China lowers national security IT ‘trade barrier’

No more knocking at your back door

A certification scheme that threatened to ban many software and hardware products from China has been curtailed. The scheme, which holds IT vendors to controversial national standards, will be limited to public procurement only, a government agency has said.

The requirement, which applies to 13 product types, was due to come into effect this month. But in a formal notice issued late last month, the government announced that its introduction would be postponed until May 2010. The Shanghai office of Pinsent Masons, the law firm behind OUT-LAW.COM, subsequently received confirmation from China's certification agency that the scheme will be restricted to those products being supplied to the government.

Suppliers targeting companies and consumers in China will not need to comply with the China Compulsory Certification (CCC) scheme, according to the Certification and Accreditation Administration (CNCA).

The announcement in 2007 that the CCC scheme would apply to "information security" products provoked strong criticism from IT trade bodies. The scheme applied to 13 product areas, including firewalls, secure routers, operating systems, backup and recovery tools and anti-spam software. China indicated that, without the mandatory certification, "no products shall be allowed to be put into the market within the territory of China".

Certification requires factory visits, product testing in government-approved laboratories and adherence to a series of national security standards. The scheduling of the process suggests that certification of a product could take 100 days or more.

European trade body EICTA, whose members include Cisco, Dell, Fujitsu, Microsoft, Apple, Oracle and Intel, accused China of erecting "unnecessary obstacles to international trade." EICTA said that the government had failed to articulate any legitimate policy objective by introducing the measures.

"There is no other country in the world that relies on national security standards and related conformity assessments because there are global standards already in use today," it said in a position paper published last June.

"China's proposed Regulations depart from internationally accepted standards and norms," said the paper. "No country has ever regulated the sale or importation of computer security products for the commercial market in the manner proposed by the Chinese regulations."

Following the criticisms from EICTA and others, the CNCA announced that the CCC scheme would be delayed. It issued a formal notice of adjustment on 29th April – but that notice was ambiguous, according to technology lawyers in the Hong Kong and Shanghai offices of Pinsent Masons.

"The one-year delay gave some breathing space to vendors, but what wasn’t clear was the scope," said Hong Kong lawyer Stephanie Wong. "It was widely assumed that the scheme would apply just as widely as before. But there was a single sentence in the notice that hinted at a restriction in scope. We've now had confirmation from CNCA that the scheme will be scaled back drastically, meaning it applies only to public procurement. Clearly that will be a great relief for suppliers."

"There is no indication that this is only a temporary retreat," she said. "That brings the scheme more in line with common international practice, limiting the scope of compulsory information security product evaluations to certain areas of government procurement, such as national security systems."

William Soileau, a lawyer in Shanghai, said that some of the measure's original uncertainty remains for those products that are subject to government procurement.

"We still don't have a clear picture of which products are covered and which ones are not, because the definitions are vague. We don't know what disclosures will be expected of vendors, or how their trade secrets will be protected during the third party testing procedures," he said.

"To the extent that their products do not comply with China's national standards, IT suppliers engaged in government supply will be forced to develop China-specific designs and products compliant with the CCC Procedure," said Soileau.

OUT-LAW.COM is part of international law firm Pinsent Masons.
