Photo of Eric Carlson

On December 2, 2020, China’s Ministry of Commerce (“MOFCOM”), State Cryptography Agency (“SCA”), and the General Administration of Customs (“Customs”) jointly issued three documents (here) related to import and export of commercial encryption items:

  • List of Commercial Encryption Subject to Import Licensing Requirement (“Import List”);
  • List of Commercial Encryption Subject to Export Control (“Export List”); and
  • Procedural Rules on [Applications for] Licenses for the Import and Export of Commercial Encryption (“Procedural Rules”).

The issuance of these lists and procedural rules marks a key step forward in implementing both the commercial encryption import and export framework established under the Encryption Law, which took effect on January 1, 2020, and the export control regime under the new Export Control Law, which took effect on December 1, 2020. (Our previous client alert on the Encryption Law can be found here, and our alert on the Export Control Law can be found here.) The consolidation of previously separate regulatory frameworks under the commercial encryption rules and export control rules could also signal a future trend toward a more unified system to control the import and export of sensitive data and technologies to and from China.


Continue Reading China Publishes Lists and Rules Related to Import and Export of Commercial Encryption

On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020.  The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations.  In this blog post, we provide a few highlights of the new Encryption Law as enacted.
Continue Reading China Enacts Encryption Law

On July 5, 2019, China’s Standing Committee of the National People’s Congress (NPC) published a new draft Encryption Law (“the draft Law”) for public comment.  The draft Law, if enacted as drafted, would bring significant new changes to China’s commercial encryption regime.

The State Cryptography Administration (“SCA”) previously issued an initial draft of this law for public comment on April 13, 2017 (“the 2017 Draft”) (see Covington’s alert on the previous version here). After the release of the 2017 Draft, the regulatory regime in China for commercial encryption products was revamped significantly (see Covington’s previous alert here). The State Council removed certain approval requirements for the production, sale, and use of commercial encryption products in late September 2017, and the SCA issued further notices reducing the burden imposed on manufacturers, distributors, and users of commercial encryption products. The draft Law proposes further changes to this revamped regime, including, for example, introducing different categories of encryption and establishing license requirements for certain imports and exports, while carving out items in “general use.”

The comment period ends on September 2, 2019.


Continue Reading China Releases Updated Draft Encryption Law for Public Comment

China’s State Administration of Industry and Commerce (“SAIC”) has released for public comment a draft regulation implementing recent amendments to a consumer protection law that would, among other things, supplement existing privacy obligations for businesses operating in China.

The “Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers” (“Draft Implementing Regulations”) implement certain provisions of the Law on the Protection of the Rights and Interests of Consumers (“Consumer Rights Protection Law” or “CRPL”; unofficial English translation by Chinalawtranslate.com available here), which underwent significant revisions in October 2013. The Draft Implementing Regulations reiterate and supplement data privacy and security obligations imposed in the CRPL and in the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (“CRPL Penalty Measures”; unofficial English translation by Covington available here), which was promulgated in January 2015 and discussed in our previous article here.
Continue Reading China Releases Draft Implementing Regulations for Consumer Rights Protection Law

The Cyberspace Administration of China (“CAC”) has issued new rules regulating apps for smartphone/mobile devices, the Rules on the Management of Mobile App Information Services (“App Rules,” available here, preceded by a Q&A section, all in Chinese), that will come into effect on August 1, 2016. The App Rules are aimed primarily at regulating the rapidly growing app market and addressing corresponding data privacy issues. Among other things, they impose data privacy, cybersecurity, and content monitoring requirements on app and app store providers.
Continue Reading China Issues New Rules for Mobile Apps

This month, China’s National Information Security Standardization Technical Committee (“NISSTC”) organized a meeting to launch a working group tasked with drafting a Personal Information Security Standard (“PIS Standard”). NISSTC is a government committee jointly supervised by the Standardization Administration of China and the Cyberspace Administration of China. In addition to the government agencies, several Chinese research institutions and Internet companies (including Tencent and Alibaba) will also participate in the working group.
Continue Reading China Formulating Standards for Personal Information Security and Data Protection

On December 27, 2015, the Standing Committee of the National People’s Congress (NPC), China’s top legislative body, enacted a Counter-Terrorism Law (see the Chinese version here, and an unofficial English translation here), which took effect on January 1, 2016.  The adoption of this law, a year after the first draft was released for public comment, followed closely the adoption of a new National Security Law and a draft Network Security Law.

The Counter-Terrorism Law reinforces the government’s broad powers to investigate and prevent incidents of terrorism and requires citizens and companies to assist and cooperate with the government in such matters.  The law imposes additional and specific obligations on companies in certain sectors, including those providing telecommunications, Internet, and financial services.  Non-compliance or non-cooperation can lead to significant penalties, including fines on companies and criminal charges or detention for responsible individuals. In some respects, the new law provides greater, higher-level legal authority to pre-existing regulations and practice. In others, it imposes new obligations or makes existing obligations more specific (e.g., penalties).

The law’s broadly-worded requirements create some uncertainty as to their implications for companies’ data protection and security policies.
Continue Reading China Enacts New Counter-Terrorism Law

On August 29, 2015, China’s legislature, the National People’s Congress, amended the Criminal Law, effective November 1, 2015. Among other things, the amendments modify and add several provisions related to data privacy and cybersecurity. We discuss some of these key amendments below.
Continue Reading China Amends Criminal Law Related to Data Privacy and Cybersecurity

On July 6, 2015, China’s National People’s Congress (NPC) released a draft of the Network Security Law (“Draft Law,” referred to in some press articles as the draft Cybersecurity Law) for public comment. Comments can be submitted through the NPC website or by mail before August 5, 2015. The release of the Draft Law follows closely on the heels of the new National Security Law that was enacted last week (see Covington blog post here).

This Draft Law, initially reviewed by the NPC in June, would apply broadly to entities or individuals that construct, operate, maintain, and use networks within the territory of China, as well as those who are responsible for supervising and managing network security. A number of the provisions in this Draft Law, if enacted in their current form, are likely to significantly impact information and communications technology (“ICT”) and other companies with business operations or interests in China.

The provisions that most merit companies’ close attention are those that relate to (1) the “secure” operations of networks and “critical information infrastructure,” and (2) data protection. This post focuses on the latter.
Continue Reading China Releases Draft of New Network Security Law: Implications for Data Privacy & Security

On July 1, 2015, China’s State Administration for Industry and Commerce published a draft of the Interim Measures on Supervision of Internet Advertising (“Draft Internet Advertising Measures”; original Chinese here) for public comment. If adopted as drafted, the Draft Internet Advertising Measures would (1) require advertisements in email and instant messaging to contain conspicuous options for the user to agree to, refuse, or unsubscribe from advertisements; (2) require websites to allow users to block pop-ups for certain repeat visitors; and (3) require advertisements sent via email or instant message to identify the sender and be marked as an advertisement. Public comments on the Draft are due by July 31, 2015. Once finalized, the Draft is expected to come into effect on September 1, 2015.
Continue Reading Draft Regulations in China Preview Stricter Rules on Internet Advertising