-
Is there a single regulatory regime that governs software?
In the People’s Republic of China (“PRC”), there is no single regulatory regime that governs software. Instead, software is subject to a wide range of PRC laws and regulations that cover various aspects of software protection, development, distribution, and use. Aside from general and widely applicable laws such as the PRC Civil Code and the PRC Criminal Law, as well as their judicial interpretations, a collection of laws governs more specific aspects of software, including:
The PRC Copyright Law and its rules for implementation are the primary laws that govern software in China. This law grants exclusive rights to the software’s copyright holder to reproduce, modify, and distribute the software. It also provides for civil and criminal penalties for copyright infringement.
The PRC Regulations on Computer Software Protection (“Software Regulations”) provide guidelines for the protection of software copyrights in China, including protection for software copyrights, software licensing, prohibition of piracy and illegal reproduction, and liabilities for violations. In terms of software use, the Software Regulations stipulate that software copyright owners have the exclusive right to reproduce, modify, distribute, and license their software. Unauthorized use of software in any form is prohibited. Any individual or organization that reproduces, modifies, or distributes software without permission from the copyright owner is subject to administrative or criminal penalties. Administrative penalties include ordering the cessation of infringement, confiscation of illegal gains, and fines. Criminal penalties may include imprisonment and fines.
-
How are proprietary rights in software and associated materials protected?
In China, proprietary software rights are a bundle of rights that are under the protection of the PRC Copyright Law and its rules for implementation, as well as the Software Regulations. The proprietary rights include the rights for reproduction, modification, distribution, and transmission through information networks (a way to distribute software through the Internet that allows the public to obtain the software at a time and place they choose). No party may exercise the above rights without the consent of the copyright owner.
-
In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
The essence of this issue is the copyright attribution for the commissioned work. Pursuant to the Software Regulations, when a piece of software is developed for a customer on commission, the copyright ownership shall be agreed upon in a written contract between the customer and the developer. In the absence of an explicit agreement in a written contract, the developer shall enjoy the copyright.
-
Are there any specific laws that govern the harm / liability caused by Software / computer systems?
There is no specific law on harm/liability arising from software/computer systems, but some general rules such as the PRC Product Quality Law and the PRC Consumer Protection Law (“Consumer Protection Law”) specify the liabilities for damages caused by defective products. If product defects cause personal injuries or property damage, victims may claim compensation from either the producers or sellers. If the producer is liable and the seller has paid compensation, the seller may recover their losses from the producer and vice versa. A developer may bear such liability if the software causes harm to the customer.
-
To the extent not covered by (4) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
The PRC Criminal Law also criminalizes the misuse of computer systems. A person may face fines or imprisonment if such person illegally invades, controls, or sabotages a computer system or illegally collects data from the computer system, or provides tools that are used to carry out such illegal activities.
-
Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
According to the PRC Telecommunications Regulations (“Telecoms Regulations”), cloud technology providers must obtain a license from the Ministry of Industry and Information Technology (“MIIT”). Cloud technology is specifically listed in the Classification Catalog of Telecommunications Services (“Catalog”) within the category of Internet resource collaborative (IRC) services, itself a sub-category of Internet data centre (IDC) VATS activities.
Other major obligations for cloud technology providers include the rules concerning the collection and use of personal information (“PI”), including, inter alia, the PRC Cybersecurity Law and the PRC Personal Information Protection Law (“PIPL”), as well as a number of regulations and national standards, such as the Information Security Technology – Personal Information Security Specification as well as the Information Security Technology – Guideline for Personal Information Protection within Information Systems for Public and Commercial Services.
The PRC Cybersecurity Law and the PIPL require cloud technology providers to obtain consent from data subjects for the collection and use of their PI, impose requirements on some operators to undergo security assessment procedures prior to an overseas transfer, and follow general principles such as “legitimacy, rightfulness and necessity” for the collection and use of PI.
The PRC Data Security Law provides an overarching and broadly defined legislative framework for data security in the PRC and runs in parallel with the PRC Cybersecurity Law and the PIPL.
The Consumer Protection Law sets similar requirements for the collection of consumer information by business operators. Other high-level laws, including the PRC Civil Code and the PRC Criminal Law, provide general privacy protections.
