Outsourcing: China overview

A Q&A guide to outsourcing in China.

This Q&A guide gives a high level overview of legal and regulatory requirements on different types of outsourcing; commonly used legal structures; procurement processes; formalities required for transferring or leasing assets; data protection issues; customer remedies and protections; contracting parties' remedies; dispute resolution; and the tax issues arising on an outsourcing.

To compare answers across multiple jurisdictions, visit the Outsourcing Country Q&A tool.

This Q&A is part of the multi-jurisdictional guide to outsourcing. For a full list of jurisdictional Q&As, visit www.practicallaw.com/outsourcing-mjg.

For the rules relating to transferring employees, visit Transferring employees on an outsourcing in China: overview.

Gordon Milner, Jingxiao Fang and Eric Dickinson, Morrison & Foerster
Contents

Regulation and requirements

National regulations

 
1. To what extent does national law specifically regulate outsourcing transactions?

Outsourcing in the People's Republic of China (PRC) is subject to an overlapping and potentially inconsistent set of industry and activity-specific regulatory regimes. Typically, the relevant written regulations are drafted in very high-level language which gives the supervising authorities substantial flexibility on implementing the regulations.

The only regulations relating generally to outsourcings are the Several Provisions for the Protection of Information in Undertaking International Service Outsourcing by Domestic Enterprises (Information Provisions) enacted by the Ministry of Commerce (MOFCOM), which came into effect on 1 February 2010. The Information Provisions require that outsourcing suppliers take effective measures to ensure the protection and confidentiality of certain types of data provided in connection with an outsourcing. However, the Information Provisions are narrow in scope and do not appear to provide for an overarching or comprehensive framework to regulate outsourcing in the PRC (see Question 10).

Sectoral regulations

2. What additional regulations may be relevant for the following types of outsourcing?

Financial services

PRC law does not regulate the outsourcing of financial services by foreign companies. However, a foreign company's home-country laws can apply.

For PRC-regulated financial services businesses, the following regulations can apply.

Banks. The China Banking Regulatory Commission (CBRC) has issued guidelines addressing the outsourcing of a bank's IT and business functions. The guidelines set requirements on the following:

  • The scope of the functions that can be outsourced.

  • The necessary disclosures to customers and the CBRC.

  • The extent of due diligence and contractual protections the bank must obtain from the supplier.

  • Data security measures.

Banks generally cannot outsource core business functions such as credit or debit card issuance or marketing functions.

Insurance companies. Any proposed outsourcing of a business or IT function by an insurance company can be considered an "important matter" under regulations issued by the China Insurance Regulatory Commission (CIRC), and must therefore be reported to CIRC in advance. Currently, insurers cannot transfer policyholders' personal data or allow third parties to process this data without prior consent from the policyholder, and it is expected that CIRC will soon issue additional regulations on the outsourcing of an insurer's IT functions.

Securities companies. The China Securities Regulation Commission (CSRC) has issued regulations on the outsourcing of IT functions by funds and securities companies.

Business process

There are no regulations specific to business process outsourcing.

IT

Regulation of the IT sector can be considered in terms of the following activities.

Import and export of technology. The Administrative Regulations of Technology Import and Export (Technology Regulations) and Administrative Procedures of Technology Import and Export Contracts Registration (Technology Registration Procedures) require that all contracts involving the import or export of technology be subject to the supervision of MOFCOM or its local counterpart. The Technology Regulations define a technology import to include cross-border transfer of technology into the PRC by means of trade, investment or economic technological co-operation. The following contracts can be viewed as technology import contracts and therefore subject to the supervision of MOFCOM or its local counterpart (Circular Concerning the Strengthening of Administration of Sale and Payment of Foreign Exchange in Connection with Technology Import Contracts):

  • Patent transfer contracts.

  • Contracts regarding transfers of patent application rights.

  • Patent licence contracts.

  • Trade secret licence/transfer contracts.

  • Computer software licence contracts.

  • Contracts regarding trade mark licence/transfer that involve patent or trade secret licence.

  • Technical services contracts.

  • Technical consulting contracts.

  • Contracts regarding co-operative design, research and development, and production.

The Technology Regulations classify imported technology into three categories:

  • Unrestricted.

  • Restricted.

  • Prohibited.

MOFCOM is responsible for identifying which technologies are restricted and prohibited. A compilation of technologies that have been categorised in this way can be found in the Catalogue of Technologies Prohibited and Restricted from Import. Items not listed in this catalogue are normally considered unrestricted and are therefore only subject to filing and registration requirements.

Registration of unrestricted technology contracts with MOFCOM is not a condition precedent for validity, but failure to register this kind of contract can result in a variety of practical problems since, without the registration, the PRC transferee may be unable to complete relevant foreign exchange, banking, taxation and customs procedures related to the use of the technology. In particular, this has the effect of preventing the transferee from making any payments to foreign technology providers, such as licensors, that may be required under this kind of contract.

More critically, failure to register the contract can limit the foreign party's ability to enforce the contract in the PRC. Contracts for the import of restricted technology, on the other hand, are invalid under PRC law until approved by MOFCOM.

