Digital Business in China: Overview | Practical Law

A Q&A guide to digital business in China.

Digital Business in China: Overview

Practical Law Country Q&A 5-632-2087 (Approx. 28 pages)

by James Gong and Harry Qu, Bird & Bird
Law stated as at 01 Jun 2023 | China
The Q&A gives a high-level overview of matters relating to: regulations and regulatory, legislative and industry bodies for doing business online; setting up an online business; running a business online, including electronic contracts and e-signatures; implications of running a business online, including data protection, privacy protection and cybersecurity; rules relating to linking, framing, caching, spidering and metatags; jurisdiction and governing law; domain names; advertising and marketing; tax; protecting an online business and users; insurance; and proposals for reform.

Regulatory Overview

1. What regulations apply for doing business online (for business-to-business and business-to-consumer)?
The PRC E-Commerce Law was promulgated by the Standing Committee of the National People's Congress on 31 August 2018 and came into effect on 1 January 2019. The PRC E-Commerce Law is the main legal basis for governing the conduct of online business activities in the People's Republic of China (PRC).
In addition, many regulations and notices regulating online businesses are sector-specific. The following laws, regulations, measures and notices are relevant to online businesses:
  • The PRC Civil Code.
  • The PRC Cybersecurity Law (CSL).
  • The PRC Personal Information Protection Law (PIPL).
  • The PRC Data Security Law (DSL).
  • The Administrative Provisions on Mobile Internet Applications Information Services.
  • Measures for the Supervision and Administration of Online Trading.
  • The PRC Electronic Signature Law.
  • Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks.
  • Rules for Protection of the Personal Information of Telecommunications and Internet Users.
  • The Guidelines for Standardising the Standard Terms of Contracts for Online Trading Platform.
  • The Electronic Payment Guidelines (No. 1).
  • The Administrative Measures on Non-Financial Institutions Payment Services.
  • The Administrative Measures for the Online Payment Business of Non-Banking Payment Institutions.
  • The PRC Advertising Law.
  • The PRC Anti-Unfair Competition Law (AUCL).
  • The PRC Anti-Monopoly Law.
  • The Opinions of Implementation of Supporting Cross-border E-commerce Retail Export Policies.
  • The Notice on Cross-border E-commerce Retail Export Tax Policy.
  • The PRC Cryptography Law.
2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?
The sector-specific nature of how online businesses are regulated means that the legislative power is spread among various government authorities in China. This is in addition to the National People's Congress and its Standing Committee, the State Council and the Supreme People's Court, which all have legislative power.
Government authorities which are frequently involved in promulgating regulations, administrative measures and notices relating to, and regulating, online businesses include the:
  • State Administration of Market Regulation (SAMR).
  • Ministry of Industry and Information Technology (MIIT).
  • Cyberspace Administration of China (CAC).

Setting up a Business Online

3. What steps must a company take to set up an existing/new business online?

Foreign Company

The most important step for a foreign company is to consider whether the online business conducted in China will be subject to any foreign investment restrictions. The restrictions can take the form of a complete prohibition (for example, operating and publishing online games) or a cap on the equity interest which a foreign company can hold in the PRC operating company. In addition, there may be a requirement that the state must hold a majority interest in the PRC operating company.
The six documents regulating foreign investments are:
  • Foreign Investment Law of the PRC.
  • Regulation for Implementing the Foreign Investment Law of the PRC.
  • Interpretation of the Supreme People's Court on Several Issues concerning the Application of the Foreign Investment Law of the PRC.
  • The Foreign Investment Access Special Administrative Measures 2021 (Negative List).
  • The Encouraged Foreign Investment Industrial Catalogue 2020.
  • The Trial Free Trade Zone Foreign Investment Access Special Administrative Measures 2021 (Free Trade Zone Negative List).
Foreign investments are classified into three categories: "encouraged", "restricted" and "prohibited". The latter two categories, which are known as the Negative List for Access of Foreign Investments, are the most relevant in considering if a foreign company can conduct the online business concerned in China. The catalogue only sets out the different classifications. It is therefore still necessary to consider other specific regulations and laws to determine the exact restrictions and requirements which a foreign company must adhere to.
The key impact of the foreign investment restrictions is that a foreign company may not be able to simply acquire an existing online business in China which has been operating as a PRC domestic company.

Domestic PRC Company

A domestic PRC company (that is a company owned by PRC citizens or domestic PRC companies) is not subject to foreign investment restrictions. However, such company will still be subject to restrictions which require the majority interest of the relevant operating company to be owned by the state.

Local Presence and Form of Operating Vehicle

The foreign investment requirements and restrictions, together with other licensing requirements, will dictate the vehicle which a foreign company must set up in China to conduct the online business.
In most cases, a foreign company that is subject to foreign ownership restrictions must set up a joint venture entity with its PRC partner. The joint venture entity will then hold all the required licences to conduct the online business. If a foreign company wishes to acquire an existing business, it may need to "convert" the existing PRC domestic company into a joint venture company.
There is generally no legal requirement under PRC law for a company to set up a corporate presence in China before services and products can be offered through an online business to people or businesses in China.
Many online businesses serving users and customers in China do so remotely. There are often factors other than legal requirements that determine if a presence (such as a corporate vehicle or a representative office) should be set up in China. Such factors can include tax, employment, local billings and foreign exchange control.
Under the PRC E-commerce Law, digital business operators, especially e-commerce operators, must register as market participants and fulfil their tax obligations.

Specific Operating Permits

It is also important to determine whether the proposed online business requires specific operating permits or approvals or may be subject to any registration or recordal requirements.