The PRC Measures for Cybersecurity Review provide that any Critical Information Infrastructure Operator (“CIIO”) seeking to procure any network product or service that affects or may affect national security needs to undergo a “cybersecurity review”. Some cloud services products, such as high-performance computers or servers, mass storage equipment, large databases or applications, and network security equipment, are specifically included in the scope of network products that are subject to the PRC Measures for Cybersecurity Review. Therefore, any CIIO procuring such cloud products or services that may affect national security must go through a process that may include applying for a cybersecurity review by the Cybersecurity Review Office (“CRO”), an initial review by the CRO, and potentially a “special review” by the CRO if its members cannot reach an agreement after the initial review.
-
Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
Software vendors typically do limit their liability, and the cap is typically the contract price that the software vendor receives. However, under certain circumstances, liability limitations may not be legally effective. For example, when a software vendor provides a license to a consumer and the consumer can only choose to agree or disagree with the terms of service without negotiating with the software provider, the liability limitation clauses in the terms of service may be deemed invalid. In addition, according to the PRC Civil Code, liability for a) property damage caused intentionally or through gross negligence or b) personal injury cannot be limited.
-
Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
Confidentiality breaches, breaches of applicable laws, regulatory fines, and wilful or deliberate breaches are typically excluded from liability limitations. In addition, personal injuries are excluded from liability limitations.
-
Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used? Is an equivalent service offered for cloud-based software?
Source code escrow/depository is common in the open-source software community. For non-open-source software, a software vendor that authorizes the customer to use the software usually neither provides the source code to the customer nor uses source code escrow services; we have seen only a few such cases recently (typically involving heavily negotiated arrangements between a licensor and licensee for cross-border co-development projects of ultra-significant commercial value). If the customer requires the source code, the vendor may require the customer to make a substantial payment before delivering the source code.
-
Are there any export controls that apply to software transactions?
According to the PRC Export Control Law, China prohibits or restricts the export of certain software. According to the Regulations on the Administration of Technology Import and Export of the PRC, software that is prohibited from export cannot be exported, and software that is subject to export restrictions can be exported with the approval of the competent authority, which currently is the Ministry of Commerce (“MOFCOM”). According to the Catalog of Technologies Prohibited or Restricted from Export (“Export Control Catalog”), encryption and decryption software is export-prohibited. The following software is export-restricted: casting-related software, ship sonar docking software, satellite image processing software, large-scale computer software, basic software security-enhancing technology, and mapping-related software.
Although not specifically focused on software export prohibitions/restrictions, it is worth noting that in December 2023, MOFCOM and the Chinese Ministry of Science and Technology (“MOST”) jointly amended the Export Control Catalog to delete six prohibited items and 28 restricted items, but also added one new prohibited item, i.e., human cell cloning and gene editing technology, as well as three new restricted items, i.e., technology for utilizing hybrid advantages in crops, bulk material handling and conveying technology, and laser radar systems, among other changes to the existing items listed in the Export Control Catalog.
-
Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
There are no specific PRC laws or regulations that regulate IT outsourcing transactions.
-
Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
According to the PRC Patent Law, unless otherwise agreed by an employer and employee, any invention created by an employee during their course of employment, or through taking advantage of the employer’s materials or technical resources, will be considered a work made for hire and such invention will belong to the employer, and the employer shall provide bonus compensation to the inventor for their work in addition to the inventor’s regular salary.
-
Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
China’s telecommunications industry is heavily regulated. The principal laws governing telecommunications include the Telecoms Regulations, the Catalog, Administrative Measures for the Licensing of Telecommunications Business (“Telecoms Measures”), and Administrative Provisions on Foreign-Invested Telecommunications Enterprises (“FITE Provisions”).
The Telecoms Regulations are the primary law governing telecommunications services in China and set out general guidelines for activities related to telecommunications services. The Telecoms Regulations categorize telecom services as either “basic telecommunications services” (“BTS”) or “value-added telecommunications services” (“VATS”), and different licenses are required to operate each type of service. A comprehensive list of BTS and VATS can be found in the Catalog, which provides the specific descriptions and features of each type of telecommunications service.
