On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020. The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations. In this blog post, we provide a few highlights of the new Encryption Law as enacted.
Definition and Classification of Encryption
Consistent with prior drafts, the Encryption Law defines “encryption” as “technologies, products, or services applying specific transformations to information to effect encryption protection or security authentication” (Article 2).
The Encryption Law classifies encryption into three categories: core encryption, ordinary encryption, and commercial encryption (Article 6). “Core” encryption and “ordinary” encryption are used for the protection of information constituting “state secrets,” while commercial encryption is used to protect information that is not considered state secrets. Furthermore, core encryption and ordinary encryption — but not commercial encryption — are themselves considered state secrets, and will be subject to strict regulation by the State Cryptography Administration (“SCA”) (Article 7).
Use of Commercial Encryption
The Encryption Law states that commercial encryption is not a state secret and that entities and individuals can use commercial encryption to protect network and information security in accordance with laws in China (Article 8), including mandatory national standards and published technical standards (Article 24). However, since the Law does not precisely define commercial encryption, it remains unclear what technology will fall within scope of this term and thus be subject to the Encryption Law. (According to a Q&A of the Encryption Law released by the Cyberspace Administration of China (“CAC”), the government plans to issue more catalogs to clarify the scope of commercial encryption products and services.)
The language in the new Encryption Law seems to remove most of the prior restrictions on the use of foreign-produced commercial encryption products, although such products (and related services) may still be subject to import and export control requirements, testing and certification requirements (under limited circumstances) and national security review requirements. The head of SCA also indicated in an article that regulators will soon update previous regulations so the Encryption Law can be fully implemented.
Import and Export Control Requirements
The Encryption Law establishes an import licensing and export control framework that governs (i) the import of commercial encryption that “may impact national security or the public interest” and “provide an encryption protection function,” and (ii) the export of commercial encryption that “may impact national security or the public interest” or is required by China’s international obligations. These requirements will not apply to commercial encryption used in “products for consumption by the general population.” The Encryption Law does not define this term, leaving unclear how this important exemption would work in practice. The list of commercial encryption in scope of this framework will be published by the Ministry of Commerce in conjunction with the SCA and the General Administration of Customs at an unspecified later date (Article 28).
Testing and Certification of Commercial Encryption Products and Services
As with the Cybersecurity Law, the Encryption Law encourages organizations and enterprises to voluntarily apply to qualified testing and certification agencies for the testing and certification of their commercial encryption products (Article 25). The final version of the Encryption Law also adds a provision imposing strict confidentiality obligations on testing and certification agencies, preventing them from disclosing state secrets and trade secrets obtained during the certification process (Article 25). Note that the Encryption Law makes clear that such testing and certification will follow the framework established by the Cybersecurity Law, and that there should be no duplicative or repetitive testing or certification requirements (Article 23).
Security Assessment and National Security Review
The Encryption Law also imposes the following specific obligations on the operators of Critical Information Infrastructure (“CII”).
- Security Assessment. CII operators that must adopt commercial encryption for security purposes (in order to comply with other laws and regulations) are required to carry out a security assessment of their use of commercial encryption. Such a security assessment can be conducted either by the CII operators themselves or by external testing agencies (Article 27).
- National Security Review. If the procurement and use of commercial encryption products and services may impact national security, CII operators must apply for a national security review led by the CAC and SCA (Article 27). Again, such a review should follow the process established by the Cybersecurity Law (see Covington’s previous blog post describing that process).
Note that the above security assessment and national security review requirements apply to CII operators (i.e., users of commercial encryption) rather than to manufacturers or providers of commercial encryption products or services. In this respect they differ from the testing and certification requirements, which are directed at the providers of such products.
Enforcement and Penalties
The Encryption Law empowers the SCA and other government agencies to enforce the rules through day-to-day supervision and random inspections. In addition, the government plans to link this enforcement mechanism with China’s social credit system (Article 31), although the Encryption Law does not clarify how the two systems will interact. Article 31 also strictly prohibits the SCA and other government agencies from forcing entities that use commercial encryption for certain purposes to disclose source code or other proprietary information. The SCA and other government agencies are likewise required to keep confidential the trade secrets and personal information they obtain when performing their duties.
The final section of the Encryption Law includes several provisions specifying penalties for non-compliance. These include the issuance of warnings for certain kinds of violations, as well as fines of up to RMB 1,000,000 (about USD 145,000) for entities and up to RMB 100,000 (about USD 14,500) for individuals.
The Encryption Law outlines a new regulatory framework but leaves unanswered numerous questions that we typically receive from clients on encryption issues in China, such as the scope of the term “commercial encryption” and measures that companies can take to protect their technology during the testing and certification process. We anticipate that some of these questions may be answered in future implementing regulations.