A key feature of the PRC technology transfer regime is that the Technology Regulations provide that a transferee of technology not only has the right by law to make improvements to that technology, but the transferee also becomes the owner of the rights to such improvements it makes within the term of the relevant agreement. This creates important issues in an outsourcing transaction when a PRC supplier expects to further develop or modify an imported technology.

The Technology Regulations also prohibit a foreign transferor from imposing various mandatory requirements in a technology import contract which cannot be disclaimed. Technology import contracts cannot contain provisions that:

  • Require the transferee to accept ancillary conditions that are not indispensable to the technology import, including purchase of unnecessary technology, raw materials, products, equipment or service.

  • Require the transferee to pay royalties for, or assume corresponding obligations with respect to, expired or invalidated patents.

  • Restrict the transferee from improving the imported technology provided by the transferor or using the improved technology.

  • Restrict the transferee from obtaining technology from other sources that are similar to, or compete with, that provided by the transferor.

  • Unreasonably restrict the transferee from freely choosing channels or sources for purchasing its raw materials, spare parts, products or equipment.

  • Unreasonably restrict the production volume, production types or sale prices of the transferee's products.

  • Unreasonably restrict the export channels of the products made by the transferee by using the imported technology.

A foreign transferor is also required to warrant that it is the lawful owner of the imported technology, or has the right to assign or license the technology, and that the imported technology, documents and information provided are:

  • Complete.

  • Free of error.

  • Effective.

  • Able to attain the objectives stated in the contract.

These Technology Regulations potentially affect many facets of an outsourcing transaction involving a supplier in the PRC, as well as any transfers by the supplier to the customer outside of the PRC. Each element of an outsourcing transaction must be considered in light of the potential application of the Technology Regulations.

Any technology contract that a customer enters into with a PRC supplier, including its own subsidiaries, is subject to the Technology Regulations. Therefore, in structuring the transfer or licensing of any technology into PRC, the customer must require the supplier to properly register the contracts and, if necessary, receive approval from MOFCOM or its local counterpart.

Many of the types of technology represented in an outsourcing transaction fall within the "unrestricted" category with respect to the Technology Regulations and therefore would only be subject to a registration requirement. In practical terms this means that any technology contract is valid on execution, but that until it is properly registered, there can be a level of uncertainty regarding the enforceability of the customer's rights against the supplier in the PRC.

Although the Technology Regulations clearly cover software licensing agreements, to date MOFCOM's position on mass-market software has been that it does not need to be registered. However, since there is no published regulation that exempts mass-market software, application of the registration requirements is subject to MOFCOM's discretion. A customer entering into an outsourcing contract with a PRC supplier that includes the license or sub-license of software may wish to take steps now to revise the licensing agreements that it uses to anticipate the Technology Regulations in the event it does become necessary to register the software.

Since the Technology Regulations grant rights to improvements to the party that undertakes them, any assignment or licensing agreements must ensure that any improvements are assigned or licensed back.

In addition, while it can be possible for an import of technology to be only subject to registration requirements, subsequent export of improvements made to it can be subject to approval requirements depending on the nature, scope and quantity of improvements made. Therefore it is important, before entering into the outsourcing arrangement, to get confirmation on both the import and export status of the technology in question.

Import and export of encryption technology. The import, sale and use of data encryption technology is subject to the regulatory control of the Office of State Commercial Code Administration (OSCCA) under a series of legislation centred around the Commercial Encryption Administrative Regulations promulgated by the State Council in 1999 (collectively, the Encryption Regulations).

The Encryption Regulations do not define encryption technology; however, an OSCCA official stated during a speech in March 2000 that:

  • Technologies which include "special purpose hardware and software, the core functions of which are encryption and decoding" can be deemed encryption technology under the Encryption Regulations.

  • The following is not generally considered encryption technology:

    • wireless telephones;

    • Windows (and Mac OS) software;

    • internet browser software.

In practice, OSCCA has substantially adopted these guidelines. However, there is an absence of an objective standard, and therefore there will always be some risk that a product containing encryption functionality may be deemed to constitute an encryption product by the PRC authorities.

The distribution, sale, and use of foreign developed encryption technology is generally prohibited within the PRC (Encryption Regulations). Data encryption technology products are developed and sold in the PRC almost exclusively by domestic-owned companies approved by OSCCA. Foreign encryption technology can be imported, but only by certain classes of legal persons and under certain circumstances (and with prior OSCCA approval). Application of the Encryption Regulations varies depending on how a company uses foreign developed encryption technology as part of its PRC operations.

Software export. For outsourcings involving software development, the export of this software is governed by the Measures for the Administration of Software Exports and their Statistics (Software Regulations). The relevant software contracts must be registered with the authorities before exporting the software (Software Regulations).

Telecommunications

The telecommunications sector is highly regulated. Companies that seek to offer telecommunications services (an extremely broad term, which includes many activities such as the operation of data centres, hosting services, call centres, or software-as-a-service (SaaS) facilities) require permits under the PRC Telecommunications Regulations that are typically not available to wholly foreign-owned entities. However, complex but well tested nominee structures have evolved in the market to enable the provision of certain types of telecommunications services with the tacit approval of the authorities.

Public sector

The Government Procurement Law (GPL) is the primary legislation for public sector outsourcings. While the GPL encourages government procurement to occur by way of public tender, the GPL also permits:

  • Private tenders.

