Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting plaintext to ciphertext. To be effective, a cipher includes a variable as part of the algorithm. The variable, which is called a key, is what makes a cipher’s output unique. Encryption is essential for ensured and trusted delivery of sensitive information.
Data once readily accessible to law enforcement is now encrypted, protecting consumers’ data from hackers and criminals. China’s Standing Committee of the National People’s Congress (NPC) on July 5, 2019 published a new of draft Encryption Law (“the draft Law”) for public comment. The draft Law, if enacted as drafted, would bring significant new changes to China’s commercial encryption regime.
The Encryption Regulations of OSCCA
Poor cyber hygiene and rampant cybercrime have sparked rising awareness of privacy and a demand for personal information security among Chinese citizens. The 2019 Draft supersedes a prior draft issued by China’s State Cryptography Administration and includes important changes with respect to the definition of encryption and the management of commercial encryption.
Encryption technology is regulated by the Office of State Commercial Cryptography Administration (OSCCA), and only OSCCA-approved products are sanctioned for use in China. Overseas enterprises need to report their use of any encryption technology to OSCCA, and to obtain OSCCA approval. Article 11 sets forth that commercial encryption products that are sold or used in business activities, as well as the provision of commercial encryption services are subject to approval of competent authority in accordance with relevant catalogs.
China’s Encryption Law is Divided in 3 Categories
Core– This category of law is intended for systems that store and transmit PRC state secrets.
Common– Similar to core category, the common category is also applicable for the systems that transmit and store PRC state secrets.
Commercial– The category of commercial encryption is intended for businesses and private use. The draft Law confirms that any entity and individual can use commercial encryption to protect network and information security in accordance with laws. Note that this provision would not distinguish domestically produced commercial encryption and foreign-produced commercial encryption, which significantly departs from the existing regime.
China, with it’s draft Encryption Law as well as the State Council decision, is moving away from strict encryption regulations for foreign companies. However, the demands made on foreign and domestic technology companies can be expected to increase over the next several years.