China’s Cryptography Law (the “Law”) became effective on 1 January 2020. The Law comes amid a changed approach to regulating the cryptography sector and the further development of China’s cyber security and data protection regime.
Unlike the stringent controls imposed on the whole life cycle of commercial cipher code products by the Regulations on Administration of Commercial Cipher Codes (the “Regulations”), the rule highest in the legal hierarchy before the Law was promulgated, the Law adopts a multi-layered supervision approach by putting cipher codes in three categories in accordance with the significance of the information they are intended to protect: core cryptography, ordinary cryptography and commercial cryptography.
Where a cryptography product or a cryptography technology qualifies as a state secret, the companies or institutions involved with said products or technologies need to comply with the Law of the PRC on Protecting State Secrets (“State Secrets Protection Law”) and are subject to very strict supervision. Violation of the State Secrets Protection Law may lead to criminal liability.
The following table summarizes the major regulatory differences between the three categories of cryptography.
| Category | Cryptography technology as state secret | Cryptography as state secret | Protected information | Supervision |
|---|---|---|---|---|
| Core cryptography | Yes | Yes | Top-secret, secret and confidential state secret information | Strict supervision throughout life cycle |
| Ordinary cryptography | Yes | Yes | Secret and confidential state secret information | Strict supervision throughout life cycle |
| Commercial cryptography | Yes | Unlikely | Non-state-secret information | Relaxed market entry + differentiated post-entry supervision |
Notably, the Law will reshuffle the regulatory landscape of the commercial cryptography product market. The main points are highlighted below:
- National treatment to all market players
• All market players, including foreign-funded companies, operating in the various sub-sectors of commercial cryptography, such as R&D, manufacturing, sales, after-market, and import and export, will enjoy non-discriminatory and fair treatment by the supervisory agencies.
• Government-forced technology transfer is clearly prohibited.
- Testing & certification
• Testing and certification are encouraged but shall be carried out on a voluntary basis in normal cases.
• Testing and certification are mandatory where commercial cryptography products concern national security, the national economy and people’s livelihood, and public interests, and have therefore been put in the catalog of critical network equipment and special network security products by the authority.
- Pre-conditions for becoming a product/service provider of critical information infrastructure operators (CIIOs)
• Will be subject to security assessment conducted by CIIOs or their delegated testing institutions in normal cases.
• Will be subject to national security review conducted by the cyberspace authority, the state cryptography administration and other relevant authorities in cases where national security is at stake.
- Import & export
• Commercial cryptography used in consumer goods: not subject to import and export control.
• Commercial cryptography related to national security or public interests and with encrypted protection functions: subject to import licensing.
• Commercial cryptography related to national security, public interests or international obligations assumed by China: subject to export control.
Author of the blog post
Regulatory Compliance Senior Manager, Rui Bai Law Firm (A member of the PwC global network of firms)
Tel.: +86 (10) 8540 4602