Websites

A new online business can engage a website developer and internet service provider to develop and host the website. An existing business can also consider "localising" its existing website if the website is to be hosted in China to ensure that the website will comply with PRC legal requirements. For example, PRC law requires certain information to be set out in a website (see Question 35).
4. What types of parties can an online business expect to contract with?
An online business usually contracts with the following third parties:
  • Domain name registrar. A domain name registration agreement sets out the terms of a licence to use a domain name granted by the domain name registrant (see Question 23).
  • Website developer. A website development agreement should address the online business's requirements on the performance, functionality, security and visual design of the website, maintenance obligations, and the ownership of IPR (for example, in the design of the web pages and underlying software).
  • Internet service provider. Website hosting agreements should address the uploading, storage, security, maintenance or support of the website, the specification of the server, and service levels or minimum availability requirements of the hosting services.
  • Content licences. If the business is not the owner of the content on its website, it must always obtain the appropriate licences from third parties. The business must also incorporate these licence obligations in the website's terms of use with end users. Generally, content licences should cover the scope and term of use for the content, right to alter the content and updates of the content.
  • End users. The website must include T&Cs under which the end users can use and access the content of the website, a privacy policy and (where applicable) terms of sale and service.
  • Payment services providers. If a business sells services and products online, it needs to co-operate with payment services providers in order to facilitate online payment.
  • Logistic service providers. If a business sells physical goods online, it must work with logistic service providers for delivery of the products to the customers.
5. Is there any law or guidance that might affect the design of the website or app (for example, relating to access by disabled people or children)?
There are no specific laws and regulations that set explicit requirements on the design of websites or apps. However, the MIIT has launched a campaign to make websites and apps more suitable for older and disabled people, and some agencies have also recently issued specifications.
The following are relevant for older people's access:
  • General Design Specifications for Elderly-oriented Internet Websites (issued by MIIT).
  • General Design Specifications for Elderly-oriented Mobile Internet Applications (issued by MIIT).
  • National standard GB/T 37668-2019 Information Technology - Internet Content Accessibility Technical Requirements and Conformance Testing.
Accessibility standards for disabled people include:
  • GB/T 37668-2019 Information Accessibility - Testing Specification for Web Content Accessibility Evaluation.
  • YD/T1822-2008 Information Accessibility for People with Physical Disabilities Testing Specification for Web Content Accessibility Evaluation (issued by MIIT).
In addition, Article 74 of the PRC Minors Protection Law sets out requirements for game, live stream, social media network providers and online education network providers to protect the physical and mental health of minors. This contains requirements regarding website and app functionality and content management.
6. What are the procedures for developing and distributing an app?
Businesses generally enter into app development agreements with software companies (app developers). Agreements should include:
  • The necessary software and content licences required to develop or distribute the app.
  • Details on the ownership of intellectual property rights (IPR) in any newly created or modified content or software.
In China, apps are distributed through local app stores operated principally by four groups of providers:
  • Handset manufacturers (for example, Huawei and Xiaomi).
  • Third party app store operators (for example, 360, Tencent, Wandoujia and Baidu).
  • O/S operators (for example, Apple app store).
  • Telecom operators (for example, China Unicom's WoStore).
Businesses enter into:
  • Distribution or co-operation agreements with the app store operators to have their app distributed.
  • End user licence agreements, which provide the T&Cs that end users must accept to download and use the apps.
If the app is a game, it must be approved by relevant regulatory authorities, such as the National Press and Publication Administration, before it can be published or distributed in China.

Running a Business Online

Electronic Contracts

7. Is it possible to form a contract electronically? Are there any limitations?
Generally, the laws applicable to offline contracting, such as the PRC Civil Code, also apply to internet or online contracting. This means that, generally, if PRC law permits the governing law to be a system of law other than PRC law for offline contracts, that governing law can also be used for online or electronic contracting.
The PRC E-commerce Law, as the main legislation in PRC regulating conduct of online business activities, sets out the requirements for the conclusion and performance of electronic contracts.
Under the PRC Electronic Signature Law, under prescribed circumstances, electronic data messages can have the same legal effect as an original or a written document.
In addition, businesses which operate an online platform and use standard contracts, such as a user registration agreement, are subject to the Guidelines for Standardizing the Standard Terms of Contracts for Online Trading Platforms. The Guidelines were promulgated by the SAMR in July 2014.
Electronic contracts are performed and concluded subject to the requirements of the PRC Civil Code and the PRC Electronic Signature Law.
The PRC Civil Code generally provides that contracts can be in written, verbal or other forms. The written form stipulated in the PRC Civil Code is defined as "any form that can show the described contents visibly, such as written contractual agreements, letters and electronic messages (including telegrams, telexes, fax, electronic data interchange and e-mails)".
Under the Civil Code, electronic contracts are legally recognised as a written form of contract on the basis that an electronic contract is based on electronic messages.
Where the parties conclude a contract through electronic messages, they may require that a letter of confirmation is signed before the conclusion of the contract. The contract will be considered as signed when the letter of confirmation is duly executed.
To form a valid contract, including an electronic contract, offer and acceptance are required. When contracting online, businesses should particularly consider offer and acceptance and the incorporation of terms.

Offer and Acceptance

For a business to have control over the terms of the contract, a website's T&Cs usually state that:
  • By completing an online form or order, the customer is making an offer.
  • When the business receives an order, it will communicate its acceptance of the customer's offer.
If the recipient has designated a specific system to receive an electronic message, the time when the electronic message enters the system is the time of receipt. If no specific system is designated, the time when the recipient knows or should have known is deemed as the time of its receipt.
Unless the parties agree otherwise, a contract is concluded electronically when:
  • The information on any commodity or service released by an e-commerce operator meets the conditions of an offer.
  • The customer selects the commodity or service concerned and successfully submits an order.

Incorporation of Terms

The PRC E-commerce Law requires e-commerce operators to:
  • Inform their customers of the steps necessary to conclude a contract, any noteworthy items, and/or ways to download the contract, in a clear, comprehensive and explicit manner.
  • Ensure their customers can conveniently read and download the full texts of their contracts.
E-commerce operators must also enable their customers to make any corrections to their orders before they are submitted.
The terms of the contract must be sufficiently brought to the attention of the customer before the contract is made. If not, the standard terms of the business are not successfully incorporated into the contract. In practice, the most effective way is to design the website so that the customer must scroll down to the bottom of the entire set of T&Cs on-screen and click an "I accept" button (or similar) before they can complete the order.

Enforceability of Click-wrap, Browse-Wrap and Shrink-Wrap Contracts

Generally, if click-wrap, browse-wrap and shrink-wrap contracts satisfy the legal requirements for effective contracting under PRC law, including the PRC Civil Code, they will be enforceable under PRC law.
8. What laws govern contracting on the internet?
PRC law recognises most contracts that are formed electronically.
However, certain types of contracts cannot, under the PRC Electronic Signature Law, be contracted electronically, for example:
  • Documents involving personal relations, such as marriage, adoption, and succession.
  • Documents involving the transfer of rights in immovable property, such as land and buildings.
  • Documents involving the cessation of water supply, heating supply, gas supply and electricity supply, and other public utility services.
  • Other circumstances under which electronic documents cannot be used, as prescribed by laws or administrative regulations.
9. Are there any data retention requirements in relation to personal data collected and processed through electronic contracting?
E-commerce platform operators must record and save the information that has been released on their online platform (specifically, details concerning commodities and services and concluded deals) and must ensure the completeness, confidentiality, and availability of such information.
Information about commodities and services and deals concluded must be kept for at least three years from the date the deals are completed. Such information may also contain personal information, which is defined very broadly in China.
The PRC Electronic Signature Law allows electronic contracts to be entered into if agreed between the parties, subject to certain exceptions (see Question 8).
Where the parties agree to enter into a contract electronically, the contract can also be kept in electronic form (although this is not a legal requirement) provided that the parties agree and both:
  • There is a legal requirement for the contract to be in written form (where there is a need for the electronic contract to be retrieved, consulted and used at any time).
  • There is a legal requirement for the contract to be in its original form (where there is a need for the contents of the contract to be retrieved, consulted and used at any time, there is reliable assurance that the integrity and completeness of the contents has been maintained, and there has been no modification to the contract since its execution).
There are many requirements under PRC laws and regulations with regards to document retention. An electronic contract will be deemed to satisfy the requirements for data retention if the following requirements can be met:
  • The contents of the electronic contract can be effectively displayed, retrieved, consulted and used at any time.
  • The format is identical to the format at the time of its creation, sending or receipt (or where there are differences in the format, the contract accurately displays the original content at the time of its creation, sending or receipt).
  • The identity of the sender and recipient of the electronic contract can be identified as well as the time of sending and receipt.
In addition, if any information contained in an electronic contract contains Chinese state secrets, the PRC State Secret Law requires such data to be retained and kept in China unless the approval of the National Administration for the Protection of State Secrets is obtained for its transfer outside China.
Similarly, if any information contained in an electronic contract is regarded as personal information or important data gathered and produced by a critical information infrastructure operator (CIIO) during its operations within the territory of China, such information must be stored in China. If it is necessary to provide such information and data to overseas parties due to business requirements, a security assessment must be conducted (see Question 16).
10. Are there any trusted site accreditations available to confirm that the website has complied with minimum cybersecurity standards?
There are no official government accreditations for websites in China. However, some accreditations may be of interest to website providers wishing to operate in China, for example:
  • China Electronic Authentication Industry Alliance, under the instruction of the Ministry of Industry and Information Technology.
  • China Electronic Commerce Association, the national institutional organisation, supervised by the Ministry of Industry and Information Technology and Ministry of Civil Affairs.
  • KNET and China Internet Network Information Center (CNNIC), together as a third party provider, provide trusted site accreditations, which confirm the identity of the operator and monitor the cybersecurity of the website.
11. What remedies are available for breach of an electronic contract?
Remedies available for breach of an electronic contract are the same as those available for breach of any other type of valid offline contract, such as damages or specific performance.

