China’s National People’s Congress passed the Encryption Law. Consistent with prior drafts, the Encryption Law defines “encryption” as “technologies, products, or services applying specific transformations to information to effect encryption protection or security authentication” (Article 2).
According to DLA Piper, the new encryption classification works as follows: encryption products, technologies and services will now be categorized into three tiers, “core”, “ordinary” and “commercial”. The first two tiers will be used to protect “state secrets”, and so will be more heavily regulated than the third (i.e., state-monitored security assessments and audits may take place during the development, implementation and maintenance of such technologies, and it appears that only local PRC vendors may be entitled to sell and provide them). It is anticipated that most businesses will only be dealing with “commercial” encryption, but organizations will need to check that this is the case.
Key features of China’s encryption law for foreign companies:
- Foreign companies can participate. The law requires local governments not to discriminate against foreign-funded players and encourages cooperation on commercial encryption.
- Local authorities are to include encryption in economic and social development plans and fiscal budgets. While the law does not state specific amounts, it could help local encryption startups.
- Commercial encryption services must pass checks and obtain certifications if they involve national security or the public interest.
- Those that fail to use commercial encryption in accordance with this law and refuse to correct their actions will be fined between RMB 100,000 and RMB 1 million.
Under the new law, commercial encryption is no longer considered a state secret. This is a significant change from the current regulatory position and lays the foundation for liberalizing the production, sale and use of commercial encryption.
To ensure compliance, China will set up a system to “test and authenticate” commercial encryption products to ensure they comply with technical specifications and regulations, with the Office of State Commercial Cryptography Administration (OSCCA) charged with conducting inspections.
China regularly conducts mass surveillance on digital conversations and can force companies to both store data locally as well as turn it over on request. It likewise has the power to shut down services or entire products in response to security incidents.