China will impose a cybersecurity review on mainland companies seeking initial public offerings in Hong Kong on national security grounds, according to a draft regulation released on Sunday, adding a new layer of oversight for Chinese tech giants from ByteDance to Didi Chuxing if they choose to sell shares in the city.
The Cyberspace Administration of China (CAC), the country’s top cybersecurity authority, released the draft regulation titled “Network Data Security Management Regulations” for public consultation through December 13, with the final version being subject to change. The regulation stipulates that “data-processing entities seeking a listing in Hong Kong that will influence or may influence national security” must apply for a cybersecurity check.
The draft is the first time the Chinese government has clarified that some IPOs in Hong Kong will be subject to a data security screening. New rules earlier this year required such a review for foreign IPOs of some companies, but the rules for Hong Kong were unclear. The new regulation could introduce an additional regulatory layer for listing in the city.
The proposed regulation does not specify criteria to merit national security concerns, but explanatory notes list a wide range of “important data” that could qualify, including unpublished government data, data on key technologies and scientific research, data on the economy and key sectors such as telecoms, finance and energy, as well as data regarding national geography, key infrastructure and genetics.
Amid increased cybersecurity scrutiny, multiple Chinese tech companies have delayed or scrapped plans to go public overseas. An IPO for TikTok owner ByteDance, the world’s most valuable privately held company, has been highly anticipated, but the company denied reports this year that it was looking at listing in Hong Kong.
The draft regulation is designed for the implementation of the country’s three major laws governing data collection and usage: the 2017 Cybersecurity Law, and this year’s Data Security Law and the Personal Information Protection law.
The new draft comes after Chinese authorities released a draft of the “Measures for Cybersecurity Review” in July. That regulation specified that technology platform companies with the personal data of more than 1 million users must apply for a review from the Cybersecurity Review Office if they plan to list in a foreign market. The office under the CAC is backed by 12 powerful Chinese ministries and was little known until this year.
Companies that fail to comply with the review requirement face having their business licenses revoked and a fine of 500,000 yuan to 2 million yuan (US$78,360 to US$313,450).
Hong Kong’s stock exchange competes with those in the US to attract Chinese companies, which have found themselves caught in the crossfire of an escalating US-China tech war that has resulted in regulatory uncertainty both in New York and in mainland China. The new rules could complicate IPO strategies for executives hoping foreign listing rules would not apply to Hong Kong.
However, the new draft regulation puts the Hong Kong listing requirements in a separate clause from those for “foreign IPOs”, and it is less specific, suggesting listing in the special administrative region may still be easier than in foreign markets.
In an interview with the South China Morning Post in July, Hong Kong Financial Secretary Paul Chan Mo-po said that Hong Kong remains the ideal choice for mainland Chinese firms eyeing IPOs.
“Being part of the same country, data security is not a concern,” he said. “We have very stringent requirements in terms of personal data privacy protection, so those tech companies coming here will be able to avoid the sudden regulatory shocks that they have seen in the past month.”
Beijing has intensified a cybersecurity crackdown since ride-hailing giant Didi Chuxing listed on the New York Stock Exchange in June in the face of government concerns. Two days after the US$4.4 billion IPO, Beijing launched a cybersecurity probe into the company. Days later, the CAC also launched probes into Full Truck Alliance and Boss Zhipin, two other companies that had listed in New York in June.
The investigations were for “effectively preventing potential national security risks relating to procurement, data processing and overseas listings”, the state-owned Xinhua News Agency said in a report last month.
Since launching the cybersecurity reviews, Beijing authorities have introduced multiple new laws and regulations related to data security, including the measures on overseas listings.