E-Signatures

12. Does the law recognise e-signatures or digital signatures?

Applicable Legislation and Use

E-signatures are recognised under PRC law, specifically, under the PRC Electronic Signature Law, if certain conditions are met. Generally, parties can agree with each other whether to use electronic signatures as part of their contracts, and there is no legal requirement that electronic signatures must be used.

Definition of E-Signatures/Digital Signatures

An "electronic signature" is defined under the PRC Electronic Signature Law as "data in electronic form, which is included in or attached to a data message, for purposes of verifying the identity of the signatory and indicating the signatory's acknowledgement of the content of the data message".
Under the PRC Electronic Signature Law, an electronic signature will be regarded as a "reliable electronic signature" if it satisfies the following conditions:
  • At the time when the data created for electronic signature is used as an electronic signature, such data is exclusively owned and controlled by the electronic signatory.
  • At the time when the electronic signature is used, the data created for the electronic signature is exclusively controlled by the electronic signatory.
  • Any alteration made to the electronic signature can, following its use, be revealed.
  • Any alteration made to the content and form of any data message can, following the use of the electronic signature, be revealed.

Effect of Reliable Electronic Signatures

The PRC Electronic Signature Law provides that a reliable electronic signature has the same legal effect as a handwritten signature or a seal/chop.

Format of E-Signatures/Digital Signatures

There is no specific format required for the electronic signature or a reliable electronic signature.
13. Are there any limitations on the use of e-signatures or digital signatures?
Under the PRC Electronic Signature Law, electronic signatures and reliable electronic signatures do not have the same legal effect as other recognised forms of signature in the following circumstances:
  • On documents involving personal relations, such as marriage, adoption and succession.
  • On documents involving the transfer of rights in immovable property, such as land and buildings.
  • On documents involving the cessation of water supply, heating supply, gas supply and electricity supply, and other public utility services.
  • In other circumstances where electronic documents cannot be used as prescribed by laws or administrative regulations.

Implications of Running a Business Online

Data Protection

14. Are there any laws regulating the collection or use of personal data? To whom do the data protection laws apply?
The key legislation with references to protection of personal privacy includes the:
  • PRC Civil Code.
  • CSL (issued in November 2016, in force on 1 June 2017).
  • PIPL (passed 20 August 2021, in effect 1 November 2021).
  • Data Security Law (DSL) (enacted on 10 June 2021, in effect on 1 September 2021).
Some of the data protection provisions in the CSL have general application, such as those applying to "network operators". Network operators are defined broadly to include network owners, administrators and network service providers (any entity with an IT system will therefore fall within the definition and therefore must comply with the relevant provisions). These data protection provisions regulate the use and collection of personal information.
The DSL requires certain measures to be taken to safeguard the data and relevant information systems and networks.
The PIPL marked a great step towards a comprehensive personal information protection legal regime in China. Before the enactment of the PIPL, the National Information Security Standardisation Technical Committee released the "Information Security Technology – Personal Information Security Specification" (PI Specification) which provides useful guidance on how the data protection provisions should be complied with by online businesses.
In addition, there are various other provisions in various key PRC laws and regulations that protect an individual's personal information. These statutory provisions are of general application.
Other key PRC regulations contain specific requirements on the collection and use of personal information, including:
  • The Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks issued by the National People's Congress, which applies to "network service providers" and "other enterprises and institutions" when gathering and using electronic personal information of citizens in business activities.
  • The Rules for Protection of the Personal Information of Telecommunications and Internet Users promulgated by the Ministry of Industry and Information Technology on 16 July 2013 and effective from 1 September 2013. The rules do not have general application: they principally regulate the activities of collection and use of personal information by telecommunications service operators and internet information service providers.
  • The PRC Consumer Protection Law, together with the Measures for Punishment of Infringements on Consumer Rights and Interests that came into effect on 15 March 2015. The PRC Consumer Protection Law applies to business operators in relation to the collection and use of consumer personal information.
  • The Regulations of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial Cases involving Civil Disputes over Infringements on Personal Rights and Interests through Information Networks. They set out the potential judicial recourse for an individual to protect their privacy against network users or network service providers.
  • The Several Provisions on Vehicle Data Security Management (for Trial Implementation), which, based on the PIPL, clarify the compliance requirements in the automotive field involving the processing of personal information.
In addition, there are also various other regulations and notices in the medical, banking, traveling, education and insurance sectors that impose strict non-disclosure and confidentiality obligations on individuals with access to sensitive information.
For further information on data protection laws in China, see Data Protection in China: Overview.
15. How does the law define personal data or personal information?
The definitions of personal information in the CSL and the PIPL are as follows:
  • CSL: all types of information recorded by electronic or other means that can be used, independently or jointly with other information, to identify a natural person.
  • PIPL: all types of information related to identified or identifiable natural persons that is electronically or otherwise recorded, excluding information that has been anonymised.
The PIPL also clarifies the definition of sensitive personal information, which is:
  • Personal information that, if leaked or illegally used, will lead to an infringement of human dignity or harm to the personal or property safety of a natural person, including:
    • biometric recognition;
    • religious belief;
    • specific identity;
    • medical and health;
    • financial account;
    • personal location tracking;
    • and other information of a natural person; and
    • any personal information of a minor under the age of 14.
The DSL proposes three categories of data:
  • Data: any record of information in electronic or other form.
  • Important data.
  • National core data.
The DSL does not set out the specific definition of important or national core data.
16. Are there any limitations on collecting, storing, or using personal data?
Under the relevant laws and regulations, the collection and use of personal information must be necessary, legal and appropriate. Individuals must be notified of the purposes, methods and scope of the use of the data, and their consent must be obtained before collecting and using such information (PIPL; CSL; Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks; Rules for Protection of the Personal Information of Telecommunications and Internet Users; PRC Consumer Protection Law).
Consent. The PIPL provides guidance about the form of the consent that must be obtained, including whether the consent must be express or implied.
Further, under the PIPL, in the following cases, "separate consent" must be obtained:
  • Where personal information is provided, publicly disclosed or exported.
  • Where sensitive personal information is processed.
  • Where image information and ID information is collected for non-public safety purposes.
"Separate consent" means the data processor must obtain separate consent for each specific data processing activity.
Storage. State agencies, CIIOs or personal information processors (PIPs) whose processing of personal information reaches the threshold amount prescribed by the CAC, must store the personal information within China. CIIOs and PIPs must apply for a security assessment to the CAC if they wish to export personal data that reaches the threshold amount.
Other PIPs that wish to export the data must obtain the individuals' separate consent and meet one of the following conditions:
  • Conduct a security assessment organised by the CAC.
  • Receive a certification of personal information protection from a professional institution in accordance with the regulations of the national cyberspace authority.
  • Conclude a contract in compliance with the standard contract provided by the CAC.
17. Can government bodies access or compel disclosure of personal data in certain circumstances?
Under the PIPL, PIPs can process personal information based on legal obligations and duties. In certain circumstances, based on currently effective laws and regulations, the personal information could be disclosed.
Various government authorities and regulators have powers to access or compel disclosure of information (which may contain personal information). For example:
  • Under the PRC Anti-terrorism Law, internet service providers and telecom service providers must assist any national security or public security authority in conducting investigations on terrorism activities. On discovery of any communications relating to terrorism or extremism, the provider must stop its transmission, retain the relevant records, delete the communication, and report to the relevant authority.
  • Under the PRC State Secret Law, a public communications network provider must assist any national and public security agency in any investigation of an incident relating to the disclosure of state secrets. On the discovery of any disclosure of any state secret through any public communications network, the network provider must stop such transmission, retain a relevant record, and report to the relevant public or national security agency or the relevant authority of the national administration of state secrets.
  • Under the PRC E-commerce Law, e-commerce operators may be required to provide relevant e-commerce data and information by related competent authorities pursuant to the provisions of laws and administrative regulations.
  • Citizens and organisations must provide necessary support and assistance to state security authorities, public security authorities and relevant military authorities, and report and provide any information relating to any activities that endanger state security to the relevant authorities (PRC State Security Law; Rules for Implementation of the State Security Law).
  • Under the PRC Anti-Money Laundering Law, any entity or individual that discovers any money laundering activity can report the activity to the competent administrative authority on anti-money laundering or judicial authority.
  • Under the CSL, the network operator must report certain information, which may contain personal information, to the competent authority when:
    • they discover that their network products or services are subject to risks, such as security defects or bugs;
    • any incident endangering cybersecurity occurs;
    • the personal information they have collected has been or may be divulged, damaged or lost;
    • they discover information whose publication or transmission is prohibited by laws and administrative regulations;
    • the probability of causing cybersecurity incidents increases.
  • Under Article 34 of the PIPL, the processing of personal information by any state agency for the purpose of performing its statutory duty must:
    • be carried out in accordance with the authority and procedure prescribed by law or administrative regulations;
    • not exceed the scope or limit necessary for the performance of its statutory duty.
A data security review system must be established where data handling activities that affect or may affect the national security will undergo a national security review (Article 24, DSL). However, it is not known how the data security review will be conducted.
In addition, important data processors must periodically conduct risk assessments for their data processing activities, and submit a risk assessment report to the relevant competent department.