  • Single-source procurement.

  • Competitive negotiations.

  • Other methods approved by the Ministry of Finance.

The GPL expressly favours procuring onshore goods and services. In special circumstances foreign suppliers are allowed to directly participate in the state procurement process.

 
3. What further legal or regulatory requirements (formal or informal) are there concerning outsourcing in any industry sector?

Financial services

Banks. Under the Guidelines on the Management of Outsourcing Risks of Banking Institutions (the Risk Guidelines) issued by the CBRC, banks must conduct due diligence on their suppliers for the following:

  • Management capability and industry reputation (including engagements with other institutions).

  • Financial stability.

  • Company culture.

  • Technical skills and service quality.

  • Emergency response capacity.

  • Familiarity to the banking industry.

  • The affiliate relationship, if any, among the suppliers (if more than one).

The outsourcing contract must address the following matters:

  • Scope and standards of the outsourcing service.

  • Confidentiality and data security.

  • Continuity of services.

  • Audit and inspection.

  • Dispute resolution.

  • Interim arrangements on termination.

  • Liability allocation.

A supplier must covenant to do the following (which must be reflected in the contract):

  • Provide service reports on a regular basis.

  • Promptly report any emergency or service failure.

  • Co-operate with the customer during the CBRC's inspection process.

In addition, banks must conduct full-scale audits and evaluations of the outsourcing services on a regular basis, and must report any events that have or will have a material adverse effect on its business, customer data security or reputation to the local branch of the CRBC.

Under the Guidelines on the Information Technology Risk Management of Commercial Banks (the Commercial Bank Guidelines) issued by the CBRC, commercial banks must submit written reports to the CBRC or its local branches in connection with particular types of outsourcing (for example, data centre operations or IT infrastructure design/operation).

In connection with the outsourcing of the development of software used in online banking systems, under the General Specification of Information Security for Internet Banking System issued by the People's Bank of China (PBOC), financial institutions such as commercial banks must observe certain obligations, including:

  • Strictly controlling the subcontracting of software development works by outsourcing suppliers.

  • Obliging outsourcing suppliers to isolate the financial institution's customer data from that of any other client, and to return or destroy all of the financial institution's customer data in the suppliers' possession upon termination of the outsourcing contract.

  • Requiring outsourcing suppliers to conduct information security risk assessments at least once a year and provide assessment reports.

  • Requiring outsourcing suppliers to engage external auditors to conduct security audits on a regular basis; and

  • Entering into intellectual property protection and confidentiality agreements with outsourcing suppliers, which prohibit the suppliers from publicising the design or key technologies utilised in the security functions of the online banking system.

Insurance companies (including insured assets management companies). According to the Provisional Guidelines on Security Management of Information System of Insurance Companies (the Information System Guidelines) issued by CIRC, insurance companies must evaluate the following aspects of each supplier:

  • Financial condition.

  • Technical ability.

  • Security protection qualifications.

  • Risk control capability.

  • Credit records.

A supplier must also meet the following criteria (Guidelines for the Administration of Information System Disaster Recovery in the Insurance Industry):

  • It must be a legal person duly registered within the territory of the PRC.

  • It must have over three years of experience in providing disaster recovery services and have provided such services for at least three customers.

  • Its infrastructure, service quality guarantee system, and information security management system must be certified by the relevant authorities.

The Information System Guidelines require that the outsourcing contract addresses the following matters:

  • Scope of outsourcing services.

  • Confidentiality and security.

  • Intellectual property rights.

  • Business continuity.

  • Dispute resolution.

  • Interim arrangements upon termination.

  • Liability allocation.

The Information System Guidelines require insurance companies to submit written reports to CIRC in connection with particular types of outsourcing (for example, data centre operation or information technology infrastructure design/operation). They also grant CIRC the right to conduct on-site inspections, to request any relevant information, and to require the parties to redress any noncompliance with the Information System Guidelines.

Securities companies. According to the Provisions on the Administration of Information Management Platform of Sales of Shares in Securities Investment Funds, a "seller of fund shares" can outsource systems integration, application development, operations maintenance, equipment custody, network communications, technical advice and other professional services to suppliers having proper qualifications (detailed in the Provisions). A customer must report to CSRC regarding the appointment and change of the outsourcing supplier.

Business process

There are no regulations specific to business process outsourcing.

IT

There are no additional requirements concerning outsourcing (see Question 2, IT).

Telecommunications

Under the Provisions on Management and Supervision of Telecommunications Network Operation issued by the Ministry of Industry and Information Technology (MIIT), when outsourcing basic telecom service repair work for telecoms equipment and transportation networks, basic telecommunication service providers must:

  • Conduct due diligence on the supplier’s qualifications, including the supplier’s capacity to maintain and administer network operation on a regular basis.

  • Execute confidentiality contracts with the supplier.

  • Preserve all service records, whether created internally or provided by the supplier.

Public sector

Under the Security Review Procedures on Application for Information Security System Certification by Information and Technology Outsourcing Service Institutions for Government Departments issued by the MIIT, suppliers of outsourcing services for government authorities can apply for an information security management system certification. During the supplier selection process, government authorities are encouraged to give preference to suppliers who have this certification.

