On December 2, 2020, China’s Ministry of Commerce (“MOFCOM”), State Cryptography Agency (“SCA”), and the General Administration of Customs (“Customs”) jointly issued three documents (here) related to import and export of commercial encryption items:

  • List of Commercial Encryption Subject to Import Licensing Requirement (“Import List”);
  • List of Commercial Encryption Subject to Export Control (“Export List”); and
  • Procedural Rules on [Applications for] Licenses for the Import and Export of Commercial Encryption (“Procedural Rules”).

The issuance of these lists and procedural rules marks a key step forward implementing both the commercial encryption import and export framework established under the Encryption Law, which took effect on January 1, 2020, and the export control regime under the new Export Control Law, which took effect on December 1, 2020.  (Our previous client alert on the Encryption Law can be found here, and our alert on the Export Control Law can be found here.)  The consolidation of previously separate regulatory frameworks under the commercial encryption rules and export control rules could also show a future trend of implementing a more unified system to control the import and export of sensitive data and technologies to and from China.

Under Article 28 of the Encryption Law, importers must obtain a license if the imported commercial encryption item “may impact national security or the public interest” and “provides an encryption protection function.”  The law itself is silent on which agency issues a license, but the law specifically calls for MOFCOM, SCA, and Customs to publish a list of commercial encryption items that fall within the scope of the abovementioned framework.  The release of the Import List specifically addresses this requirement and clarifies what categories of commercial encryption may be subject to the import licensing requirements.

At the same time, under the new Export Control Law, agencies such as MOFCOM must impose export controls on items that are related to the “maintenance of China’s national security and national interests” or the performance of China’s international obligations.  This Export List is the first control list ever issued under the new Export Control Law.  Moreover, commercial encryption items listed in the Import List and Export List are designated as “dual-use items and technologies,” and the importer and exporter of any such items must submit an application to MOFCOM in order to obtain a license.

We explain below the items included in the Import and Export Lists and the procedural steps to obtain a license.

Import and Export List

The Import List includes only four types of commercial encryption hardware:

  • encrypted phones;
  • encrypted fax machines;
  • crypto machines (including crypto cards) [i.e., machines with main function to perform cryptographic computing]; and
  • encryption VPN hardware devices.

The Export List covers a broader range of commercial encryption items:

  • Systems, devices, and components, including:
    • security chips;
    • crypto cards;
    • encryption VPN hardware devices;
    • products for cryptographic key management;
    • security devices used for special purposes (e.g., devices that are used in sectors such as electricity, tax, public security, and financial services and that satisfying certain technical specifications);
    • quantum encryption devices; and
    • devices used to analyze encryption technologies, products, or systems.
  • Devices specifically designed for testing, inspection, and manufacturing of the seven types of items mentioned in the bullet point above.
  • Software specifically designed or improved for the R&D, manufacturing, and use of the commercial encryption items listed in the two bullet points above.
  • Technologies specifically designed or improved for the R&D, manufacturing, and use of the commercial encryption items listed above.

Procedural Requirements for Obtaining the License

Importers and exporters of the commercial encryption items listed on the Import List and Export List must submit an application to MOFCOM through MOFCOM’s provincial branches and provide the following materials to apply for a license:

  • Dual-Use Items and Technologies Import and Export Application Form;
  • IDs of the legal representative, the person mainly responsible for the management, and the person responsible for the application;
  • explanation of the encryption technologies;
  • descriptions of the end user and purpose; and
  • other materials required by MOFCOM.

Upon receipt of the above application materials, MOFCOM and SCA will review and make a decision based on the procedural requirements described in the Regulations on the Management of Import and Export Licenses for Dual-use Items and Technologies, issued by MOFCOM and Custom issued in 2005.  If the application is approved, MOFCOM will issue the Import License or the Export License to the applicant.  The importer or exporter provides the license to Customs when going through Customs procedures.

Violation of the import and export restrictions may be subject to administrative penalties or criminal liability, if such violation constitutes a crime.