New regulation on blockchain in China:
Between structuring a welcoming environment and creating entry barriers
Issued on 10 January 2019 and entered in force 15 February 2019, the “Provisions on the administration of blockchain information services” (“区块链信息服务管理规定”) (the “Provisions”) stand as the latest regulatory update drafted by the Cybersecurity Administration of China (the “CAC”) regarding Distributed Ledger Technology, commonly referred as “blockchain”, in the People Republic of China.
Although blockchain has been subject to a strong critic by CAC and People’s Bank of China (Chinese equivalent to Fed) – especially on its financial risks through Initial Coin Offerings, or ICOs – the Provisions might sound the start of integrating this growing technology into the existing cybersecurity legal framework.
Declaring itself competent on blockchain-related matters (article 3), CAC gives welcome precisions on several points, including definition, registration, and security assessment.
Key provision: Obligation to register
Registration prior project launch
A blockchain information service provider is required to perform true identity verification through organisation codes, ID documents or mobile phone number. If a user fails to satisfy the necessary verification, the blockchain operator shall refuse to provide its services (Article 8).
Upon launching its project, a blockchain operator shall consult CAC or its local branch for security assessment (Article 9). It is worth noting that such assessment has yet to be defined.
Following the said assessment by CAC, each blockchain service provider shall register on a yet to be defined “blockchain information service recordation management system” its service provider, service category, service form, application fields, server address and other information (Article 11).
Registration number on project’s website
Upon completion of the registration, the authorities will issue a registration number to be displayed on the website of the blockchain operator (Article 13).
The registration process shall be repeated at each modification of the blockchain project, and prior its termination.
Definition and content control
A “blockchain information services” is defined as information services provided to the public in such forms as Internet websites and application programs based on blockchain technologies or systems.
A “blockchain information service providers” is defined as the subjects or nodes that provide blockchain information services to the public as well as the institutions or organisations that provide technical support to such subjects; and “blockchain information service users” means the organisations or individuals that use blockchain information services (Article 2).
Blockchain information service providers are subject to cybersecurity legal requirements as other data controllers, regarding namely security protection, incident response, information control and user registration (article 5) and protection of social order or public safety, whose meaning might be loosely interpreted (Article 10).
The Provisions set a control obligation on the blockchain service providers regarding the content transiting on their platform. In its information notice, the CAC highlights the risks of blockchain being used for illegal activities, namely the dissemination of illegal information “jeopardising the rights and interests of citizens and organisations”. Therefore, the provider is liable for illegal behaviours of its users and shall prevent them.
Furthermore, a provider shall set up user request channels to handle user complaints in a timely manner.
Penalties and grace period
Violations of provisions shall be subject to a corporate fine (Articles 19, 21, 22).
Effective since February 15, 2019, the Provisions include a grace period of 20 days for existing blockchain service providers to implement the newly passed legal requirements.
Feeling of déjà vu?
Although the system promoted by CAC is only registration and not authorization, the system described appears closely enough linked to the Internet Content Provider (ICP) system in place for websites. The ICP is widely seen in the industry as a regulatory hurdle for foreign internet businesses wishing to expand into the PRC. It seems likely that the Provisions will be used together with other internet-related regulations in the PRC to prevent foreign ventures looking to deploy their blockchain-based solution in the PRC from entering the China market.
To know more, please contact Gregory Louvel (firstname.lastname@example.org).