The Cryptography Law of China (the Law), which came into force on 1 January 2020, aims to ensure network and information security, preserve national security and protect the interests of individuals and organisations in China, including by prohibiting the trespass of protected systems, theft of cryptographic information and illegal use of cryptography that compromise national security or the public interest. The Law also promotes the growth of the cryptography industry by directing the Chinese government to strengthen the talent pool and support research programs. The State Cryptography Administration shall be responsible for the management of the Law.
The Law defines “cryptography” as technologies, products and services that perform security authentication or utilise specified transformation methods to encrypt information.
The Law classifies cryptography into three categories: core cryptography, common cryptography and commercial cryptography.
Core and common cryptography refer to cryptography that is used to protect top secret and secret state secret information, respectively.
The Law requires core and common cryptography work bodies – entities engaged in research, production, service, testing, furnishing, use or destruction of core and common cryptography – to:
Commercial cryptography refers to cryptography for protecting non-state secret information. In using commercial cryptography, national security, public interest or other people’s lawful rights must not be endangered.
The Law establishes a principle of non-discrimination to give equal treatment to all units that research, produce, sell, service, import or export commercial cryptography – i.e., commercial cryptography units (including foreign investment enterprises) – and prohibits administrative organs from forcing the transfer of commercial cryptography technology through administrative measures.
Under the Law:
Failure to comply with the Law may result in sanctions or pecuniary penalties. For example, failure to take immediate response measures or report the discovery of data leaks relating to core or common cryptography may lead to sanctions or punishments for the managers and personnel responsible. In addition, selling or providing uncertified commercial cryptography products or services may lead to pecuniary penalties of up to three times the unlawful gains, or between RMB30,000 and RMB100,000 for cases without unlawful gains.
Disclaimer: This article is for general information only and does not constitute legal advice.