Following the Telecoms Regulations, the Telecoms Measures provide additional clarification on the requirements for obtaining telecoms licenses, and the FITE Provisions govern foreign investment in telecoms business in China.
-
What are the principal standard development organisations governing the development of technical standards in relation to mobile communications and newer connected technologies such as digital health or connected and autonomous vehicles?
The principal Chinese SSO is the Standardization Administration of China (“SAC”), which is currently a division of the State Administration of Market Regulation (“SAMR”). The SAC establishes and maintains various National Technology Standardization Committees (“TCs”). According to the Measures for the Administration of National Standards, the TCs established by the SAC shall be responsible for proposing draft voluntary standards and compulsory national standards as needed.
-
How do technical standards facilitating interoperability between connected devices impact the development of connected technologies?
As one of the important contributors to international technical standards, China has borne direct witness to the impacts of technical standards in the market. The main influences of technical standards include: (1) reducing market entry barriers by lowering technical obstacles for new product development, thereby facilitating easier market entry for new entrants; (2) enhancing user acceptance, given that compatibility with other devices increases demand and user adoption of a new technology; and (3) reducing costs, as standardization often allows for the reuse of existing technologies and components, thereby lowering R&D and production expenses.
-
When negotiating agreements which involve mobile communications or other connected technologies, are there any different considerations in respect of liabilities/warranties relating to standard essential patents (SEPs)?
The following recommendations relating to SEPs should be considered and are typically covered when negotiating agreements:
- Disclosure: Exhaustive and accurate disclosure of the SEPs involved in the agreement usually forms an essential basis of the representations and warranties (and case-specific carve-outs) of such agreements, in order to ensure transparency and avoid future disputes.
- Licensing Terms: The licensing terms, including the term/duration, fee arrangement, territory, scope, and cross-licensing, etc., are typical commercial terms that form the focus of commercial negotiations.
- Patent Infringement Risk: It is also important to have a full and accurate assessment of the risks of patent infringement arising from the use of SEPs, as well as to properly mitigate such risks and allocate any damages resulting from such risks via contractual arrangements.
- Patent Dispute Resolution: Mechanisms for the resolution of patent disputes, such as arbitration or mediation, are also typical topics of negotiation.
-
Which body(ies), if any, is/are responsible for data protection regulation?
There are multiple government authorities responsible for data protection regulation. The most important ones, among others, are the CAC, the MIIT, the SAMR, and the Ministry of Public Security (“MPS”). The CAC is the leading government authority overseeing data protection administration, and other administrators have the authority to enforce data protection regulations in their respective fields.
-
Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.
Data protection is a general term that covers a wide range of subjects and activities. Data is defined by the Data Security Law of the People’s Republic of China (Data Security Law) as any record of information in electronic or other form. The three principal laws that govern data protection are the Cybersecurity Law, the Data Security Law, and the PIPL. Other laws and regulations related to data protection include, but are not limited to, the PRC Civil Code, the PRC Criminal Law, and the E-Commerce Law.
The Cybersecurity Law, which went into effect on 1 June 2017, marked China’s first overarching national legislation specifically dealing with data protection. It was enacted to safeguard national cybersecurity and ensure the orderly operation of cyberspace. The Cybersecurity Law aims to address various cybersecurity concerns, including critical information infrastructure, data protection, privacy, etc.
On 1 September 2021, the Data Security Law was enacted to further address the data protection issues laid out in the Cybersecurity Law. The Data Security Law focuses on data processing activities happening within the territory of the PRC. Under the Data Security Law, data processing refers to data collection, storage, transmission, provision, and disclosure.
The PIPL, which became effective on 1 November 2021, specifically governs PI protection. The PIPL runs in parallel with the Cybersecurity Law and Data Security Law and further reinforces China’s personal-information protection legal regime.
On 1 June 2023, the Measures on Standard Contracts for the Outbound Cross-Border Transfer of Personal Information (“SC Measures”) were enacted and the requirement to use the Standard Contract for the Outbound Cross-Border Transfer of Personal Information (“Standard Contract”) came into effect.
