Chinese tech giants to face cybersecurity reviews for IPOs in Hong Kong, but rules more lenient than foreign listings
- A draft regulation from the Cyberspace Administration of China clarifies rules for listing in Hong Kong, but keeps them separate from foreign IPOs
- Tech companies seeking overseas IPOs were forced to reassess options this year under cybersecurity review rules for companies with data on 1 million users
China will impose a cybersecurity review on mainland companies seeking initial public offerings in Hong Kong on national security grounds, according to a draft regulation released on Sunday, adding a new layer of oversight for Chinese tech giants from ByteDance to Didi Chuxing if they choose to sell shares in the city.
The Cyberspace Administration of China (CAC), the country’s top cybersecurity authority, released the draft regulation titled “Network Data Security Management Regulations” for public consultation through December 13, with the final version being subject to change. The regulation stipulates that “data-processing entities seeking a listing in Hong Kong that will influence or may influence national security” must apply for a cybersecurity check.
The draft is the first time the Chinese government has clarified that some IPOs in Hong Kong will be subject to a data security screening. New rules earlier this year required such a review for foreign IPOs of some companies, but the rules for Hong Kong were unclear. The new regulation could introduce an additional regulatory layer for listing in the city.
The proposed regulation does not specify criteria to merit national security concerns, but explanatory notes list a wide range of “important data” that could qualify, including unpublished government data, data on key technologies and scientific research, data on the economy and key sectors such as telecoms, finance and energy, as well as data regarding national geography, key infrastructure and genetics.
The draft regulation is designed for the implementation of the country’s three major laws governing data collection and usage: the 2017 Cybersecurity Law, and this year’s Data Security Law and the Personal Information Protection law.
Companies that fail to comply with the review requirement face having their business licenses revoked and a fine of 500,000 yuan to 2 million yuan (US$78,360 to US$313,450).
Why China is tightening control over cybersecurity
However, the new draft regulation puts the Hong Kong listing requirements in a separate clause from those for “foreign IPOs”, and it is less specific, suggesting listing in the special administrative region may still be easier than in foreign markets.
“Being part of the same country, data security is not a concern,” he said. “We have very stringent requirements in terms of personal data privacy protection, so those tech companies coming here will be able to avoid the sudden regulatory shocks that they have seen in the past month.”
The investigations were for “effectively preventing potential national security risks relating to procurement, data processing and overseas listings”, the state-owned Xinhua News Agency said in a report last month.
Since launching the cybersecurity reviews, Beijing authorities have introduced multiple new laws and regulations related to data security, including the measures on overseas listings.