Privacy Protection

18. Are there any laws regulating the use of cookies, other tracking technologies like digital fingerprinting, or online behavioural advertising?
Under the PIPL, the use of cookies is permitted provided that this is made known to the individuals concerned by a competent privacy notice and consent for its use (including the purposes of its use) has been obtained.
The key impact on system design is to ensure that if an individual has not consented to the use of any cookie by the digital business's website, no personal information will actually be collected and used by the operator.

Cybersecurity

19. What measures must contracting companies or internet providers take to guarantee internet transactions' security?
Various regulations (see Question 14) impose obligations on companies and internet providers (that collect personal information) to ensure the safekeeping of the data and that no unauthorised disclosure or leakage of personal information takes place.
In particular, the PIPL requires PIPs to take the following measures to ensure the compliance of their processing activities with the law, and to prevent any unauthorised access to, leakage of, tampering with, or loss of personal information:
  • Developing an internal management system and operating procedures.
  • Managing personal information based on its classification.
  • Taking appropriate technical security measures such as encryption and de-identification.
  • Reasonably determining the relevant authorisations to operate the processing of personal information and conducting regular security education and training for employees.
  • Developing and organising the implementation of emergency plans for personal information security incidents.
  • Taking any other measure as required by law or administrative regulations.
The PRC E-commerce Law sets out the following requirements in this regard:
  • E-commerce platform operators must take technical measures and other necessary measures to:
    • guarantee the safety and normal operation of their networks;
    • prevent illegal crimes from being committed online;
    • effectively respond to cybersecurity events; and
    • safeguard the security of e-commerce transactions.
  • E-commerce platform operators must prepare emergency plans which specify how they will respond to cybersecurity incidents.
  • When a cybersecurity incident occurs, operators must immediately activate their emergency plans, take the corresponding remedial measures and report the incident and their response to the relevant competent authority.
Service providers and other enterprises and institutions must keep electronic personal information gathered in business activities confidential and not disclose, tamper with, damage, sell or illegally provide such information to any person (CSL; Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks).
Online merchants and providers of related services must adopt technical and other measures to ensure security of information collected, and to prevent loss or leakage of such information. If any information is lost or may potentially be lost, online merchants and providers of related services must take immediate remedial actions.
The Rules for Protection of the Personal Information of Telecommunications and Internet Users impose specific security requirements on telecom business operators and internet information service providers.
20. Is the use of encryption required or prohibited in any circumstances?
On 26 October 2019, China promulgated the new PRC Cryptography Law. This law took effect on 1 January 2020 and replaces the previous regulations.
The PRC Cryptography Law classifies encryption into three categories:
  • Core encryption.
  • Ordinary encryption.
  • Commercial encryption.
    Core encryption and ordinary encryption are used for the protection of information constituting state secrets, while commercial encryption is used to protect information not considered to be state secrets.
Under the new PRC Cryptography Law, enterprises are encouraged to voluntarily apply to qualified testing and certification agencies for the testing and certification of their commercial encryption products. The PRC Cryptography Law imposes strict confidentiality obligations on testing and certification agencies, preventing them from disclosing state secrets and trade secrets obtained during the certification process. The previous regime that restricted the use of "foreign manufactured" encryption has now been replaced under the new regime.
Encryption is not a mandatory security measure used to protect personal information for the purposes of complying with the security requirements discussed in Question 18.
The PI Specification provides that encryption should be used when storing sensitive personal information.
21. Are electronic payments regulated?
There are various laws, guidelines and regulations applicable to electronic payments, for example:
  • The Measures for Management of Electronic Banking and Guidance on Evaluation of Electronic Banking Security issued by the China Banking Regulatory Commission generally govern electronic banking business.
  • The Electronic Payment Guidelines (No. 1), promulgated by the People's Bank of China, set out the liabilities of entities involved in online payments, in particular, banks' liability with regard to online payment. The guidelines, which are binding:
    • provide that a bank can seek damages for losses caused by third party payment service providers, which is different from the past practice;
    • stipulate that banks must use customers' information appropriately, to keep such information confidential, and provide relevant information to customers promptly and periodically;
    • specify the period for which banks must retain customers' information and the liability for compensation if banks disclose such customers' information.
The People's Bank of China has promulgated a number of important regulations regulating electronic payments and the related services provided by non-bank entities. The key regulations include the:
  • Administrative Measures on Non-Financial Institutions Payment and related implementation regulations.
  • Administrative Measures on Non-Bank Payment Institution Network Payment Business.
  • Notice on Strengthening the Implementation of Payment Technology Product Standards and Safety Management (Notice).
  • Measures on Barcode Payment Business (Trial).
These measures define the respective obligations and rights of the parties involved in electronic payment services.
In addition, the PRC E-commerce Law sets out requirements for making electronic payments and for electronic payment service providers. These require electronic payment service providers to:
  • Notify users of electronic payment providers of the functions of electronic payment services, the methods used to enable such payments, any noteworthy matters, any relevant risks, the charging standards and any other relevant matters, without introducing any unjustified conditions to the transaction itself.
  • Ensure that the instructions for electronic payments are complete, consistent, traceable, auditable, and unchangeable.
  • Provide free account checking services to the users and make the transaction history of the latest three years available to users.
22. Do any specific rules or guidance apply to websites aimed at (or that might be accessed by) children?
Websites aimed at children must comply with the rules stipulated in general laws and regulations governing websites.
Under the PRC Law on the Protection of Minors, any organisation or individual is prohibited from selling, leasing or disseminating by any other means to minors any content harmful to them including pornography, violence, homicide, terror or gambling.
The state encourages the research and development of network products conducive to the healthy development of children and new technologies used for preventing minors from overusing the network.
