China Advances Long-Awaited Overhaul of Commercial Encryption Regime

On 26 October 2019, the Standing Committee of the National People’s Congress officially promulgated the Encryption Law of the People’s Republic of China (《中华人民共和国密码法》) (“Encryption Law”), to take effect on 1 January 2020. Over three years in the making, the Encryption Law contains a collection of general principles aimed at overhauling and greatly simplifying the complicated and burdensome PRC regulatory framework applicable to the manufacture, sale, import, export and use of commercial encryption products (“CEPs”) in China. While further details and specifics will be provided in supplemental and reinforcing regulations, the 11 provisions contained in the Encryption Law already represent wide-sweeping liberalization efforts and welcome news for companies that seek to make, sell or use CEPs in China, including most significantly foreign-invested enterprises (“FIEs”). This newsletter sets forth some of the most important changes to the PRC regime applicable to CEPs under the new Encryption Law.

Relaxation of Licensing and Certification Requirements

Under the existing regulatory regime,[1] if any party wishes to sell or use a CEP manufactured in China, the CEP must have a specific product certificate issued by the Office of Security Commercial Code Administration (“OSCCA”).[2] Furthermore, the use of CEPs manufactured outside China is permitted only to FIEs and foreign individuals (sale and other distribution of imported CEPs are entirely prohibited), and such use is typically subject to applicable import license requirements issued by OSCCA. Additionally, the export of CEPs is subject to export license requirements issued by OSCCA.

Under the new Encryption Law, the previous certification and licensing system will be replaced with a more flexible and streamlined regime. Specifically:

• Liberalization of CEPs: The certificates for domestically manufactured CEPs will no longer be required for CEPs focused on mass consumer purposes and not the encryption or protection of PRC state secrets. Certain CEPs that implicate national security, the PRC economy or PRC public interests will still be required to undergo certain assessment and certification procedures prior to their sale and use.
• Relaxed Imports/Exports: Likewise, CEPs used for mass consumer purposes will no longer be subject to license requirements in connection with their importation and exportation to/from China (although licensing requirements will remain for CEPs that implicate national security, the PRC economy or PRC public interests, which will be identified and included in certain government licensing lists).[3] This development will likely simplify customs/cross-border controls for both selling domestically manufactured CEPs abroad and using (or even selling) foreign CEPs within China. 
• Lifting of Foreign Investment Restrictions: Additionally, while the old regime had placed significantly different restrictions on purely domestic PRC companies vs. FIEs in the commercial encryption industry sector, the Encryption Law places such players on essentially equal footing, allowing FIEs to fully participate in the research and development, manufacturing, sales, services and import/export of CEPs. This change is consistent with the latest developments as reflected in the Foreign Investment Law of the People’s Republic of China (“Foreign Investment Law”), which was promulgated earlier this year and requires equal treatment for FIEs and domestic companies.

Synchronization with the PRC Cybersecurity Law

One of the difficulties under the old CEP regulatory regime was that, ever since the landmark promulgation of the Cybersecurity Law of the People’s Republic of China (“CSL”), [4] network operators that utilize CEPs in their China business had been under conflicting or gap-prone and ambiguous obligations between these two bodies of PRC law. In particular, the CSL makes specific reference to encryption products and services as a type of so-called “network products and services” falling under its regulations, but the scope and detailed application of those regulations for such products has been a source of confusion.

The Encryption Law seeks to make sense of the intersection of the CSL and the PRC regulatory regime applicable to CEPs, in part by clarifying the following:

• Scope/Application of Defined CSL Terms:The Encryption Law specifies that CEPs implicating national security, the PRC economy and PRC public interests form a part of what will be included under the CSL-related terms “Key Network Equipment” and “Network Security Special Equipment”,[5] and that certain security CSL-related assessment and certification procedures will be required for such equipment.[6] Accordingly, these specific types of CEPs may not be sold in the PRC until assessment and certification procedures have been conducted with qualified institutions. Additionally, the Encryption Law makes clear that providers of commercial encryption services that utilize Key Network Equipment and Network Security Special Equipment will also be subject to assessment and certification by such qualified institutions.  
• Specific CII Rules: The Encryption Law also clarifies that operators of “critical information infrastructure” (“CII”)—an important defined term under the CSL that essentially encompasses any business or network activities implicating important/sensitive PRC state interests[7]—must undergo relevant security assessment procedures organized by qualified testing intuitions prior to using any CEPs. To the extent that the CEPs purchased by operators of CII might affect national security, the CEPs might also need to undergo security review procedures organized by the Cyberspace Administration of China, the State Cryptography Administration and other government authorities.

Additionally, especially important for foreign investors, the Encryption Law also follows the foreign investment protection rules and trends under the Foreign Investment Law, including by prohibiting PRC regulators from disclosing propriety information and trade secrets related to CEPs, and prohibiting regulators from forcing the transfer of commercial cryptography technologies.

Conclusion

While the above changes are still rather general at this stage and will be subject to the detailed specifics of implementing regulations and further regulatory guidance, even in its current form, the Encryption Law embodies a major change of attitude and important liberalization effort with respect to these important commercial technologies. It may be expected to boost or accelerate the advance of technologies and businesses related to cryptography, such as blockchain technologies. As the importance of cybersecurity and data protection continues to amplify across global markets, the Encryption Law will also help PRC and foreign companies alike in their mission to better protect information and data, and to adopt the international best practices in encryption and cybersecurity.

[1] The main currently effective regulation concerning CEPis the Regulation of Commercial Encryption Codes (《商用密码管理条例》), promulgated by the State Council and effective as of 7 October 1999, which was amended by several circulars issued by the Office of Security Commercial Code Administration in 2017.

[2] The OSCCA, an office under the State Cryptography Administration (“SCA”), regulates the production, importation, exportation, distribution and use of CEPs in China.

[3] According to the Encryption Law, the Ministry of Commerce, the SCA and the General Administration of Customs will jointly be responsible for formulating and issuing a commercial cryptography import licensing list and an export control list.

[4] The Cybersecurity Law of the People’s Republic of China (《中华人民共和国网络安全法》) promulgated by the Standing Committee of the National People's Congress on 7 November 2016, which is still in the process of being unrolled pursuant to various implementing regulations.

[5] The Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security, Certification and Accreditation Administration and the Cyberspace Administration of China jointly issued the First Batch of Key Network Equipment and Network Security Special Equipment in 2017, which includes routers, switches, rack servers, programmable logic controllers, firewalls (hardware), web application firewalls, intrusion detection system, etc.  

[6] The MIIT released a draft of its Implementation Measures on Key Network Equipment Safety Assessment on 5 June 2019, in order to provide specifics on procedures and requirements applicable to security assessments under the CSL.

[7] Specifically, Article 31 of the CSL defines CII to include: “…infrastructure used for public communications, information services, energy, transport, water conservancy, finance, public services, e-government affairs, and other important industries and fields and other key information infrastructure that will result in serious damage to the national security, national economy, and people’s livelihood and public interests if they are destroyed, there are lost functions or they are subject to data leakage.”