China Cybersecurity And Data Protection: China Publishes First Law On Encryption.
13 November, 2019
The new Encryption Law, China’s first national law on encryption, was published on 26 October and will come into force on 1 January 2020. It broadens the current regulatory scope of encryption, liberalises commercial encryption at national-law level and proposes a market-oriented regulatory regime for the commercial encryption industry.
Foreign and foreign-invested enterprises are given equal treatment and rights in accessing the commercial encryption market and using commercial encryption in China. Some key concepts under the new law still require further clarification which will hopefully be addressed in future implementing regulations. In this e-bulletin, we highlight the key provisions of the new law.
The regulation of encryption in China dates back to 1999, when the State Council published the Administrative Regulation on Commercial Encryption. Under the regulation, encryption is considered a state secret and subject to special control measures covering research in, and the production, sale, use and safekeeping of, commercial encryption.
Further supplementary regulations were published in 2005 and 2007, for example to provide that only licensed entities are permitted to produce and sell encryption products. The regulations also provided that the import and export of commercial encryption products must be approved; that entities are prohibited from using commercial encryption products not approved by the State Cryptography Administration (SCA), which regulates encryption in China; that foreign-invested enterprises must obtain approval before they can use foreign-produced encryption products; and that foreign organisations and individuals must obtain approval before they can use encryption products in China.
The rapid development of the internet and information technology over the past twenty years has brought with it the widespread use of encryption technology in all aspects of life and business. The rigid restrictions under the regulations have become outdated and have given rise to a number of practical issues. In 2017, the State Council amended the regulations to abolish the licence requirement for producing and selling commercial encryption products, the approval requirement for the use of foreign encryption products by foreign-invested enterprises, and the approval requirement for the use of encryption products by foreign entities and individuals in China. To implement the State Council’s decision, the SCA abolished the regulations restricting the sale and use of commercial encryption products and revised the others to relax its control on market entry by entities researching and producing commercial encryption products.
The patchwork of lower-level regulations makes the law on encryption difficult to navigate and slow to adapt to the changing business environment. The new Encryption Law is a complete revamp of the current regulatory regime.
HIGHLIGHTS OF KEY PROVISIONS
I. Broadened regulatory scope
Regulation of non-commercial encryption
The current regulatory regime built on the commercial encryption regulation only governs commercial encryption used to encrypt information unrelated to state secrets. The Encryption Law introduces new concepts of core encryption and ordinary encryption, which are used to encrypt state secrets of different secrecy levels and are themselves state secrets.
As such, core and ordinary encryption receive high-level protection and scrutiny by the SCA, and the entities engaged in researching, producing, servicing, testing, equipping, using and destroying core and ordinary encryption are subject to strict security obligations.
State secrets are governed by the State Secret Protection Law. A group of authorised entities can generate and guard state secrets and only a specified group of persons have access. Most commercial entities will not be authorised to create or access state secrets.
Encryption services covered
Under the new Encryption Law, encryption is defined as the technology, products or services that are used to encrypt or certify information by a specified method. This definition extends the scope to include encryption services, which are not caught by the current regulatory definition; that definition limits the scope to technology and products used to encrypt or certify information not related to state secrets.
II. Liberalisation of commercial encryption
Under the new law, commercial encryption is no longer considered a state secret. This is a significant change from the current regulatory position and lays the foundation for liberalising the production, sale and use of commercial encryption. The Encryption Law purports to establish a “unified, open, competitive and orderly market system of commercial encryption and encourage and promote the development of the commercial encryption industry”. The government now appears to be taking a more market-oriented approach to regulating commercial encryption compared to its restrictive approach 20 years ago.
According to the SCA, the new law will switch the regulatory focus from market entry pre-approval to post-market entry supervision which will reduce the number of permits and required approvals. This approach provides the legal basis, at the national law level, to remove the entry barriers for producing and selling commercial encryption products and the restrictions on the use of foreign encryption products by foreign-invested companies and the use of encryption products by foreign persons.
However, the Encryption Law maintains control over the export and import of certain commercial encryption concerning national security, public interest or China’s international obligations. The Ministry of Commerce, the SCA and the General Administration of Customs will publish a list of commercial encryption subject to export and import restrictions. The new law makes clear that commercial encryption used in consumer products is not subject to the export and import regime.
Under the current regulations, the SCA also imposes certain restrictions on commercial encryption, including requiring certificates for commercial encryption product models, the keeping of sales records of commercial encryption products, and permits for the import of encryption products and equipment by foreign-invested companies and foreign organisations and individuals. It is unclear whether these requirements will continue after the new law takes effect.
