A new law taking effect on the first day of the New Year will apply sweeping new rules to data encryption.
China’s Encryption Law will regulate all kinds of encryption used in the country and follows hot on the heels of the Dec. 1 implementation of China’s Multi-Level Protection Scheme 2.0, a cybersecurity law that expanded on the types of IT systems requiring government inspection.
The new encryption rules separate the technology into so-called core and common cryptography, used for state secrets, and commercial cryptography, used for everything else. Under the law, encryption technology relevant to national security, people’s livelihoods and the public interest should be inspected before it can be sold or made available.
Such technologies, along with products offering “added secrecy,” may be subject to import permits or export controls.
Restrictions on foreign technology could affect dozens of protocols and solutions that foreign companies may want to deploy, according to Danny O'Brien, director of strategy at the San Francisco-based digital rights group Electronic Frontier Foundation (EFF). He said similar U.S. efforts to ban the export of encryption products proved futile because they reduced overall security of communication for many.
To ensure compliance, China will set up a system to “test and authenticate” commercial encryption products against technical specifications and regulations, with the Office of State Commercial Cryptography Administration (OSCCA) charged with conducting inspections. The agency must set up centralized monitoring, whose findings will be linked to China's forthcoming social credit system, though the measure’s text did not provide additional details.
“We encourage users of commercial encryption to willingly accept testing and authentication to improve market competitiveness,” the law reads.
The text calls back to elements found in the corporate version of the social credit system, piloted in at least a dozen Chinese cities, which—much like its version aimed at private citizens—scores trustworthiness based on a person or organization’s actions.
In September, the European Union Chamber of Commerce in China raised concerns over what it described as an “enormous” amount of data the system required from businesses, including “hidden sensitive data points.”
Neither the EU Chamber nor U.S. chambers in China provided comment on the encryption law in response to Caixin inquiries by publication time.
Addressing IP infringement concerns from foreign businesses, the encryption law says that organizations doing testing must not disclose state or commercial secrets. It also bans all levels of government from discriminating against and forcing tech transfers from foreign encryption companies.
Violations of the encryption law carry civil liabilities.
The law also contains language encouraging cryptography research and development. President Xi Jinping in October urged the country to develop and innovate in blockchain technologies, which use advanced encryption to provide the basis for cryptocurrencies and business applications involving transaction tracking.
Contact reporter Dave Yin