Skip to main content

Encryption law in China

China’s rules on encryption: what foreign companies need to know

Cyber security is an increasing concern for many companies, who are turning to encryption technology to protect the contents of their communications.

For businesses operating in China, however, there are restrictions on the import and use of encryption technology, as well as on the research and development, production, sale and export of such technology.

Foreign businesses, therefore, need to be aware of the Chinese law's prohibitions and approval requirements relating to encryption products.

Using encryption technology in China

Encryption technology is regulated by the Office of State Commercial Cryptography Administration (OSCCA), and only OSCCA-approved products are sanctioned for use in China.

Under Chinese law, encryption products cover any products or technologies used for encryption protection or security certification of information that does not involve state secrets.

Only hardware and software products with encryption as their core function fall within the scope of regulated products – items such as wireless telephones, standard computer operating systems and internet browsers are not included.

Foreign companies are required to report their use of any encryption technology to OSCCA, and to obtain OSCCA approval.

Sale of encryption products

OSCCA also requires any company or individual selling encryption products in China to first obtain approval.

On OSCCA’s website, only a handful of companies are listed as having permission to sell encrypted email and messaging systems, and as a result the choice of encryption products lawfully available to buy and use in China is limited.

This scarcity is compounded by the fact that no foreign encryption technology is allowed to be sold in China, even by OSCCA-approved retailers. This effectively bars foreign participation in the domestic encryption products market, and shields domestic companies from overseas competition.

Foreign businesses are also unable to sell domestically produced encryption products in China. The European Commission Directorate-General for Trade has observed that foreign or foreign-owned companies face significant barriers to obtain OSCCA approval to sell encryption products, and in practice only Chinese or Chinese-owned companies are eligible to sell, produce, license and carry out research and development into encryption technology in the country.

Importing encryption technology into China

The OSCCA works with China's General Administration of Customs to check the import of encryption technology into China. 

Foreign investment enterprises (FIEs) such as Sino-foreign joint ventures are specifically permitted to import and use encryption products manufactured abroad, provided they are solely for their own business use and necessary for overseas communications.

FIEs must first apply for an importation permit and OSCCA approval to use the encryption products in China.

Among OSCCA’s non-exhaustive list of products that require permits for use in China are encrypted telephones and encrypted fax machines.

The use of encrypted mobile instant messaging applications could potentially therefore require an import permit and approval for use from OSCCA.

Changes to the regulations

Foreign governmental bodies and private sector trade organisations, including the European Union Chamber of Commerce in China, have pushed for changes to China's encryption regulations that would make its easier for foreign companies to legally import, sell and use foreign-developed encryption products in China and to take advantage of the increasing demand for and use of encryption products.

Since 2009, the main Chinese regulation governing encryption technology has reportedly been scheduled for revision in light of the technological developments that have taken place.

In the meantime, foreign companies need to ensure that they use only OSCCA-approved encryption technology and report their use to OSCCA. Failure to do so could result in warnings from OSCCA and confiscation of the technology.

Where companies sell encryption technology without approval, fines of up to three times the unlawful turnover may be imposed.