Overview of the Legislation
On October 26th, 2019, the Standing Committee of the National People’s Congress of China approved the “Cryptography Law of the People’s Republic of China” (hereinafter referred to as the “Cryptography Law”), which will come into effect on January 1st, 2020. Prior to the approval of the Cryptography Law, there was only one administrative regulation in the field of cryptography control, the “Regulation of Commercial Encryption Codes” (hereinafter referred to as “Commercial Encryption Codes”), which was issued in 1999. The Cryptography Law is therefore regarded as the first comprehensive law in the field of cryptography control.
The Cryptography Law classifies cryptography, for the first time, into 3 levels: core cryptography, ordinary cryptography and commercial cryptography. Core cryptography and ordinary cryptography are regarded as national secrets and are controlled strictly and uniformly by the cryptography management departments, while commercial cryptography is used to protect information that is not a national secret.
Main Content of Commercial Cryptography
Firstly, the Cryptography Law confirms the cancellation of the licensing requirements for market access of commercial cryptography business and further liberalizes the market. In particular:
- Enterprises with foreign investment shall be granted national treatment in the field of commercial cryptography, and may equally carry out activities such as scientific research, production, sales, service, import and export of commercial cryptography;
- Commercial cryptography used in mass consumer products is not subject to the import license and export control system;
- The administrative examination and approval of the development, production, import and use of commercial cryptography products shall be abolished, and the security assessment and certification of commercial cryptography products shall be carried out only in the fields related to national security, national economy and people’s livelihood, and social and public interests.
Secondly, the Cryptography Law has established the commercial cryptography detection and authentication system through Article 25 and Article 26 respectively. Enterprises using commercial cryptography can accept commercial cryptography detection and authentication voluntarily; commercial cryptography products involving national security, the national economy and people’s livelihood, and social and public interests shall be listed in the “Network critical equipment and network security specific product catalog” (updated regularly), and shall be sold or provided only after compulsory testing and certification by qualified institutions. At the same time, if a commercial cryptography service involves key network equipment and special network security products, the commercial cryptography authentication agency shall also verify the qualification of the commercial cryptography service.
Thirdly, the key information infrastructure operators are obliged to evaluate and review the security of commercial cryptography applications. For operators of critical information infrastructure, those who use commercial cryptography for protection shall carry out a security assessment of commercial cryptography application by themselves or by a commercial cryptography detection agency. Those who purchase network products and services involving commercial cryptography that may affect national security shall pass the national security review.
Therefore, the key information infrastructure operators shall perform the relevant security assessment and national security review obligations to carry out their activities related to commercial cryptography. In practice, many enterprises have already assessed their application of commercial cryptography according to the “Basic Requirement of GM/T 0054-2018 Information System Cryptography Application”.
Impact on Foreign-Investment Enterprises
The promulgation and implementation of Cryptography Law is generally good news for enterprises involved with commercial cryptography, especially foreign-investment enterprises, principally in the following ways:
- Imported mass consumer products (such as various electronic products with communication functions) that include cryptography components and technologies may no longer need tedious password authentication processes, which facilitates the simultaneous listing of products in the Chinese market;
- Outbound cryptography components and technologies used by foreign-investment enterprises for internal communication within the group or with their business partners no longer need troublesome approval and record-keeping formalities, so they can be used freely;
- A foreign enterprise which possesses the ability to research and develop cryptography technology can enter the Chinese market with a Chinese partner or alone.
In any case, it is vital for enterprises to keep a close eye on the subsequent development of the Cryptography Law and its relevant regulations so that they can put the corresponding compliance solutions in place.