Home > Legal articles > Trends – China moves away from strict encryption regulations for foreign companies
China’s State Council has issued a decision for the removal of approval barriers that currently limit foreign-invested companies from producing, distributing and using encryption products in China. This decision is part of a bigger change in China’s encryption policy, which could provide foreign companies with a more level playing field in the use, production and distribution of encryption products in China.
China’s encryption policy developments
Foreign governmental bodies and private sector trade organisations have long pushed for reform of China’s encryption regime. Currently, entities need the approval of the State Cryptography Administration (SCA) for the production, distribution and use of commercial encryption products in China. In practice, foreign-based companies are only able to obtain approval for the use of commercial encryption products, effectively prohibiting foreign companies from manufacturing or distributing encryption products in China. This also leaves foreign companies no choice but to rely on Chinese manufactured encryption products.
This has been changing since the SCA released its first draft of China’s new Encryption Law in April 2017. The draft, which seeks to unify the regulatory framework of cryptography, overlaps with China’s recently-implemented Cybersecurity Law, as it requires national security review for the use of encryption products by operators of Critical Information Infrastructure if this use has the potential to affect China’s national security. A month after publication of the draft Encryption Law, NXP Semiconductors, as the first and currently only foreign-based semiconductor company, obtained SCA approval to develop and produce cryptography products in China, signalling a slow shift in China’s encryption policy.
On 29 September 2017, China’s State Council issued a decision that removes the approval requirements for the production, distribution and use of encryption products. Soon afterwards, on 12 October 2017, the SCA released a notice instructing the implementation of the State Council decision at a local level. These developments may have significant implications for foreign businesses active in the production, distribution or use of commercial encryption products.
Decision on removing a batch of administrative approval requirements
The State Council decision removes the approval restriction for the production, distribution and use of commercial encryption products. Foreign users of encryption products in particular could benefit from this decision, as it removes their obligation to apply for a user permit. While both domestic and foreign manufacturers no longer require production approval, they will still need to obtain a product certificate in order to start manufacturing. Similarly, distributors no longer need to obtain approval before they start distribution, but can only distribute products for which they have obtained a product certificate. The decision and the notice illustrate a shift towards the regulation of encryption products themselves, rather than its manufacturing and supply chain, and demonstrate China’s move towards a more level playing field for foreign companies. However, this still depends on the implementation of cryptography administration by local bureaus.
One approval requirement which remains after the State Council decision is the import permit for products listed under the 2013 Catalogue of Encryption Products and Equipment Subject to Import Management (First Batch), as listed below. Products not on this Catalogue will no longer require approval:
Products listed on the 2013 Catalogue of Encryption Products and Equipment Subject to Import Management (First Batch):
Assessment
China, with its draft Encryption Law as well as the State Council decision, is moving away from strict encryption regulations for foreign companies. For the first time, a foreign-based company obtained SCA approval for the development and manufacturing of encryption products in China. Entities, both domestic and foreign, no longer require approval for the production, distribution or use of certain commercial encryption products. Instead, the SCA seems to redirect its focus towards the regulation of encryption products by setting national standards. This could indicate a more level playing field for foreign manufacturers and distributors of commercial encryption products.
17 December 2020
EU Parliament approves new collective redress mechanisms for consumers
17 December 2020
Digital Services Act and Digital Markets Act: Commission flexes its muscles
16 November 2020
Fake online reviews – back as area of enforcement by competition authorities
15 October 2020
16 July 2020
Landmark ruling on validity of personal data transfer mechanisms
15 July 2020
17 December 2019
16 December 2019
Our IAPP panel on convergence of data-related enforcement in digital age – key insights
14 November 2019
Dutch DPA announces three-year enforcement focus on commercial use of data and AI
15 October 2019
New Whistleblower Directive introduces obligations for companies and EU member states
De Brauw Blackstone Westbroek
Claude Debussylaan 80
1082 MD Amsterdam
The Netherlands
P.O. Box 75084
1070 AB Amsterdam
The Netherlands