 
4. What requirements (formal or informal) are there for regulatory notification or approval of outsourcing transactions in any industry sector?

For financial services, IT and telecommunications, please see Question 2. There are no registration requirements for business process or public sector outsourcing.

 

Legal structures

5. What legal structures are commonly used in an outsourcing?

Prime/sub arrangements

Description of structure. This is the most common structure for large multinational corporation customers. Customers can contract directly with a reputable multinational outsourcing provider, which in turn procures a smaller PRC supplier to perform the actual outsourcing function.

Advantages and disadvantages. The main advantage of this structure is that all contractual arrangements with the customer occur offshore (that is, the outsourcing agreements are between offshore entities, using offshore law). Therefore, the customer does not need to directly deal with PRC technology import/export restrictions, as this is done by the offshore outsourcing provider.

Captive service operations

Description of structure. Under this type of arrangement, the PRC outsourcing business is owned and controlled by the customer. Typical captive service operations occur when the customer purchases the supplier, or when services are provided internally from one group within the customer to another.

Advantages and disadvantages. Advantages include that:

  • The customer maintains control of the supplier and its operations, including resource dedication and technical capabilities.

  • Confidentiality and data security issues are minimised.

  • Issues arising in relation to the Technology Regulations (see Question 2) are generally obviated since the service arrangement is internal.

Disadvantages include:

  • Limited cost cutting ability, since the services remain within the customer group (that is, economies of scale may not be reached).

  • Typically, dedicated suppliers are able to leverage their expertise and experience, which allows them to stay abreast of current regulations and employ the latest technology. These advantages may not be available in a captive service operation.

Conventional agreements

Description of structure. As suppliers in the PRC outsourcing market become more sophisticated, it is also becoming more common for parties to use conventional outsourcing agreements similar to those employed in more developed markets. However, most outsourcing agreements continue to be more simplified.

Advantages and disadvantages. Advantages include that:

  • Suppliers are able to leverage their expertise and experience, which allows them to stay abreast of current regulations and employ the latest technology.

  • Cost reduction is often maximised due to the supplier’s expertise in and focus on outsourcing, in addition to economies of scale.

Disadvantages include that:

  • The customer loses a large degree of control over the outsourced service operation.

  • Confidentiality and data security risks are heightened, especially when valuable or sensitive data will be transferred to the supplier.

 

Procurement processes

6. What procurement processes are used to select a supplier of outsourced services?

When entering into a relationship with a supplier in the PRC, a customer must be aware of the potential for higher transaction costs, arising from:

  • Among other factors, the limited pool of English-speaking workers in the PRC.

  • Higher information costs due to a lack of transparency in the system.

These considerations can also apply to offshoring transactions with a customer's subsidiary in the PRC. Against that background, the procurement processes used to select a supplier of outsourced services are as follows.

Request for proposal

These procedures exist, but are not prevalent in the PRC outsourcing markets. Generally, a customer's internal policies determine whether competitive tendering is required. For example, several large financial institutions require such a procedure.

Invitation to tender

These procedures exist, but are not prevalent in the PRC outsourcing markets.

Due diligence

When establishing an outsourcing relationship with a supplier in the PRC, a customer must conduct thorough due diligence on the supplier's capabilities. There are limited sources of information about companies in the PRC and, depending on the supplier's geographic location, it can be difficult to obtain confirmation from the State Administration of Industry and Commerce (SAIC) about whether a supplier has been incorporated. As there are limited private party business information organisations in the PRC, a customer must independently undertake due diligence on the supplier's:

  • Financial stability.

  • Corporate establishment.

  • Land use rights.

  • Ownership of assets.

  • Compliance with employment requirements.

  • Access to the staff and facilities necessary to do the work.

  • Intention to subcontract the work, if applicable.

If the customer does not have the ability to gather and evaluate the information in-house, there are various companies available that can perform informal investigations on PRC companies.

It is important for a supplier to provide:

  • Official documents showing their due incorporation and licence to engage in business.

  • Any relevant industry-specific licences and qualifications, such as a Certified Software Enterprise certificate, that can provide further evidence of an enterprise satisfying certain minimum requirements with respect to staffing, hardware and experience, particularly if the supplier is providing any of the outsourcing services to the customer directly in the PRC.

When entering into an outsourcing contract with a supplier whose primary assets and operations are in the PRC, it is important to ensure that the contract is validly executed by the legal representative of the PRC entity itself. Even when a company is dealing with its own subsidiary in the PRC, it must recognise that conducting employee background checks is significantly more difficult and, with respect to key personnel, can require special investigations. For extremely sensitive information, it can be worthwhile for a company to require that its subsidiary undertake additional personnel background checks.

Negotiation

There is no standard negotiating process in the PRC market. However, some key recommendations (based on common issues customers encounter during negotiations) include:

  • The customer should ensure it is negotiating with the correct entity (this should be established during the due diligence process).

  • The customer should ensure it is negotiating with the correct individual. Frequently, customers may make concessions to their negotiating counterparty only to learn that the individual with approval authority has not yet been involved negotiations. The result is that the customer has been essentially 'negotiating with itself'.

