Search This Section
1 Nov 2019
On 26 October 2019, the Standing Committee of the National People’s Congress officially promulgated the Encryption Law of the People’s Republic of China (《中华人民共和国密码法》) (“Encryption Law”), to take effect on 1 January 2020. Over three years in the making, the Encryption Law contains a collection of general principles aimed at overhauling and greatly simplifying the complicated and burdensome PRC regulatory framework applicable to the manufacture, sale, import, export and use of commercial encryption products (“CEPs”) in China. While further details and specifics will be provided in supplemental and reinforcing regulations, the 11 provisions contained in the Encryption Law already represent wide-sweeping liberalization efforts and welcome news for companies that seek to make, sell or use CEPs in China, including most significantly foreign-invested enterprises (“FIEs”). This newsletter sets forth some of the most important changes to the PRC regime applicable to CEPs under the new Encryption Law.
1. Relaxation of Licensing and Certification Requirements
Under the existing regulatory regime, if any party wishes to sell or use a CEP manufactured in China, the CEP must have a specific product certificate issued by the Office of Security Commercial Code Administration (“OSCCA”). Furthermore, the use of CEPs manufactured outside China is permitted only to FIEs and foreign individuals (sale and other distribution of imported CEPs are entirely prohibited), and such use is typically subject to applicable import license requirements issued by OSCCA. Additionally, the export of CEPs is subject to export license requirements issued by OSCCA.
Under the new Encryption Law, the previous certification and licensing system will be replaced with a more flexible and streamlined regime. Specifically:
2. Synchronization with the PRC Cybersecurity Law
One of the difficulties under the old CEP regulatory regime was that, ever since the landmark promulgation of the Cybersecurity Law of the People’s Republic of China (“CSL”),  network operators that utilize CEPs in their China business had been under conflicting or gap-prone and ambiguous obligations between these two bodies of PRC law. In particular, the CSL makes specific reference to encryption products and services as a type of so-called “network products and services” falling under its regulations, but the scope and detailed application of those regulations for such products has been a source of confusion.
The Encryption Law seeks to make sense of the intersection of the CSL and the PRC regulatory regime applicable to CEPs, in part by clarifying the following:
Additionally, especially important for foreign investors, the Encryption Law also follows the foreign investment protection rules and trends under the Foreign Investment Law, including by prohibiting PRC regulators from disclosing propriety information and trade secrets related to CEPs, and prohibiting regulators from forcing the transfer of commercial cryptography technologies.
While the above changes are still rather general at this stage and will be subject to the detailed specifics of implementing regulations and further regulatory guidance, even in its current form, the Encryption Law embodies a major change of attitude and important liberalization effort with respect to these important commercial technologies. It may be expected to boost or accelerate the advance of technologies and businesses related to cryptography, such as blockchain technologies. As the importance of cybersecurity and data protection continues to amplify across global markets, the Encryption Law will also help PRC and foreign companies alike in their mission to better protect information and data, and to adopt the international best practices in encryption and cybersecurity.
 The main currently effective regulation concerning CEPis the Regulation of Commercial Encryption Codes (《商用密码管理条例》), promulgated by the State Council and effective as of 7 October 1999, which was amended by several circulars issued by the Office of Security Commercial Code Administration in 2017.
 The OSCCA, an office under the State Cryptography Administration (“SCA”), regulates the production, importation, exportation, distribution and use of CEPs in China.
 According to the Encryption Law, the Ministry of Commerce, the SCA and the General Administration of Customs will jointly be responsible for formulating and issuing a commercial cryptography import licensing list and an export control list.
 The Cybersecurity Law of the People’s Republic of China (《中华人民共和国网络安全法》) promulgated by the Standing Committee of the National People's Congress on 7 November 2016, which is still in the process of being unrolled pursuant to various implementing regulations.
 The Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security, Certification and Accreditation Administration and the Cyberspace Administration of China jointly issued the First Batch of Key Network Equipment and Network Security Special Equipment in 2017, which includes routers, switches, rack servers, programmable logic controllers, firewalls (hardware), web application firewalls, intrusion detection system, etc.
 The MIIT released a draft of its Implementation Measures on Key Network Equipment Safety Assessment on 5 June 2019, in order to provide specifics on procedures and requirements applicable to security assessments under the CSL.
 Specifically, Article 31 of the CSL defines CII to include: “…infrastructure used for public communications, information services, energy, transport, water conservancy, finance, public services, e-government affairs, and other important industries and fields and other key information infrastructure that will result in serious damage to the national security, national economy, and people’s livelihood and public interests if they are destroyed, there are lost functions or they are subject to data leakage.”