On November 2, 2021, Ministry of Commerce of China (“MOFCOM”) officially released the revised Catalogue of Technologies Subject to Import Prohibition and Restriction (“Technology Catalogue”), effective immediately, which identifies, among others, foreign “data encryption technology employing a key length greater than 256 bits” as a technology that requires import permit when transferred to a Chinese party.
This new development may significantly impact multinational corporations’ supply chain operations that involve cross-border transfer of encryption technologies. As of January 2021, the licensable “dual-use” encryption items that require an import license are only limited to the four types of physical encryption devices described by the “Dual-use” Import Control List (“Dual-use List”) published by the export control arm of MOFCOM (known as the Bureau of Industry, Security, Import and Export Control). Essentially, intangible transfer of encryption technology or software is excluded from the scope of import control under China’s “dual-use” import and export control regime.
The inclusion of the abovementioned “encryption technology” in the Technology Catalogue, as opposed to the Dual-use List, is likely to create a complex, bifurcated regulatory framework over foreign encryption items. Encryption technologies with encryption strength exceeding the specified threshold can no longer be freely transferred to a Chinese party.
Imports of physical encryption devices and intangible technologies are expected to be overseen by two different arms of MOFCOM under two separate regulatory schemes, respectively. These two schemes differ significantly in terms of regulatory framework and enforcement mechanism. The control of items under the Technology Catalogue has been relying principally on the banks that are entrusted by China’s foreign exchange authority to approve outward foreign exchange remittance as service fees paid for the intangible transfers. It is unclear how the two regulatory schemes will interact. This bifurcated regulatory framework may create complexity, especially where the supply chain involves cross-border transfers of both tangible and intangible encryption items.
Gaps remain in the implementation of the new licensing requirements. It is unclear whether the “encryption technology” described by the Technology Catalogue should be interpreted as covering encryption software in the first place. It is also unclear whether the import permit would be conditioned upon any specific end-use or end-user restrictions (i.e. China subsidiaries of multinational corporations using the imported encryption items only for intragroup communications) as the old commercial encryption regulations required prior to January 2021.