China passes new Cryptography Law

Background

A new law, the Cryptography Law, was announced on October 26, 2019 and will take effect on January 1, 2020, after years of lobbying and public debate. In December 2014, the State Cryptography Administrative Bureau (the SCAB) established a working group to begin the drafting of the Cryptography Law. In October 2016, a draft was formed. From April to May 2017, the draft was published for comments. The SCAB submitted the draft to the State Council for review in June 2017. The draft was approved by the Executive Meetings of the State Council on June 10, 2019, and officially released on October 26.

Scope

According to the Cryptography Law, cryptography will be categorized into three groups: core cryptography, common cryptography, and commercial cryptography. Core cryptography and common cryptography are handled by the state and are used to secure state secret information, whilst commercial cryptography can be developed and applied for profit and are used to secure information other than state secrets. Given that foreign invested entities (FIEs) are unlikely to process state secrets, their development and use of cryptography is very likely to be limited to commercial cryptography. The Cryptography Law sets out a few requirements for the import, sale and use of commercial cryptographic products/services.

The scope of cryptographic products/services might seem confusing since their definition is not clearly provided in the Cryptography Law. Nevertheless, according to the Issues Relating To Commercial Cryptography (关于商用密码管理的有关问题) notice, issued by the State Cryptography Administrative Committee (the now SCAB) in 2000, these are limited to hardware and software with encryption and decryption operations as the core functions. Others such as mobile phones, office software and browser software are not within this scope, even though these products sometimes have encryption function.

Generally loosened control

According to the Cryptography Law, commercial cryptography-practicing entities are generally not required to go through the onerous approval procedures for the research and development, production, use and import anymore (though some exceptions apply, see below). Rather, they are now only encouraged to voluntarily accept the testing and certification of commercial cryptographic products/services. FIEs also benefit from this loosened attitude – the Cryptography Law stipulates that all business entities, including FIEs, should be treated equally in research, production, sales, service, import and export of commercial cryptography, and that administrations and its employees shall not force transfer of commercial cryptography technologies.

Requirements for commercial cryptography related to national security

Those commercial cryptographic products that are related to national security, national economy and people's livelihood, or public interest, shall be listed in the Catalogue of Critical Network Equipment and Network Security Products (the Catalogue). Commercial cryptographic products listed in the Catalogue shall pass the security certification conducted by qualified institutions or meet the requirements of security inspection before being sold or provided, in line with the requirements set out in the Cybersecurity Law.

The import and export of commercial cryptography relating to national security or public interest shall also be subject to approval. This means that, if not related to national security or public interest, FIEs’ use of cryptographic technologies for purposes such as intra-group communication and communication with their clients does not require approval or filing. The Cryptography Law also specifies that commercial cryptography applied to consumer products is not subject to the import licensing and export control system.

Requirements for commercial cryptography used by CII operators

For critical information infrastructure (CII) operators that are required by law, administrative regulation or relevant provision to use commercial cryptography to secure the CII, they shall conduct security assessment of the commercial cryptography applications they use, either by itself or by an entrusted third party. Such assessment shall be connected with the security inspection assessment of CII and the evaluation for multi-level protection of cybersecurity.

Further, the Cryptography Law provides that if CII operators’ procurement of network products and services relating to commercial cryptography may potentially affect national security, then a national security review led by CAC shall be conducted in accordance with the Cybersecurity Law. It is worth noting that the last draft of the Cryptography Law imposed this national security review requirement on both CII operators and state organs, whilst the finalised law deleted state organ from this provision. This can mean that state agencies’ use of cryptography products/services may be subject to procedures other than the security review led by CAC.

Confidentiality responsibilities

In order to address FIEs’ concerns on their commercial secrets being leaked due to the certification/inspection and approval procedure, the Cryptography Law also sets a series of provisions to ensure the confidentiality of such information. According to the Cryptography Law, commercial cryptography testing and certification institutions are required to keep confidential any state secret or trade secret that comes to its knowledge during commercial cryptography testing and certification, and cryptographic administrative authorities shall strictly keep confidential any trade secret or personal privacy that comes to its knowledge as well.

Further, the Cryptography Law forbids cryptographic administrative authorities to require any commercial cryptography-practicing entity or commercial cryptography testing and certification institution to disclose cryptography-related exclusive information such as source code to them.

Implications

The new Cryptography Law certainly sends out positive signals for FIEs – the equal treatment for FIE and other entities, the protection of their trade secrets, the loosened process in importing commercial cryptographic technologies, etc., all making it more convenient for FIEs to develop and use commercial cryptographic technologies in China.

Another feature of this new Cryptography Law is that it echoes the requirements set out in the Cybersecurity Law in several places, for instance, the security certification and security inspection system, the network security review, the security inspection assessment of CII, and the evaluation for multi-level protection of cybersecurity. Enterprises are advised to read the provisions in the Cryptography Law in conjunction with the Cybersecurity Law and its implementing measures.

Further, it is worth noting that the Cryptography Law is still evolving. For example, the list of commercial cryptography under import licensing is yet to be published. Therefore, it is suggested that enterprises keep a close eye on this issue.