China has curtailed its plan to ban many software and hardware products from import, according to lawyers at Pinsent Masons, which is continuing to follow the government’s announcement.
Under the government’s current plan, the scheme, which holds IT vendors to controversial national standards, will be limited to public procurement only, the firm said in its Out-Law.com law blog.
The announcement in 2007 that the CCC scheme would apply to "information security" products provoked strong criticism from IT trade bodies. The scheme applied to 13 product areas, including firewalls, secure routers, operating systems, backup and recovery tools and anti-spam software. Without the mandatory certification, China indicated that “no products shall be allowed to be put into the market within the territory of China.”
Certification requires factory visits, product testing in government-approved laboratories and adherence to a series of national security standards, said Pinsent Masons lawyers. The scheduling of the process suggests that certification of a product could take 100 days or more.
Following the criticisms from European trade body EICTA and others, the CNCA announced that the CCC scheme would be delayed. It issued a formal notice of adjustment on 29th April – but that notice was ambiguous, according to technology lawyers in the Hong Kong and Shanghai offices of Pinsent Masons.
“The one-year delay gave some breathing space to vendors, but what wasn’t clear was the scope,” said Stephanie Wong, a lawyer in Pinsent Masons’ Hong Kong office. “It was widely assumed that the scheme would apply just as widely as before. But there was a single sentence in the notice that hinted at a restriction in scope. We’ve now had confirmation from CNCA that the scheme will be scaled back drastically, meaning it applies only to public procurement. Clearly that will be a great relief for suppliers.”
Wong said that there is no indication that this is only a temporary retreat. “That brings the scheme more in line with common international practice, limiting the scope of compulsory information security product evaluations to certain areas of government procurement, such as national security systems.”
William Soileau, a Shanghai-based lawyer with the firm, said some of the measure’s original uncertainty remains for those products that are subject to government procurement. “We still don’t have a clear picture of which products are covered and which ones are not, because the definitions are vague. We don’t know what disclosures will be expected of vendors, or how their trade secrets will be protected during the third party testing procedures,” he said.
