China’s rise as a global technology leader and its recent experiences and tensions with the U.S. have transformed its approach to export controls. In this article, export controls are broadly defined to include China’s controls on dual-use technology, encryption, cybersecurity and unreliable entities. The authors are of the view that there has been a shift in China’s approach to export controls since the mid-2010s. In this context, this article seeks to provide a brief overview of the evolution of China’s export control regulations, the current regulatory construct and implications for companies doing business in and with China.
Export Controls 1.0 - International obligations and Internal Security Interests
International obligations – a focus on controlled items using HS code-based catalogues
It is important to recognise that China is a member of a few non-proliferation regimes – namely: the Non-Proliferation of Nuclear Weapons (NPT), the Biological Weapons Convention (BWC) and the Chemical Weapons Convention (CWC). China is notably not a member of the Wassenaar Arrangement and had previously failed to gain admission to the Missile Technology Control Regime (MTCR). Nevertheless, China has implemented regulations over the years that reflect its international non-proliferation commitments. These can be seen from the various amendments to the dual use goods and technology regime over the years.
Whilst the previous Chinese regulations purport to regulate both the export of dual use technologies in tangible and intangible form, the reality is that the controls were focussed on regulating the export of controlled technologies in tangible form. Given that Customs was the main authority in China responsible for policing the export of goods, many previous versions of the dual use goods and technologies catalogues (Catalogues) had controls that were based on correlated HS codes and did not adopt Wassenaar Arrangement classifications.
This made matters more complex for exporters, as it was difficult to correlate controlled technologies with the HS code-based catalogues – these controls suffered from the weaknesses of trying to fit square pegs into round holes since controlled technology in tangible form did not neatly fit into the HS classifications provided for in the published Catalogues.
Internal security interests
Apart from non-proliferation concerns, China’s export control regime (most notably, the commercial encryption regulations) was aimed at ensuring that foreign encryption was not widely available to the public in China, as easy access to foreign encryption would compromise the ability of the Chinese authorities to maintain internal security within China.
It is important to note that, when the Regulations on Administration of Commercial Encryption were first promulgated in 1999, encryption technology was not quite as pervasive in ordinary life. Then, the regulations were primarily aimed at ensuring that: (a) foreign encryption was not available in China – there were strict controls on the import, production and sale of foreign encryption products and technologies in China; and (b) foreign parties did not have access to Chinese encryption.
Integral to the regulations was the “core function” test which is set out in a notice issued by the State Encryption Management Commission (the predecessor of the SCA) in 2000, which was designed as the main tool to ascertain whether a product or technology would fall within the scope of the commercial encryption regime. However, this test had limited effectiveness as it did not provide companies with sufficient guidance on whether a product or technology was subject to these rules.
Further limiting the effectiveness of the commercial encryption regime was the fact that the regulations lacked an effective enforcement mechanism. This made it difficult for China to provide teeth to these regulations, blunting the application of the regulations. For example, whilst Customs and the Administration for Industry and Commerce (now reconstituted as the State Administration for Market Regulation) were the main agencies that dealt with enforcement issues under the commercial encryption regime, these agencies often lacked the familiarity to properly administer the commercial encryption rules.
Additionally, the imprecise and theoretically broad reach of the regulations also led some to believe that there were mercantilistic objectives behind these regulations to limit market access to foreign technology companies in China.
In any case, notwithstanding the historical limitations of the commercial encryption regime, the exponential growth and adoption of technology in everyday living as well as the critical role of encryption technology soon made it clear that the existing regime was inadequate to regulate the use of commercial encryption in China.
Creating China technology standards
Over the past few decades of China’s technology journey, China has, on various occasions, sought to create technology standards that could be controlled and forcibly adopted in China. These included the WLAN Authentication and Privacy Infrastructure (WAPI), Green Dam Youth Escort (Green Dam) and Trusted Cryptography Module (TCM) standards.
Attempts were made to have companies operating in China adopt these technology standards through the use of the Chinese commercial encryption regime, the introduction of standards, or other regulatory mechanisms. However, such attempts to force the adoption of these standards within China would often have little success, largely due to the pushback from foreign technology companies. These foreign technology companies raised potential WTO national treatment breaches and foreign governments were often lobbied to push back against China’s adoption and imposition of the use of such standards.
Drivers for China export control 2.0
The survey of the historical developments above serves to provide some context for the development of China’s export control regime. However, in recent years, the developments in China’s export control regime have increasingly been driven by various new initiatives and challenges, such as the Made in China 2025 policy, cybersecurity concerns and the U.S.-China trade war. We elaborate on some of these drivers for the development of China’s export control regime below.
Made in China 2025
The Made in China 2025 policy was introduced on 8 May 2015 to promote domestic innovation and technology advancement in China. At the time of its introduction, certain aspects of the Made in China 2025 policy were aimed at promoting the use of domestic goods and services over those from foreign sources. However, over time, the Made in China 2025 policy has evolved around the following themes, including:
- promoting the development of an indigenous semi-conductor manufacturing industry – this has been centred around the Central and Western region of China and has the ability to remove China’s reliance on foreign wafer fabricators to supply China’s technology industry;
- promoting (and at times mandating) the adoption of indigenous technology in critical infrastructure and information technology systems to minimise the vulnerability of such systems to intrusion by foreign parties.
