Several revisions in China’s updated Cybersecurity Review Measures, in effect from February 15, 2022, focus on risks associated with data processing activities and the data security risks arising from Chinese entities listing overseas. Under the new Measures, network platform companies with access to the personal information of more than one million users will need to apply for a cybersecurity review before listing abroad. A reading of the language of the new Measures has resulted in industry experts assuming that the geographical scope of “foreign listings” does not include Hong Kong. If this understanding is correct, the Measures could shift more Chinese companies towards Hong Kong IPOs to avoid potential reviews.
On January 4, the first working day of 2022, the Cyberspace Administration of China (CAC), in conjunction with 12 other authorities – including the China Securities Regulatory Commission (CSRC) – finally promulgated the high-profile Cybersecurity Review Measures (hereafter the “Measures”).
The new Measures, which will come into force from February 15, 2022, spell out the legal basis, scope of application, government bodies in charge, content, and procedures for cybersecurity review.
The Measures will subject two main groups – critical information infrastructure (CII) operators as well as network platform operators – to a cybersecurity review, under the following circumstances:
(Based on the Regulation on the Security and Protection of CII, CII operators refer to operators of information infrastructure in important industries and sectors, such as public communications and information services, energy, transport, water conservancy, finance, public services, e-government services, and national defense)
(The Measures do not define “network platform operator.” A network platform operator with more than one million users could be any data-rich consumer tech company.)
The CAC began revising the Cybersecurity Review Measures on July 10, 2021, days after the announcement of the investigation into the ride-hailing firm Didi Chuxing.
The revision was to supersede the original Measures that were effective from June 1, 2020, which focused on reviews of the procurement of ICT (information communication technology) equipment and services by CII operators – in other words, CII supply chain reviews.
With a new aim to protect cybersecurity and data security, the draft revision started incorporating data processing activities and foreign IPOs into the scope of review, which in part echoed the Data Security Law (DSL) adopted on June 10, 2021.
Compared with the original file, the 2021 Cybersecurity Review Measures have made the following amendments:
Among all the changes, the newly added Article 7 of the revamped Measures has attracted the most attention. It stipulates that:
“Where any network platform operator who possesses the personal information of more than one million users seeks foreign listings (“国外上市”), it shall file an application with the Office of Cybersecurity Review for cybersecurity review.”
Both the draft and final versions of the Measures use the term “foreign listings” (“国外上市”) instead of “offshore listings” (“境外上市”). The former term is often interpreted as listing outside of China, such as in the US, and excluding listing in Hong Kong, while the latter term would include Hong Kong. Many lawyers and bankers therefore speculate that the wording indicates that mainland companies pursuing IPOs in Hong Kong may be exempt from the cybersecurity review process.
Such discussion took place in November when the CAC issued a draft of the Network Data Security Management Regulation. The regulation specifically mentioned Hong Kong listings as requiring special vetting if they involve matters of national security, and separated Hong Kong listings from foreign listings in two respective items.
According to Caixin’s report citing several lawyers involved in Hong Kong IPOs, “the city’s bourse recently started to ask mainland companies whether they could be subject to cybersecurity reviews. The inquiries have extended to non-Internet companies. At the moment, companies are required only to submit a legal document drawn up by mainland lawyers outlining the likelihood of a cybersecurity review.”
The Office of Cybersecurity Review (OCR), a subordinate office under the CAC, will entrust the China Cybersecurity Review Technology and Certification Center (CCRC) to conduct the review, the CAC said in a press conference.
The CCRC will undertake the tasks of receiving the filing materials and conducting formal examination of the submissions under the guidance of the OCR. The CCRC will also set up a window for cybersecurity review consultation.
Network platform operators holding data of more than one million users are required to proactively apply to the OCR for a security review before they apply to foreign securities regulators to list.
Operators voluntarily filing an application for cybersecurity review should submit the following materials:
When members under the cybersecurity review working mechanism deem a network product or service or a data processing activity as affecting or potentially affecting national security, the OCR can also report to the CCRC for approval and initiate a cybersecurity review in accordance with the Measures.
In aggregate, the general review process takes up to 70 working days from the start of the application. For the special review process, the maximum reviewing time required can be more than 160 working days, or more than eight months.
When carrying out the cybersecurity review, the OCR will focus on the assessment of national security risks that may be brought about by procurement activities, data processing activities, and overseas listing. The following factors are taken into account (the last three items are newly added, zeroing in on protecting core or important data and personal information):
Most revisions in the new Cybersecurity Review Measures relate to risks associated with data processing activities. The Measures also emphasize the data security risks arising from Chinese market entities listed overseas, which reflects China’s growing concerns that foreign regulators could gain access to sensitive data from Chinese entities listed on foreign stock markets, particularly in the US.
In fact, the promulgation of the new Measures was preceded by a string of decisions by Chinese authorities to boost the oversight of offshore listings by Chinese companies. On December 24, 2021, the CSRC unveiled a set of rules imposing new filing requirements for Chinese companies seeking to sell shares directly or indirectly overseas. On December 27, the new negative lists for foreign investment access allowed companies in foreign investment-restricted sectors to go public overseas, but at the same time required them to obtain approval from relevant regulators in advance.
In the mid to long term, mainland companies, especially those whose businesses impact cybersecurity and data security and are subject to foreign investment restrictions, will face a stringent review process when seeking offshore listings.
The practical processes are still a black box for many companies, and even a conundrum for officials, as it will not be easy to secure the data without incurring the potential economic loss caused by data blocking. Thus, more detailed rules and guidelines can be expected along with the implementation of the new Cybersecurity Review Measures. Presently, it may very well be that many mainland companies hold off on their IPO plans, shift towards Hong Kong IPOs, or navigate a route that does not trigger cybersecurity or data security red flags.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org.