China passes new cryptography law

Background

A new law in China, the Cryptography Law, was announced on October 26, 2019, and will take effect on January 1, 2020, after years of lobbying and public debate. In December 2014, the State Cryptography Administrative Bureau (the SCAB) established a working group to begin the drafting of the Cryptography Law. In October 2016, a draft of the new law was formulated. From April to May 2017, the draft was published for comments. In June 2017, the draft was submitted by SCAB to the State Council for review. The draft was then approved by the Executive Meetings of the State Council on June 10, 2019 and officially released on October 26.

Scope

According to the Cryptography Law, cryptography will be categorized into three groups: core cryptography, common cryptography and commercial cryptography. Core cryptography and common cryptography are handled by the state and are used to secure state secret information, while commercial cryptography can be developed and applied for profit and are used to secure information other than state secrets. Given that foreign-invested entities (FIEs) are unlikely to be processing state secrets, their development and use of cryptography will likely be limited to the “commercial cryptography” category. The Cryptography Law has also set out some requirements for the import, sale and use of commercial cryptographic products/services.

The scope of “commercial cryptographic products/services” might seem confusing as these terms are not clearly defined in the Cryptography Law. On the other hand, according to the Issues Relating To Commercial Cryptography (关于商用密码管理的有关问题) notice, issued by the State Cryptography Administrative Committee (now SCAB) in 2000, the scope of these terms should be limited to hardware and software with encryption and decryption operations as the core functions. Other products such as mobile phones, office software and browser software are not within this scope, even though these products may sometimes have an encryption function.

Control of commercial cryptography generally loosened

Under the new Cryptography Law, commercial cryptography practicing entities are no longer required to go through the onerous approval procedures for their research and development, production, use and import of commercial cryptography (except in certain prescribed circumstances, as noted in paragraph 3 below). Instead, they are now encouraged to accept testing and certification of their commercial cryptographic products/services on a voluntary basis only. FIEs will also benefit from the loosened approach under the new regime; in particular, the Cryptography Law stipulates that all business entities, including FIEs, should be treated equally in research, production, sales, service, import and export of commercial cryptography, and that administrations and their employees shall not force the transfer of commercial cryptography technologies.

Requirements for commercial cryptography related to national security

Commercial cryptographic products which are related to national security, national economy and people's livelihood, or public interest shall be listed in the Catalogue of Critical Network Equipment and Network Security Products (the Catalogue). Commercial cryptographic products listed in the Catalogue shall pass the security certification conducted by qualified institutions or meet the requirements of security inspection before being sold or provided, in line with the requirements set out in the Cybersecurity Law. In addition, the import and export of commercial cryptography relating to national security or public interest shall be subject to approval.

The limited scope of the above restrictions also means that, so long as it is not related to national security or public interest, the use of cryptographic technologies by FIEs for purposes such as intra-group communications or communications with clients may fall outside these restrictions (and hence, would not require the corresponding approval or filing). The Cryptography Law also specifies that commercial cryptography applied to consumer products is not subject to the import licensing and export control system.

Requirements for commercial cryptography used by CII operators

Critical information infrastructure (CII) operators that are required by law, administrative regulation or other relevant provisions to use commercial cryptography to secure the CII shall conduct security assessment of the commercial cryptography applications they use, either by itself or by an entrusted third party. Such assessment shall be connected with the security inspection assessment of CII and the evaluation for multi-level protection of cybersecurity.

Further, the Cryptography Law provides that if a CII operator’s procurement of network products and services relating to commercial cryptography may potentially affect national security, then a national security review led by the CAC shall be conducted in accordance with the Cybersecurity Law. It is worth noting that while the last draft of the Cryptography Law imposed this national security review requirement on both the CII operators and the state organs, the finalized law has removed the state organs from this provision. This could mean that state agencies’ use of cryptography products/services may be subject to procedures other than the security review led by the CAC.

Confidentiality responsibilities

To address FIEs’ concerns about their commercial secrets being leaked during the certification/inspection and approval process, the Cryptography Law also sets out a series of provisions to help ensure the confidentiality of such information. According to the Cryptography Law, commercial cryptography testing and certification institutions must keep confidential any state or trade secret that comes to their knowledge during commercial cryptography testing and certification, and cryptographic administrative authorities must keep strictly confidential any trade secret or personal privacy that comes to their knowledge as well.

Further, under the Cryptography Law, cryptographic administrative authorities are forbidden from requiring commercial cryptography practicing entities or commercial cryptography testing and certification institutions to disclose any cryptography-related exclusive information (such as source code) to them.

Implications

The new Cryptography Law is certainly sending positive signals to FIEs – the equal treatment of FIEs and other entities, the protection of FIEs’ trade secrets, the loosened regulatory process in importing commercial cryptographic technologies, etc., will all make it more convenient for FIEs to develop and use their commercial cryptographic technologies in China.

Another notable feature of the Cryptography Law is that it echoes the requirements set out in the Cybersecurity Law in several aspects, for instance, the security certification and security inspection system, the network security review, the security inspection assessment of CII and the evaluation for multi-level protection of cybersecurity. Enterprises are advised to read the provisions in the Cryptography Law in conjunction with the Cybersecurity Law and its implementing measures.

Lastly, it should be noted that the Cryptography Law is still evolving – for example, the list of commercial cryptography under the import licensing system is yet to be published. Enterprises are therefore suggested to keep a close watch on this new law and its developments.