Barring certain exceptions (see below), a PI handler will be subject to the SC Measures if it transfers PI out of China based on contractual arrangements, unless such PI handler has already completed a PI protection certification from a qualified certification institution designated by the CAC. However, and also subject to the aforementioned exceptions, PI handlers that meet any of the threshold requirements for the mandatory application of the Data Export Security Assessment Measures (“SA Measures”) remain subject to the CAC-led security assessment regime for their cross-border data transfers and are not permitted to engage in such transfers under the Standard Contract regime. The SA Measures are mandatory for PI handlers that transfer PI outside of China when the PI handler:
- is a CIIO;
- has processed the PI of at least one million individuals;
- has exported the PI of at least 100,000 individuals to overseas parties on a cumulative basis since 1 January of the preceding year; or
- has exported the sensitive PI of at least 10,000 individuals on a cumulative basis to overseas parties since 1 January of the preceding year.
The SC Measures expressly prohibit PI handlers from splitting the volume of PI across different operating entities to avoid meeting the thresholds and circumvent the security assessment obligations.
PI handlers that qualify for the Standard Contract regime under the SC Measures must execute Standard Contracts with the overseas recipients of PI transferred out of China, and such contracts must include terms that strictly comply with the terms set out in the Standard Contract. Covered PI handlers must refrain from carrying out any cross-border data transfers of PI before their Standard Contracts with corresponding overseas recipients take effect.
Pursuant to the SC Measures, PI handlers must file a Standard Contract for a cross-border transfer of PI, as well as a PI protection impact assessment (“PIPIA”) report, to their provincial branch of the CAC within 10 business days of such Standard Contract taking effect.
Furthermore, in situations where there are changes to the cross-border data transfer activities between a PI handler and an overseas recipient during the term of their Standard Contract (such as any changes to the purpose, scope, storage period, or storage location of any PI, or any changes to the relevant PI regulations of the country or region that the overseas recipient is located in that would impact the interest of data subjects), the SC Measures affirmatively require PI handlers to:
- carry out a fresh PIPIA and prepare an updated PIPIA report;
- execute a new Standard Contract or a supplementary contract that covers such changes; and
- file both the updated PIPIA report and new Standard Contract or supplemental contract to the relevant provincial branch of the CAC.
Qualifying all the above, on 22 March 2024, the CAC issued the Provisions on Facilitating and Regulating Cross-Border Data Transfer, which exempt PI handlers from both the security assessment and Standard Contract requirements in the following circumstances:
- PI exporting that is necessary for the conclusion or performance of a contract to which the PI subject is a party, such as cross-border shopping, delivery, payments, bank account opening, ticket and hotel bookings, visa applications, examination services, etc.;
- Exporting PI of employees for purposes of implementing HR management according to employment policies and collective labor contracts;
- Exporting PI for purposes of protecting individuals’ life, health, or property security in emergency situations;
- Exporting non-sensitive PI of no more than 100,000 individuals (on a cumulative basis since January 1 of the current year) by a data handler that is not a CIIO;
- Exporting PI that is collected or generated outside mainland China (provided no “important data” or PI collected/generated in mainland China is included in the data export); and
With this facilitating regulation, many cross-border data transfers involved in various daily operations of multinational companies, including transferring PI of China employees or of customers, vendors, and other business associates, will not be subject to any security assessment, Standard Contract, or PI protection certification requirements. Furthermore, the threshold number of data subjects whose PI can be exported before triggering the requirement to go through the security assessment procedure has been raised from 100,000 to one million, and the period for counting that number has been shortened: data handlers can now transfer the PI of up to (but not including) one million data subjects within the period starting from January 1 of the current year (rather than starting from the preceding year) before being required to undertake a security assessment (although a Standard Contract or PI protection certification is required once the number reaches 100,000).
The regulation also may facilitate the transfer of certain other kinds of data, in certain circumstances, such as exporting non-PI data that is collected or generated during international trade, cross-border shipping, academic cooperation, cross-border manufacturing and marketing, and certain other as-yet unspecified activities, unless such data is recognized as “important data” (or as some other, more specialized, kinds of data, e.g., state secrets).
-
What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
Sanctions for violating data protection laws in China are divided into civil and criminal penalties.
