Chinese tech giants to face cybersecurity reviews for IPOs in Hong Kong, but rules more lenient than foreign listings

A draft regulation from the Cyberspace Administration of China clarifies rules for listing in Hong Kong, but keeps them separate from foreign IPOs

Tech companies seeking overseas IPOs were forced to reassess options this year under cybersecurity review rules for companies with data on 1 million users

Reading Time:3 minutes

Electronic billboards display stock transactions on Exchange Square, the location of the Hong Kong stock exchange, on September 21. Photo: EPA-EFE

Published: 7:29pm, 14 Nov 2021Updated: 11:04pm, 14 Nov 2021

China will impose a cybersecurity review on mainland companies seeking initial public offerings in Hong Kong on national security grounds, according to a draft regulation released on Sunday, adding a new layer of oversight for Chinese tech giants from ByteDance to Didi Chuxing if they choose to sell shares in the city.

The Cyberspace Administration of China (CAC), the country’s top cybersecurity authority, released the draft regulation titled “Network Data Security Management Regulations” for public consultation through December 13, with the final version being subject to change. The regulation stipulates that “data-processing entities seeking a listing in Hong Kong that will influence or may influence national security” must apply for a cybersecurity check.

The draft is the first time the Chinese government has clarified that some IPOs in Hong Kong will be subject to a data security screening. New rules earlier this year required such a review for foreign IPOs of some companies, but the rules for Hong Kong were unclear. The new regulation could introduce an additional regulatory layer for listing in the city.

The proposed regulation does not specify criteria to merit national security concerns, but explanatory notes list a wide range of “important data” that could qualify, including unpublished government data, data on key technologies and scientific research, data on the economy and key sectors such as telecoms, finance and energy, as well as data regarding national geography, key infrastructure and genetics.

Amid increased cybersecurity scrutiny, multiple Chinese tech companies have delayed or scrapped plans to go public overseas. An IPO for TikTok owner ByteDance, the world’s most valuable privately held company, has been highly anticipated, but the company denied reports this year that it was looking at listing in Hong Kong.

The draft regulation is designed for the implementation of the country’s three major laws governing data collection and usage: the 2017 Cybersecurity Law, and this year’s Data Security Law and the Personal Information Protection law.

The new draft comes after Chinese authorities released a draft of the “Measures for Cybersecurity Review” in July. That regulation specified that technology platform companies with the personal data of more than 1 million users must apply for a review from the Cybersecurity Review Office if they plan to list in a foreign market. The office under the CAC is backed by 12 powerful Chinese ministries and was little known until this year.