On 10 January 2019, the Cyberspace Administration of China (“CAC”) of the People’s Republic of China (“PRC”) issued the Administrative Provisions for Managing Blockchain Information Services (“Provisions”) which will take effect on 15 February 2019. The Provisions aim inter alia to safeguard national security and the public interest and to promote the development of blockchain technology and related services (Article 1).
It is the very first time the PRC government has outlined the legal framework to regulate the blockchain information services and lay down the relevant penalties for non-compliance.
Who are subject to the Provisions ?
Pursuant to Article 2, blockchain information services provided within the PRC territory shall comply with the Provisions. “Blockchain information services” is widely defined as the provision of information services to the public via Internet or Applications etc using blockchain technology. A blockchain information service provider (“Service Provider”) is defined as any entity or node that provides blockchain information services to the public, as well as any organization / institution that gives technical support to the Service Provider; and a blockchain information service user (“User”) means any corporation or individual which uses the blockchain information services.
Based on the above definitions, a Service Provider which is an overseas enterprise may also be subject to the requirements set out in the Provisions so long as it provides blockchain information services to residents within the PRC territory.
Key compliance issues under the Provisions
The key requirements under the Provisions are set out as follows :-
1. Information Security
Article 5 provides that Service Providers are responsible for data security management and shall set up a comprehensive system for user registration, data review, emergency response and security protection.
2. User Registration and Verification
Users are required to register with their real identities before using any blockchain information services. According to Article 8, Service Providers shall authenticate the Users’ organization codes (for corporate users), identity card numbers (for individual users), mobile numbers and/or other real identities submitted for the purpose of registration. For any User whose identity cannot be authenticated, Service Providers are barred from providing the services to such User.
3. Safety Assessment
Article 9 requires that before launching any new online products, applications and functions, Service Providers should submit them to CAC for safety assessment.
4. Filing and Display Requirement
Article 11 states that within 10 working days of the commencement of the blockchain information services, Service Providers are required to complete the filings requirement via the CAC Blockchain Information Services Filing System (“Filing System”) by submitting information (“Filing Information”) such as name, categories, modes and application of its services, and the location of the server, etc. Thereafter, Service Providers shall also file any changes made in the service such as product offered or website within 5 working days from the date of change. For termination of the blockchain information services, Service Providers are required to deregister such services 30 working days prior to the proposed termination date.
Further, Service Providers are required to display the filing registration number in a conspicuous position of the websites, applications, etc. (Article 13).
Following Article 14, CAC will conduct inspection on Filing Information from time to time. Service Providers are then required to make the necessary filings via the Filing System within the stipulated timeframe.
5. Data Retention and Report of Alleged Breach
In accordance with Articles 16 and 17, Service Providers shall take appropriate actions such as warnings, restriction of services and/or closure of the accounts of any User who has posted illegal information. Service Providers shall also back up any publication and entries made by such User and retain the backup for at least 6 months, and if necessary, provide the backup data to the authorities for investigation.
6. Complaint channel
Article 18 requires Service Providers to fully cooperate with the authorities to carry out any inspection by providing the necessary technical support and assistance. Also, Service Providers shall set up a user-friendly channel for the public to lodge complaints and shall promptly deal with the complaints.
Penalty for non-compliance of the Provisions
In the event of any non-compliance of the Provisions, CAC will issue a warning to the Service Provider concerned and order it to rectify such non-compliance within a given period of time. The Service Provider may be ordered to suspend service or operation before rectification is complete and may be fined for RMB5,000 to RMB30,000. The Service Provider may also be prosecuted depending on the circumstances.
As stated above, the Provisions will become effective shortly on 15 February 2019. For any Service Providers who has commenced operation within the PRC before the announcement of the Provisions, there is a grace period of only 20 working days after 15 February 2019 to fulfil the relevant compliance requirements. Any existing Service Providers or potential Service Providers should carefully review the Provisions and take steps to comply with the requirements in a timely manner so as to minimize any disruption or interference to their operation or services. It is yet to be seen how enforcement of the Provisions can be taken against blockchain information service providers who are incorporated overseas with no actual presence within the PRC territory and their servers set up outside the PRC.
If you have any questions on the above or other issues relating to regulatory and compliance matters in China, our experienced lawyers in the China Business Department will be happy to assist.