Under the PRC Law on the Prevention of Juvenile Delinquency, no organisation or individual can sell or lease electronic publications that:
  • Can attract minors to commit crimes.
  • Feature violence, eroticism, gambling, or terrorism.
  • Can endanger the mental health of minors.
On 22 August 2019, the CAC promulgated the Regulation on Cyber Protection of Children's Personal Information. This specifically regulates children's personal information and sets out additional requirements for network operators when they collect, store, use, transfer or disclose the personal information of children under the age of 14 years. The key requirements under the Regulation relate to notice and consent, assigning a responsible person for protecting the personal information of children, and conducting security assessments, among others.
In addition, the CAC has been working on the Draft Regulations on the Protection of Minors Online and sought comments in 2017 and 2022 respectively. The Draft Regulations provide for the development of online literacy, the regulation of online information content, the protection of personal information and the prevention of online addiction to protect minors.
23. Are there any laws protecting companies within your jurisdiction that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction?
There is no specific rule for this scenario. A company that undertakes these activities must follow the general rules and regulations regarding customs, tax, consumer protection and so on.

Linking, Framing, Caching, Spidering, and Metatags

24. Are there any limitations on linking to a third-party website and other practices such as framing, caching, and spidering?
Linking, framing, caching, spidering and the use of metatags are subject to limitations set out by the general protection of IPR under PRC law.
If the link intentionally circumvents any subscription or restriction measures imposed by the original content owner, providing the link may not be permissible if the linking constitutes a breach of a third party's exclusive rights under applicable intellectual property rights' law or the AUCL.
Criminal liability can be imposed if the activity of obtaining the information is defined as illegal and constitutes illegal access to any computer information system data (Article 285, PRC Criminal Law).
Framing may also not be permissible if the website does not disclose the source of the content so that the user thinks that the content is provided by the website itself, and not the content owner.
In addition, if information is extracted from a third party's website, it is also necessary to ensure that the use is not in breach of that website's T&Cs.
25. Are there any limitations on the use of metatags or advertising keywords?
The general rules and obligations set out in the PRC Advertising Law apply, under which false and misleading statements are prohibited. Certain words which might be harmful and against the public interest, including obscene language, are not allowed in advertisements.

Domain Names

26. What limitations are there in relation to licensing of domain names?
The Administrative Measures for the Internet Domain Names (Domain Name Measures) is the key regulation governing domain name registration services and related activities in China.
The principle of "first come, first served" is followed by service providers for registration of domain names. An applicant for the registration of a domain name must:
  • Submit authentic, accurate, and complete information for domain name registration purposes.
  • Sign a subscriber registration protocol with the domain name registrar.
After completing the domain name registration, an applicant for the registration of a domain name will become the holder of the relevant domain name.
The Domain Name Measures provide that a domain name cannot contain any "negative content", for example, content which is against the basic principles of the PRC Constitution or which can jeopardize national security or disclose state secrets.
In 2017, the Ministry of Industry and Information Technology issued a notice further regulating the use of domain names by internet service providers. The notice requires that the entity which provides the internet service must be the entity that holds the related domain names.
For corporate entities, the domain name holder can be its shareholders, key officers and senior management personnel. However, this can vary between provinces, for example the Beijing Communications Bureau and the Shanghai Communications Bureau require internet service providers (or their legal representatives) to be the domain name registrant.
In addition, the CNNIC Implementing Rules of Domain Name Registration, based on the Domain Name Measures, regulates and standardises domain name registration services and management, especially as regards the required documents and information for application and registration of domain names.
27. Can use of a domain name confer rights in a word or phrase contained in it?
Domain names themselves do not confer any additional property rights under PRC law. However, certain rights can be developed through usage. A domain name can also be protected as a registered trade mark under the PRC Trade Mark Law.

Registered Trade Mark

A registered trade mark must be registered with the PRC Trade Mark Office for it to become a registered trade mark. It is possible to register domain names as trade marks if they meet the requirements for registration (and consequently the registered trade mark can also be subject to invalidation or revocation).

Passing Off

The use of a domain name can give rise to unregistered trade mark rights for the owner and user of the domain name if, over time, it acquires the attributes of a trade mark (that is, it distinguishes the goods or services of one undertaking from those of another undertaking). Use of a domain name by a business can give rise to unregistered trade mark rights and a business can establish a reputation in the domain name. If so, and if a third party misrepresents a connection or affiliation with that domain name and as a result causes or is likely to cause damage to the business, the third party can be liable for passing off.
28. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?
Generally, a company name cannot include the name of another company. A company name must be in Chinese and cannot use foreign words, the Chinese phonetic alphabet or Arabic numbers. The company can translate its name into a foreign language, in accordance with acceptable principles of written translations. However, there is no legal requirement for such translation to be reported to or approved by the SAMR.
A company name must include the appropriate ending (for example, "Limited" or the equivalent Chinese characters). Company names (and changes to them) must be recorded with the SAMR.
To obtain a business name, the applicant must file certain requisite legal documents, including a duly completed application form for pre-registration of the intended company name with the Administration for Market Regulation (AMR) during the pre-registration of intended company name procedure. The Administration for Market Regulation examines whether the applied names comply with PRC law and issues the Notice on Name Pre-Approval if the names are approved.
On 18 October 2016, SAMR issued its Guiding Opinion on Opening-up Enterprise Name Database and Promoting the Reform of Enterprise Name Registration (Guiding Opinion) to request local AMRs to open their company name databases to the public. An applicant can now check the company names of existing companies in the database to avoid using a duplicate name. This will simplify the company establishment process. Further, SAMR indicated that it aims to abolish the name pre-approval requirement entirely in the near future.