  • During negotiations, parties should use a working document in only one language in order to avoid misunderstanding.

  • PRC negotiators are often reluctant to discuss liability and termination issues on the basis that discussions would become too focused on worst-case scenarios and lead to a pessimistic view of the outsourcing relationship. Generally, these types of arguments should be resisted.

  • PRC contract law enforces liquidated damages provisions, which allows for more straightforward compensation schemes (see Question 17).

 

Transferring or leasing assets

Formalities for transfer

7. What formalities are required to transfer assets on an outsourcing?

Immovable property

All land belongs to the government, and can be granted to companies and individuals through land use rights (LURs). LURs are generally transferrable, subject to the conditions attached to a particular LUR. For example, for LURs which have been allocated without consideration being paid, government approval is required before the transfer.

However, companies and individuals can own the title to buildings and fixtures on the land, which is evidenced by certain title certificates issued by the competent PRC authorities.

IP rights and licences

Assignments of copyrights, patents, and computer software must be in writing. Patent assignments must be registered with the authorities to be valid, while registration is voluntary for copyright and computer source code assignments.

For assignments of IP licences, see Question 8, IP rights and licences.

Movable property

It is customary, though not required, to have a written agreement for movable property transfers. Transfer of legal title generally occurs upon delivery.

Key contracts

PRC law regarding the assignment of contracts is consistent with common law principles. Subject to any previously agreed limitation, benefits under a contract can be assigned with notice to the counterparty, and obligations can only be transferred with the counterparty's consent.

Formalities for leasing or licensing

8. What formalities are required to lease or license assets on an outsourcing?

Immovable property

Lease agreements for real property must be:

  • In writing.

  • Stamped by the parties.

  • Registered with the authorities.

Government approval can be required under certain circumstances.

IP rights and licences

Patent and computer software licences must be in writing. Copyright licences must also be in writing because PRC law requires that copyright licences contain specific terms, including the following:

  • The particular rights being licensed.

  • The amount and method of payment.

  • The scope and duration of the licence.

  • Liabilities on breach.

Movable property

There are no specific requirements regarding lease agreements for movable property. However, it is common for these agreements to be in writing.

Key contracts

See Question 7, Key contracts.

 

Transferring employees

9. In what circumstances (if any) are employees transferred by operation of law?

Initial outsourcing

An employee is not transferred by operation of law. Where employees are transferred to the transferee to provide services in relation to the outsourcing, the employees can be transferred either by:

  • Secondment.

  • Entering into a new employment contract with the transferee. In this case, the employment contract with the transferor must be terminated at the expense of either transferee or transferor (as agreed by the parties).

Change of supplier

See above, Initial outsourcing.

Termination

See above, Initial outsourcing.

For more information on transferring employees on an outsourcing, including structuring employee arrangements (including any notice, information and consultation obligations) and calculating redundancy pay, see Transferring employees on an outsourcing in China: overview ( www.practicallaw.com/6-578-6285) .

 

Data protection

10. What legal or regulatory requirements and issues may arise on an outsourcing concerning data protection?

Data protection and data security

General requirements. The PRC lacks a comprehensive legal framework to regulate the use and disclosure of data. While there is currently no national data privacy law, data security protection can be addressed through various laws and regulations with provisions regarding data protection in general or as applicable in specific industry sectors. These laws and regulations include, without limitations:

  • General Principles of the Civil Law of the PRC, passed by the NPC in 1986.

  • Tort Liability Law, passed by the Standing Committee of the NPC on 26 December 2009, which came into effect on 1 July 2010.

  • The Seventh Amendments to the PRC Criminal Law, passed by the Standing Committee of the NPC on 28 February 2009.

  • The amendment to the Law on Resident Identity Cards, passed by the Standing Committee of the NPC on 29 October 2011.

  • Certain industry specific regulations, such as the:

    • Protection of the Safety of Computer Data Systems Regulations, for the protection of personal data of internet users;

    • Tentative Provisions of Administration of Basic Personal Credit Information Database, for the protection of credit information of customers maintained by banks;

    • the Several Regulations on Standardising Market Order for Internet Information Services issued by the MIIT on 29 December 2011.

    • the Decision of Strengthening the Protection of Network Information passed by the Standing Committee of the NPC on 28 December 2012.

    • Regulation on the Administration of Credit Investigation Industry promulgated by the State Council, which became effective on 15 March 2013.

A domestic recipient of data in an outsourcing transaction must comply with these general laws and regulations where applicable.

For outsourcing services provided by a PRC supplier to foreign entities or individuals, the supplier must also consider data security protection requirements under the Information Provisions (see Question 1). Under the Information Provisions, domestic recipients must:

  • Establish an effective internal information protection system, including the implementation of level-to-level administration regarding recording media.

  • Impose confidentiality obligations on its employees to ensure security and confidentiality of any data it receives from the customer in connection with the outsourcing services.

Due to the lack of a national, generally applicable data privacy law in the PRC, it is commonly understood that contractual protection plays a key role to ensure data security in an outsourcing context. The PRC Contract Law, which was brought into effect by the NPC on 1 October 1999, imposes general confidentiality obligations on contracting parties in relation to trade secrets during performance, and after expiration, of a contract.

