My Take | Why China should clarify requirements for cybersecurity review of Hong Kong IPOs

A new cybersecurity regulation that came into effect this week requires any Chinese company possessing data on more than 1 million consumers to go through a cybersecurity review before filing an initial public offering in a “foreign” market.

The clause was added to fix a loophole exposed by the listing of Didi Chuxing on the New York Stock Exchange. As the Post reported earlier, the listing of the Chinese ride-hailing giant, which has amassed a huge amount of data on mainland consumer habits and road traffic, happened without a final go-ahead from China’s cyberspace regulator, angering many in Beijing.

The new regulation, however, had one ambiguity. There is debate among lawyers, analysts and experts over whether listings in Hong Kong, which is not a foreign market, should be subject to the same cybersecurity reviews as listings in New York or London.

The updated regulation, which was signed off by 13 different ministerial bodies, does not mention Hong Kong in its text, including Article VII that requires a pre-IPO review for businesses holding data of more than 1 million Chinese users.

To clarify the situation, the Cyberspace Administration of China (CAC), which has not been involved in the screening of IPOs in the past, last week published two “expert opinions” on its website – from two individuals working for state institutions – which argued that public listings in Hong Kong should be subject to the same cybersecurity review.

It is understandable that, after the Didi case, the CAC is trying to plug all loopholes, but it would be a big leap to infer from the regulation’s current text that the review has to apply to Hong Kong IPOs as well.

Interestingly, other regulators, including the China Securities Regulatory Commission, have largely stayed mute on the issue.