Navigating China: New China encryption law passed

The new PRC Encryption Law will come into force on 1 January 2020. It will bring fundamental changes to the sale, import and use of encryption technologies in China by foreign and domestic organizations. The key changes are as follows:

  • Broader scope: the new law now governs encryption products, technologies and services, aligning more with the PRC Cybersecurity Law. This contrasts with the previous regulatory focus just on encryption products.
  • New encryption classification: encryption products, technologies and services will now be categorized into three tiers: “core”, “ordinary” and “commercial”. The first two tiers will be used to protect “state secrets”, and so will be more heavily regulated than the third (i.e., state-monitored security assessments and audits may take place during the development, implementation and maintenance of such technologies; and it appears that only local PRC vendors may be entitled to sell and provide such technologies). It is anticipated that most businesses will only be dealing with “commercial” encryption, but organizations will need to confirm that this is the case.
  • Import and licensing: the existing regulatory licensing regime for import of certain encryption products will be replaced. Instead, import and export controls will only apply to certain encryption products/technologies (i.e., only where the import or export may impact national security or the public interest) but not those for general use. This will make it easier for businesses looking to procure and deploy encryption in China.
  • Security requirements: encryption products, technologies and services must comply with new technical security standards that are to be published by the regulators. It is hoped that these will address the topical issue of decryption keys.
  • Use by CIIOs: organizations designated as critical information infrastructure operators (CIIOs) that use commercial encryption may be subject to procurement restrictions (i.e., limited to certified products, technologies and services that are approved by the regulators), and must conduct a prior security assessment before deploying them. A national security review by the regulators may be required if the CIIO is purchasing or using commercial encryption that may impact national security.

It is anticipated that guidance on the practical steps needed to comply with the above will be published in due course.

To discuss any questions, or what this could mean for your organization, please contact the authors: Scott Thiel, Carolyn Bigg, Lauren Hurcombe and Venus Cheung.