In addition, a customer must also consider adding specific data security safeguards into their contracts, including, without limitation:

  • Allowing the customer to set up effective mechanisms to monitor the supplier's performance of data security obligations.

  • Obligating the supplier to implement back-up plans to deal with unauthorised disclosures.

The supplier can be obligated to disclose the customer's data under limited circumstances, such as government investigations and judicial proceedings.

Mechanisms to ensure compliance. See above.

International standards. PRC law does not require compliance with any international standards in the context of data protection.

Sanctions for non-compliance. Suppliers face various penalties for non-compliance with its data security obligations, depending on the way in which the outsourcing is performed, for example, through the internet and the industrial sector to which the outsourcing relates. PRC outsourcing suppliers may be subject to:

  • Warnings.

  • Rectification orders.

  • Orders to suspend business.

  • Confiscation of illegal income.

  • Penalty fees.

  • Criminal liabilities.

Banking secrecy

General requirements. The People's Bank of China (PBOC) has issued regulations to guide PRC banks on protecting bank account owners' personal credit information. The Tentative Provisions of Administration of Basic Personal Credit Information Database (Credit Provisions), brought into effect by the PBOC on 1 October 2005, is the main bank secrecy law in the PRC. The Credit Provisions set out the requirements for banks and other financial institutions on security measures to protect bank account owners' personal information.

The Notice of the PBOC for Banking Financial Institutions to Better Protect Personal Financial Information requires banks and other financial institutions to establish internal systems to protect personal financial information. In addition, during the outsourcing supplier selection process, financial institutions must evaluate each supplier's ability to protect personal financial information (see Question 2, Financial services: Banks).

For services outsourced by domestic financial institutions, financial institutions must implement effective systems and seek warranties from the supplier in relation to confidentiality of its customers’ information in accordance with the Risk Guidelines. The Risk Guidelines also require financial institutions to ensure that insecurity of customer information is one type of termination event in an outsourcing contract.

Mechanisms to ensure compliance. According to the Commercial Bank Guidelines, banks must adopt the following measures to ensure data protection:

  • Procure that the bank's client information is isolated from other client information held by the supplier.

  • Restrict the supplier's right to access client information to the extent practicable.

  • Procure that suppliers guarantee their employees will adhere to confidentiality requirements.

  • Notify clients about any outsourcing in which their information will be transferred to or processed by a third party supplier.

  • Control subcontracting by suppliers.

  • Procure that once the outsourcing contract is terminated, all client information held by the supplier will be returned or destroyed.

International standards. PRC law does not require compliance with any international standards in the context of banking secrecy.

Sanctions for non-compliance. The PBOC may request commercial banks to rectify any non-compliance with requirements on the establishment of administration systems and procedures for the basic personal credit information database. Failure to rectify such non-compliance within the required period would expose the commercial bank to warnings from the PBOC and a penalty fee of up to RMB30,000. The sanctions for non-compliance with data security obligations may apply to the banks and the official(s) responsible.

Confidentiality of customer data

See above, Data protection and data security and Banking secrecy.

 

Service specification and levels

11. How is the services specification typically drawn up and by whom?

For a fairly standardised services offering, a supplier often has template services specifications, which the parties can complete through negotiation and agreement. In other instances, the customer can produce a first draft.

The finalised services specifications are typically appended as a schedule to the master service agreement.

 
12. How are the service levels and the service credits scheme typically dealt with in the contract documentation?

Service levels and service credit schemes are often addressed in PRC outsourcings, but they are usually less complex than in more developed markets.

Liquidated damages can be subject to reduction if they are more than 130% of the loss incurred by the injured party.

 

Flexibility in volumes purchased

13. What level of flexibility is allowed to adjust the volumes customers purchase?

Under the PRC Contract Law, the parties may adopt contractual mechanisms to adjust purchase volumes.

 

Charging methods and key terms

14. What charging methods are commonly used on an outsourcing?

Charging methods in the PRC are similar to those in more developed outsourcing markets. The most commonly used charging method is with fixed prices. Cost or cost plus methods are especially rare because PRC suppliers are often reluctant to undergo the audits necessary to confirm the reported costs.

 
15. What other key terms are used in relation to costs?

In more advanced markets, parties can incorporate "most favoured customer" provisions (where the supplier cannot offer a lower price to other customers) or other third-party benchmarking provisions into their agreements. This is also possible in the PRC, and is done with greater frequency, but customers must be aware that there are fewer contracts available to be used to create a benchmarking standard.

In many outsourcing agreements the costs for certain items can be subject to fluctuation. Therefore it is advisable for customers to cap these fluctuations through indexation or another limiting function. If the parties agree to use indexation, care must be taken to ascertain which index is most relevant to the outsourcing's particular industry and geographic region(s).

 

Customer remedies and protections

16. If the supplier fails to perform its obligations, what remedies and relief are available to the customer under general law?

Default remedies for breach include compensatory damages and, in limited cases, specific performance.

Many outsourcing arrangements can be characterised as technology contracts (Contract Law). In these cases, the supplier must notify the customer whenever circumstances arise that could hinder or prevent the completion of the development work. The supplier must further act to mitigate all losses.

 
17. What customer protections are typically included in the contract documentation to supplement relief available under general law?

