In late October, China passed a cryptography law that goes into effect on January 1, 2020. The law itself is short on specifics but makes a distinction in how Beijing is likely to treat blockchain-related projects serving the state, versus those being pursued for commercial purposes.
The law also comes at a time of heightened expectations of the People’s Bank of China issuing a digital renminbi, of which there has been much speculation and guesswork. The law doesn’t directly address any framework for a digital renminbi, which although a government project would involve private-sector wallets and payments in order to propagate the currency.
Given this situation, DigFin figured whatever clarity exists will have been parsed by the legal industry.
Latham & Watkins’ counsel Simon Hawkins, who leads the firm’s financial regulatory practice for Asia Pacific, and his colleagues compiled the following report for our readers. Thank you, L&W.
The crypto law
The new cryptography law is not specific to (and does not mention) financial services, fintech or digital currencies. The definition of “cryptography” is very broad and, while the introduction of the law is timely in the context of the PBoC digital currency project and other high-level government pronouncements about the potential for using blockchain technology (which inherently relies upon cryptography), there are many other industries in which cryptography is used (e.g., defense, telecoms, military hardware, government I.T. systems, certain consumer software, etc) and the new law provides a framework that would also cover those industries.
The law is a framework. In due course, State cryptography administrations will develop cryptography administration regulations that will supplement the law. In some parts the law is intended to work in conjunction with the existing PRC Cybersecurity Law.
While the law is clearly a significant development and paves the way for specific standards and controls to be applied to cryptography, it is not entirely clear how the law will be applied in the context of the PBoC’s digital currency project. This is partly because it is not immediately apparent whether/how cryptographic technology that is involved with/linked to the PBoC digital currency will be categorized under the new law.
Stricter controls and standards apply to cryptography involving state secrets. There is a question as to whether there will be aspects of the technology underpinning the digital currency that will be state secrets – and, by extension, whether cryptographic solutions to be used in conjunction with the digital currency also will characterized as involving state secrets. Or will it be regarded as purely commercial cryptography, with no state secrets involved.
Even commercial cryptography can become subject to more onerous rules or requirements under the new law if the commercial cryptography involves state security, the national economy and people’s livelihoods, and/or the social public interest.
It is not a stretch to imagine how these triggers could be met if the PBOo digital currency has a high uptake after it is launched.
State versus commercial
The law distinguishes between three types of cryptography: (1) core cryptography, (2) common cryptography and (3) commercial cryptography.
Core cryptography is used to protect top secrets of the State and common cryptography is used to protect confidential secrets of the State.
Commercial cryptography is used to protect information that is not related to, or does not involve, State secrets.
Core and common cryptography are strictly managed by government authorities. The law stipulates that the State’s confidential information must use core and common cryptography for encrypted data protection and security certification.
Commercial cryptography, on the other hand, is for the protection of information not considered State secrets. It can be used by businesses and individuals to enhance the security of information that exists on, or is transmitted through, the internet.
Where does the digital yuan fall?
In the context of the PBoC digital currency project, it is not immediately clear whether wallet providers for the digital currency would fall into the common or commercial categories of cryptography.
Presumably this could depend on whether the protocols on which the digital currency operates are considered to be State secrets, in which case a wallet provider using cryptography to protect the integrity of the wallet could be subject to the higher standards for common cryptography imposed by the new law.
On the other hand, the cryptography used in e-wallets that currently exist for existing stored value/payments platforms in China (i.e., where the wallet reflects a digital version of cash in a bank account) appears more likely to fall into the commercial cryptography category.
And wallet operators?
Critical information infrastructure operators (CIIOs) are treated in a similar way under this law as they are under the Cybersecurity Law.
CIIOs will be required to seek assessment and approval by a government authority when procuring cryptography solutions in certain cases. This is not too dissimilar from the way that CIIOs are impacted under the Cyber Security Law when they process certain personal information – meaning this in some way aligns the requirements for CIIOs in respect of processing personal information and now cybersecurity.
Wallet providers for the PBoC digital currency could, if they achieve sufficient scale, become CIIOs and become subject to the State security review procedure (this could be unpalatable for foreign-invested enterprises that are categorized as CIIOs).
The use of commercial cryptography in the context of “mass consumer systems” is not expected to need an export/import licensing review, suggesting the law is more focused on State secrets and CIIOs, and the use of commercial cryptography for those types of solutions.
However, “mass consumer systems” is not defined in the law so it is not obvious whether wallet providers would be classified as “mass consumer systems” under the law.
What about foreign-invested providers?
Commercial cryptography products involving State security, national economy and people’s livelihood, and social public interests will be included in the catalogue of critical network equipment and dedicated cybersecurity products.
Such products cannot be sold until they have passed the testing and certification conducted by a “qualified agency.” The applicable provisions of the Cybersecurity Law will apply to the testing and certification of such commercial cryptography products.
It is possible that digital currency wallets could be subject to these requirements if they are regarded as commercial cryptography products that involve state security, national economy and people’s livelihood and/or social public interests – and this outcome may be unpalatable for foreign-invested enterprises that develop such products.
Interoperability of wallets – including abroad
Parts of the law focus on and appear to encourage standardization, reflecting perhaps a desire to achieve greater interoperability of systems over time (which is a problem associated with blockchain technology).
The law also specifically mentions that the State promotes participation by enterprises, social groups and educational and scientific research institutions in international standardization activities on commercial cryptography.
Even though the PBoC rhetoric on the digital currency project so far has focused only on its domestic usage, this could be a nod to potential cross-border development of the digital currency in due course (or at least these does appear to be some scope for this under the law).
The law imposes penalties for misconduct. For example, those who discover vulnerabilities in core and common cryptography (i.e., cryptography used for matters involving state secrets) but fail to report it to authorities may be subject to liability and punishment under the law. In addition, persons involved in commercial activities relating to unauthorized cryptography products and services may also be subject to punishment under the law.