China’s New Draft Cybersecurity Review Rules to Impact Companies’ HK IPO
China has tightened cybersecurity review requirements for companies pursuing IPO in Hong Kong but has kept it separate from requirements for share listing outside mainland China and Hong Kong. Companies seeking to list outside of China and Hong Kong will be subject to a review if they hold data of more than one million people.
On November 14, 2021, the Cyberspace Administration of China (CAC) released the Network Data Security Management Regulation (Exposure Draft), seeking public opinions until December 13, 2021. The sprawling draft Regulation, consisting of 75 articles, unifies data security rules introduced by the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL).
What to make of the latest Regulation?
A notable provision of the Network Data Security Management Regulation requires firms to undergo a cybersecurity review before seeking initial public offerings (IPOs) in Hong Kong – if it implicates national security.
In addition, and consistent with the draft Measures for Cybersecurity Review released on July 10 this year, the Regulation includes a similar provision that firms with personal data of more than one million users will be subject to government review before listing abroad.
The country’s top cybersecurity authority started to tighten rules for companies seeking to sell shares overseas in July this year, following its probe into Didi Chuxing for suspected data violations just two days after the ride-hailing company’s blockbuster IPO on the New York Stock Exchange.
The draft Measures for Cybersecurity Review, which was published by the CAC, has required companies holding personal data of more than one million users to submit to a screening by Chinese authorities before their overseas IPOs. However, the Measures did not clarify whether the requirement applied to Hong Kong listings.
The latest development
The proposed Network Data Security Management Regulation thus supplements the Measures. The former separates the scenarios of “going public abroad” and “going public in Hong Kong” in Item 2 and Item 3 of Article 13 (see preceding section).
Mainland companies seeking to go public in Hong Kong will be subject to a cybersecurity check when it implicates “national security”; however, the proposed regulation does not specify the criteria that merit national security concerns.
Nevertheless, the Regulation’s explanatory notes have listed the definition of “important data”, including unpublished government data, data on key technologies and scientific research, data on the economy and key sectors, such as telecoms, finance, and energy, as well as data regarding national geography, key infrastructure, and genetics.
What else does the proposed regulation say?
The Network Data Security Management Regulation has nine chapters that put out a laundry list of requirements on data security, including:
- Basic data security and emergency response duties
- Guidelines for the collection, processing, and transmission of personal information
- Rules and responsibilities for agencies handling “important data”
- Requirements on cross-border data transfer
- Special obligations for Internet platforms
In addition to imposing a security review on certain firms seeking to list in Hong Kong or abroad, the CAC also requires security assessment for cross-border transfer of “important data” as well as cross-border transfer of personal data by operators of critical information infrastructure and by firms holding personal information of more than one million people.
Why it matters
The draft Regulation specifies fines, extracted from the CSL, DSL, and PIPL. For organizations, the maximum penalties are RMB 50 million (US$7.8 million) or 5 percent of revenue and for individuals, they could be liable up to RMB 1 million’s fine (US$156,700).
The proposed Network Data Security Management Regulation introduces fresh uncertainty that could see mainland data-rich firms rethink their pivot to list in Hong Kong in the wake of the Chinese government’s investigation into Didi. If the Regulation is enacted in the present form, the firms will need to carefully understand their full obligations in order to carry on their capital-raising plan in the Hong Kong territory.
China Briefing has been paying close attention to China’s laws and regulations concerning data security and personal information protection. We will release follow-up articles with in-depth interpretation of the Network Data Security Management Regulation. Please follow us and for more information or assistance, you are welcome to contact us at China@dezshira.com.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
- Previous Article What to Make of the New Regulations in China’s Gaming Industry
- Next Article China Stops Issuing GSP Licenses to 32 Countries: An Explainer