China SaaS regulations: What they mean for global companies looking to enter China
Written by Chris DeAngelis
08/19/2021
China remains one of the largest untapped markets for many global B2B SaaS/cloud companies. However, there is a lot of confusion among many global executives about whether China SaaS regulations are a blocker entering China. The point of this article is to try to clear up some of that confusion, first by talking about the reality of compliance in China, then by giving some guidance on what types of SaaS companies should consider China – and which shouldn’t – then finish up discussing how to gauge what China SaaS regulations mean to foreign SaaS companies.
Lots of non-compliance going on in China
Without a doubt, many foreign SaaS/cloud companies in China today are technically out of compliance. We raise this not to condone or make light of what could become a serious concern, but as a reality of doing business in China. In many cases, companies setup their China operations before the current regulations took place and by default moved into non-compliance. Others entered either knowing they would be out of compliance and were aware of the risks, and others, frankly, entered without doing the proper diligence. Most companies that are currently in non-compliance are somewhere along the way on a “path to compliance,” which usually correlates with achieving certain business milestones to justify the necessary investment. To be clear about this, the Chinese government probably understands that the transition to full compliance for the industry is the end game, not the current situation, and it will take many years before companies will all be fully compliant. That said, global companies looking to enter China today should take a thorough look at what is expected of them from a regulatory perspective.
Hard restrictions
One area where CEOs and counsel can be very certain of: there are sectors and data practices that the Chinese government has made off-limits for foreign companies. When developing a business plan for China, foreign companies need to start by understanding what business areas and practices are in-line with China’s principles, versus those that can put the company (and its China staff) at serious legal risk.
In the chart below, we’ve broken down three areas where foreign companies face hard restrictions in China:
The first category, “illegal businesses,” is pretty clear: foreign companies that operate in those industries should avoid entering China at this time – there is simply no viable legal path to market entry. The second and third categories are not so straightforward, however. While complicated, foreign companies do usually have options, including partnerships controlled by a Chinese company, licensing, OEM models or sometimes simply making adjustments to the China go-to-market strategy.
The third category is especially delicate for companies because of concerns, sometimes legitimate, that a company may unsuspectedly violate an area that China views as “national security.” There are cases where a cloud company selling a relatively benign solution finds out it is processing sensitive data in a way that violates China’s laws. Additionally, there are other compliance issues to consider, including how to deal with the Great Firewall of China, data security and residency, and how to launch and manage cloud infrastructure.
Should companies really worry about China SaaS regulations?
When companies review their situation, all non-compliance issues are not the same and context matters. For example, touching upon cybersecurity regulations as an example, personal data such as the phone number of a customer who works in a private company is a lot less concerning to the Chinese government than data on a government official. Also, data that is aggregated, analyzed and identifies people and networks is even more problematic.
Another example of knowing the risks: if a SaaS company, for example, is required to have a commercial ICP license, but doesn’t, it will typically be a competitor that will raise a red flag. As such, companies need to understand the business relationship to their competitors (and at what stage their company is “big enough” to pose a competitive threat). The same can be said for dealing with disgruntled employees, who may turn to regulators to try to damage their former employer. These are important variables in understanding and planning compliance strategy in China.
Companies need to understand how non-compliance risks are likely to be flagged and what are the repercussions. For instance, when setting up a cloud in China, the Chinese ISP takes responsibility for what runs on the cloud, and – compared to other markets – they may want to understand more about the details of the foreign company’s business model.
To be as safe – especially in light of more regulatory actions against Chinese tech providers in 2021 – companies in the following situations will want to be as compliant with China SaaS regulations as possible:
- Companies that are selling and handling data of large state-owned entities – these companies will be under the most scrutiny.
- Companies that are famous name brands and will have lots of eyeballs on them as they enter the market.
- Companies whose public website domain is critical to their brand – once a domain is blocked in China, it’s fair to assume it will never be unblocked. That said, most enterprise IT companies can change their domains in a foreign market without significantly hurting their business, so this risk is lowered for those types of companies.
All that said, the good news is that most B2B enterprise SaaS companies can operate in China today without major restrictions. Like all countries, China wants to create jobs and earn tax revenues. Regulators, much like potential industry partners, will generally look for ways to support companies that can add value in China. To date, we haven’t seen any cases where small or midsize SaaS companies operating with just an ICP license have run into issues related to cybersecurity regulations. That’s not to say that as the regulations further evolve there won’t be more stringent mechanisms for enforcement, but typically there will be ample advance awareness in the industry to allow companies to make the needed adjustments.
Trying to solve compliance issues through partners rarely works
When the idea comes up in the board room to give the China market a go, many enterprise IT companies start out idealistically looking to partner with an industry leader such as Alibaba or Tencent, or perhaps work with a valued-added distributor such as Digital China or 21Vianet. On the surface, the concept is reasonable: find a local partner that can host and operate the company’s cloud legally in China, while leveraging their experience and sales channels to build the business.
Unfortunately, while this might work in other markets, the reality is that partnering has proven a difficult path for SaaS companies in China. The nature of SaaS means that IT, operations and strategy are all closely intertwined. SaaS companies that are new to China need to develop sales and marketing strategies, pricing models, build integrations with local partners, and make many other complex decisions. No Chinese company is able or willing to do this on behalf of foreign SaaS company. There are simply too many decisions, investments and engineering work that can only be done by the foreign company.
In the end, the vast majority of SaaS companies enter China – and deal with China SaaS regulations – on their own. When this reality sets in, some decide to skip China altogether, some evaluate their risks and enter in one way or another, and some enter relatively blindly to compliance issues.
Foreign companies need to understand what the regulations MEAN to their business
Of course, at some point, being out of compliance can become a business and/or legal issue for some of these companies, usually once the company has gotten “big enough” to be noticed as we mentioned earlier. In many cases, had they understood how their China operating model was bound to run into regulators at some point, they may have been able to redesign their IT infrastructure differently or perhaps chosen an entirely different business strategy to enter the market. However, by the time a regulator comes knocking on the door (either figuratively or sometimes literally), these companies can face drastic – and expensive – decisions, including having to hand over their business to a local partner or pulling out of the market entirely.
While everything can’t necessarily be predicted (China’s regulations often take years to fully develop and are constantly changing, including on a region-by-region basis), companies need to carefully evaluate and plan around what the likely meaning of the regulations are. The only way to do this is to speak with experts on the ground – including lawyers, service providers, potential customers and other China business experts – that can provide the proper context around what (if anything) that is written in the regulations affects a particular business strategy. Finally, foreign companies need to be flexible in their initial approach to China to avoid going head-to-head with any particular regulation or restriction, and instead look at how the company’s solutions fit into the China market, with China SaaS regulations as a guidepost for how to enter China with the most chance of success. Foreign companies that do this should, in most cases, be much closer to a level of compliance that will allow them to run their China business without regulatory interruption.
Editor’s note: This is the second part of a series of insights for Western SaaS companies seeking to enter or expand in China – covering GTM strategy, compliance, product/infrastructure, business development, and more. Read our first article here and stay tuned for more.