Trends – China moves away from strict encryption regulations for foreign companies

China’s encryption policy developments

Foreign governmental bodies and private sector trade organisations have long pushed for reform of China’s encryption regime. Currently, entities need the approval of the State Cryptography Administration (SCA) for the production, distribution and use of commercial encryption products in China. In practice, foreign-based companies are only able to obtain approval for the use of commercial encryption products, effectively prohibiting foreign companies from manufacturing or distributing encryption products in China. This also leaves foreign companies no choice but to rely on Chinese manufactured encryption products.

This has been changing since the SCA released its first draft of China’s new Encryption Law in April 2017. The draft, which seeks to unify the regulatory framework of cryptography, overlaps with China’s recently-implemented Cybersecurity Law, as it requires national security review for the use of encryption products by operators of Critical Information Infrastructure if this use has the potential to affect China’s national security. A month after publication of the draft Encryption Law, NXP Semiconductors, as the first and currently only foreign-based semiconductor company, obtained SCA approval to develop and produce cryptography products in China, signalling a slow shift in China’s encryption policy.

On 29 September 2017, China’s State Council issued a decision that removes the approval requirements for the production, distribution and use of encryption products. Soon afterwards, on 12 October 2017, the SCA released a notice instructing the implementation of the State Council decision at a local level. These developments may have significant implications for foreign businesses active in the production, distribution or use of commercial encryption products.

Decision on removing a batch of administrative approval requirements

The State Council decision removes the approval restriction for the production, distribution and use of commercial encryption products. Foreign users of encryption products in particular could benefit from this decision, as it removes their obligation to apply for a user permit. While both domestic and foreign manufacturers no longer require production approval, they will still need to obtain a product certificate in order to start manufacturing. Similarly, distributors no longer need to obtain approval before they start distribution, but can only distribute products for which they have obtained a product certificate. The decision and the notice illustrate a shift towards the regulation of encryption products themselves, rather than its manufacturing and supply chain, and demonstrate China’s move towards a more level playing field for foreign companies. However, this still depends on the implementation of cryptography administration by local bureaus.

One approval requirement which remains after the State Council decision is the import permit for products listed under the 2013 Catalogue of Encryption Products and Equipment Subject to Import Management (First Batch), as listed below. Products not on this Catalogue will no longer require approval:

Products listed on the 2013 Catalogue of Encryption Products and Equipment Subject to Import Management (First Batch):

• Electrostatic photosensitive multifunctional integrated encryption fax machine (which can be connected to automatic data processing equipment or a network)
• Other multifunctional integrated encryption fax machine (with at least one of the two functions of printing or copying)
• Other encryption fax machine (which can be connected to automatic data processing equipment or a network)
• Encrypted telephones
• Optical communication encryption router
• Non-optical communication encryption Ethernet switch
• Non-optical communication encryption router
• Password machines, password cards (excluding smart cards for digital TV, Bluetooth modules, dongles used for intellectual property protection purposes).

Assessment

China, with its draft Encryption Law as well as the State Council decision, is moving away from strict encryption regulations for foreign companies. For the first time, a foreign-based company obtained SCA approval for the development and manufacturing of encryption products in China. Entities, both domestic and foreign, no longer require approval for the production, distribution or use of certain commercial encryption products. Instead, the SCA seems to redirect its focus towards the regulation of encryption products by setting national standards. This could indicate a more level playing field for foreign manufacturers and distributors of commercial encryption products.