Dealing with Regulatory Ambiguity in China - Encryption Software

Welcome everyone to another edition of my China Tech Law Newsletter. I'm going to put together a series of short posts (well at least compared to earlier ones!) showing examples of some ambiguities in commercial laws here. And how we try to make sense of things as best we can for our Western clients who are used to clarity. First example is on the topic of encryption regulations as they first developed in China.

Before getting into it, some context. As a lawyer working on cross-border China trade and investment, you tend to be a jack of all trades.?I was a junior M&A lawyer when I left New York for Beijing.?We were specialized - our corporate department back in the States did either M&A deals or IPOs.?And generally as a lawyer, you did one or the other, but rarely both.?We also had the benefit of other specialized practice groups at the firm.?As issues came up on our deal, if there was an employment law question, ask Larry on floor 19.?If there was an IP question, ask Jim on floor 20.?If there was a lease question, ask Joe on floor 21.?If there was a regulatory issue, ask Amanda on floor 22.?And so forth.

When I went to Beijing at a different international firm, it was totally the opposite. There was no way we could each specialize.?But that’s also what made it fresh and interesting.??Each lawyer in the office had to be familiar with a range of issues. There was simply no one else to refer our clients' questions to.

So the versatility this requires extends to how research is done here as well and dealing with ambiguity.?Let me give an example.?China is very sensitive about encryption technology, especially foreign-developed encryption technology.?You can probably use your imagination as to why that is the case.?

From time to time, we would get requests from clients looking to use or sell foreign-developed encryption technology.?China historically had strict rules limiting the use, sale, distribution, research, and development of products whose “core function” is encryption (more on “core function” later).?Foreign produced encryption products would only be allowed to be distributed to foreign invested companies in China - domestic PRC companies being prohibited from purchasing or using foreign produced encryption products.

The key regulator of encryption products in China?has been the Office of State?Commercial Code Administration (known as OSSCA).?At the time of the research I'm going to describe, a decade ago, there were only about 10 people at the agency as a small subdivision of the Ministry of Commerce.

A threshold question for each client was always whether the product would be considered an?"encryption product" by the relevant PRC authorities in the first place.??More often than not, based on the broad definition and the default position of the regulators to be cautious and overly inclusive, we had to lean towards the conclusion that the product was or could be considered an “encryption product.” But that's not where the analysis ended (more on that later).

Our clients were used to places like the US, where regulations would have pages on pages of defined terms and legislative history from Congress showing what the drafters intended to do, along with judicial case law to help interpret the meaning of key words in the law. In China there is none of that.?

In fact, for a regulation about encryption products in China, the words “encryption products” were never actually defined.?No threshold technical requirements (e.g. as to algorithm type or strength) were published by OSCCA.?(Cue image of our client metaphorically scratching their head, turned with one eye squinting upon reading our email to them.)

As you can guess, the potential range?of products therefore caught within the scope of the encryption rules was very broad. To be a bit more balanced, the technology at least to China was still relatively new and evolving and any definition could take away discretion on interpretation (discretion by regulators has always been in vogue here). The definition of encryption product would also risk becoming obsolete if too precise.?But still, no definition?

Have no fear, though, we did have something.?We had a speech.?Yes, a speech which was given (and actually published) by someone affiliated with that small agency clarifying that only 'special purpose hardware and software, the?core function?of which are?encryption and decoding' are regulated by the relevant encryption rules. Run of the mill wireless telephones, windows software and internet browser software did not fall?within the scope of the encryption rules.

So we had “core function” to work with.?What would we do to get more clarification??Call that 10 person office of course! But here comes the punchline of the story.?

When we called, we would get Ms. Zhang on the phone one day who would give us an answer to our questions (well maybe not an answer but at least something helpful).?As an aside, I'm still amazed they pick up the phone at these places and at least try to answer your questions sometimes!

OK so after talking with Ms. Zhang, we’d huddle up and then think of a follow-up question we forgot to ask.?We’d call the line again the next day and sitting next to Ms. Zhang and picking up the call instead would be Mr. Liu.?You got it, Mr. Liu would proceed to give us a completely different answer and disavow everything Ms. Zhang had said.?

Okay I’m exaggerating, but only just a bit.?(Cue image of our lawyer metaphorically scratching their head, turned with one eye squinting upon hanging up the phone with Mr. Liu).?Its worth noting here, this experience was obviously by no means unique to our firm or the specific issues and client questions we had to answer.?This was the reality of any law firm working with Chinese regulations.

Of course, similar to all research we did, we had to consider that the 10 person encryption office was supremely understaffed for the enforcement job at hand.?And having those pesty law firms constantly calling their hotline ate into their bandwidth too!?So here is where typically we would have an offline conversation with the client telling them that there was a lot of discretion here but the enforcement risks at the moment were not particularly great for their product. Certainly, we had to be mindful of the risk tolerance for our client as a major, publicly traded multinational technology company with other products for sale in China, but we had to also make clear the reality that enforcement was not likely and the business upside case should be considered.

In cases like these, beyond the regulations you also have to look at what other companies are doing.?There is an argument (very persuasive especially at HQ!) for strength in numbers and hiding in the crowd.?There is always the chance of arbitrary enforcement against some companies instead of others (perhaps because of something else they did “wrong”) unrelated to the issue of here, encryption products.

So this process may look different from how research is done in say the US, but this is definitely still research.?The process is usually something like this:

(1)?Pull from the relevant regulations

(2)?Consider from our own experience what we’ve seen with similar clients

(3)?Supplement by researching for industry commentators in the field. [Side note: Universities and their professors have an outsized influence on drafting of regulations.]

(4)?Look for similarly situated companies and their licenses and policies to the extent publicly available

(5)?Call the regulators

(6)?Apply our own judgments from practical experience to any remaining ambiguities, including understanding of history, language, culture, and most importantly - an understanding of macro policy goals of the regulators.

(7)?Recommendations

Part of my role that is the most fun throughout, but especially towards the end of this process, is then taking what we’ve put together and going through it one more time to think about what kind of assumptions our client has based on their experience back in Europe or the US and tweaking the advice to account for that.?And at the same time thinking through some of the nuances we are used to from working here and NOT assuming that the client has that same starting point as us when reading the advice.?

For example, a hit list of issues (in no particular order) we should not assume that our client knows about:

(1) That the RMB is not a freely convertible currency.?This fact tends to impact directly or indirectly so many different things our clients try to do here.

(2)?That you cannot terminate employees at will.?

(3) That a company has a defined business scope and cannot operate outside that.?

(4) That many licenses are open to foreign-owned companies but practically speaking are not available.?

(5) That trademarks are basically first come, first serve at the registration office regardless of what your brand has been doing outside of China for years.?

(6) That declaring a dividend or taking money out in general takes a lot of time.?

(7) That a foreign legal award cannot be easily enforced in China, if at all.?

Basically breaking it down to points which can be lost in translation and filling in those gaps.?That is truly the fun part of the work. As you can see, pulling the relevant language from regulations is the easy part. There is a lot of value add after that as there is never a clear “right” answer to the age-old question we get from our clients, “is this legal”? And that value add is what makes my work so different from what I started to do back in New York all those years ago.

OK, that's all for another edition of my China Tech Law Newsletter. In a future edition I'll try to cover encryption regulations as they stand now. Be on the lookout for other examples of how to deal with legal ambiguity in China coming up soon.

Don't forget to subscribe here if you haven't already, and feel free to reach out to me to connect on Linkedin. Even though Linkedin makes me put my default setting to "Follow Me" in order to publish this newsletter in Creator Mode, you can still click on more options to reach out and connect instead. Please do! And see you again in 14 days.