On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020.  The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations.  In this blog post, we provide a few highlights of the new Encryption Law as enacted.

Definition and Classification of Encryption

Consistent with prior drafts, the Encryption Law defines “encryption” as “technologies, products, or services applying specific transformations to information to effect encryption protection or security authentication” (Article 2).

The Encryption Law classifies encryption into three categories: core encryption, ordinary encryption, and commercial encryption (Article 6).  “Core” encryption and “ordinary” encryption are used for the protection of information constituting “state secrets,” while commercial encryption is used to protect information that is not considered state secrets.  Furthermore, core encryption and ordinary encryption — but not commercial encryption — are themselves considered state secrets, and will be subject to strict regulation by the State Cryptography Administration (“SCA”) (Article 7).

Commercial Encryption

Use of Commercial Encryption

The Encryption Law states that commercial encryption is not a state secret and that entities and individuals can use commercial encryption to protect network and information security in accordance with Chinese law (Article 8), including mandatory national standards and published technical standards (Article 24). However, because the Encryption Law does not precisely define commercial encryption, it remains unclear which technologies will fall within the scope of this term and thus be subject to the Encryption Law. (According to a Q&A on the Encryption Law released by the Cyberspace Administration of China (“CAC”), the government plans to issue further catalogs to clarify the scope of commercial encryption products and services.)

The language in the new Encryption Law seems to remove most of the prior restrictions on the use of foreign-produced commercial encryption products, although such products (and related services) may still be subject to import and export control requirements, testing and certification requirements (under limited circumstances) and national security review requirements.  The head of SCA also indicated in an article that regulators will soon update previous regulations so the Encryption Law can be fully implemented.

Import and Export Control Requirements

The Encryption Law establishes an import licensing and export control framework that governs (i) the import of commercial encryption that “may impact national security or the public interest” and “provide an encryption protection function,” and (ii) the export of commercial encryption that “may impact national security or the public interest” or is required by China’s international obligations.  These requirements will not apply to commercial encryption used in “products for consumption by the general population.”  The Encryption Law does not define this term, leaving unclear how this important exemption would work in practice. The list of commercial encryption in scope of this framework will be published by the Ministry of Commerce in conjunction with the SCA and the General Administration of Customs at an unspecified later date (Article 28).

Testing and Certification of Commercial Encryption Products and Services

Similar to the Cybersecurity Law, the Encryption Law encourages organizations and enterprises to voluntarily apply to qualified testing and certification agencies for the testing and certification of their commercial encryption products (Article 25).  The final version of the Encryption Law also adds a provision to impose strict confidentiality obligations on testing and certification agencies, preventing them from disclosing state secrets and trade secrets obtained during the certification process (Article 25). Note that the Encryption Law makes it clear that such testing and certification will follow the framework established by the Cybersecurity Law (Article 23) and there should be no duplicative or repetitive testing or certification requirements.

Security Assessment and National Security Review

The Encryption Law also imposes the following specific obligations on the operators of Critical Information Infrastructure (“CII”).

  • Security Assessment. CII operators that are required to adopt commercial encryption for security purposes (in order to comply with other laws and regulations) must carry out a security assessment of their use of commercial encryption. The assessment may be conducted either by the CII operator itself or by an external testing agency (Article 27).
  • National Security Review. If the procurement and use of commercial encryption products and services may impact national security, CII operators must apply for a national security review led by the CAC and the SCA (Article 27). Again, such a review should follow the process established by the Cybersecurity Law (see Covington’s previous blog post describing that process).

Note that the above security assessment and national security review requirements apply to CII operators (i.e., users of commercial encryption) rather than to manufacturers or providers of commercial encryption products or services, unlike the testing and certification requirements, which are directed at the products and services themselves.

Enforcement and Penalties

The Encryption Law empowers the SCA and other government agencies to enforce the rules through day-to-day supervision and random inspections.  In addition, the government plans to link this enforcement mechanism with China’s social credit system (Article 31), although the Encryption Law does not clarify how the two systems will interact.  Article 31 of the Encryption Law strictly prohibits the SCA and other government agencies from forcing entities using commercial encryption for certain purposes to disclose the source code or other relevant proprietary information.  SCA and other government agencies are also required to keep confidential the trade secrets and privacy information obtained when performing their duties.

The final section of the Encryption Law includes several provisions specifying penalties for non-compliance.  These include the issuance of warnings for certain kinds of violations, as well as fines of up to RMB 1,000,000 (about USD 145,000) for entities and up to RMB 100,000 (about USD 14,500) for individuals.

Unanswered Questions

The Encryption Law outlines a new regulatory framework but leaves unanswered numerous questions that we typically receive from clients on encryption issues in China, such as the scope of the term “commercial encryption” and measures that companies can take to protect their technology during the testing and certification process. We anticipate that some of these questions may be answered in future implementing regulations.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Eric Carlson

Eric Carlson has nearly two decades of experience advising clients operating in China and other jurisdictions in Asia on compliance and investigations matters, particularly in the areas of corruption/FCPA/fraud and export controls/sanctions.

Having lived in China for more than a decade, he has deep experience leading highly sensitive investigations in China and other jurisdictions in Asia, including investigations presenting complex legal, political, and reputational risks. He speaks Mandarin and Cantonese and has led more than four hundred witness interviews in Chinese in 24 provinces in China, and conducted dozens of trainings in Chinese. He is a Certified Fraud Examiner.

Eric also counsels clients on the compliance risks of proposed transactions, conducts compliance due diligence as part of mergers, acquisitions, and joint ventures, assists companies in updating and strengthening their internal compliance programs and tailoring them to the unique features of Asian markets, and developing and presenting tailored compliance training in Chinese and English. Eric has advised scores of companies and organizations representing nearly every major industry.

Eric is a regular speaker on China-related compliance issues. He has been quoted in publications such as The Wall Street Journal, The Economist, The Financial Times, Global Investigations Review, Compliance Week, FCPA Report, The Corporate Treasurer, Commercial Dispute Resolution, China Business Law Journal, and Economy and Nation Weekly and was a contributing editor to the FCPA Blog. Chambers notes that Eric has “much more than just a conversational grasp of the language, but the ability to conduct interviews on specific subject matter details and get to the root of the issues.” Chambers further notes that “his language skills are very impressive” and that he provides “great advice that is grounded in reality,” adding: “They know the industry and their advice is very risk-based and balanced.” One client noted to Chambers: “They have strong regional coverage both in terms of footprint as well as language skills. If I have a compliance investigation in region with a tight timeframe, I know they can get it done. They take a more realistic approach to scoping investigations.” Other clients noted to Chambers that Eric is “really brilliant” and “an expert in this field.” According to one client surveyed by Chambers, “he is particularly adept at ‘right sizing’ the scope of an investigation to get at the key issues without incurring unnecessary operational or financial burden. He is also incredibly responsive to client communications.”