A new cybersecurity regulation that came into effect this week requires any Chinese company possessing data on more than 1 million consumers to go through a cybersecurity review before filing an initial public offering in a “foreign” market. The clause was added to fix a loophole exposed by the listing of Didi Chuxing on the New York Stock Exchange. As the Post reported earlier, the listing of the Chinese ride-hailing giant, which has amassed a huge amount of data on mainland consumer habits and road traffic, happened without a final go-ahead from China’s cyberspace regulator, angering many in Beijing. The new regulation, however, had one ambiguity. There is debate among lawyers, analysts and experts over whether listings in Hong Kong, which is not a foreign market, should be subject to the same cybersecurity reviews as listings in New York or London. China’s cybersecurity rule is response to US audit inspection, analyst says The updated regulation, which was signed off by 13 different ministerial bodies, does not mention Hong Kong in its text, including Article VII that requires a pre-IPO review for businesses holding data of more than 1 million Chinese users. To clarify the situation, the Cyberspace Administration of China (CAC), which has not been involved in the screening of IPOs in the past, last week published two “expert opinions” on its website – from two individuals working for state institutions – which argued that public listings in Hong Kong should be subject to the same cybersecurity review. It is understandable that, after the Didi case, the CAC is trying to plug all loopholes, but it would be a big leap to infer from the regulation’s current text that the review has to apply to Hong Kong IPOs as well. Interestingly, other regulators, including the China Securities Regulatory Commission, have largely stayed mute on the issue. The cyberspace administration is fully aware it should not overstep into other regulators’ turf without proper justification, which is why it quickly denied a rumour that it would seek the power to review funding and investment activities of listed Chinese tech firms. Given the CAC’s central role in regulating the country’s internet sector, Chinese tech companies will always rush to entertain its demands, even if they are only hinted at. In reality, the companies that have sought IPOs in Hong Kong since last summer have tried different ways to notify the cyberspace administration and to obtain its consent. But it still would be better for the relevant authorities to elaborate on the details of cybersecurity reviews of Hong Kong IPOs to reduce any unnecessary uncertainty in the public listing process.