China’s New Blockchain Regulations Cast a Wide Net
On 10 January 2019, the Cyberspace Administration of China (CAC) released China’s first blockchain regulations, which take effect on 15 February 2019. The Administrative Regulations on Blockchain Information Services provide, for the first time, definitions of “blockchain information service”, “blockchain information service providers” and “blockchain information service users”, and clarify corresponding regulatory requirements at the national level.
Scope of the Regulations
A “blockchain information service” is defined as a public information service which is based on blockchain technologies or systems, and which delivers information to the public via websites or applications. The new blockchain regulations apply to all individuals or entities providing such services in China. In essence, blockchain is a distributed record-keeping system, and in theory, all blockchain systems provide information services. Therefore, it appears that all blockchain service providers in China must follow the requirements set out by the blockchain regulations.
The blockchain regulations define “blockchain information service providers” to include subjects or nodes that provide blockchain information services to the public, and organisations or institutions that provide technical support to blockchain information service subjects. Considering blockchain’s decentralised nature, node providers could also be regarded as blockchain information service providers under this definition, and therefore the range of subjects affected by the blockchain regulation could be huge. For example, a person who installed and ran the Bitcoin wallet application on his or her computer may be subject to the regulations. Further expanding the scope of the regulation, technical support institutions are also defined as blockchain information service providers.
From a practical perspective, this expanded definition seems to deviate from the purpose of the regulations, so regulators are expected to provide clarification regarding the definition of blockchain service providers and the strength of the regulatory requirements.
“Blockchain information service users” refers to organisations or individuals using a blockchain information service. These subjects will be regulated by the blockchain regulations in areas such as real-name authentications.
Under the blockchain regulations, the CAC will undertake state-level supervisory and law enforcement obligations for blockchain information services. Municipal (provincial) offices of cyberspace security (local and municipal branches of the CAC) will undertake the same obligations for blockchain information services at the regional level.
The regulations require blockchain service providers to submit certain information to CAC’s registration system, including the service provider’s name, type and form of service, area of application, server addresses, etc. The blockchain regulations also require service providers to conduct security evaluations before national and provincial cyberspace security offices when developing new products, applications and functions.
Because blockchain information services are a type of internet information services, CAC will not be the only regulatory authority to supervise blockchain information services. For example, the Ministry of Industry and Information Technology (MIIT) is in charge of security assessments for new technologies and operations related to the internet, and the Ministry of Public Security and local public security authorities supervise and inspect certain types of internet information services as well. Thus these regulators’ supervisory authority could also apply to blockchain information services. Various government authorities, including CAC, MIIT and the Ministry of Public Security, as well as correspondent municipal branches, will need to effectively coordinate with one another and allocate duties for supervising blockchain information services.
The blockchain regulations require service providers to take broad compliance measures, including the following:
Establishing and perfecting management systems which cover information security management, user registration, information review and security protection
Developing instant and emergency plans for prohibited information, as well as technical conditions correspondent to its service
Maintaining convenient reporting and complaint systems
Recording content posted by blockchain service users and relevant logs, and retaining them for at least six months
The blockchain regulations require blockchain service users to conduct real-name authentication, which means that users should provide authentication information based on the organisation’s certificate or the individual’s personal ID number, or mobile phones. Blockchain information service providers cannot provide blockchain information services to users if they do not provide real-name authentication. This requirement is targeted not only to users of blockchain information services, but also to blockchain information service providers.
Blockchain information service providers and users that do not comply with the blockchain regulations could face penalties or correspondent legal liabilities, including warning, suspension of operation for correction, fines, website closure, revocation of licenses and even criminal liabilities under certain circumstances. For example, blockchain information service operators may receive warnings from law enforcement authorities and/or a fine of up to RMB 30,000 for failure to establish and perfect management practices such as user registration, information review and security protection; evaluate new products, new applications or new functions; cooperate with supervisory and inspection authorities; or establish reporting systems. If such illegal conduct violates criminal law, operators could even face criminal liabilities.
Entities that fail to apply real-name authentication systems or to effectively take actions against illegal information may face fines of up to RMB 500,000, as well as other penalties such as website closure or revocation of licenses. Directly responsible individuals of noncompliant operators could also be fined up to RMB 100,000.
Given the broad scope of the new law, blockchain service providers should conduct an internal assessment of their operations to identify any potential compliance risks before the blockchain regulations become effective on 15 February 2019.