For civil penalties, in accordance with the PIPL, severe mishandling of PI may lead to penalties of up to RMB 50 million or 5% of the previous year’s annual business revenue, along with potential operation suspension, corrective measures, and the revocation of relevant permits and licenses. Individuals directly responsible may face fines ranging from RMB 100,000 to RMB 1 million. Similarly, under the Data Security Law, failure to notify the relevant authorities in the event of a data breach can result in administrative fines of up to RMB 2 million, while the illegal export of essential data can result in fines of up to RMB 10 million.
For criminal penalties, under PRC criminal law, the maximum criminal penalty for violating data protection laws and regulations is a fixed term imprisonment of not less than three years but not more than seven years and a fine. Entities that violate such laws will be fined, and the responsible individuals may face imprisonment.
-
Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
Contracts that have no connection with overseas entities do not refer to foreign data protection regimes. If one of the contracting parties is from overseas, the contract will involve other data protection regimes’ considerations. The PIPL and the SCC share many similarities with other external data protection regimes, such as the EU’s GDPR and SCC. Therefore, compliance with China’s PIPL and SCC provisions to some extent also aligns with certain requirements of other jurisdictions’ data protection regimes.
-
Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
The CAC primarily regulates Artificial Intelligence (AI) services, although other authorities, such as the MIIT, the MPS, and others may also get involved depending on the product features and market practices of the AI services.
-
Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
The Ministry of Science and Technology (“MOST”) issued the Ethical Norms for New Generation Artificial Intelligence in September 2021, which provides basic ethical norms that must be followed during the development of AI technology, including:
- improve the benefits for human beings;
- promote fairness and justice;
- protect privacy;
- ensure that human beings have the choice to accept or decline services provided by AI;
- ensure that humans are ultimately responsible for decisions made by AI; and
- enrich the pool of ethical knowledge related to AI.
The CAC issued the PRC Internet Information Service Algorithmic Recommendation Administration Provisions, which govern market entities that use algorithmic recommendation programs and require such entities to inform users that the recommendations are made through algorithms and to allow users to opt out.
In July 2023, the CAC, alongside six other government departments, jointly released the Interim Measures for the Administration of Generative Artificial Intelligence Services (Generative AI Measures), which were formally implemented on 15 August 2023.
-
Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI?
The Generative AI Measures set out the obligations of generative AI service providers, such as data compliance and PI protection, security assessment, algorithm filing, and liabilities for violation.
Any entity, organization or individual that provides services that generate any text, images, audio, videos, or other content to the general public in mainland China using “generative AI technology”, whether through APIs or other means, (“Generative AI Services”) will be subject to the Generative AI Measures. “Generative AI technology” is defined to include any models and relevant technology that can generate text, images, audio, videos, or other content. However, anyone researching, developing, and using generative AI technology without offering Generative AI Services to the general public in China will not fall within the scope of the Generative AI Measures.
Entities established outside of China are also covered. The CAC, in conjunction with other PRC regulators, will take necessary technical and other measures against Generative AI Services that are provided to users in China from the offshore level (i.e., via servers and data hosted outside of China) that violate the Generative AI Measures or other PRC laws and regulations. In practice, we expect this will most often result in non-compliant Generative AI Services being restricted or blocked by China’s Great Firewall, given the difficulty of extraterritorial enforcement against non-PRC entities, which may not have operations or assets within the reach of China’s regulators.
Aligned with China’s longstanding online service/content requirements, Generative AI Services will also be subject to PRC content censorship. Although the means of doing so will differ, the Generative AI Measures will likely require Generative AI Services to adopt measures to self-censor content similar to that censored by online service/content providers in China.
The Generative AI Measures require generative AI service providers to take a number of actions that aim to ensure compliance with the PRC Cybersecurity Law, the Data Security Law, the PIPL, and other PRC laws and regulations, and also require generative AI service providers to:
- Execute service agreements with users.
- Employ measures to prevent minor users from relying on or being addicted to generative AI services.
- Label content that is generated through “deep synthesis” services.
- Report content violations and wrongful activities.
- Provide users with channels to voice complaints.
The Generative AI Measures require that any Generative AI Services with “public opinion properties or the capacity for social mobilization” must go through a security assessment and an algorithm filing.
