China’s process for approving initial public offerings (IPOs) in foreign capital markets will require an additional layer of oversight, as the cyberspace regulator is being formally inserted into the procedures, according to draft rules proposed by the Cyberspace Administration of China (CAC).

Technology platform companies that possess the personal data of at least 1 million users must apply for a review by the Cybersecurity Review Office, a group backed by 12 powerful Chinese ministries, if they plan an IPO in a foreign market, according to a draft of the updated version of Beijing’s Measures for Cybersecurity Review published on Saturday, which is open for feedback until July 25.

The draft does not specify if it exempts or covers Hong Kong - the world’s favourite IPO destination in seven of the past 12 years - although the city is usually not considered a “foreign” market under Chinese regulations.

The threshold was set at 1 million - a low bar a country where almost 1 billion people go online actively- apparently to conform with Foreign Investment Risk Review Modernization Act of the United States, which requires approvals by the Committee on Foreign Investment in the United States (CFIUS) for deals that involve the personal data of 1 million or more US individuals.

A driver of Chinese ride-hailing service Didi drives with a phone showing a navigation map on Didi's app in Beijing on July 5, 2021.

Coming hot on the heels of a series of crackdowns by the cyberspace regulator on China’s dominant ride-hailing service Didi-Chuxing, the new rules could significantly change the regulatory landscape for Chinese tech firms wanting to raise funds from foreign markets.

Didi, which raised US$4.4 billion in a June 30 stock sale in New York, angered Chinese regulators - especially the CAC - because of the way that it forced its way to the listing, sources have told the Post. Four sources described the company’s insistence to list as akin to a “deliberate act of deceit”.

The draft is mainly aimed at listings in the US, said You Yunting, senior partner at Shanghai Debund Law Firm.

“The Chinese government has been hoping to strengthen supervision of Chinese companies listed overseas for some time … but since the start of the China-US trade war, data has become a focus of the power play between the two sides,” You said. “Didi’s US listing was only the fuse that lit the supervision, but even without the Didi incident, the Chinese government would still have taken the initiative.”

The draft regulations also cover data security risks involving foreign powers, with reviews assessing the risks of data being transferred abroad illegally, or being stolen, leaked and destroyed.

Reviews will also consider the national security risks of critical information infrastructure: whether critical and personal data is being affected, controlled, or maliciously used by foreign governments after a foreign listing, according to the draft.

The proposal did not say whether Chinese tech companies that have already filed to list in New York must go through the cybersecurity review. LinkDoc Technology, a company backed by Alibaba Group Holding’s Alibaba Health unit, and the Beijing-based Daojia are among the China-domiciled technology companies that have filed to raise funds in the US. Alibaba owns this newspaper.

An American flag is seen in front of the logo for Chinese ride hailing company Didi during its IPO on the New York Stock Exchange (NYSE), June 30, 2021.

The current regulations, issued in April and effective from June 2020, require that critical information infrastructure operators go through a cybersecurity review if they acquire network products or services that may threaten national security.

The Cyber Security Review Office has already announced probes into Didi, truck-hailing apps Yunmanman and Huochebang, as well as a recruiting app operated by Boss Zhipin, all on national security grounds.