The Cyberspace Administration of China recently promulgated the Provisions on the Administration of Blockchain Information Services (the “Administrative Provisions”) to regulate providing information services via blockchain technology. The Provisions primarily pertain to the qualifications of blockchain information service providers the “Information Service Providers”), their security obligations, the recordation administration and their legal responsibilities, all of which came into effect on February 15, 2019. The specifics are provided below:
1. Scope and Qualifications of the Information Service Providers
Pursuant to the Administrative Provisions, blockchain information services refer to the provision of information services to the public through the Internet and applications based on blockchain technology or systems. Blockchain Information Service Providers refer to entities or nodes that provide blockchain information services to the public, as well as institutions or organizations that provide technical support for entities that provide blockchain information services.
Pursuant to the Administrative Provisions, a blockchain Information Service Provider shall possess technical expertise and assets that are appropriate to the services provided. For information that is prohibited by law and administrative regulations, the provider shall be capable of responding to the publication, recording, storage and dissemination of such information in a real-time and contingency basis. Its technical plans shall conform to the relevant national standards.
2. Security Obligations of the Information Service Providers
Pursuant to the Administrative Provisions, the Information Service Providers shall first fulfill its information security responsibilities by establishing systems for user account registration, information auditing, emergency response measures, and security protection.
Secondly, the management rules and platform agreement shall be drafted and disclosed, service agreements shall be entered with users of blockchain information services, where the rights and obligations of the parties are clearly stipulated, and each party is required to comply with the service agreement and the law.
Furthermore, the Information Service Providers shall, in accordance with the provisions of the Cybersecurity Law of the People’s Republic of China, authenticate the real identity information of its users based on the organization code, identity card number or mobile phone number. If the user does not proceed with the real identity authentication process, the Information Service Provider shall not provide services to that user.
If the Information Service Providers develop and launch new products, applications or functions, they should report to the Internet information office of the central government, province, autonomous region or municipality under the direct jurisdiction of the State Council for security assessment.
In addition, the Information Service Providers shall maintain records on information such as content posted by the users and their logs for no less than six months. The records shall be provided to the law enforcement authorities upon inquiry pursuant to law.
3. Recordation Administration over the Information Service Providers
With respect to the recordation administration, the Administrative Provisions require the Information Service Providers to complete the recordation formalities through the Blockchain Information Service Recordation Administration System of the Cyberspace Administration of China within ten working days upon provision of the service. In case of any change to the service project or platform URL, the amendment formalities shall be completed within five working days. If the services are to be terminated, the cancellation formalities shall be completed 30 working days prior to the termination, and proper arrangements shall be made for the termination. Information Service Providers who have completed the recordation shall indicate its recordation number at a conspicuous location on its website, application, etc. through which it provides services.
4. Liabilities for Failure to Comply with the Administrative Provisions
If an Information Service Provider fails to meet its security management responsibilities, fails to possess the relevant technical expertise and assets for the security management, fails to prepare the management rules or platform agreement or fails to sign service agreements with its users, does not conduct safety assessment on new products or new applications, fails to timely complete the amendment registration formalities, fails to display its recordation number, fails to perform security rectification, maintain record backups or provide assistance to inspection conducted by cybersecurity departments, the Internet information office of the central government, province, autonomous region, or municipality under the direct jurisdiction of the State Council shall issue a warning letter demanding suspension of business operations until the matter is timely rectified and. In case of refusal to rectify or if the violation is serious in nature, a fine of RMB 5,000 to RMB 30,000 will be imposed. If there is criminal liability, it shall be prosecuted pursuant to law.
In addition, if the Information Service Provider fails to complete the recordation formalities or provide false recordation information as required, it will receive a notice from the relevant Internet information office to timely rectify the fault. In case of refusal to rectify or if the violation is serious, a warning will be issued along with a fine of RMB 1,000 to RMB 30,000.
If a blockchain information network is used to create, duplicate, publish, and disseminate information prohibited under law and administrative regulations, both the Information Service Providers and the user will be subject to corresponding penalties or prosecution of criminal liability.
Overall, the Administrative Provisions will help in the regulation of blockchain information service activities and promote the healthy development of blockchain technology and related services, while Information Service Providers will also need to have a clear understanding of their compliance obligations to avoid legal trouble.