Jurisdiction and Governing Law

29. What rules do the courts apply to determine the jurisdiction and governing law for internet transactions (or disputes)?
There are no differences between the rules that apply to online transactions (or disputes) and those that apply to offline transactions.

Jurisdiction

The set of rules used to determine the jurisdiction in China is based on the PRC Civil Procedure Law.
Generally, jurisdiction is established through contractual provisions, which may either:
  • Submit the dispute to the court with jurisdiction.
  • Submit the dispute for arbitration to the expressly stipulated arbitration commission or tribunal.
In a contractual dispute, contracting parties can agree in writing to submit to the jurisdiction of the court at the place which has a connection with the dispute, such as the place of the defendant's or claimant's domicile, the place of the performance or signing of the contract, provided that the agreement does not violate the legal provisions regarding jurisdictions (PRC Civil Procedure Law).
If the PRC courts are selected as the forum to resolve a contractual dispute, an action involving the dispute will come under the jurisdiction of the court where the defendant is domiciled or where the contract is performed.
In addition, for disputes in internet transactions, the Judicial Interpretation on the Application of PRC Civil Procedure Law expressly provides that if:
  • The subject is delivered through an information network, the domicile of the buyer is the place where the contract is performed.
  • The subject is delivered otherwise, the place of receipt is the place where the contract is performed.
  • The contract stipulates the place of performance, the agreement prevails.

Governing Law

There are no differences between the rules that apply to internet transactions and other offline transactions. Generally, where both parties are PRC entities and the subject matter concerns China, the contract must be governed by PRC law.
Under PRC law, if a contract involves any foreign element (for example, if one of the contracting parties is a non-PRC company), the parties can agree to any system of laws as the applicable governing law for the contract.
Where the parties have not made a choice, the laws of the habitual residence of the party whose performance of the contractual obligations fully reflect the characteristics of the contract, or other laws with the most significant connection with the contract, will apply and will be the governing law (see PRC Law on Application of Law in Foreign-related Civil Relations).
If a tortious claim involves any foreign elements, under PRC law, the claim can be governed by the laws of the place where the tort is committed.
Where the parties have a common place of habitual residence, the laws of the common place of habitual residence apply.
Where parties reach an agreement in relation to the application of relevant laws for the settlement of the tort on the occurrence of the tort, the provisions of the agreement will apply (see PRC Law on Application of Law in Foreign-related Civil Relations).
30. Are there any alternative dispute resolution/online dispute resolution (ADR/ODR) options available to online traders and their customers?

ADR/ODR Options

According to Art. 47 of the PRC Product Quality Law and Art. 39 of the PRC Consumer Protection Law, if a civil dispute over product quality occurs, the parties may settle the dispute through the following approaches apart from bringing the case to a court:
  • To consult and conciliate with business operators.
  • To request consumers' association or other mediation organisations legally established for mediation.
  • To file a complaint to the relevant administrative departments.
  • To apply for arbitration.
There are no specific ADR services offered to online traders and customers in China. However, there are various dispute resolution options offered to certain aspects of electronic transactions and online business. For example, the China International Economic and Trade Arbitration Commission (CIETAC) has formulated a set of dispute resolution rules for internet domain names. However, arbitration is usually for disputes with very large subject matter.
Therefore, online traders and their customers in China tend to choose dedicated internet courts and resolve the relevant issues through litigation. In addition, the judge will sometimes hold a "meet and confer" in order to reach a settlement between the parties.

Remedies

The manner in which consumers receive services through an e-commerce platform is not very different from traditional trading practices, so the remedies are not different from those available offline.
Compensatory damage: Consumers whose legitimate rights and interests are infringed while purchasing or using goods have the right to claim compensation from the sellers concerned.
Punitive damage: If business operators engage in fraudulent practices in providing goods or services, or knowingly provide goods or services that have defects and cause the death of, or serious damage to the health of, consumers or other victims, the victims have the right to claim punitive damages.
Other specific performances: cease the violations, restore consumers' reputation, eliminate the bad effects, make apologies and make compensations. For goods or services, consumers can require the business operators to repair, remanufacture, replace, return the goods, make up for the shortage in quantity, return the payment, or compensate for losses and so on.

Advertising/Marketing

31. What rules apply to advertising goods/services online or through social media and mobile apps?
The two key laws which regulate advertising of goods and services on the internet are:
  • The PRC Advertising Law. The law expressly provides that it is applicable to online advertising.
  • Interim Measures on Administration of Internet Advertising.
There are also other industry and sector-specific regulations and notices issued by different ministries and government authorities which have an impact on how advertising activities must be carried out in the relevant sector or industry.
Broadly, the PRC Advertising Law and Interim Measures on Administration of Internet Advertising provide that online advertisements must, for example:
  • Be true and lawful.
  • Conform to the requirements of the construction of a socialist civilisation and the development of the positive traditional culture of the Chinese nation.
  • Not contain any false or misleading content.
  • Not defraud or mislead consumers.
  • Be identifiable as advertising and the word "advertisement" (in Chinese) must be prominently stated such that consumers can easily identify the information as advertisements.
In addition:
  • Paid advertising search results must be clearly separated from natural search results.
  • If the internet is used to distribute advertising, it must not disrupt a user's normal use of the network.
  • Any pop-up advertisements must be capable of being closed in a single click.
Further provisions elaborating on the application of these principles are set out in the two laws.
32. Are any types of services or products specifically regulated when advertised or sold online (for example, financial services or medications)?
For products and services which are subject to specific regulations, the PRC Advertising Law and the Interim Measures on Administration of Internet Advertising do not draw any distinction between whether the advertisement is placed online or offline.
For example, the PRC Advertising Law expressly prohibits the:
  • Use of certain content in advertisements, such as the national flag or anthem, or words such as "national/state level", "top level" or "the best".
  • Publication of any advertisement for medical services, drugs, medical instruments or dietary supplements disguised as health or healthcare knowledge.
These restrictions apply equally to online advertising.
The two laws above restrict how adverts can be displayed online, for example, online advertising cannot affect a user's use of the internet and any pop-up or similar form of advert must clearly allow the user to close the advert by a single click. Non-compliance with this article can result in an administrative fine of between RMB5,000 and RMB30,000 (Article 44, PRC Advertising Law).
Online education network products and services targeted at minors must not insert links to online games, or push advertisements or other information irrelevant to teaching.
33. Are there any rules or limitations relating to text messages or spam e-mails?
Two laws governing such texts or emails are the:
  • Administrative Measures Regarding Internet Email Services (Email Measures) issued by the MIIT (which took effect on 20 February 2006), which is the main legislation in China regulating text messages or spam emails.
    Under the Email Measures, any organisation or individual must not directly or indirectly send emails containing commercial adverts without the express consent of the recipient. In addition, commercial emails must bear the caption "AD" (or its equivalent in Chinese characters) in the subject heading, and senders of such commercial emails must give the recipient the choice and method of notifying the sender to cease to send further commercial emails to them.
  • Administrative Provisions on Short Message Services for Communication (SMS Provisions), issued by the MIIT, which took effect on 30 June 2015. The SMS Provisions set out statutory requirements relating to the sending of short commercial messages by short message service and content providers. In particular, such providers cannot send short commercial messages to users without the users' consent or request. Silence is deemed to be an objection. If a user explicitly refuses to receive short commercial messages after the consent, the sending must cease immediately.
34. Does your jurisdiction impose any language requirements on websites that target your jurisdiction or whose target market includes your jurisdiction?
There are no specific language requirements for websites targeting China. However, under the PRC Civil Code, the validity of a contract can be challenged due to serious misunderstanding or the use of standard terms if the contract terms are written in English or other foreign languages. Accordingly, businesses can avoid such risk by presenting the contract in Chinese to China-based audiences and customers.
PIPs must use clear and easy-to-understand language on their websites (Article 17, PIPL). Considering that Chinese is the only official language in China, websites are advised to prepare legal documents including privacy notices in Chinese.