In the event of a violation of the Generative AI Measures, penalties may be incurred pursuant to the Cybersecurity Law, the Data Security Law, PIPL, and the PRC Law on the Progress of Science and Technology. For example, violations of the PI protection provisions of the Generative AI Measures will likely trigger penalties under the PIPL, and may include a warning, an order for rectification, confiscation of illegal gains, and a fine of up to RMB 1 million (among other penalties).
Where other laws or regulations are silent, relevant authorities are still authorized to issue a warning or reprimand, and can order rectification measures to be taken within a specified time limit. If parties fail to adopt such rectification measures, or if the circumstances are especially serious, then a suspension order may be issued.
-
Do technology contracts in your jurisdiction typically contain either mandatory (e.g. mandated by statute) or recommended provisions dealing with AI risk? If so, what issues or risks need to be addressed or considered in such provisions?
The Generative AI Measures require generative AI service providers to (among other things):
- uphold “Core Socialist Values”, and not generate any content that incites subversion of national sovereignty or the overthrow of China’s socialist system, threatens national security and interests, harms the nation’s image, incites separatism, undermines national unity and social stability, propagates terrorism or extremism, or propagates ethnic hatred;
- adopt effective measures to prevent the generation of content that discriminates on the basis of race, ethnicity, beliefs, nationality, region, gender, age, occupation, or health;
- respect intellectual property rights and commercial ethics, and protect commercial secrets; and
- respect the lawful rights and interests of others, not endanger the physical and psychological well-being of others, and not infringe the rights and interests of others, including their likeness, reputation, honor, etc.
To prevent unlawful content from being generated, almost all user agreements in use by AI platforms stipulate that AI users may not: (i) induce outputs that violate relevant laws and regulations through their inputs/prompts; (ii) induce outputs that result in “unfriendly dialogue”; and (iii) maliciously counter the filtering mechanisms of such services.
Although the means of doing so will differ among providers, the Generative AI Measures will likely require Generative AI Service Providers to adopt measures to self-censor content, similar to the way that online service/content providers censor certain content in China.
As mentioned above, the Generative AI Measures also emphasize certain existing obligations of generative AI service providers, such as data compliance and PI protection. In addition to a user agreement, a separate privacy policy or PI protection agreement is typically needed to obtain clear consent from users in order to lawfully process their information and to clarify the rights possessed by users with respect to their PI.
Although the Generative AI Measures require only the provider (and not users) to bear the obligation of labelling certain types of AI-generated content, in some cases, AI service providers (such as ERNIE Bot) prohibit their users from removing or tampering with any AI-generated logos or deep synthetic content warnings involved in their services in the absence of a legal or legitimate basis for such removal/tampering.
AI service providers are also required to provide users with a complaint and reporting mechanism pursuant to the Generative AI Measures, which is typically handled in the AI platform’s user agreements.
-
Do software or technology contracts in your jurisdiction typically contain provisions regarding the application or treatment of copyright or other intellectual property rights, or the ownership of outputs in the context of the use of AI systems?
Under the Generative AI Measures, by default, users generally hold legitimate rights to the information they input. However, in practice, AI service providers often include provisions in their user agreements granting their own authorization to use relevant user inputs. For example, one well-known Chinese AI service provider utilizes a policy where users who use the company’s AI platform to publish, spread, or share images, text, audio, or other information must represent that they have the right to such content, and must agree to grant the service provider a worldwide, permanent, irrevocable, and free permission to exercise various rights over such information. These rights include (1) the ability to use, reproduce, modify, adapt, publish, translate, create derivative works, broadcast, perform, and display the information; (2) the right to incorporate the entire or any partial information generated by a user’s AI outputs into other forms of works, media, or technology; and (3) the right to engage in the commercial development of the user’s uploaded or published information. So far, users have not successfully challenged this practice.
The Generative AI Measures do not specify intellectual property ownership matters related to output content. In practice, some AI service providers prefer not to assert any rights to AI-generated content due to the possibility of infringement of the intellectual property rights of a third party. There are a number of instances where the service providers clearly state in their user agreements that the service providers do not claim ownership of any output content.
-
What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
There are no laws that specifically govern blockchain or digital assets, but many regulations and pieces of guidance promote the development of blockchain technologies and seek to avoid potential risks.