These, as will be shown later, form the backdrop to many of the key regulations and features of China’s new export control regime.
Cybersecurity
Since the late 2000s, China has been paying more attention to cybersecurity and the protection of critical technology infrastructure from cybersecurity vulnerabilities. This can most prominently be seen from the formation of the Cyberspace Administration of China (CAC) in 2014, which functions as China’s central internet regulator, censor, oversight and control agency. Crucially, the CAC reports directly to the Office of the Central Cybersecurity Affairs Commission, which has the President of China at its helm. This clearly shows the importance that China has placed on cybersecurity.
More recently, the Cybersecurity Law of the People’s Republic of China (Cybersecurity Law) came into effect on 1 June 2017. The Cybersecurity Law defines the roles of different parties in China’s cybersecurity ecosystem, including government bodies, network operators and individual users and places great emphasis on personal information security, network product and service security.
It does this through imposing security requirements upon various network operators, including network owners, network product providers, network service providers and network administrators, with stringent provisions in place for “critical information infrastructure operators” – a specialist group that includes financial institutions such as banks due to the fact that they collect personal information and provide online services.
These special provisions are expected to result in businesses in these industries facing more stringent privacy and cybersecurity requirements, such as additional compliance requirements which enable Chinese government bodies to scrutinise and conduct security assessments on the cross-border data flows of these operators from China to overseas. Should the operators fail to pass the security assessment conducted, personal information and important data would be subject to transfer restrictions and have to be stored within China.
Use of U.S. export control and sanctions regulations on Chinese companies
China’s most recent export control regulations and licensing regimes also seem to have been shaped by the use of U.S.-denied and restricted party designations on Chinese technology companies.
In the last few years, there have been high-profile cases of Chinese telecommunications companies such as ZTE and Huawei being sanctioned by the U.S. due to alleged breaches of U.S. export control and sanctions regulations.
More recently, the latest U.S. sanctions in response to the passing of the Hong Kong National Security Law as well as the human-rights related sanctions aimed at China’s actions in Tibet have also created greater impetus for the development of Chinese mechanisms to counteract U.S. laws and their impact on Chinese companies.
China Export Control 2.0 – key regulations and features
In light of the driving factors above, China’s export control regime has developed from one that was primarily focussed on non-proliferation and internal security concerns into one that aims at counteracting U.S. extraterritorial application of sanctions and export control laws on Chinese companies and persons and developing domestic technology capabilities in areas such as semi-conductor manufacturing and cybersecurity. This resulted in the promulgation of some of the following regulations.
China’s new Export Control Law
China’s new Export Control Law was promulgated in October 2020 following a fairly lengthy passage through the legislative process. Essentially, the Export Control Law consolidates controls over the export of dual use, military and nuclear technologies and notably contains several provisions which reflect the various driving factors described above. A brief summary of the new Export Control Law is provided below; for a more in-depth discussion of this law, please see our client alerts on “China passes new Export Control Law” and “China Export Control Law – 2020 Draft”.
- National security controls
Apart from consolidating controls over the export of dual use, military and nuclear technologies, the Export Control Law also provides China with the ability to control the export of other goods, technologies and services that China deems necessary for the protection of national security. This includes a mechanism for China to adopt autonomous controls over technologies which China deems to be in its national security interest to control.
With regard to the HS-based catalogues previously used by China, it remains to be seen whether China will move towards international harmonisation and adopt the Wassenaar Arrangement classifications in the catalogue to be issued with the implementing regulations.
The Export Control Law includes deemed export controls. Essentially, these controls prevent the provision of controlled items by Chinese citizens, legal persons or non-legal person organisations to foreign organisations or individuals. These are in addition to export, re-export, transit and transhipment controls.
The Export Control Law also provides for entity lists which will be maintained for importers and end-users who are designated as denied parties or restricted parties. Exporters are prohibited and restricted from entering into any transactions with parties on these entity lists without approval from the national export control authorities (NECA).
- Extraterritorial application
It is worth noting that the new Export Control Law has provisions which apply extraterritorially, meaning that organisations and individuals outside China may also be liable for Chinese export control breaches.
Another notable development under the Export Control Law is the introduction of a provision regarding reciprocal measures. This provision enables China to take reciprocal measures against specific countries or regions that abuse their domestic export control measures to endanger the security and interests of China.
Encryption Law
The Encryption Law of the People’s Republic of China (Encryption Law) is another landmark law which came into effect on 1 January 2020. The primary aim of the Encryption Law is to update the regulatory framework for the control of encryption to reflect the developments since the Commercial Encryption Regulations were first promulgated in the late 1990s.