Tax

35. Are sales concluded online subject to tax?
China adopts the territorial source tax jurisdiction and the resident tax jurisdiction. Profits tax is charged on profits that arise in or are derived from China. Accordingly, whether sales concluded online will be subject to China taxation will depend on whether profits derived from the sales can be regarded as arising in or deriving from China. Meanwhile, the resident tax jurisdiction requires that enterprises which are legally set up in China or set up in accordance with the law of the foreign country (region) whose actual administration institution is in China must be charged for tax.
For enterprise income tax, both resident enterprises and non-resident enterprises must pay enterprise income tax. Resident enterprises must pay enterprise income tax in relation to their income originating both within and outside China. Non-resident enterprises that have set up institutions or establishments in China must pay enterprise income tax in relation to income originating from China obtained by the set up institutions or establishments, and income occurring outside China but having an actual connection with the set up institutions or establishments.
Non-resident enterprises that have not set up institutions or establishments in China, or have set up institutions or establishments but the income obtained by the said enterprises has no actual connection with the set up institutions or establishments, must pay enterprise income tax in relation to their income originating from China.
For VAT taxes, see Question 35.
For individual income tax, any individual who has a domicile within the territory of China or who has no domicile but has stayed in the territory of China for 183 days in one tax year or longer must pay individual income tax for any income obtained in and outside the territory of China according to the PRC Individual Income Tax Law. Any individual who has no domicile and does not stay within the territory of China or who has no domicile but has stayed within the territory of China for less than 183 days in one tax year must pay individual income tax for any income obtained within the territory of China according to the provisions of this law.
36. Where and when must online companies register for value added tax (VAT) (or equivalent) and other taxes? Which country's VAT (or equivalent) rate applies?
Entities and individuals selling goods and providing processing, repairs or maintenance services in China, or importing goods to China, must pay value-added tax (VAT). The Interim Value-Added Tax Regulations of the PRC specify that VAT applies when entities and individuals sell goods and provide processing, repairs or maintenance services in China, or import goods into China.
The term "goods" means tangible moveable goods, including electricity, heat, and gas (Article 2, Implementing Rules for the Interim Regulations of the PRC on Value-added Tax).

Protecting an Online Business and Users

Liability for Content Online

37. What restrictions are there on what content can be published on a website (for example, laws regarding copyright infringement, defamatory content or harmful content)?
The CAC has introduced a series of content management provisions covering account information, content publishing, follow-up comment management and deepfake issues, specifically the following:
  • Administrative Measures on Internet Information Services.
  • Provisions on Ecological Governance of Network Information Content.
  • Administrative Provisions on Internet Follow-up Comment Services.
  • Administrative Provisions on Mobile Internet Application Information Services.
  • Administrative Provisions for Internet User Account Information.
  • Administrative Provisions on Deep Synthesis of Internet Information Service.
  • Provisions on the Administration of Online Live-streaming Services.
A website operator is liable for the content published on the website it operates.
A website operator is under statutory obligations to ensure that the information it provides is lawful and that it will not publish certain types of content (Articles 13 and 15, Administrative Measures on Internet Information Services).
Information is classified into:
  • "Encouraged" information. This is information the publication or copying of which is encouraged by the state to enhance the international influence of Chinese culture including (among others):
    • showcasing the highlights of Chinese economic and social development;
    • promoting socialist core values;
    • helping to enhance the international influence of Chinese culture.
  • Illegal information. This is information that is not allowed to be published or reproduced.
  • Undesirable information. This type of information must be prevented from being published.
(Articles 5, 6 and 7, Provisions on Ecological Governance of Network Information Content).
38. Who is liable for website content that breaches these restrictions (including, for example, illegal material or user-generated material that infringes copyright or other laws, such as the law of defamation)?
39. What legal information must a website operator provide?
As a minimum, a website operator must specify at a prominent place on its website the ICP licence number or the website recordal (beian) number (Article 12, Administrative Measures on Internet Information Services (promulgated by the State Council on 25 September 2000 and amended on 8 January 2011)).
In addition, a website operator must publish the rules for the collection and use of its users' personal information on its websites. It must also clearly state the purposes, means and scope of the collection and use of personal information and obtain the consent of the users whose data is gathered.
Depending on the nature of the business of the website and the products and services to be provided under it, the website operator may also need to include additional information. For example, if the business concerns the operation of an online transaction or the provision of a trading platform for goods and services, the website operator must publish standard terms (or links to such terms) concerning the operation of the platform, including:
  • User registration agreement.
  • Merchant affiliation agreement.
  • Platform trading rules.
  • Rules on the collection and protection of personal information and trade secrets.
  • Rules and procedures on the protection of consumer rights and interests.
  • Dispute resolution mechanism.
(Articles 3 and 7, Guidelines for Regulating the Standard Terms of Online Trading Platform Contracts (promulgated by the SAMR on 30 July 2014).)
A website operator must also publish at the appropriate place on the main page of its website information concerning:
  • Its business licence and other relevant permits.
  • Its business address, postal code, telephone number, e-mail, and other contact information.
(Article 8, Guidelines for Regulating the Standard Terms of Online Trading Platform Contracts.)
It is important to check industry and sector specific regulations and requirements to ensure that the website will include all information required to be provided publicly.
The PRC E-commerce Law further requires operators of e-commerce platforms to:
  • Make the platform's service agreement and transaction rules (or the applicable web links to such information) public and displayed in a prominent position on the platform's home page and make sure that business operators and consumers can conveniently read and download the agreement and rules in full.
  • In a prominent position on the platform's home page, seek public comments on proposed changes to the platform service agreement and transaction rules and take reasonable measures to ensure that all parties concerned can express their full opinions in a timely manner.
  • Make available the information of the operator's business licence and other required permits or provide a link to a webpage that makes such information publicly available.
  • In the case of termination of the e-commerce business, continuously announce relevant information in a prominent position on its homepage 30 days in advance.
40. Who is liable for the content a website displays (including mistakes)?
Based on the PRC Civil Code, where an internet user infringes on an individual's civil rights and interests through the internet, the individual has the right to require the internet service provider to take necessary action, such as deleting the content, screening, severing the links and so on. If the internet service provider fails to take the necessary action, it is jointly and severally liable with the internet user for any additional injury or damage suffered by the individual.
If the internet service provider becomes aware that an internet user is infringing on the civil rights and interests of a third party through its internet service but fails to take necessary action, it will become jointly and severally liable with the internet user. What constitutes "necessary action" depends on the specific context.
A website operator, as the platform provider for an e-commerce operator, is liable for trade mark infringement if it knows or should have known that the e-commerce operator has committed trade mark infringement but provides its trading platform to that operator regardless (PRC Trade Mark Law; Implementing Regulations of the Trade Mark Law).
In addition, under the CSL, a website operator must "strengthen the management" of the information published by its users, and must:
  • Immediately stop the transmission of information whose publication or transmission is prohibited as soon as it comes to their knowledge.
  • Take disposal measures such as deletion to prevent the information from spreading, save relevant records and report the breach to the relevant competent authorities.
In relation to infringement of third-party IPR, a website operator commits a copyright infringement act by publishing content on its website without the owner's consent (Article 48, PRC Copyright Law).
However, a website operator will not be regarded as having committed such an infringement act if it can demonstrate to the court that it merely provides "network services" and there is no fault on its part.
For online businesses involving the publication of third-party content, both the author of the content and the website operator may be liable for the infringement, depending on the wrongdoing alleged.
If a website operator knows or ought to know that the use by a user of its website violates the copyright of a third party but fails to take necessary measures to cease the violation, such as deleting the content or disabling the relevant linking, the website operator can be held liable for assisting another to commit an infringing act.
A website operator is taken to know of the alleged infringement if it has received a notice from the rights owner and fails to take necessary action promptly. It is therefore important for a website operator and trader to put in place a proper takedown process that makes it easy for rights owners to report any potential infringement of their rights and allows the operator to take relevant steps to delete or remove the infringing items from its website.
41. Can an internet service provider (ISP) shut down (or be compelled to shut down) a website, remove content, or disable linking due to the website's content, without permission?
Most ISPs will be required to take down infringing websites, content, or links if they infringe the civil rights of a third party.
Under the Administrative Measures on Internet Information Services, an internet content provider (for example, a website operator) is under a statutory duty to cease transmitting content referred to in Question 38. To ensure that this obligation is complied with, it is common practice for internet content providers to include the statutory obligation in the relevant contracts as a contractual right allowing them to take down the content if they become aware of such content being published on their websites.
However, internet platforms are not allowed to disconnect or take down content at their own discretion. The Draft AUCL (see Question 44) proposes providing that operators must not hinder or disrupt the normal operation of other operators by disconnecting links or stopping services.
The MIIT also held an administrative guidance meeting on blocking web links in 2021, suggesting that they should be "unblocked".

