The PRC Encryption Law was passed on October 26, 2019 and comes into force on January 1, 2020.
The law provides the regulatory framework for the use of encryption technologies and products in China, offering systematic guidance for information protection in various industrial sectors.
The scope of the new Encryption Law is as follows.
- “Encryption” is defined as “technologies, products, or services which utilise specific transformations with respect to the information to effect encryption protection or security authentication”.
- The encryption is classified into three categories: core encryption, ordinary encryption, and commercial encryption. “Core” encryption and “ordinary” encryption are used for the protection of information constituting “state secrets,” while commercial encryption is used to protect information that is not considered a state secret. In addition, core encryption and ordinary encryption are themselves considered as state secrets, and will be subject to strict regulation by the State Cryptography Administration (SCA). Encryption users must also take measures to keep confidential any trade secret collected in the use of encryption technology.
- Commercial encryption does not constitute a state secret and entities and individuals can use commercial encryption to protect network and information security in accordance with laws in China.
Prior to this new Encryption Law, commercial encryption was primarily governed by the Administrative Measures on the Commercial Encryption and its ancillary regulations, under which research and development, production, import and the use of commercial encryption products was subject to strict approval and licensing requirements.
In practice, SCA had abolished most administrative approvals and licensing requirements prior to the Encryption Law. The new law further loosens the regulation on commercial encryption by introducing the so-called “double voluntariness” principle. Under the principle, foreign invested enterprises are entitled to the rights equal to their domestic counterparts, and governmental agencies are prohibited from forcing the mandatory transfer of commercial encryption technology. Furthermore, inspection and certification for the use of commercial encryption products is set on a voluntary basis unless such products involve national security, national economy and livelihood and/or social welfare and/or public interests, thus removing the licensing and approval requirements.
Whilst the Encryption Law generally loosens the regulation for commercial encryption, there are still certain mandatory requirements to be complied with, which can be summarised as follows:
- encryption products must pass the compliance certification requirements of the certification authority if such products (for example, those falling within the catalogue for critical network equipment and dedicated cybersecurity products) involve national security, national economy and livelihood and/or social welfare and/or public interests;
- where encryption products are used to protect critical information infrastructure (“CII” as defined under the PRC Cybersecurity Law), a security assessment should be conducted by itself or by a professional encryption inspection institution. Where use of such encryption products may have an impact upon national security, it is also subject to a national security review.
- an import licence is still required if the encryption products to be imported involve national security or public interests and are featured with an encryption protection function.
Likewise, if any encryption product to be exported involves national security, public interests or China’s international obligations, it is subject to an export control.
A list of products subject to such licence or export is to be issued by SCA together with other applicable governmental authorities.
It should also be noted that the Office of the CPC Central Committee for Cybersecurity and Informationization and other relevant departments have been working to standardize the requirements for critical network equipment and dedicated cybersecurity products. In this regard, draft national standards have been issued to seek public comments. Enterprises are therefore advised to watch for developments on such national standards, on which, we will also produce updates in due course.
Osborne Clarke comment
The Encryption Law is a significant step for the development of PRC encryption industry as well as any other industry where encrypted information protection is important. As the law by nature generally lays foundation for the regulatory framework, we expect to see more detailed implementation rules issued in the future, including the list of products subject to the import licence and export control, the national standards for critical network equipment and dedicated cybersecurity products.