The law requires that all state secrets be stored and transmitted using “core and common” encryption, and that institutions working on cryptography have to establish “management systems” that guarantee the security of that encryption. Those managers won’t be allowed to ask private encryption developers to turn over “exclusive” info like source code, though, and any business secrets they do get will have to be kept confidential.
China’s new measure will allow and encourage commercial development and uses of encryption. However, the development, sales and use of it “must not harm the state security and public interests.” People who fail to report security risks they spot, or who offer cryptographic systems that “are not examined authenticated,” will also be punished. The country’s existing cybersecurity laws are already set to punish the use of encryption deemed to threaten the state, but there once again appears to be an asterisk next to the encryption endorsement — you can’t design something that might challenge the regime.
As it is, the law may offer only superficial protection in light of existing rules. China regularly conducts mass surveillance on digital conversations, and can force companies to both store data locally as well as turn it over on request. It likewise has the power to shut down services or entire products in response to security incidents. There’s little to stop China from obtaining data that isn’t completely encrypted, and it can block or otherwise retaliate against those services that do shield info from prying eyes.