Nowadays, cryptography is becoming more and more popular among companies that want to protect their data. Due to the relevance of these technologies both for the economy and for national security, China has been gradually introducing a system of legislative measures in the field of encryption. The purpose of this article is to provide a brief overview of the PRC’s cryptography authorities, their regulations and their impact on the use of various software and hardware products by foreign companies operating in China.

Old but gold: Legal regulations on encryption

Currently, there are several legislative acts in China that regulate the use of cryptography products. One of them is the “Administrative Rules for the Commercial Use of Encryption” decree of the State Council of the People’s Republic of China of October 7, 1999. The decree highlights the development and production of cryptography products, briefly outlines the general provisions of the document, shows the goals of its adoption, and introduces the main definitions.

According to the “Administrative Rules for the Commercial Use of Encryption” decree, encryption products are any products and technologies used by entities or individuals for the cryptographic protection or security certification of information that does not contain state secrets. Only hardware or software with an encryption algorithm as its main function falls within the scope of the law. The products that people use every day (cordless phones, standard operating systems and browsers) are not included in this list.

Who is responsible?

The OSCCA (the Office of State Commercial Cryptography Administration), or State Cryptography Administration (SCA), specifically set up to ensure the enforcement of cryptography-related legal requirements, controls encryption technologies in China. Only the OSCCA has the right to license the use of any encryption products.

Can foreign companies use encryption technologies in China?

Yes, they can. However, foreign companies using encryption products must report their usage to the OSCCA and obtain its approval. To get permission to use encryption technologies, an organization or an individual must fill out a special registration form and submit it to the local cryptography authority. The local authority checks the submitted information for compliance within 5 days and transfers the application to the central unit of the Office of State Commercial Cryptography Administration. Consideration of the application takes about 20 days from the date of its submission, then a final decision is made. If the OSCCA approves the use of cryptography products, it issues a special approval. The permit is valid for three years from the date of entry into force.

Is it possible to import and use foreign-produced encryption products?

If the necessary encryption products need to be imported to the territory of the PRC from abroad, the organization or individual has to get an import permit from the local SCA. The products that need approval are:

  • Electrostatic photosensitive multi-functional integrated encryption fax machine (which can be connected to automatic data processing equipment or a network)
  • Other multi-functional integrated encryption fax machine (with at least one of the two functions of printing or copying)
  • Encrypted telephones
  • Optical communication encryption router
  • Non-optical communication encryption router
  • Password machines, password cards (excluding smart cards for digital TV, Bluetooth modules, dongles used for intellectual property protection purposes)

However, the use of foreign cryptography products is prohibited throughout the country. A company can buy hardware or software only from Chinese companies licensed to sell.

But there are some exceptions. For example, this rule does not apply to diplomatic missions of countries accredited in China. Foreign-invested enterprises, such as Sino-foreign joint ventures, can also use foreign encryption technologies if these products are needed exclusively for the organization itself or are necessary for communication with their branches abroad. These kinds of organizations need to provide information showing that the use of encryption products will not interfere with the information security of individuals and entities, or with China’s national security.

To sell or not to sell, that is the question

If any company or individual intends to sell cryptography products, they also need to get an approval from the OSCCA. The agency website contains a complete list of organizations authorized to sell programs for encrypted messaging. Going through that list, you will quickly realize that the choice of cryptography products that you can purchase in China is very limited. It includes:

  • Hardware token including Public Key Infrastructure, One Time Password, and its supporting system
  • Hardware security machine/card
  • Security IC chip
  • Digital signature and verification system
  • ATM/POS support system
  • Password keypad
  • Documentation management system
  • Key management system

Also, every vendor is Chinese. This means that it is pretty much impossible for foreign companies and their Chinese affiliates to get a license to sell encryption products. In practice, only Chinese organizations receive permission to produce, sell or conduct research in this area.

Legal liabilities: be careful with the risks

If, during the production process, an entity does not follow measures to ensure the confidentiality of encryption products, demonstrates the technologies used in the product without permission, or transfers or hands over the product for repair to another organization that has not received a license, the OSCCA has the right to issue a warning, order an immediate end to the violations and impose fines. Where a violation amounts to a crime, whoever violates the law will be subject to criminal liability.

Time for improvements

The measures discussed above hindered access to the Chinese market for foreign or foreign-funded companies, since the Office of State Commercial Cryptography Administration has full control over commercial data encryption. However, on April 13, 2017 the OSCCA published the initial draft of an Encryption Law that significantly changed the regulation regime for encryption products. Two years later, on July 5, 2019, China’s Standing Committee of the National People’s Congress published a new draft Encryption Law for public comment. According to these drafts, the Committee removed approval requirements for the production, sale, and use of commercial encryption products (now entities and individuals need permission for products only) and introduced three different categories:

  • “Core” encryption and “ordinary” encryption – to protect information that amounts to “state secrets”
  • “Commercial” encryption – to protect information that does not constitute “state secrets”.

The new Draft Law allows any entity or individual to use commercial encryption to secure their information in compliance with laws and regulations. It is worth mentioning that this new provision does not differentiate between Chinese-produced and foreign-produced commercial encryption, which gives foreign companies a chance to use and market their own encryption technologies while operating in the PRC. For example, in May 2017 the OSCCA for the first time gave permission to Dutch semiconductor manufacturer NXP to develop and produce cryptography products. This case can be seen as a crucial point for the liberalization of China’s encryption regime.

Conclusion

The PRC’s approach to encryption is significantly different from international practice, since the Chinese government monitors both state and commercial information security applications. Hence a number of limitations exist regarding the use of commercial encryption. Practice shows that, in actual fact, it is impossible for foreign companies to get a license for selling their own encryption products into the Chinese market. Moreover, foreign businesses have due reason for concern about the risk of industrial espionage and intellectual property theft, because the number of encryption products they can obtain is limited and because these products are produced by Chinese vendors. But the draft Law of 2019, if enacted as drafted, would no doubt bring significant changes to the current encryption regime, including imports and exports. There is hope that this new Encryption Law will reduce the regulatory burden for using encrypted products in China – a development that foreign companies will welcome.

However, the Draft Law is not finalized, and some important factors for foreign companies still need to be clarified. We at Ecovis Beijing will keep monitoring these developments in relation to the Draft Encryption Law in order to help our clients with cryptography-related technologies operating in China.