The Encryption Law applies to all encryption technologies, products and services regardless of whether they are for commercial or non-commercial purposes and introduces different types of controls, including export controls. Any commercial encryption involving national security, public interest or international obligations will also be covered under the export licensing regime within the Encryption Law.
Similar to the Export Control Law, the Encryption Law will also manage the controlled encryption items via a control list system. A Commercial Encryption Export Control List will be formulated and announced by the Ministry of Commerce (MOFCOM), the State Cryptography Administration (SCA) (also known as the State Encryption Management Bureau) and the General Administration of Customs.
Whilst it remains unclear how the two listing systems will interact, businesses subject to the Encryption Law should be aware of the control measures and requirements under both the Encryption Law and the Export Control Law.
Commercial Encryption
The Regulations on Administration of Commercial Encryption (Draft for Comment) was issued on 21 August 2020 for public comment. It is noteworthy in the draft that the former “core function” test is no longer being used. Instead, there are provisions that provide for the development and adoption of standards.
The inclusion of these provisions suggests that standards formulation will be a key aspect in regulating the development, adoption and use of commercial encryption in China and can be seen as a furtherance of China’s broader international policy goals, such as the Made in China 2025 policy.
Unreliable Entity List
Finally, the Provisions on Unreliable Entity List (Provisions) was promulgated by MOFCOM on 19 September 2020. This regulatory development is significant because it enables China to designate foreign entities as unreliable entities and subject them to sanctions. Such designation will be made if foreign entities carry out actions which result in serious damage to the legitimate rights and interests of Chinese enterprises.
It is widely believed that the Unreliable Entity List regime is China’s response to the U.S. due to the intensified trade war between the two powers as well as the devastating impact of U.S. extraterritorial sanctions regulations on Chinese companies such as ZTE and Huawei.
It is important to note that the current version of the Provisions does not stipulate the type of sanctions that may be imposed upon foreign entities designated as unreliable entities, nor does it stipulate whether there are secondary sanctions (i.e. on third parties that transact with designated entities).
For further discussion on the Unreliable Entity regime, please see our client alert on China’s Unreliable Entity List – An overview and implications for businesses.
Implications for doing business with and within China
In light of the recent developments in China’s export control regulations, doing business with and within China will certainly be more challenging for international businesses. Businesses will need to be aware of these export control regulations and closely monitor any developments that occur. In that regard, we set out below some of the considerations that businesses operating in and with China should keep in mind that result from these developments.
Non-compliance is no longer an option
For a long time, companies operating in China paid little heed to the various export control regulations, often without incurring any sanctions. The new regulations, as well as the constitution of the new regulatory agencies, indicate new resolve by Chinese authorities to regulate this area.
Companies should ensure that they have reviewed the consequences of these regulations on their business activities and should implement the relevant policies and procedures to ensure compliance.
Beware of autonomous controls and deemed export regulations
There are many aspects of the new export control regulations that mirror features that were previously only found in U.S. export controls. Hence, it is important for companies operating in China to note that, apart from the conventional regimes, there may now be China-specific controls for certain types of goods, technologies and services.
Indigenous technology requirements
Businesses operating in China will need to review their technology infrastructure to determine whether they comply with China’s indigenous technology requirements. These may include requirements to procure and adopt Chinese technology for certain parts of their technology infrastructure. Such requirements may also vary based on the type of industry that businesses operate within in China (e.g. critical infrastructure such as banking, power production, etc.).
Screening for Chinese designations
Businesses will also now need to screen for entity designations under China’s various regulations, such as the Provisions on Unreliable Entity List and the Export Control Law. It is unclear whether the screening services which companies currently use screen against China’s various lists. This will be increasingly important as the Chinese designations could also carry secondary sanctions against companies that transact with designated entities.
Participating in industry groups
For companies that deal with controlled technologies, it is important to participate in industry groups that monitor the Chinese developments. Generally, most major technology industry groups will be monitoring such developments. However, there are also specific industry groups that monitor the Chinese developments. Such industry groups will often be able to provide companies with a heads-up on impending developments as well as give a forum to provide feedback to government agencies regarding the impact of these regulations on their business operations in China.
Note interaction with foreign legal regimes
It is important to note that some of these developments are in response to extra-territorial regulations of other countries, most notably the U.S. Therefore, when reviewing these regulations, it is also important to be aware that there may be other regulatory regimes that may require companies to take different courses of action. Companies operating internationally may find themselves in a difficult position of having to pick which regime to comply with. To illustrate, a company may be prohibited from transacting with a Chinese entity under the laws of Country A. However, complying with those laws could potentially result in the company running afoul of the unreliable entities regime and risk being designated under the Chinese list.
Conclusion
China’s export control regimes have changed significantly over the last two decades. China has, in recent times, introduced new regulations to update the nature and scope of controls. Businesses operating in China will need to monitor these regulations and ensure that they adopt measures to comply with these requirements. Likewise, companies that do not operate in China but have significant exposure to China will need to monitor these regulations as they have extraterritorial effect.