On 26 October, the National People’s Congress of the People’s Republic of China passed the new Chinese Encryption Act (密码法), which will come into force on 1 January 2020. It can be seen as a further addition to the cyber security regime that China has been developing for years and which has gained momentum with the Cyber Security Act. It is intended to regulate the use and administration of encryption technologies and facilitate the development of cryptographic companies.
To this end, the law distinguishes between core, standard and commercial cryptography. Since core and standard cryptography are used to protect state secrets, they are not relevant for most foreign companies in China. Commercial cryptography can be legally used by citizens, legal entities and organizations to protect their data and systems.
What is new is that the law does not explicitly prohibit the use of foreign encryption technologies in China for commercial purposes. Commercial cryptographic products or technologies developed, used, sold, imported or exported by foreign companies are now treated in the same way as domestic products or technologies. As is so often the case with the supposed opening of the Chinese market to foreign companies, it is not clear whether cryptography providers can now get a foot in the door of the Chinese market after they were previously excluded from it.
Cryptographic products sold and used in China must comply with a strict set of standards that will be defined in more detail by further regulations. All companies that use commercial cryptography to protect their data are subject to monitoring and evaluation by the State Cryptography Administration (SCA), which has the right to check whether cryptographic products and technologies are used in compliance with the law. Whether the SCA needs access to the keys during this process, or whether it may request them, is not regulated, which leaves a bitter aftertaste.
It remains to be seen what further regulations will bring and whether they will reduce the uncertainties. One fact is unlikely to change even with new regulation: if the Chinese government wants data, it always has the option of obtaining it.