.
See also: What is Chinese PIPL law and why it should matter to you. What is Chinese PIPL (Personal Information Protection Law), who does it apply to, what are the main concepts, what are the penalties in the new privacy law. Compliance checklist.