Common contractual remedies include the following:

  • Liquidated damages.

  • Payment hold-backs.

  • Service credits.

  • Specific performance (which can include obligating the supplier to expend additional resources).

In addition, the customer might be able to obtain a performance guarantee from the supplier's parent company, or be named as a beneficiary to the proceeds of the supplier's insurance.

 

Warranties and indemnities

18. What warranties and/or indemnities are typically included in the contract documentation?

Warranties and indemnities used to protect customers in PRC outsourcings are similar to those employed in more developed markets.

A supplier usually gives the following warranties:

  • The supplier is validly incorporated and duly authorised to enter into the relevant agreement(s).

  • The tender documents of the supplier remain accurate.

  • The services will comply with the agreed specifications.

  • The services contemplated comply with all applicable law and will not infringe any IP.

  • The supplier has all approvals, licences and other authorisations needed to perform under the agreement.

  • The services will be performed by skilled personnel in accordance with best industry practices.

Indemnities often cover the following liabilities:

  • Breach of applicable law.

  • Breach of confidentiality.

  • Infringement of IP rights of third parties.

 
19. What limitations are imposed by national or local law on fitness for purpose and quality of service warranties?

Where a contract does not specify the quality of services, they must be performed in accordance with industry or government standards (Contract Law). If no such standards exist, "customary standards" consistent with the object of the contract apply.

Accordingly, if a supplier is developing a product to the customer's specifications, such as software, then the software must be fit for purpose.

 
20. What provisions may be included in the contractual documentation to protect the customer or supplier regarding any liabilities and obligations arising in connection with outsourcing?

It is generally permitted to include an indemnity in favour of the supplier in respect of termination of the employment of any of the customer's employees within the business function to be outsourced.

Insurance

21. What types of insurance are available in your jurisdiction concerning outsourcing, and to what extent are they available?

The market for insurance in the PRC has developed rapidly in recent years. Insurance coverage for property damage, third-party liability, business interruption and fidelity guarantee are available from a wide variety of PRC-based insurers, including local subsidiaries of global insurance companies. The scope of coverage for these types of insurance is similar to that available outside the PRC.

 

Term and notice period

22. Does national or local law impose any maximum or minimum term on an outsourcing? If so, can the parties vary this by agreement?

PRC law does not impose maximum or minimum terms on outsourcing agreements.

 
23. Does national or local law regulate the length of notice period required (maximum or minimum)? If so, can the parties vary this by agreement?

PRC law does not regulate notification periods in outsourcing agreements.

 

Termination and termination consequences

Events justifying termination

24. What events justify termination of an outsourcing without giving rise to a claim in damages against the terminating party?

Material breach

While it is typical for parties to expressly set out termination rights in an outsourcing agreement, as a matter of PRC law, parties have a right of termination where:

  • An unforeseeable event necessarily makes the objective of the contract unachievable.

  • A party indicates, whether expressly or impliedly, that it will not perform its obligations.

  • A party breaches the agreement or delays its performance to the extent that the objective of the contract is unachievable.

  • A party breaches the agreement or delays its performance, and does not remedy this breach or delay within a reasonable period after being requested to do so by the other party.

Insolvency events

Parties can suspend performance upon receiving evidence demonstrating any of the following:

  • The other party is insolvent.

  • The other party's business has deteriorated substantially.

  • A substantial portion of the other party's assets are being transferred to third parties without consideration.

  • The other party's reputation has been severely damaged.

  • The other party will be unable to perform its obligations.

In the event a party suspends performance due to any of these reasons, it must promptly notify the other party. If the other party provides appropriate assurance that it will perform, then the suspending party must resume performance. However, if the other party fails to provide appropriate assurance within a reasonable time, the suspending party can terminate the contract.

 
25. In what circumstances can the parties exclude or agree additional termination rights?

The parties can agree to exclude various default termination rights where this complies with the:

  • Principle of fairness.

  • Principle of good faith.

  • Laws and administrative regulations under the circumstances.

The parties can also agree to include additional termination rights, usually to add clarity to default law. The outsourcing agreement specifies the types of events which are deemed "material" or "fundamental" breaches.

It is also common for a customer to have the ability to unilaterally terminate at will after a set period of time.

 
26. What remedies are available to the contracting parties?

In general, the remedies available to contracting parties include:

  • Remedies under the PRC Contract Law such as:

    • termination of the contract;

    • compensation;

    • return of the injured party to its original status;

    • specific performance.

  • Remedies under the PRC Tort Liability Law such as:

    • cessation of infringement;

    • return of property;

    • return of the injured party to its original status;

    • compensation;

    • apology.

IP rights and know-how post-termination

27. What implied rights are there for the supplier to continue to use licensed IP rights post-termination? To what extent can the parties exclude or include these by agreement?

PRC law does not provide implied rights for the supplier to continue to use IP rights post-termination (Technology Regulations). However, the supplier can have the right to improvements it has made to any technology IP it had licensed (see Question 2, IT: Import and export of technology).

 
28. To what extent can the customer gain access to the supplier's know-how post-termination and what use can it make of it?

The customer does not have any legal right to the supplier's know-how unless this right is specified in the outsourcing agreement.

