New Chinese Cryptography Law in force as of 1 January 2020
China’s Cryptography Law (the “Law”) became effective on 1 January 2020. The Law comes amid a shift in China’s approach to regulating the cryptography sector and the further development of its cyber security and data protection regime.
The Regulations on Administration of Commercial Cipher Codes (the “Regulations”), which were the highest-ranking rules before the Law was promulgated, imposed stringent controls on the whole life cycle of commercial cipher code products. The Law instead adopts a multi-layered supervision approach, putting cipher codes in three categories according to the significance of the information they are intended to protect: core cryptography, ordinary cryptography and commercial cryptography.
Where a cryptography product or a cryptography technology qualifies as a state secret, the companies or institutions involved with those products or technologies need to comply with the Law of the PRC on Protecting State Secrets (“State Secrets Protection Law”), which imposes very strict supervision. Violation of the State Secrets Protection Law may lead to criminal liability.
The following table summarizes the major regulatory differences among the three kinds of cryptography.
Notably, the Law will reshuffle the regulatory landscape of the commercial cryptography product market. The main points are highlighted below:
- National treatment to all market players
• All market players, including foreign-funded companies, operating in the various sub-sectors of commercial cryptography such as R&D, manufacturing, sales, aftermarket, and import and export will enjoy non-discriminatory and fair treatment by the supervisory agencies.
• Government-forced technology transfer is clearly prohibited.
- Testing & certification
• Testing and certification are encouraged but shall be carried out on a voluntary basis in normal cases.
• Testing and certification are mandatory where commercial cryptography products concern national security, the national economy and people’s livelihood, or public interests, and are therefore included by the authority in the catalog of critical network equipment and special network security products.
- Pre-conditions for becoming a product/service provider of critical information infrastructure operators (CIIOs)
• Will be subject to security assessment conducted by CIIOs or their delegated testing institutions in normal cases.
• Will be subject to national security review conducted by the cyberspace authority, the state cryptography administration and other relevant authorities in cases where national security is at stake.
- Import & export
• Commercial cryptography used in consumer goods: not subject to import and export control.
• Commercial cryptography related to national security or public interests and with encrypted protection functions: subject to import licensing.
• Commercial cryptography related to national security, public interests or international obligations assumed by China: subject to export control.