In the past three weeks, China’s State Council and the State Cryptography Administration (“SCA”) issued two documents that reveal a major change in the regulatory regime governing commercial encryption products in China, potentially paving the way for the draft Encryption Law to establish a uniform encryption regime. This development and its practical implications will be important to multinationals that manufacture, distribute, or use commercial encryption products in China.

On September 29, 2017, the State Council released the Decision on Removing a Batch of Administrative Approval Requirements (the “State Council Decision”) (official Chinese version available here), which removed some approval requirements for the manufacturing, sale, and use of commercial encryption products. On October 12, 2017, the SCA further released a notice (“Notice”) to instruct local Bureaus of Cryptography Administration (“BCA”) on the plan to implement the State Council Decision. (The official Chinese version can be found here.)

The State Council Decision and the Notice reveal a major change in the regulatory regime governing commercial encryption products in China, potentially paving the way for an Encryption Law that would establish a uniform encryption regime. (Our previous alert describing the draft Encryption Law can be found here.)

With the removal of the approval requirements imposed on entities that are manufacturing, distributing, and using commercial encryption products in China, the regime shifted away from regulating entities in the supply chain towards focusing on regulating the encryption products themselves, which potentially can provide a more level playing field for foreign (i.e., non-Chinese) companies manufacturing such products. This shift is largely aligned with the approach proposed by the draft Encryption Law and will reduce the burden currently imposed on users, including foreign-invested entities and foreign individuals located in China, that have had to apply for permits for their use of foreign-produced commercial encryption products.

Although the term “encryption product” has never been clearly defined, one of the regulations, the Administrative Rules on the Use of Commercial Encryption Products, provided a broad definition of “commercial encryption product,” which included “encryption technologies and products used for encryption protection or security certification information, not involving state secrets.” Some of the commonly used encryption products, such as Virtual Private Network (VPN) software, have been viewed by some as “commercial encryption products” and are subject to these regulations.

Key pieces of the existing regime include:

    • Approval of Manufacturers. Under the existing regulations, only manufacturers that are approved by SCA are allowed to manufacture commercial encryption products in China. Approved manufacturers must not manufacture unapproved encryption products. In practice, no foreign-invested companies have obtained SCA approval to manufacture commercial encryption products in China.
    • Approval of Distributors. Similar to manufacturers, only distributors that are approved by SCA can distribute commercial encryption products in China. Without such a license, no entity or individual may sell commercial encryption products in China. Again, no foreign-invested companies have obtained such approval in the past.
    • Approval of Commercial Encryption Products. The existing regulations also require SCA approval for specific encryption products. Manufacturers must obtain a Product Model Certificate of Commercial Encryption Products before they can produce such products.

As a general rule, entities and individuals must use approved encryption products manufactured by approved manufacturers and distributed by approved distributors. The use of pre-approved domestic encryption products by either foreign or domestic entities or individuals does not require additional approval from SCA.

    • Import and Use Permits for Foreign-invested Entities and Individuals. For foreign entities (including foreign-invested entities) and individuals, the regulations offer an exception: such entities and individuals can apply to SCA to use foreign-produced commercial encryption products if they have a legitimate business need to do so, provided that the use of such products “would not be harmful to information security, the legitimate rights of other individuals and organizations, as well as China’s national security.”

If a foreign entity or individual would like to use foreign-produced encryption hardware, it must apply for both a use permit and an import permit. If the foreign-produced product is software, no import permit is needed, but a use permit is still required.

The State Council Decision removed approval requirements for manufacturers and distributors of commercial encryption products, as well as the use permit requirement for foreign entities (including foreign-invested entities, such as Chinese subsidiaries of non-Chinese companies) and foreign individuals located in China.

The remaining approval requirements focus on: (i) the approval for commercial encryption products themselves to ensure the quality of the commercial encryption products; and (ii) the import permit requirement for the limited types of foreign-produced encryption hardware listed in a catalogue issued by the SCA and China’s General Administration of Customs.

The use of foreign-produced encryption software such as VPN software or off-the-shelf products that are not included in the catalogue will no longer be subject to any approval requirements.

SCA will, however, redirect its efforts, among other enforcement goals, towards:

  • promoting national standards for encryption products;
  • improving the review process for the Product Model Certificate of Commercial Encryption Products;
  • controlling end users (and end-uses) for imported encryption hardware that is subject to the approval requirement; and
  • establishing a “blacklist” to name entities not in compliance with the encryption rules.

Given the rapidly evolving regulatory regime, multinationals that plan to manufacture, distribute, or use commercial encryption products in China should closely follow the developments.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.