 

Liability, exclusions and caps

29. What liability can be excluded?

Exclusions of liability are permitted, subject to the following exceptions:

  • Exemption clauses in a contract are void if they exempt the supplier from liability for property losses caused to the customer either wilfully or as a result of gross negligence.

  • In the context of a standard form contract provided by the supplier, a standard clause is void if it:

    • exempts the supplier from liability;

    • increases the liability of the customer; or

    • deprives the customer of a major right.

  • Exemption clauses in a contract are void if they are against the principle of fairness, the principle of good faith or in non-compliance with PRC law.

 
30. Are the parties free to agree a cap on liability? If so, how is this usually fixed?

Liability caps are available under PRC law. Parties usually agree to cap foreseeable losses, and can also cap any loss of profits, revenues, or other types of consequential losses. It is generally advisable for the parties to identify in the agreement the types of losses which are capped and which are uncapped.

 
31. What are the main methods of dispute resolution used?

The primary methods of dispute resolution used in China are civil litigation and binding arbitration. In general, contracting parties can agree on the applicable dispute resolution method in the contract. In a purely domestic agreement, that is, one with no foreign parties, dispute resolution must be through domestic Chinese institutions.

Where a foreign element exists in the contract, the parties may agree to submit the disputes to a foreign court or an international arbitration tribunal. This is provided that any foreign court judgments or arbitration awards are recognized by PRC courts (whether by treaty or otherwise) in order to be enforceable against Chinese parties or assets located in China. In practice, China does not have bilateral enforcement treaties with most countries and as such, foreign judgments are unlikely to be enforceable in China. Conversely, China is a signatory to the New York Arbitration Convention and, as a result, arbitral awards made in any other signatory state are enforceable in China.

 

Tax

32. What are the main tax issues that arise on an outsourcing?

Transfers of assets to the supplier

Assuming the customer is considered a PRC resident business entity, it must pay:

  • 25% of any income gained as result of an asset transfer.

  • Business tax (as applicable).

  • Land VAT, if the transferring assets are real properties.

  • VAT at rates ranging from zero to 17% can also apply for the sale of tangible assets by the customer.

Transfers of employees to the supplier

The supplier can be liable for withholding any income tax payable by a transferred employee once the employee commences employment with the supplier.

VAT or sales tax

In general, to the extent that goods are sold or imported, or certain services (such as processing, repair and replacement) are provided by a supplier in the PRC, the supplier is subject to VAT ranging from 13% to 17% of the sales amount or services fee, as applicable.

Companies engaging in outsourcing services must pay business tax at 5.5%. However, as part of the PRC government's efforts to boost the outsourcing services industry, the income received by enterprises registered in 21 cities in the PRC in connection with provision of outsourcing services to offshore entities are exempted from business tax from 1 July 2010 to 31 December 2013. These cities include Beijing, Tianjin, Dalian, Haerbin, Daqing, Shanghai, Nanjing, Suzhou, Wuxi, Hangzhou, Hefei, Nanchang, Xiamen, Jinan, Wuhan, Changsha, Guangzhou, Shenzhen, Chongqing, Chengdu and Xian.

For the two year period from 1 January 2012 to 31 December 2013, IT outsourcing, technical business process outsourcing and technical knowledge process outsourcing services provided by suppliers registered in Shanghai to offshore customers are exempt from VAT.

Service taxes

See above, VAT or sales tax.

Stamp duty

Depending on the types of services provided in the outsourcing transaction, stamp duty rates range from 0.003% to 1%.

Corporation tax

In general, the domestic supplier (or supplier located offshore but deemed to be a PRC resident entity) is subject to enterprise income tax for any taxable income it gains from the provision of outsourcing services. This tax has a flat rate of 25%.

If qualified as an advanced technology service enterprise in any of the 21 cities mentioned above (see above, VAT or sales tax), that company is entitled to a reduced enterprise income tax rate of 15%, effective from 1 January 2009 to 31 December 2013. To be qualified as advanced technology service enterprise, 50% or more of the company's annual revenue must be derived from revenues gained by performing outsourcing services to offshore entities.

 

Contributor details

Gordon Milner

Morrison & Foerster

T +852 2585 0808
F +852 2585 0800
E gmilner@mofo.com
W www.mofo.com

Professional qualifications. England and Wales, Solicitor; Hong Kong, Solicitor

Areas of practice. Technology and outsourcing, PRC.

Jingxiao Fang

Morrison & Foerster

T +86 10 5909 3399
F +8610 5909 3355
E jfang@mofo.com
W www.mofo.com

Professional qualifications. PRC, Solicitor

Areas of practice. Corporate and technology transactions, PRC.

Eric Dickinson

Morrison & Foerster

T +852 2585 0812
F +852 2585 0800
E edickinson@mofo.com
W www.mofo.com

Professional qualifications. New York, Attorney-at-Law

Areas of practice. Corporate and technology transactions, PRC.


{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1247334874927", "objName" : "Outsourcing China overview", "userID" : "2", "objUrl" : "http://uk.practicallaw.com/cs/Satellite/resource/9-501-5775?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-7fcc06b0:15b1b89b967:5b4a", "analyticsSessionCookie" : "2-7fcc06b0:15b1b89b967:5b4b", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }