China Revises Proposals on Regulation of Commercial Encryption
In the past three weeks, China’s State Council and the State Cryptography Administration (“SCA”) issued two documents that reveal a major change in the regulatory regime governing commercial encryption products in China, potentially paving the way for the draft Encryption Law to establish a uniformed encryption regime. This development and its practical implications will be important to multinationals that manufacture, distribute, or use commercial encryption products in China.
On September 29, 2017, the State Council released the Decision on Removing a Batch of Administrative Approval Requirements (the “State Council Decision”), which removed some approval requirements for the manufacturing, sale, and use of commercial encryption products. On October 12, 2017, the SCA further released a notice (“Notice”) to instruct local Bureaus of Cryptography Administration (“BCA”) on the plan to implement the State Council Decision.
The State Council Decision and the Notice reveals a major change in the regulatory regime governing commercial encryption products in China, potentially paving the way for an Encryption Law that would establish a uniform encryption regime.
With the removal of the approval requirements imposed on entities that are manufacturing, distributing, and using commercial encryption products in China, the regime shifted away from regulating entities in the supply chain towards focusing on regulating the encryption products themselves, which potentially can provide a more level playing field for foreign (i.e., non- Chinese) companies manufacturing such products. This shift is largely aligned with the approach proposed by the draft Encryption Law and will reduce the burden currently imposed on users, including foreign-invested entities and foreign individuals located in China, that have had to apply for permits for their use of foreign-produced commercial encryption products.
Although the term “encryption product” has never been clearly defined, one of the regulations, the Administrative Rules on the Use of Commercial Encryption Products, provided a broad definition of “commercial encryption product,” which included “encryption technologies and products used for encryption protection or security certification information, not involving state secrets.” Some of the commonly used encryption products, such as Virtual Private Network (VPN) software, have been viewed by some as “commercial encryption products” and are subject to these regulations.
Key pieces of the existing regime include:
Approval of Manufacturers. Under the existing regulations, only manufacturers that are approved by SCA are allowed to manufacture commercial encryption products in China. Approved manufacturers must not manufacture unapproved encryption products. In practice, no foreign-invested companies have obtained SCA approval to manufacture commercial encryption products in China.
Approval of Distributors. Similar to manufacturers, only distributors that are approved by SCA can distribute commercial encryption products in China. Without such a license, no entity or individual may sell commercial encryption products in China. Again, no foreign-invested companies have obtained such approval in the past.
Approval of Commercial Encryption Products. The existing regulations also require SCA approval for specific encryption products. Manufacturers must obtain a Product Model Certificate of Commercial Encryption Products before they can produce such products. As a general rule, entities and individuals must use approved encryption products manufactured by approved manufacturers and distributed by approved distributors. The use of pre-approved domestic encryption products by either foreign or domestic entities or individuals does not require additional approval from SCA.
Import and Use Permits for Foreign-invested Entities and Individuals. For foreign entities (including foreign-invested entities) and individuals, the regulations offer an exception: such entities and individuals can apply to SCA to use foreign-produced commercial encryption products if they have a legitimate business need to do so, provided that the use of such products “would not be harmful to information security, the legitimate rights of other individuals and organizations, as well as China’s national security.” If a foreign entity or individual would like to use foreign-produced encryption hardware, it must apply for both a use permit and an import permit. If the foreign-produced product is software, no import permit is needed, but a use permit is still required.
The State Council Decision removed approval requirements for manufacturers and distributors of commercial encryption products, as well as the use permit requirement for foreign entities (including foreign-invested entities, such as Chinese subsidiaries of non-Chinese companies) and foreign individuals located in China.
The remaining approval requirements focus on: (i) the approval for commercial encryption products themselves to ensure the quality of the commercial encryption products; and (ii) the import permit requirement for the limited types of foreign-produced encryption hardware listed in a catalog issued by the SCA and China’s General Administration of Customs.
The use of foreign-produced encryption software such as VPN software or off-the-shelf products that are not included in the catalog will no longer be subject to any approval requirements.
SCA will, however, redirect its efforts, among other enforcement goals, towards:
promoting national standards for encryption products;
improving the review process for the Product Model Certificate of Commercial Encryption Products;
controlling end users (and end-uses) for imported encryption hardware that is subject to the approval requirement; and
establishing a “blacklist” to name entities not in compliance with the encryption rules.
Given the rapidly evolving regulatory regime, multinationals that plan to manufacture, distribute, or use commercial encryption products in China should closely follow the developments.