The Provisions on Administration of Blockchain-Based Information Services, issued by the CAC on 10 January 2019, set clear procedural guidelines for providers of non-cryptocurrency blockchain-based services within China, including a mandatory filing with the CAC for blockchain service providers, a reporting obligation to the CAC before launching any new products, and a mandatory security assessment requirement for such products.
For blockchain-based assets such as cryptocurrencies, the Chinese government continues to take a hard line against private cryptocurrencies and fundraising. In general, regulators have instituted an outright ban on the issuance of blockchain assets by private issuers and blockchain asset trading platforms. No funds are allowed to invest in blockchain assets. The amended Interpretation of the Supreme People’s Court of Several Issues on the Specific Application of Law in the Handling of Criminal Cases about Illegal Fundraising expressly provides that the “trade of virtual currency” as a way of illegal fundraising may be considered a crime under the Criminal Law of the People’s Republic of China. Also, from the perspective of PRC law, most DeFi platforms would require certain types of financial business permits, which are each quite difficult – if not practically impossible – to obtain.
For digital assets such as NFTs, the legal treatment varies based on the specific type of NFT and its features. As a general rule, NFTs designed in ways similar to virtual currencies or crypto-tokens will likely be subject to China’s strict prohibition against the trade of virtual tokens. As mentioned above, China’s Supreme People’s Court expressly criminalized illegal fundraising by way of virtual currency trading, and therefore NFTs that can be traded like crypto-tokens are also likely to face huge legal risks in China. Conversely, NFTs that are designed as mere virtual collectibles and may not be traded as currency (i.e., the NFTs are only virtual items in meta/virtual worlds) are unlikely to be regulated by any fintech-related regulations. The same goes for NFT trading platforms, as their legality under PRC law largely depends on what types of NFTs are traded on them.
The providers of blockchain platforms, services, and digital assets that are considered data processors should follow China’s cybersecurity framework, as detailed in point 16 above, as well as any applicable industry-specific rules and regulations.
-
Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
The Telecoms Regulations primarily regulate search engines and marketplaces, as detailed in point 13 above. Search engines and marketplaces must also follow the laws and regulations related to data protection in point 18 above. The PRC Consumer Protection Law sets similar requirements for the collection of consumer information by business operators. Other high-level laws provide general privacy protections, such as the PRC Tort Law, the PRC Civil Code, and the PRC Criminal Law. Additionally, search engines and marketplaces fall under the regulation of the Catalog. Interestingly, foreign investment in an ICP licence holder is capped at 50%, whereas there is no restriction on foreign shareholding for an EDI licence holder.
In addition to the aforementioned regulations that govern search engines and marketplaces from a general perspective, there are also a number of industry-specific regulations. For search engines, the Administrative Provisions on Internet Information Search Services promulgated by the CAC in 2016 set out specific requirements for search engines related to data privacy, information security, and advertising. For marketplaces, the PRC E-Commerce Law regulates all aspects of online marketplaces.
The current Anti-Unfair Competition Law (“AUCL”) expressly restricts network-based anti-competitive conduct, but only based on high-level provisions. However, a draft amendment to the Anti-Unfair Competition Law has been included in the Legislative Work Plan of the State Council for the Year 2024, which will be submitted to the Standing Committee of the National People’s Congress for consideration. The public comment period related to this draft amendment previously concluded at the end of 2022. In particular, Article 4 of the draft amendment expressly prohibits business operators from using data and algorithms, technology, capital strength, or platform rules to engage in unfair competition practices.
Under the PIPL and other regulations (such as the PRC Measures for Cybersecurity Review), marketplaces that process large volumes of PI or operate certain types of business are subject to enhanced requirements for PI protection, including:
- completing a cybersecurity review if processing the PI of 1 million or more individuals and applying to be listed publicly outside of China;
- establishing an independent body mainly composed of external members to supervise the protection of PI;
- ceasing the provision of any service to any product provider or service provider operating on the marketplace that commits a serious violation of any law or administrative regulation in the processing of PI; and
- regularly publishing a social responsibility report concerning PI and accepting supervision from the public.
-
Please summarise the principal laws (present or impending), if any, that govern social media, including a brief explanation of the general purpose of those laws?