III. Regulation of commercial encryption entities
The regulation of commercial encryption under the new Encryption Law focuses on commercial encryption entities in the encryption industry, which are defined as entities engaged in research in, and the production, sale, service and export and import of, commercial encryption, rather than entities using commercial encryption. As such, commercial encryption entities should not include any entities that simply use commercial encryption to encrypt information.
The new law proposes establishing a system of commercial encryption standards and encourages their internationalisation. Commercial encryption entities must comply with the mandatory standards and are encouraged to adopt recommended standards.
The new law also proposes a commercial encryption certification system and encourages commercial encryption entities to obtain voluntary certification.
It is worth noting that the Encryption Law expressly requires equal treatment of foreign-invested commercial encryption entities, and prohibits forced transfer of commercial encryption technology by government bodies or officials. This is in line with the principles established in the Foreign Investment Law.
The Encryption Law steps up supervision of commercial encryption entities by proposing an information platform for commercial encryption supervision linked to the social credit system. However, the SCA is prohibited from requesting disclosure of encryption-related information, such as source code, and is obligated to keep confidential any commercial secrets and personal privacy that come to its knowledge.
IV. Interplay with cybersecurity law
The Encryption Law also introduces concepts contained in the Cyber Security Law. Certain commercial encryption products (which relate to national security, China’s economy or public interest matters) will be included in the list of key network equipment and network security products. These will need to be certified by qualified institutions before they can be sold or made available to the market. Additionally, commercial encryption services must be certified if they use key network equipment and network security products.
Critical information infrastructure operators must use commercial encryption to protect infrastructure where required by law and must carry out a security assessment of the commercial encryption. Procurement of network products and services relating to commercial encryption is subject to national security review.
The theft of encrypted information or illegal intrusion of an encrypted system are also subject to penalties under the Cyber Security Law.
I. Key concepts still to be clarified
Core, ordinary or commercial encryption?
The new Encryption Law divides encryption into three categories, namely core, ordinary and commercial encryption. It defines the concepts based on the different purposes for which each can be used, namely state secrets and other information. However, the purpose alone is insufficient to determine the specific category, which could lead to confusion in practice. More detailed guidelines are needed to delineate the boundaries between the different encryption types.
Scope of commercial encryption entity
The definition of commercial encryption entity appears to cover entities engaged in encryption business and exclude entities that simply use encryption provided by commercial encryption entities to encrypt information. It should be noted that in the era of the internet of things, encryption is widely used in many different types of equipment and devices to protect information being stored and transmitted. It is still not entirely clear whether the definition will extend to a manufacturer of a device with an information encryption function. Our view is that if the encryption function is incidental to and is used to serve the primary function of the device, then the manufacturer should not be considered a commercial encryption entity. However, the SCA should clarify this point in future regulations.
Commercial encryption used by consumer products is carved out from the export and import controls over commercial encryption. However, the specific scope of “consumer products” requires further clarification.
II. Effect on existing regulations
The new Encryption Law does not deal with the continuing status of the current commercial encryption regulation and the sprawling regulations published under it (as amended by a series of notices and decisions). A number of the provisions in the current regulatory regime are incompatible with the Encryption Law.
As discussed above, previous regulations have removed major market entry licensing requirements and restrictions on the use of commercial encryption by foreign and foreign-invested entities. Under the new law, the SCA will maintain certain restrictions on commercial encryption. The SCA should publish implementing rules to deal with the inconsistencies and the effect of the new law on the current regulations.
III. Implications for foreign-invested commercial encryption entities
The requirement for the equal treatment of foreign-invested enterprises provides the legal grounds for protecting their market entry and operations. The prohibition on forced technology transfers and disclosures of source codes will inevitably enhance the protection of foreign-invested commercial encryption entities’ intellectual property.
It should be noted that the restrictions and obligations applicable to all commercial encryption entities must still be followed, such as certificates for commercial encryption product models, export and import controls, mandatory national standards, and certification for key network equipment and network security products.
IV. Implications for foreign and foreign-invested users of commercial encryption
As the existing regulations have already removed the approval requirement for the use of foreign commercial encryption by foreign-invested enterprises and foreign persons in China, the restrictions on the use of commercial encryption will not change significantly with the enactment of the new Encryption Law. The import of commercial encryption products will continue to require a permit.
In addition to the existing requirements, under the new law, foreign and foreign-invested enterprises using commercial encryption in China will need to ensure that:
For further information, please contact:
Karen Ip, Partner, Herbert Smith Freehills