On October 26 of 2019, the Cryptography Law of People’s Republic of China was officially adopted by China’s top legislature and promulgated by President Xi Jinping to take effect as of January 1, 2020 (the “Cryptography Law”). After over two years of evolution by means of public comments and consultations since the draft Cryptography Law was first introduced for public comment in early 2017, the Cryptography Law addresses key requirements in relation to cryptography categorization, usage, accreditation, import and export, cryptography administration and legal liabilities. In this update, we address key issues in relation to such requirements under the Cryptography Law.
Definition of “cryptography” and Categorization
Under the Cryptography Law, “cryptography” refers to the technologies, products and services which are utilized to encrypt or authenticate information and is categorized as “core cryptography”, “ordinary cryptography” and “commercial cryptography”. “Core cryptography” and “ordinary cryptography” are utilized to encrypt state secret. “Commercial cryptography” is utilized to encrypt non-state secret. Individuals, enterprises and any other legal entities may freely utilize “commercial cryptography” in compliance with relevant laws and regulations for the security of their cyberspace and information.
It is our observation that a demarcation shall be drawn between state secret and non-state secret for the avoidance of misusing cryptography and its consequential legal liabilities. It is likely that certain state secret may come into possession of a business organization during its operation. It is advisable clear internal guidelines and policies be implemented for handling and encrypting such information collected, generated, transmitted and/or disclosed by the organization.
Compulsory use of Core Cryptography and Ordinary Cryptography on State Secret
Pursuant to Article 14 of the Cryptography Law, “core cryptography” or “ordinary cryptography” shall be utilized for wired or wireless transmission, storage and processing of state secrets. In accordance with PRC Law on Safeguarding State Secret, state secret shall be categorized into three classes, namely, from Class A (top classified state secret), Class B (classified state secret) to Class C (generally classified state secret). “Core cryptography” can be utilized to encrypt all of the three classes of state secrets while “ordinary cryptography” can only be utilized to encrypt Class B and Class C state secrets.
In addition, entities who are engaged in research & development, manufacturing, sales, servicing, import & export of core and ordinary cryptography products are imposed the responsibilities to set up internal management procedures and take confidentiality measures to ensure the safety of core and ordinary cryptography.
CII Operators’ Responsibilities
Pursuant to Article 27 of the Cryptography Law, critical information infrastructure (CII) operators are mandatorily required to use commercial cryptography products or services to encrypt their information. CII operators shall perform security assessment of their commercial cryptography by themselves or accreditation agency. Where the purchase of commercial cryptography products or services by CII operators could affect national security, CII operators are required to carry out national security examination prior to proceeding with purchasing such commercial cryptography products.
This requirement is consistent with the provisions under the Cybersecurity Law, which stipulates that CII operators who purchase network products and services (such as commercial cryptography products and services) which may have impact on national security should go through the national security check by the office of the Central Cyberspace Affairs Commission and relevant departments of the State Council. Under the Cybersecurity Law, CII operators are further required to enter into security and confidentiality agreement with sellers of network products and services.
The Cryptography Law is basically silent and not setting out clear guideline on the use of commercial cryptography devices and technologies by business entities and individuals that are non-CII operators. However, in an earlier legislation governing commercial cryptography, the Commercial Cryptography Regulations of 1999 which is still effective after the promulgation of the Cryptography Law, it is noteworthy that business entity or individual must use commercial cryptography products authenticated by State Cryptography Administration (the “SCA”). Self-developed or foreign cryptography products are prohibited from being used prior to authentication by SCA.
We bring to your attention that any commercial cryptography products used within PRC shall be authenticated by SCA. Otherwise, the user of such unauthenticated commercial cryptography products might be penalized by competent authorities.
Commercial Cryptography Operators and Accreditation
Pursuant to the Cryptography Law, commercial cryptography operators refer to entities engaged in research & development, manufacturing, sales, servicing, import & export of commercial cryptography products (the “Commercial Cryptography Operators”). Compared with the Commercial Cryptography Regulations of 1999, the Cryptography Law removed the licensing requirements for entering into commercial cryptography market. According to Cryptography Law, the Commercial Cryptography Operators may elect to voluntarily apply for accreditation by recognized agency.
However, if certain commercial cryptography products are related to national security, national economy and people’s livelihood, or public interest, Commercial Cryptography Operators are mandatorily required for accreditation. As we understand, such accreditation requirement echoes the requirements under Cybersecurity Law which provides that the CAC will work with relevant department of the State Council to formulate and release a catalogue of “critical network equipment and special-purpose cybersecurity products” and security certification and security test should be carried out on these equipment and products.
Import and Export of Commercial Cryptography
In accordance with Article 28 of the Cryptography Law, commercial cryptography with integrated encryption function concerning national security or public interest of PRC shall be subject to import permit administration by Ministry of Commerce and SCA. Commercial cryptography products concerning national security or public interest of PRC or in relation to which PRC State obligation will be borne shall be subject to export control. Roasters of import permit and export control of commercial cryptography are to be compiled and issued jointly by Ministry of Commerce, SCA and PRC Customs. Apart from the foregoing, consumer-grade commercial cryptography products are exempted from import permit or export control.
Protection of Technology in Cryptography Products and Services
To relieve Commercial Cryptography Operators’ concern about leakage of business secrets during examination, approval, and filing of commercial cryptography products, the Cryptography Law explicitly prohibits the forced disclosure of source codes and other proprietary cryptography-related information by Commercial Cryptography Operators. Administration authorities and the staff thereof are required to keep strictly confidential trade secrets and personal privacy obtained during the performance of their duties. Illegal disclosure or provision to others are strictly prohibited.
It is noteworthy as expressly provided in the Cryptography Law that foreign Commercial Cryptography Operators are not required to transfer their technology during their direct investment or other cooperation with PRC counterparts as an effort to encourage Sino-foreign cooperation in developing encryption technology and to prohibit forced transfer of encryption technology by using administrative powers.
Violation of Cryptography Law may incur administrative liabilities such as warnings, orders to corrections and fines. Criminal liabilities may arise when certain violation triggers incrimination factors. Key violations that may incur liabilities under the Cryptography Law include (1) eavesdropping encrypted information, trespassing cryptography systems or other trespassing activities; (2) failure to adopt “core cryptography” or “ordinary cryptography” when required under the Cryptography Law; (3) leakage of “core cryptography” or “ordinary cryptography”; and (4) other violations by Commercial Cryptography Operators, CII Operators, importer or exporter of cryptography products, services or technologies.
 State secrets are not itemized or named under applicable laws but differentiated by the havoc of leakage and statutory period of confidentiality.
 Scope of CII operators is defined under Article 18 of Rules of Safeguarding Critical Information Infrastructure for public comments on July 10, 2017.