China has many laws and regulations that govern social media. With respect to operating licenses governed by the MIIT, social media platforms fall under the category of Internet information services (i.e., Internet Content Providers or “ICPs”, which fall under Category B25 of the Catalog). Additionally, according to the PRC Interim Administrative Measures on Internet Culture, an internet culture operating license is required if the social media platform provides audio, videos, performances, games, or other cultural products that are transmitted through the Internet.
In terms of data protection and cybersecurity, social media platforms must also follow the regulations set out in point 18 above and the requirements for the cybersecurity review detailed in point 27 above (if applicable).
With respect to the internet content environment, the PRC Administrative Measures for Internet Information Services seek to “regulate internet information services activity and to promote the healthy and orderly development of internet information services”. The Administrative Regulations on the Internet Audiovisual Program Service also regulate social media content and serve to censor certain kinds of content, as do government agencies such as the National Radio and Television Administration and the CAC. The Advertisement Law and related guidelines (e.g., the Enforcement Guidelines for Absolute Language Enforcement in Advertisement) seek to protect consumers from false information, including information disseminated through advertisements on social media platforms.
-
What are your top 3 predictions for significant developments in technology law in the next 3 years?
China will continue to take the lead on artificial intelligence regulations.
The Generative AI Measures are the latest in a series of AI-focused regulations and policy documents issued by governmental authorities in the PRC. Currently, China is a global leader – ahead of both the US and the EU – in publishing a set of detailed AI regulations, covering deep synthesis, recommendation algorithms, and now, generative AI. We expect to see this trend continue.
Although generative AI services offered to the general public within China will be subject to the Generative AI Measures after 15 August 2023, no new requirements beyond the existing PRC regulatory regime are currently imposed on generative AI services and AI technologies. The Generative AI Measures simply clarify the current applicable requirements under the existing regulatory regime, including data compliance, PI protection, and cybersecurity, as well as content censorship. As this technology continues to develop rapidly, even more comprehensive AI-related laws may be promulgated in the near future. As explained, the draft Artificial Intelligence Law has been explicitly included in the State Council’s 2024 Legislative Work Plan (meaning that the draft legislation is officially in the pipeline to be submitted to the Standing Committee of the National People’s Congress for consideration).
The revised Anti-Unfair Competition Law will likely have major implications for businesses that use algorithms and big data.
The draft Amendment to the Anti-Unfair Competition Law referred to above has also been explicitly included in the Legislative Work Plan of the State Council for the Year 2024. The draft amendments aim to improve anti-competition rules for the digital economy, with several newly added provisions such as Article 4, which would prohibit business operators from using data and algorithms, technology, capital strength, or platform rules to engage in unfair competition practices. More specific to the digital economy, unfair competition activities explicitly prohibited by the draft amendments include:
- using and processing big data collected from users and algorithms to influence user choices, thereby disrupting the order of fair competition in the market;
- violating industry practices or technical specifications to hinder access to other network products or services;
- improperly acquiring commercial data from other operators; and
- using algorithms to customize prices for different users based on an analysis of their preferences and other characteristics.
The Company Law will see major changes that will potentially help foster innovation.
The latest changes to the Company Law officially came into force on 1 July 2024. The key revisions include:
- eliminating the current Company Law’s requirement for a shareholder resolution in certain M&A circumstances and the requirement for a majority of shareholders to consent to a transfer of equity from one shareholder to anyone other than another shareholder;
- an expansion of liability for directors and a requirement that companies with 300 or more employees have an employee-representative director;
- specifying liability and circumstances that would make it possible for shareholders who fail to pay the subscribed registered capital in time and in full to lose their equity in the company; and
- introducing new provisions that allow companies to issue different kinds of shares with different shareholder rights.
In accordance with the above revisions of the Company Law, technology (as well as other) companies should consider numerous changes to their corporate structures and governance. Fortunately, most of the revisions reflect liberalization rather than increased restriction, and would further harmonize PRC company law with international standards and foster innovation in the technology and other industries.
-
Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?
Because there are no laws that specifically require sustainability/net-zero obligations to be incorporated in technology contracts, such provisions do not usually appear in technology contracts.
China: TMT
This country-specific Q&A provides an overview of TMT laws and regulations applicable in China.