Call for Comments on Cryptography Law of the People’s Republic of China (Draft)

On July 5, 2019, the National People’s Congress (NPC) issued a public consultation on the Cryptography Law (Draft). According to Article 1 of the draft law, cryptography is de

fined as “the altering of information related to products, technology and services to ensure encrypted protection or secure authentication”. The main functions of cryptography are: encryption protection and security authentication.

The draft law includes five chapters: General Provisions of Cryptography Law, Core Cryptography and Common Cryptography, Commercial Cryptography, Legal liability, and Supplementary Provisions. In this draft, cryptography is divided into Core, Common, and Commercial Cryptography.

The draft puts forward the principle of cryptography classification protection: Core Cryptography and Common Cryptography are used to protect the state’s secret information. Information under the protection of Core Cryptography is classified as top-secret, while information under the protection of Common Cryptography is confidential. Both top -secret information and confidential information are subject to the strict and unified administration of the cryptography authorities, but only Commercial Cryptography is used to protect information that is not part of state secrets.

The management system of Core and Common Cryptography include: Article 14, the usage requirements of Core and Common Cryptography when transmitting, storing, and processing state secret information; Article 15, the safety management system and confidentiality measures of the Core and Common Cryptography; Article 16 and 17, the working system and collaboration mechanism of the relevant cryptography administration departments; Article 19, the inspection-free right of Core and Common Cryptography related items and personnel; Article 20, the supervision and confidential review system of Core and Common Cryptography related staff.

The system of Commercial Cryptography includes: Article 22, 23 and 24, establishment of Commercial Cryptography standards system; Article 25, establishment of Commercial Cryptography testing and certification system; Article 26, mandatory testing and certification system for Commercial Cryptography products and services that relate to the critical network equipment and specialized network security products; Article 27, the use of Commercial Cryptography to ensure appropriate protection of the critical information infrastructure and the security assessment on Commercial Cryptography application; Article 28, the import licensing system and the export control system for Commercial Cryptography which involve national security and social and public interest, or adhere to China’s international commitments.