China’s Encryption Law & Its Key Features


China’s National People’s Congress passed the Encryption Law. Consistent with prior drafts, the Encryption Law defines “encryption” as “technologies, products, or services applying specific transformations to information to effect encryption protection or security authentication” (Article 2).


According to DLA Piper, the Encryption Law introduces a new classification: encryption products, technologies and services will now be categorized into three tiers, “core”, “ordinary” and “commercial”. The first two tiers are used to protect “state secrets” and so will be more heavily regulated than the third (i.e., state-monitored security assessments and audits may take place during the development, implementation and maintenance of such technologies, and it appears that only local PRC vendors may be entitled to sell and provide them). It is anticipated that most businesses will only deal with “commercial” encryption, but organizations will need to confirm that this is the case.

Key features of China’s encryption law for foreign companies

  • Foreign companies can participate. The law requires local governments not to discriminate against foreign-funded players and encourages cooperation on commercial encryption.
  • Local authorities are to include encryption in economic and social development plans and fiscal budgets. While the law does not state specific amounts, it could help local encryption startups.
  • Commercial encryption services must pass checks and obtain certifications if they involve national security and public interest.
  • Those that fail to use commercial encryption in accordance with this law and refuse to correct their actions will be fined between RMB 100,000 and RMB 1 million.


Under the new law, commercial encryption is no longer considered a state secret. This is a significant change from the current regulatory position and lays the foundation for liberalizing the production, sale and use of commercial encryption.

To ensure compliance, China will set up a system to “test and authenticate” commercial encryption products to ensure they comply with technical specifications and regulations, with the Office of State Commercial Cryptography Administration (OSCCA) charged with conducting inspections.

China regularly conducts mass surveillance on digital conversations and can force companies to both store data locally as well as turn it over on request. It likewise has the power to shut down services or entire products in response to security incidents.


Understanding China’s Encryption Law

Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting plaintext to ciphertext. To be effective, a cipher includes a variable as part of the algorithm. This variable, called a key, is what makes a cipher’s output unique. Encryption is essential for the secure and trusted delivery of sensitive information.

Data that was once readily accessible to law enforcement is now encrypted, protecting consumers’ data from hackers and criminals. On July 5, 2019, China’s Standing Committee of the National People’s Congress (NPC) published a new draft Encryption Law (“the draft Law”) for public comment. The draft Law, if enacted as drafted, would bring significant changes to China’s commercial encryption regime.

The Encryption Regulations of OSCCA

Poor cyber hygiene and rampant cybercrime have sparked rising awareness of privacy and a demand for personal information security among Chinese citizens. The 2019 Draft supersedes a prior draft issued by China’s State Cryptography Administration and includes important changes with respect to the definition of encryption and the management of commercial encryption.

Encryption technology is regulated by the Office of State Commercial Cryptography Administration (OSCCA), and only OSCCA-approved products are sanctioned for use in China. Overseas enterprises need to report their use of any encryption technology to OSCCA and to obtain OSCCA approval. Article 11 sets forth that commercial encryption products sold or used in business activities, as well as the provision of commercial encryption services, are subject to approval by the competent authority in accordance with the relevant catalogs.

China’s Encryption Law is Divided into 3 Categories

Core: This category is intended for systems that store and transmit PRC state secrets.

Common: Similar to the core category, the common category also applies to systems that transmit and store PRC state secrets.

Commercial: The commercial encryption category is intended for business and private use. The draft Law confirms that any entity or individual can use commercial encryption to protect network and information security in accordance with the law. Note that this provision would not distinguish between domestically produced and foreign-produced commercial encryption, which significantly departs from the existing regime.

China, with its draft Encryption Law as well as the State Council decision, is moving away from strict encryption regulations for foreign companies. However, the demands made on foreign and domestic technology companies can be expected to increase over the next several years.
