Beijing tightens grip on China tech with proposal for cybersecurity reviews on all foreign public listings
- Platform operators that have collected personal information from at least 1 million users must apply for a review by the Cybersecurity Review Office
- The draft regulations also cover data security risks involving foreign powers, with reviews assessing the risks of data being transferred abroad illegally
Technology platform companies that possess the personal data of at least 1 million users must apply for a review by the Cybersecurity Review Office, a group backed by 12 powerful Chinese ministries, if they plan an IPO in a foreign market, according to a draft of the updated version of Beijing’s Measures for Cybersecurity Review published on Saturday, which is open for feedback until July 25.
The draft does not specify if it exempts or covers Hong Kong - the world’s favourite IPO destination in seven of the past 12 years - although the city is usually not considered a “foreign” market under Chinese regulations.
The draft is mainly aimed at listings in the US, said You Yunting, senior partner at Shanghai Debund Law Firm.
“The Chinese government has been hoping to strengthen supervision of Chinese companies listed overseas for some time … but since the start of the China-US trade war, data has become a focus of the power play between the two sides,” You said. “Didi’s US listing was only the fuse that lit the supervision, but even without the Didi incident, the Chinese government would still have taken the initiative.”
The draft regulations also cover data security risks involving foreign powers, with reviews assessing the risks of data being transferred abroad illegally, or being stolen, leaked and destroyed.
Reviews will also consider the national security risks of critical information infrastructure: whether critical and personal data is being affected, controlled, or maliciously used by foreign governments after a foreign listing, according to the draft.
The current regulations, issued in April and effective from June 2020, require that critical information infrastructure operators go through a cybersecurity review if they acquire network products or services that may threaten national security.
The Cyber Security Review Office has already announced probes into Didi, truck-hailing apps Yunmanman and Huochebang, as well as a recruiting app operated by Boss Zhipin, all on national security grounds.