On July 5, 2019, the People's Republic of China Cryptography Law (Draft) (the Cryptography Law) was issued by the Standing Committee of the National People's Congress, along with an invitation for submissions to be made as part of a public consultation.
The draft Cryptography Law lays down a number of general requirements in relation to cryptography classification, usage, promotion, and protection. It also introduces specific requirements for certain Critical Information Infrastructure (CII) operators to use cryptography products or services. In the draft Cryptography Law, 'cryptography' refers to products, technologies, and services used to encrypt or authenticate certain information, and it is divided into core cryptography, ordinary cryptography, and commercial cryptography. Correspondingly, the draft Cryptography Law has the following three major components:
- core cryptography and ordinary cryptography
- commercial cryptography
- legal liabilities.
In this update, we address key issues in relation to these three components.
To achieve consistency with other laws on state secrets and cyber security, the draft Cryptography Law implicitly draws on the Law of the People's Republic of China on Protecting State Secrets and the Cyber Security Law of the People's Republic of China.
Core cryptography and ordinary cryptography
Under the draft Cryptography Law, core cryptography and ordinary cryptography shall be used to protect state secrets. The highest level of protected information is top secret for core cryptography and secret for ordinary cryptography.
The cryptography management department shall guide, supervise, and inspect those who operate under the core and ordinary cryptography category. It shall also establish a collaborative mechanism, which will have responsibility for security monitoring and warning systems, major events consultations, and emergency responses. Whenever the cryptography users find that the security of core and ordinary cryptography might be compromised, they shall take effective countermeasures and report the incident to the cryptography management department in a timely manner.
Commercial cryptography
Under this section of the draft Cryptography Law, commercial cryptography can be used to protect information that does not amount to state secrets. Citizens, legal persons, and other organisations can use this level of cryptography to protect network and information security. The state promotes a testing and certification system for commercial cryptography and encourages its users to voluntarily undertake such testing and certification.
In addition, the draft Cryptography Law specifically requires that certain regulated CII operators should:
- use commercial cryptography products or services to protect the CII operated by them
- perform a security assessment of the commercial cryptography used by them
- where the purchase of commercial cryptography products or services by CII operators or governmental institutions could affect national security, carry out the national security examination procedure before proceeding with the purchase.
Legal liabilities
Violation of the Cryptography Law or other relevant laws and regulations may incur administrative liabilities such as warnings, orders to make corrections, and fines. Where the violation amounts to a crime, the violator will be subject to criminal liability.
Our observations
Once implemented, the draft Cryptography Law will no doubt have an impact on the commercial cryptography products or services purchased by CII operators. However, we find that the draft Cryptography Law is long on principles and short on implementing measures. As a result, some significant areas will require clarification. For example, key issues still need to be clarified, such as which CII operators (a term that is itself undefined) must use commercial cryptography products or services to protect their CII systems and perform a security assessment of the commercial cryptography they use.
It is noteworthy that the State Cryptography Administration released the PRC Cryptography Law (Draft for Comments) (the draft for comments) on April 13, 2017. After extensively soliciting public opinions, the Ministry of Justice and the State Cryptography Administration reviewed and modified the draft for comments and submitted the draft Cryptography Law to the Standing Committee of the National People's Congress. Under the draft for comments, the sale or use of commercial cryptography products, and the institutions engaged in commercial cryptography services, were subject to the permission of the national cryptography management departments. This is no longer required by the draft Cryptography Law.
Given that the Cryptography Law is still in draft form, it may be subject to further modification before it is finalised. As a legal team specialising in PRC data compliance, we will keep monitoring changes in relation to the draft Cryptography Law and issue updates as necessary.