On January 10th, new blockchain service regulations were published by the Cyberspace Administration of China (CAC). Last year in October, another set of guidelines (referred to below as Oct 2018 Regs) were published which many providers are likely familiar with. The new rules take effect on February 15th, 2019, and there are some changes. Below we explain six important areas of understanding, with insights from the blockchain team at Merits&Tree (Zhide 植德律师事务所) law firm.
1. Purpose and Authority
The first article of the new regulations states that the purpose is to standardize blockchain service activities, protect national security and the interests of people, company proprietors, consumers and organizations. The third article makes it clear that all relevant authorities have a responsibility to execute and enforce these rules. Merits&Tree advises that despite recognizing the potential of blockchain as technological advancement, CAC also sees risks of it being used for bad purposes. These rules are to mitigate these risks.
The second article gives clear definitions on “providers” — anyone using blockchain online as a method to provide information services, and “users” — any individual or organization making use of blockchain services. Zhide says it’s much the same as the Oct 2018 Regs, but a difference emerges in types of companies. Where some used to get around the rules by registering as an offshore entity that makes use of domestic tech providers, they now cannot do this. The definition has been widened to include these entities.
3. Self-Regulation and Supervision
The fourth and eighteenth articles encourage greater self-regulation, urging blockchain providers to follow the laws and accept government supervision and inspection. All within the field need to provide all necessary assistance to authorities, including providing channels for complaints and for reporting of illegal activity. Zhide’s lawyers say that this is all part of fostering a better industry environment and business culture.
4. Security Responsibilities
The fifth, sixth and sixteenth articles detail providers’ responsibilities regarding cybersecurity. Zhide says they are more stringent than the Oct 2018 Regs, so providers and users should take heed. Providers must prove their ability to create a technical environment for proper security – user registrations, approvals, emergency procedures, measures to remove forbidden content and responses to such activity. Providers must report any illegal activity, limiting the function or even deactivating the accounts of users who break these rules, as well as providing all user data to the relevant authority, and storing it themselves for up to 6 months.
5. User Agreements and ID Verification
In the seventh and eighth articles, Zhide informs us, we see quite similar requirements to the Oct 2018 Regs. Blockchain service providers must conduct ID verification for both organizations and individuals, using organization codes, personal IDs, mobile phone numbers and any other official means to confirm users’ identities. No verification means no service. This is a growing trend in many tech sectors, including online media. Providers should ensure these requirements are met efficiently if they want to keep operating.
6. Service Assessment and Filing Requirements
Articles nine, eleven, twelve, thirteen and fourteen discuss the requirements for providers to file information regarding any new services their platform provides. They will then undergo a security assessment. A new service should be filed 10 days prior to going live, and include its name, type, model, a service field, server IP address etc. Any updates or changes to existing services need to be filed 5 days in advance. Notification to remove an existing service needs to be filed 30 days in advance. Upon completion of filing, providers will be given a code, which they must then submit to CAC to get approval/confirmation. This approval must then be displayed visibly on the provider’s platform. Zhide notes that many of these requirements exist within the Oct 2018 Regs, but there has been some shift for “Special Industries” so providers should ensure that they are fully up to date and comply efficiently.
If you are a blockchain provider, it’s important you become aware of the rules quickly and comply with any new requirements. The blockchain is a great new technology and China’s authorities recognize its potential contribution. They are also acutely aware of potential threats, and so providers should follow the guidelines to ensure they aren’t viewed as such a threat.
Even if you are not operating from China, but target Chinese customers these rules are going to affect you.