Liability for Products/Services Supplied Online

42. Are there any specific liability rules applying to products or services supplied online?
Producers and sellers are subject to liability for products and services under the PRC Civil Code and the PRC Product Quality Law (promulgated on 8 July 2000), although liability for products and services supplied online has not been specifically mentioned in these acts.
Under the PRC Consumer Protection Law, consumers whose legitimate rights and interests are infringed while purchasing goods or receiving services via the online trading platform of a third party have the right to claim compensation from the seller of the goods or the service provider. If the operator of the online trading platform cannot provide the real name, address and effective contact of the seller or the service provider, consumers can claim compensation from the operator of the online trading platform. After compensating the consumers, the operator of the online trading platform can claim compensation from the seller or service provider.
Under the PRC E-commerce Law, an e-commerce platform is jointly liable together with the violating operators on its platform where both:
  • The e-commerce platform operator knows, or should have known, that other operators are using its platform to sell commodities or offer services that fail to safeguard personal or property safety or commit any other acts that impair the lawful rights and interests of consumers.
  • The e-commerce platform operator fails to take the necessary measures to remove and report the violating operator using its platform.
E-commerce platform operators are liable for any harm to consumers resulting from a failure to:
  • Verify the qualifications of the operators on its platform that provide commodities or offer services relating to consumers' lives and health.
  • Fulfil its obligations to safeguard the safety of consumers.
E-commerce platform operators also bear civil liability if they either:
  • Fail to fulfil their contractual obligations or their performance of obligations does not conform to contractual stipulations.
  • Cause damage to others while selling commodities or offering services.
Under the PIPL, if network products and services have the function of collecting users' information, network operators must clearly notify their users and obtain their consent. Where users' personal information is involved, network operators must also comply with the provisions regarding the protection of personal information stipulated in the PIPL and with relevant laws and regulations.
If the operator of an online trading platform knows or should know that the seller or service provider uses its platform to commit acts that have infringed the legitimate rights and interests of customers but fails to take necessary measures, the operator bears joint and several liability with the seller or the service provider.

Insurance

43. What types of insurance does an online business usually need?
There is no specific law that governs insurance for online business. Generally, online businesses require the same type of insurance as other offline businesses operating in the same industry. In addition, online businesses should consider specific insurance policies covering the risks relating to data privacy and network security in the event of a data or security breach.

Reform

44. Are there any proposals to reform digital business law in your jurisdiction?
Several new proposals to amend laws relating to unfair competition law, cybersecurity and data protection regulations are being discussed in China. These include the:
  • Draft CSL: The Draft CSL revises the administrative penalty provisions for violations and increases the amount of penalties.
  • Draft AUCL: The Draft AUCL adds provisions relating to unfair competition on the internet and significantly increases the level of administrative penalties.
  • Draft Regulations on Network Data Security Management (Draft Network Regulations): The Draft Network Regulations are a refinement of the CSL, DSL and PIPL in the area of networks and provide for various requirements including separate consent.
In addition, the National Information Security Standardisation Technical Committee (TC260) and other relevant authorities are also drafting and collecting comments for new national standards regarding data protection and cybersecurity.

Contributor Profiles

James Gong, Partner

Bird & Bird

T +86 10 5933 5699
E [email protected]
W www.twobirds.com
Professional Qualifications. Admitted to the bar in New York State; passed PRC Legal Professional Qualification Examination
Areas of Practice. Technology, media, and telecoms; data protection; commercial law; corporate law; investigations.
Languages. English, Mandarin

Harry Qu, Associate

Bird & Bird

T +86 10 5933 5568
E [email protected]
W www.twobirds.com
Professional Qualifications. Passed PRC Legal Professional Qualification Examination
Areas of Practice. Telecoms, media, and technology; data protection; antitrust and anti-competition law.
Languages. English, Mandarin